PRIVACY & DATA SECURITY
California AG Sends Clear Message on CCPA Opt‑Outs in Record Disney Settlement
California Attorney General Rob Bonta announced a $2.75 million settlement with the Walt Disney Company—the largest CCPA settlement to date—over allegations that Disney failed to fully honor consumers’ requests to opt out of the sale or sharing of their personal information. The investigation, which followed a 2024 enforcement sweep of streaming services, found that Disney’s opt‑out mechanisms often applied only to a single device, service, or data pathway, allowing personal information to continue flowing elsewhere in Disney’s ecosystem. According to the AG, that outcome violates the CCPA’s core requirement that opt‑out rights be effective and easy to exercise.
While Disney offered multiple opt‑out tools, such as toggles, a webform, and recognition of Global Privacy Control (GPC) signals, the AG concluded that none reliably stopped all sale or sharing of personal information across devices, services, and third‑party ad‑tech integrations tied to a consumer’s account. Under the settlement, Disney must pay civil penalties, implement opt‑out mechanisms that fully stop data sales or sharing, and maintain a compliance program to assess the effectiveness of those mechanisms.
BUSINESSES NEED TO KNOW: The takeaways here for businesses are clear:
- Opt‑outs must actually stop the data. California regulators are focused on results, not just disclosures or tools.
- Account‑level tracking means account‑level opt‑outs. If you recognize consumers across devices or services for advertising or analytics, you’re expected to honor their opt‑out across that entire ecosystem.
- Device‑by‑device opt‑outs won’t fly. Requiring consumers to repeat opt out steps across platforms, apps, or devices is likely to be viewed as unlawfully burdensome under the CCPA.
- Third‑party ad tech remains your responsibility. Pixels, SDKs, and embedded tracking tools don’t shift responsibility. If data keeps flowing to vendors after an opt‑out, regulators will hold the business accountable.
- GPC signals must have real effect. Limiting Global Privacy Control signals to a single device or narrow context is unlikely to satisfy California regulators.
Court Allows Privacy Suit Over LiveRamp Tracker Use to Proceed Against Reddit
A federal judge in California refused to dismiss a proposed class action alleging that Reddit violated the California Invasion of Privacy Act (CIPA) by embedding a third‑party LiveRamp tracking tool on its website without user consent. The court held that the LiveRamp tracker plausibly qualifies as a “pen register” under California law, allowing the case to move forward past the pleading stage.
The lawsuit claims Reddit embedded LiveRamp’s tracking technology to collect and transmit visitors’ IP addresses and related routing information for targeted advertising and cross‑platform identity matching. While Reddit argued that collecting IP addresses is a routine website function and outside the scope of decades‑old pen register statutes, the court disagreed. Instead, it aligned with a growing number of California federal courts holding that modern web tracking tools—including pixels and trackers—can plausibly fall within CIPA’s pen register provisions when they capture and transmit addressing information to third parties for advertising and profiling purposes. Time will tell whether LiveRamp continues to litigate this matter or settle the claim.
BUSINESSES NEED TO KNOW: The decision underscores the continued litigation risk around third‑party tracking technologies and signals that courts remain receptive to claims challenging online advertising infrastructure—even when those tools resemble standard web functionality. Businesses using LiveRamp and similar technologies should work with counsel to develop risk mitigation strategies that account for this changing landscape.
California’s One‑Click Data Deletion Tool Takes Off
Consumer enthusiasm for California’s newly launched Delete Request and Opt‑out Platform (DROP) is exceeding regulators’ expectations. Despite minimal public promotion, more than 225,000 residents signed up for the landmark system in the first 6 weeks following its January 1st launch. Created under the Delete Act, DROP allows consumers to submit a single request directing all registered data brokers in California to delete their personal information and stop selling it going forward.
Although consumers may sign up now, data brokers are not required to begin processing deletion requests until August 1st. California privacy officials have emphasized that enforcement will be aggressive, building on existing actions against companies that fail to register as data brokers or comply with statutory obligations.
BUSINESSES NEED TO KNOW: The centralized, state‑run nature of DROP sets it apart from traditional consumer deletion rights and has drawn national attention, with policymakers in states like New York, Connecticut, and Vermont openly considering similar systems. As California prepares for full enforcement later this year, the platform is increasingly viewed as a potential model for other states, and businesses should expect heightened regulatory and operational expectations for data brokers nationwide.
FTC Signals Safe Harbor for Age Verification Under COPPA
The FTC issued a new policy statement clarifying that it will not bring Children’s Online Privacy Protection Act (COPPA) enforcement actions against certain website and online service operators that collect limited personal information from children solely to verify a user’s age—without first obtaining parental consent—so long as strict safeguards are met. The policy applies to general‑audience and mixed‑audience sites using age‑verification technologies only to determine whether a user is under 13 years old. It does not apply to websites or services primarily directed to children, which must continue treating all users as children under COPPA.
To qualify, covered businesses must use age‑verification data only for age determination, retain data no longer than necessary and delete promptly after verification, protect data with reasonable security safeguards, and not repurpose or disclose data for any purpose except to determine a user’s age. Operators must also provide clear notice, limit third‑party sharing to vetted vendors with appropriate safeguards, and otherwise comply with COPPA in all other respects.
BUSINESSES NEED TO KNOW: The FTC is signaling flexibility—not a free pass—when it comes to using age‑verification tools. Businesses operating general or mixed‑audience sites can use age‑verification technologies without first obtaining parental consent if the data collected is strictly limited to age determination and protected by strong guardrails. That means no secondary use of the data, minimal retention, clear disclosures, reasonable security, careful vetting of vendors, and confidence that the technology produces accurate results. Companies considering age‑gating or age‑verification should treat this policy as encouragement to build compliant, privacy‑by‑design solutions now, while keeping an eye on upcoming COPPA rulemaking that could formalize (or narrow) these expectations.
TCPA & TELESERVICES
Fifth Circuit Holds Written Consent Not Required for ATDS or Prerecorded Messages
The Fifth Circuit has ruled that under the TCPA, “prior express consent” may be given verbally or in writing, even for telemarketing calls made with prerecorded messages or an ATDS. In Bradford v. Sovereign Pest Control of Texas, Inc., the court held that the TCPA’s statutory text does not require written consent for prerecorded telemarketing calls and does not distinguish between telemarketing and informational calls for consent purposes.
The court rejected the FCC’s regulatory framework, which imposes a written‑consent requirement for telemarketing calls, as exceeding the statute’s plain language. Citing recent Supreme Court and appellate decisions limiting judicial deference to agency interpretations, the Fifth Circuit emphasized that courts must follow what Congress actually enacted. While the ruling narrows the FCC’s consent distinctions, its practical impact is limited because the FTC’s Telemarketing Sales Rule and many state laws still require written consent for certain types of telemarketing calls, including prerecorded telemarketing calls. Additionally, the decision currently applies only in Louisiana, Mississippi, and Texas, and other circuit courts may continue to rule differently.
BUSINESSES NEED TO KNOW: Aligning with a broader ruling trend, the Fifth Circuit’s decision signals a more text‑focused reading of the TCPA and growing judicial skepticism toward agency interpretations that go beyond the statutory text. However, with the ruling limited to just 3 states and other telemarketing regulations in effect, businesses should continue taking a conservative approach to compliance, ensuring consent is clearly obtained, well documented, and compliant with all applicable federal and state requirements.
Court Rules iPhones Are Not Telephones Under Washington Consumer Protection Law
A federal judge in Washington dismissed a proposed class action against Apple, Best Buy, and Walmart, after ruling that iPhones are not “telephone handsets” covered by the state’s Telephone Buyers’ Protection Act (TBPA). In a decision of first impression, the court held that iPhones instead qualify as “radio equipment,” which the 1984 statute expressly excludes from its disclosure requirements.
The plaintiffs alleged that retailers failed to provide warranty and repair disclosures required under the TBPA. The court rejected that argument, finding that the law was designed to regulate wired landline telephones following the breakup of AT&T—not modern, wireless devices that rely on radio‑based communication. Emphasizing the statute’s plain language and legislative history, the judge concluded that extending the TBPA to smartphones would require legislative action, not judicial interpretation. The case was dismissed with prejudice, though plaintiffs are considering an appeal.
BUSINESSES NEED TO KNOW: While this case involved a telephone buyer statute—not a calling or texting law—the reasoning could influence how courts evaluate state TCPA‑style statutes that predate smartphones, SMS, or app‑based communications. Businesses may increasingly argue that older state laws were never intended to cover modern mobile devices, wireless technologies, or non‑traditional communication channels. For example, cases have increasingly applied the 1960s-era California Invasion of Privacy Act to modern tracking systems such as web browser-based “pixel” capture technologies.
Did you catch this blog? Unlocking the TCPA’s Do Not Call Safe Harbor. Read here.
ADVERTISING & MARKETING
Washington AG Actively Defends CEMA Amid Wave of Retailer Challenges
Washington’s attorney general is taking an increasingly active role in defending the state’s Commercial Electronic Mail Act (CEMA) as national retailers mount constitutional and federal preemption challenges. In recent weeks, the AG has intervened—or announced plans to intervene—in proposed class actions against Ulta and Hanesbrands, underscoring the state’s commitment to preserving CEMA’s broad reach following a key Washington Supreme Court decision.
Both cases allege that the retailers sent Washington consumers marketing emails with misleading subject lines designed to create a false sense of urgency, such as promotions supposedly ending “today” only to be extended days later. After the state supreme court ruled in April that CEMA bans all commercial emails with false or misleading subject lines, defendants have increasingly argued that the 1998 law unlawfully burdens interstate commerce and is preempted by the federal CAN‑SPAM Act. The AG has rejected those claims, maintaining that CEMA applies equally to in‑state and out‑of‑state businesses that email Washington residents and fits squarely within CAN‑SPAM’s exception for state laws that prohibit falsity or deception in commercial email.
BUSINESSES NEED TO KNOW: Washington is all in on defending its anti-spam law, and this AG is not just watching from the sidelines. Moreover, compliance with CAN‑SPAM is not a safe harbor: with the statute’s explicit carve out for laws that prohibit falsity or deception, CEMA survives federal preemption. Careful legal review of email subject lines and promotional timing is essential. With statutory damages of up to $500 per email, even routine marketing campaigns can create outsized exposure if subject lines are aggressive or promotional claims are overstated.
Rawlings Hit with Class Action Over “Upgraded” Bat Marketing Claims
Baseball equipment maker Rawlings is facing a proposed class action in Utah federal court alleging it charged premium prices for “upgraded” and “next‑gen” bats while representing to certification bodies that the bats underwent only cosmetic—or no—material changes. The lawsuit claims this disconnect between Rawlings’ certification submissions and its consumer‑facing marketing misled buyers about whether the bats actually delivered performance improvements.
According to the complaint, Rawlings allegedly relied on a certification pathway that allows approval without new performance testing by attesting that newer models were not materially changed from previously certified bats, even as the company marketed those same models as redesigned or enhanced. The plaintiff argues that reasonable consumers would find it material to know that purported performance upgrades were characterized as cosmetic when seeking certification. The suit seeks damages, injunctive relief, and corrective disclosures for customers who purchased certain bat models over the past four years.
BUSINESSES NEED TO KNOW: This case spotlights the danger of saying one thing to consumers and another to certifying bodies. Marketing products as “upgraded,” “redesigned,” or “next‑gen” can create exposure if those claims conflict with representations that the product underwent only cosmetic or no material changes to obtain certification—even where the certification process itself is technically valid.
Premium pricing and performance‑focused messaging further raise the stakes. Plaintiffs are increasingly arguing that consumers overpaid based on implied performance improvements, and courts may view those claims as material. Companies should pressure‑test whether their advertising accurately reflects what certifications do—and do not—mean, and whether internal regulatory submissions could be used to challenge consumer‑facing claims.
Check out our upcoming webinar! Privacy Watch Series: The New Rules of AI Accountability. Register here.
Learn how we can help keep you in compliance and ahead of the regulatory curve. Let’s Talk
Want to receive Regulatory Roundups right to your inbox? Subscribe.