PRIVACY & DATA SECURITY
CPPA Sues Tractor Supply Co. to Enforce Privacy Investigation Subpoena
The California Privacy Protection Agency (CPPA) has filed a legal petition in Sacramento County Superior Court to compel Tractor Supply Co. to comply with an investigative subpoena related to its data privacy practices under the California Consumer Privacy Act (CCPA). This marks the CPPA’s first public disclosure of an ongoing investigation and its first court action to enforce its regulatory authority since its enforcement efforts began in July 2023.
The investigation stems from a consumer complaint received in early 2024 and alleges Tractor Supply failed to 1) provide a clear sale/share opt-out link on its website; 2) honor browser-based opt-out signals; and 3) update its privacy policy since November 2021, violating the CCPA’s 12-month update requirement. The subpoena seeks information dating back to January 1, 2020, the CCPA’s initial operative date. Tractor Supply declined to provide data prior to January 1, 2023, arguing that the five-year scope is overly broad and “logistically burdensome,” and that its pre-2023 practices fall outside the agency’s enforcement authority due to the lack of finalized regulations at the time.
BUSINESSES NEED TO KNOW: CPPA has countered that the law has been in effect since 2020, and its investigatory powers extend back to that date, arguing that while “regulations implementing aspects of the law followed over time, including in 2020, 2021, and 2023, any changes in the law do not abrogate the agency’s authority to investigate possible violations.” We will be closely watching the outcome of this case as it may set a precedent for how far back the CPPA can investigate alleged violations of the CCPA, thus impacting future enforcement strategies and compliance expectations for businesses conducting business with California consumers.
Colorado Delays AI Law Implementation Amid Ongoing Debate Over Scope and Liability
During a special session focused on fiscal impacts, the Colorado Legislature voted to delay implementation of the Colorado Artificial Intelligence Act (CAIA) from February 1 to June 30, 2026, but otherwise did not make substantive changes to the law. This leaves businesses facing continued uncertainty over liability, compliance obligations, and the law’s scope. For example, businesses are still struggling to understand the scope of the law’s definition of a “substantial factor” that seems to broaden the law to potentially cover certain uses of AI that assist humans in making decisions but do not make the decisions on behalf of the human.
Passed in 2024, the CAIA regulates “high-risk” AI uses in areas like lending, housing, and employment. Despite proposals to narrow liability and increase clarity, lawmakers were unable to reconcile business compliance concerns with consumer protection goals. Legislators will revisit the law when they reconvene in the next general session in early 2026.
BUSINESSES NEED TO KNOW: Arguably the most encompassing law in the U.S. to regulate the development and deployment of AI systems and controversial from the start due to its sweeping nature, the CAIA is expected to influence AI regulation nationwide as other states watch its progress closely. Despite the delay in its implementation, businesses can, and should, begin working with experienced counsel to take steps toward compliance, as many provisions align with emerging best practices for AI development and use, as well as international standards such as the EU AI Act.
TCPA & TELESERVICES
FCC Blocks Almost 1500 VSPs from U.S. Networks in August
The FCC took significant steps in August targeting illegal robocall traffic with two sweeping orders that, in total, removed almost 1500 voice service providers (VSPs) from its Robocall Mitigation Database (RMD) for failing to comply with updated robocall mitigation rules. The actions effectively ban these providers from U.S. phone networks, following their failure to maintain accurate certifications and implement required mitigation plans.
A larger enforcement wave followed the earlier removal of 185 providers, and came after the FCC warned 2,411 companies in December 2024 to correct deficient filings or face removal. The delisted providers must now obtain express approval from both the FCC’s Enforcement Bureau and Wireline Competition Bureau to rejoin the database. Companies relying on the impacted providers could suffer sudden disruptions in outbound communications, increased risk of call blocking or mislabeling, or increased enforcement scrutiny.
BUSINESSES NEED TO KNOW: The FCC means business here. Chair Brendan Carr noted: “Providers that fail to do their duty when it comes to stopping [illegal robocalls] have no place in our networks. We’re taking action and we will continue to do so.”
It’s more important than ever for businesses relying on VSPs for their outbound calls, texts, or SMS to understand their potential exposure and protect themselves by vetting their providers, assessing (and tuning up if necessary) their compliance tools and training, and staying ahead of regulatory developments.
FTC Raises Do Not Call Registry Access Fees for FY 2026
The Federal Trade Commission announced updated fees for telemarketers accessing the National Do Not Call (DNC) Registry for Fiscal Year 2026. The new, increased fees take effect October 1, 2025. All telemarketers calling U.S. consumers must annually subscribe to download DNC numbers to avoid calling consumers who have registered. The first five area codes downloaded remain free, and exempt organizations like certain charities and political callers can access the full list at no cost.
The new fees are:
- $82 per area code (up from $80 in FY 2025)
- $22,626 maximum annual fee for a single entity for full access (up from $22,038)
- $41 for half-year access to an additional area code (up from $40)
BUSINESSES NEED TO KNOW: Although the cost of everything seems to be on the rise these days, here’s a reminder that the price of noncompliance in this area remains significantly greater. It’s a violation of the TCPA to call a DNC-registered number without consent or an established business relationship (EBR), with fines of $500 per call (trebled to $1,500 per call for willful violations). Just one noncompliant call or text campaign can lead to millions of dollars in liability.
In case you missed it…
The FTC is taking aim (again) at deceptive lead practices. Did you catch our blog on the Commission’s $145 million August settlements?
ADVERTISING & MARKETING
FTC Sues LA Fitness Over Allegedly Unfair Membership Cancellation Practices
The Federal Trade Commission filed a lawsuit against LA Fitness in California federal court accusing the gym chain of deterring consumers from exercising their rights by using burdensome and opaque cancellation procedures in violation of the FTC Act and the Restore Online Shoppers’ Confidence Act (ROSCA).
The FTC alleges that LA Fitness forces its 3.7 million members to cancel memberships either 1) in-person, during limited weekday hours, and only through a specific operations manager, or 2) via registered/certified mail, requiring a trip to the post office and out-of-pocket expense. The complaint further asserts additional barriers, including a hard-to-find cancellation form on the website, a complicated login process to access cancellation forms, and contradictory instructions across sign-up materials, membership agreements, and online resources.
BUSINESSES NEED TO KNOW: The lawsuit follows a broader push to simplify cancellation processes for recurring services and subscriptions, including the Agency’s “click-to-cancel” rule initiated under the previous administration, which was vacated earlier this summer by the Eighth Circuit Court due to procedural concerns. However, that rule may yet reappear in another form as House Democrats recently introduced the Click to Cancel Act of 2025; companion legislation has also been introduced in the Senate.
Match Group Settles FTC Lawsuit for $14M Over Misleading Guarantees and Cancellation Barriers
Match Group Inc., the parent company of dating platforms like Match.com, OkCupid, and Plenty of Fish, has agreed to pay $14 million and reform its subscription cancellation practices to settle a long-running FTC lawsuit alleging deceptive practices and unfair treatment of consumers.
The FTC’s 2019 complaint accused Match of misleading consumers with a “six-month guarantee” that was deceptively difficult to qualify for due to undisclosed conditions, unfairly suspending accounts and otherwise penalizing users who filed billing disputes, and obstructing cancellations, making it hard for users to exit paid services.
Match did not admit wrongdoing but agreed to the settlement terms, which include requirements to clearly disclose the terms of its guarantees and simplify the cancellation process, and a prohibition on retaliating, threatening adverse action, or taking adverse action against users who dispute charges.
BUSINESSES NEED TO KNOW: The recent FTC actions against companies like Match Group and LA Fitness are a loud reminder: customer retention should be built on trust and satisfaction, not barriers to exit. Consumers expect transparency, simplicity, and respect from businesses. Making it hard to leave doesn’t just frustrate them – it signals that your product might not be strong enough to stand on its own. And let’s be honest: if your retention strategy depends on confusion and roadblocks, maybe it’s time for a rethink.