PRIVACY & DATA SECURITY
CalPrivacy Gears Up for Privacy Audits to Begin This Year
The California Privacy Protection Agency (CalPrivacy) plans to begin auditing businesses for compliance with the CCPA this year, according to Executive Director Tom Kemp. The newly created Audits Division is building a team of technologists who will review written responses and directly test systems and applications. Audits may be announced or unannounced and can cover businesses, service providers, contractors, and high‑risk areas. Audit findings can be referred directly to the Enforcement Division.
The agency is also shifting to a more targeted, “bite‑sized” approach to rulemaking rather than sweeping regulatory packages. Upcoming focus areas include opt‑out preference signals, reducing friction in privacy rights requests, employee data, privacy notices, and data broker deletion obligations. Meanwhile, CalPrivacy is pressing ahead with enforcement, expanding oversight of data brokers under the Delete Act and promoting its new Delete Request and Opt‑Out Platform (DROP), which already has significant consumer uptake ahead of the August compliance deadline.
BUSINESSES NEED TO KNOW: The implementation of audits signals a shift from policy‑building to active compliance testing, meaning privacy programs need to work in practice, not just on paper. Here’s what to expect:
- Compliance will be tested, not just reviewed. Audits are expected to include technical validation of systems and workflows, increasing exposure where actual data practices don’t match stated policies.
- Audit findings can quickly become enforcement matters. Identified deficiencies can be referred directly to enforcement, increasing the risk that compliance gaps lead to penalties rather than informal course correction.
- Unannounced audits are on the table. Because audits may be unannounced, companies should maintain ongoing compliance readiness rather than preparing reactively.
- Data brokers face heightened pressure. With Delete Act compliance approaching and DROP gaining traction, businesses that collect or sell data without a direct consumer relationship should expect closer oversight of deletion workflows and data-handling practices.
Alabama Adds Another Layer to the State Privacy Patchwork
Following on the heels of Oklahoma just last month, Alabama became the 21st state to enact a comprehensive consumer privacy law with the governor’s signing of the Alabama Personal Data Protection Act (APDPA). Taking effect May 1, 2027, the law applies to companies that control or process personal data of at least 25,000 consumers or derive more than 25% of their revenue from the sale of personal data—one of the lowest applicability thresholds in the country. Notably, Alabama is the only state to apply the revenue‑based trigger without tying it to a minimum number of consumers, potentially capturing niche data‑driven businesses with limited in‑state reach.
Like the Oklahoma law, the APDPA has been deemed “business‑friendly,” and even goes a bit further by narrowly defining “sale” and “targeted advertising” and including exemptions for certain analytics services and first‑party marketing activities. It also includes comparatively lighter enforcement provisions, including a 45‑day cure period and enforcement limited to the state attorney general.
BUSINESSES NEED TO KNOW: Alabama’s privacy law may look “lighter” on its face, but it can still catch companies off guard. Companies should not assume that narrow definitions and generous carveouts automatically shield their data practices, particularly where analytics, marketing, or ad‑tech arrangements involve third parties. Whether an exemption applies will depend heavily on how data is actually used, shared, and segregated in practice, not just how arrangements are described contractually.
The law’s long runway to a May 2027 effective date gives businesses time, but that breathing room should be used strategically. Companies already complying with other state privacy laws should inventory whether Alabama‑specific gaps exist, especially around applicability, opt‑out rights, and data sharing tied to advertising or monetization models.
Virginia Becomes 3rd State to Ban Sale of Precise Geolocation Data
Virginia enacted a new law banning the sale of consumers’ precise geolocation data, becoming the third state, after Maryland and Oregon, to impose a blanket prohibition on these practices. Effective July 1, 2026, SB 338 amends Virginia’s Consumer Data Protection Act (VCDPA) to bar companies from selling location data capable of identifying a person within a 1,750‑foot radius, regardless of consumer consent.
The measure passed unanimously in both legislative chambers and was signed over objections from advertising industry groups, who argued the ban disrupts consent‑based data practices and location‑based services. Consumer advocates, by contrast, say the law addresses growing concerns about data brokers collecting and selling detailed movement data tied to sensitive locations.
Several other states are expected to consider similar geolocation restrictions in 2026, perhaps portending a shrinking national market for the sale of precise geolocation data.
BUSINESSES NEED TO KNOW: This law marks a meaningful shift away from consent‑based location data sales and puts data monetization models squarely in regulators’ crosshairs. Once the law takes effect, companies will no longer be able to rely on consumer opt‑in to sell precise geolocation data in Virginia, even where such practices were previously permitted under the state’s privacy framework. Additionally, the definition of “precise” location data is broad, covering information that can identify a consumer within a 1,750‑foot radius and capturing many common mobile app, ad tech, and location‑based marketing use cases. Businesses that trade, license, or otherwise monetize location data, including through downstream partners, should reassess their data flows and contracts now.
Kentucky Expands Privacy Law to Cover Smart TV Viewing Data
Kentucky has amended its Consumer Data Protection Act to classify certain Smart TV viewing data as “sensitive data,” meaning companies may not collect it without consumer consent. Signed by Governor Andy Beshear on April 13th, HB 692 takes effect July 1, 2027.
The amendment adds automatic content recognition (ACR) data to the definition of sensitive data, bringing this information squarely within the law’s heightened protections. ACR data is defined as information collected through technology embedded in smart televisions or monitors that can identify, in real time, the specific content a person is watching across broadcast, cable, satellite, and streaming services. The law also introduces a definition of “smart monitor” and clarifies that ACR does not include data tied solely to a company’s own content, consumer‑requested services or features, or enforcement of terms of service.
BUSINESSES NEED TO KNOW: The Kentucky amendment signals growing regulatory discomfort with connected‑TV and other ambient data collection technologies, particularly where consumers may not fully understand what data is being captured or how it’s used. Businesses involved in smart TV manufacturing, platform development, advertising, or analytics should expect heightened scrutiny of any technology capable of monitoring real‑time content consumption.
We’re seeing this move as part of a broader trend: even where current practices fall within statutory exclusions, regulators appear increasingly focused on meaningful transparency and affirmative consent, especially as enforcement actions in other states highlight the risks of passive or buried disclosures.
TCPA & TELESERVICES
FCC Moves Toward Tougher “Know Your Customer” Rules to Combat Illegal Robocalls
Calling illegal robocalls its top consumer protection challenge, the FCC has voted unanimously to begin developing stronger “Know Your Customer” (KYC) requirements for voice service providers. In a Further Notice of Proposed Rulemaking (FNPRM) adopted on April 30th, telecom providers, particularly those that originate call traffic, would be required to conduct more rigorous vetting of new and renewing customers before carrying their calls, with the goal of stopping scam activity before it enters U.S. phone networks.
Under the proposed framework, providers could be required to verify customer identities, including name, address, government ID, and alternative phone numbers before enabling service. For high‑volume callers, additional information such as intended use of the service and technical data linked to call origination could be required. The FCC is also considering penalties tied to the volume of illegal calls transmitted, aligning enforcement more closely with consumer harm.
The FCC is requesting public comments on these proposed customer verification standards. Initial comments are due May 31, 2026, so interested parties should carefully, but quickly, review the FNPRM and work to identify if they want to submit opinions regarding the proposal. Please reach out if we can assist.
BUSINESSES NEED TO KNOW: For voice service providers, the FCC is signaling that minimal customer vetting will no longer be enough. Originating providers are expected to act as gatekeepers, with greater responsibility for verifying customer identities, understanding how services will be used, and preventing illegal call traffic before it enters U.S. networks. Providers that enable high‑volume calling, especially for marketing, political, or automated campaigns, should expect closer scrutiny and potentially penalties tied to the volume of illegal calls transmitted, not just isolated violations.
For businesses that rely on outbound calling, the FNPRM is a reminder that upstream compliance matters. Companies using third‑party voice vendors may face more onboarding questions, documentation requests, or service limitations as providers tighten controls. Businesses with legitimate calling programs should be prepared to clearly explain the purpose of their calls and ensure practices align with robocall, spoofing, and consent rules – because increased FCC pressure on providers is likely to cascade down to their customers.
Florida VSP Faces $4.5M Fine Over Bank-Spoofing Robocall Traffic
Florida‑based Voxbeam Telecommunications is facing a proposed $4.5 million FCC fine for allegedly allowing foreign robocall traffic into U.S. networks that spoofed legitimate bank phone numbers. According to the agency, the calls, which were linked to an overseas provider not registered in the Robocall Mitigation Database, impersonated fraud prevention and customer service lines at major financial institutions, including Bank of America and Chase.
The FCC found that Voxbeam transmitted tens of thousands of these calls over several days in 2025, despite rules requiring gateway providers to block or mitigate illegal robocall traffic. The agency emphasized that gateway providers serve as critical entry points to U.S. phone networks and bear heightened responsibility for vetting inbound traffic. Voxbeam can still contest the proposed penalty, but the action underscores the FCC’s continued focus on holding providers accountable for robocall compliance failures.
BUSINESSES NEED TO KNOW: For companies that originate, aggregate, or transmit call traffic, the FCC is making clear that accountability doesn’t stop with the scammer. Gateway and voice service providers are required to actively vet upstream partners, monitor traffic patterns, and block non‑compliant sources – especially those not listed in the Robocall Mitigation Database. Allowing questionable traffic through, even for a short window, can expose providers to enormous penalties and “pass‑through” defenses will carry little weight when spoofed or fraudulent calls reach consumers.
ADVERTISING & MARKETING
FTC Fines StubHub $10M Over Hidden Ticket Fees Under New Pricing Rule
The FTC reached a $10 million settlement with StubHub over allegations that the ticket resale platform deceptively advertised ticket prices by failing to clearly disclose mandatory fees upfront. According to the agency, StubHub violated the FTC Act and the Commission’s Rule on Unfair or Deceptive Fees by displaying ticket prices that did not include all required fees, preventing consumers from understanding the total cost they would ultimately pay.
The action follows a May 2025 warning letter and comes shortly after the Fees Rule took effect, which requires businesses selling live‑event tickets to prominently disclose the full, all‑in price wherever prices are shown. The settlement bars StubHub from misrepresenting prices or fees and requires the company to provide consumer redress for certain ticket purchases made in mid‑May 2025, reinforcing the FTC’s push for price transparency across the ticketing market, including secondary sellers.
BUSINESSES NEED TO KNOW: Don’t be so quick to dismiss this one if you’re not in the event/ticketing business. The enforcement action is about more than concerts and sports – it reflects the FTC’s broader crackdown on “drip pricing” and incomplete price disclosures across industries. The agency is sending a clear message that when businesses advertise prices, consumers must see the all‑in, total cost upfront, not pieced together later in the transaction. That principle applies to any product or service with mandatory fees, surcharges, or add‑ons—from subscriptions and travel to e‑commerce and B2B services.
Just as importantly, the FTC is scrutinizing how and where prices are displayed, not just whether information is technically disclosed somewhere on a website. Pricing that appears before checkout, in search results, or on comparison screens must be accurate, prominently presented, and not misleading. Businesses should review pricing flows now to ensure that any mandatory charges are clearly included wherever prices are shown, especially as the FTC continues to enforce its new Fees Rule well beyond the ticketing context.
FTC Steps Up Enforcement of “Made in USA” Claims with New Settlements
The FTC announced a series of enforcement actions against three companies it says deceived consumers by falsely advertising products as “Made in the USA,” underscoring its renewed focus on domestic‑origin claims. The actions follow a recent executive order directing agencies to ensure truthful advertising of products claiming to be American‑made.
The FTC reached settlements with sellers of patriotic flags and flag display products, electronic dartboards, and footwear, resolving allegations that each company made unqualified “Made in USA” claims despite relying on significant imported components or overseas manufacturing and assembly. Collectively, the companies agreed to pay more than $850,000 in consumer redress. The FTC also issued closing letters to two other manufacturers after they agreed to revise “Made in USA” representations and commit to compliance, while warning that further violations could still prompt enforcement.
BUSINESSES NEED TO KNOW: Marketing language matters, especially where national origin claims are concerned. Domestic assembly alone is not enough when key components or production occur abroad. Businesses should reassess any “Made in USA,” “All‑American,” or similar claims to ensure they can substantiate them under the FTC’s strict “all or virtually all” standard, which looks beyond final assembly to the sourcing of components and materials. Recent settlements show that even partial reliance on imported parts can make unqualified claims risky, and that warning letters may quickly escalate to enforcement if issues are not corrected.
GENERAL COMPLIANCE
FTC Orders Rollins to Drop Worker Noncompetes, Warns Pest-Control Industry
The FTC has ordered Rollins, Inc., the parent company of Orkin and other major pest‑control brands, to stop enforcing noncompete agreements against more than 18,000 employees nationwide, citing unfair and anticompetitive labor practices. According to the FTC, Rollins imposed sweeping noncompetes on nearly all employees, restricting them from working in the pest‑control industry for up to two years within a 75‑mile radius of company locations. The proposed consent order would require Rollins to cease enforcing noncompetes and notify current and former employees that they are free to compete or start their own businesses.
At the same time, the FTC sent warning letters to 13 other pest‑control companies urging them to review their employment agreements for similar restrictions. The FTC’s continued focus on labor‑market competition signals heightened scrutiny of noncompete provisions, particularly those applied broadly to lower‑wage or non‑negotiating workers.
BUSINESSES NEED TO KNOW: The FTC is actively using its antitrust and unfair‑competition authority to police noncompete agreements, even outside the abandoned nationwide noncompete rule. Broad, blanket noncompetes, especially those imposed on lower‑wage workers, applied company‑wide, or unsupported by meaningful consideration, are a prime enforcement target.
If you haven’t already done so, review your employment agreements to assess whether noncompetes are narrowly tailored, role‑specific, and defensible under competition law, or whether they risk being viewed as coercive or anticompetitive. Certain highly competitive industries with limited employment alternatives for employees may be subject to greater scrutiny. The FTC’s warning letters make clear that enforcement may extend beyond individual cases and into entire industries, and that remedies can include not just stopping enforcement, but affirmatively notifying current and former employees that restrictions no longer apply.