PRIVACY & DATA SECURITY
GM Hit with 20-Year FTC Order Over Alleged Deceptive Connected‑Vehicle Data Practices
The Federal Trade Commission has finalized its enforcement order against General Motors and its OnStar subsidiaries for allegedly misleading consumers and unlawfully collecting and selling precise geolocation and driving behavior data from millions of vehicles. According to the FTC’s complaint, GM used deceptive enrollment flows for OnStar and its Smart Driver feature, failing to clearly disclose that the program harvested sensitive data and shared it with third parties, such as data brokers and consumer reporting agencies, without consumers’ affirmative consent.
Under the final order, GM is banned for five years from sharing consumers’ precise location or driver behavior data with consumer reporting agencies. For the full 20‑year duration of the order, GM must implement extensive privacy reforms, including:
- Obtaining affirmative express consent before collecting, using, or sharing connected‑vehicle data
- Providing all U.S. consumers a way to request copies of their data and request deletion
- Allowing consumers to disable precise geolocation tracking if supported by their vehicle
- Offering an opt‑out mechanism for the collection of geolocation and driving behavior data (with narrow exceptions, such as emergency response)
BUSINESSES NEED TO KNOW: The GM settlement is a clear warning shot: the FTC expects any company collecting sensitive telemetry or location data—whether from cars, devices, or apps—to use transparent onboarding, obtain affirmative opt‑in consent, and give consumers real control, including access, deletion, and opt‑outs. Deceptive enrollment flows and quietly bundled tracking features are enforcement magnets. If your business collects and discloses precise geolocation data or other information that could result in consumer harm, now is the time to audit those data flows, tighten disclosures, and ensure consumers genuinely understand—and affirmatively choose—what you collect and to whom you disclose it.
Supreme Court to Decide Who Counts as a “Consumer” Under the VPPA
The U.S. Supreme Court has agreed to hear Salazar v. Paramount Global, a case that will determine who qualifies as a “consumer” under the Video Privacy Protection Act (VPPA). The decision could resolve a longstanding circuit split and significantly reshape VPPA class‑action litigation.
The case stems from a Sixth Circuit ruling that dismissed a lawsuit against Paramount, finding that a subscriber to its 24/7 Sports digital newsletter was not a VPPA “consumer” because he did not subscribe directly to video content. Other federal appellate courts have taken a broader view, holding that a person qualifies as a consumer if they subscribe to any of a company’s goods or services, even non-video ones.
Although the VPPA was enacted in 1988 to stop video rental stores from disclosing patrons’ viewing histories, plaintiffs have increasingly used it as a vehicle for challenging modern data‑sharing practices—particularly websites that embed tracking technologies transmitting video‑related interactions to third parties like Meta. The Court will now decide whether these plaintiffs must be video subscribers specifically, or whether any customer relationship with a video provider is enough to trigger VPPA protections.
BUSINESSES NEED TO KNOW: A ruling adopting the Sixth Circuit’s narrower interpretation would dramatically reshape businesses’ VPPA liability and could significantly reduce the surge of modern VPPA litigation targeting websites’ data‑sharing practices. Regardless of the eventual ruling, businesses should review current tracking and data‑sharing practices, as tracking pixels and analytics tools on pages that include any video content remain high‑risk. Confirm whether third parties receive information about video views, autoplay events, or device interactions, and obtain clear, opt-in consent for sharing viewing data with third parties.
Judge Greenlights Class Claims Alleging Apple Collected Voiceprints Without Consent
An Illinois judge has certified a class of roughly 3 million Illinois residents alleging that Apple violated the state’s Biometric Information Privacy Act (BIPA) by collecting and storing Siri users’ voiceprint data without proper consent.
According to the lawsuit, when people set up Siri, they are prompted to repeat certain phrases, and Apple analyzes the recordings to create voice “feature vectors” that help identify the speaker. Plaintiffs argue these recordings amount to biometric “voiceprints,” which require clear, informed permission under BIPA – something they say Apple never obtained. Judge Michael Mullen rejected Apple’s arguments that user‑specific differences in Siri activation, device type, or data flows should prevent certification. The court emphasized that these individual variations do not outweigh central, common issues of whether Siri’s voice feature vectors qualify as BIPA‑regulated “voiceprints” and whether Apple failed to secure proper consent.
BUSINESSES NEED TO KNOW: This is an important reminder that voiceprints and voice-derived feature vectors may be treated as biometric identifiers under Illinois’ BIPA, triggering strict consent, disclosure, and data handling requirements. Any business using voice-enabled tools, AI assistants, call center analytics, or speech recognition technologies should assess whether captured voice data may be considered biometric information. If so, now is the time to audit any voice-based technologies, confirm that informed written consent is being obtained, and ensure transparent practices before collecting, analyzing, or storing voiceprint data.
FTC Announces February 26th Workshop on Measuring Data‑Driven Consumer Harm
The FTC will host a workshop on February 26, 2026, titled “Measuring Injuries and Benefits in the Data‑Driven Economy,” focusing on how the agency evaluates consumer harm and benefit arising from the collection, use, and disclosure of personal data. This marks the agency’s first major revisit of the issue since 2017.
Topics will cover:
- How to quantify injuries and benefits to consumers
- The impacts of data breaches on consumers and strategies for reducing harm
- The costs and benefits of behavioral and contextual advertising
- Measuring consumer privacy preferences and decision‑making
This free, public event will be available both online and in person. A webcast link will be posted on the FTC’s event page.
ADVERTISING & MARKETING
New Jersey Hits Apple with Record Penalty Over Repeated In-Store Pricing Violations
Apple will pay a $150,000 civil penalty—the largest ever under New Jersey’s Merchandise Pricing Act—and must change its in‑store practices after investigators found widespread violations across all 11 Apple Stores in the state. The investigation revealed that Apple failed to comply with a 2017 consent order requiring clear and continuously available price information for devices and accessories.
During recent reinspections, investigators found numerous products and accessories with no price displayed on or near them, and several stores failed to post refund policies at required locations. Regulators said Apple’s reliance on digital pricing that required customers to interact with devices still violated state law, which mandates that prices be plainly marked on or near merchandise.
As part of the new consent order, Apple must ensure that all products have clear, conspicuous price markings, cannot require customers to interact with devices to find prices unless they are immediately visible on the device, and must properly display refund policies at designated locations.
BUSINESSES NEED TO KNOW: New Jersey’s action against Apple is a clear reminder that price transparency rules are actively enforced, even against major national brands. The state confirmed that digital or interactive pricing systems do not satisfy requirements under the Merchandise Pricing Act unless prices are immediately visible with minimal interaction, and physical price markings remain mandatory for most products. Businesses operating in New Jersey or other states with robust consumer‑protection laws should ensure that all merchandise displays include clear, conspicuous pricing and that refund policies are posted where customers can easily see them. Moreover, it should go without saying – falling back on noncompliant marketing practices after being warned by regulators is always risky business.
Sonesta Hit with Class Action Over Alleged Hidden Hotel Fees
Sonesta International Hotels Corp. is facing a proposed class action in Massachusetts federal court alleging it uses deceptive “drip pricing” by advertising lower room rates upfront and adding undisclosed fees, such as “destination” and “resort” fees, only at checkout. The plaintiff, a Sonesta Travel Pass member, claims the practice misleads customers under the Massachusetts Consumer Protection Act by luring them in with artificially low prices and then tacking on “junk fees” after they’ve already invested time in the booking process. The lawsuit highlights ongoing regulatory scrutiny of hidden fees: under the Biden administration, the FTC implemented a junk fee rule in May 2025 requiring hotels and event companies to clearly disclose total prices, including mandatory fees, at the start of the transaction. Additionally, states including Oregon, Connecticut, and Colorado have begun implementing their own junk fee laws requiring clear and conspicuous disclosures of terms and additional pricing considerations.
BUSINESSES NEED TO KNOW: With pricing transparency high on the regulatory radar, drip pricing and hidden fees are high‑risk practices. Businesses that advertise a low initial rate but reveal mandatory charges only at checkout risk not only class‑action exposure under state consumer protection laws, but also federal enforcement. Companies should review online and mobile booking flows, ensure all mandatory fees are disclosed clearly before customers begin the transaction, and eliminate any “bait‑and‑switch” pricing structures that could be deemed deceptive.
TCPA & TELESERVICES
FCC Pushes Back TCPA’s “Revoke All” Rule to January 31, 2027
The FCC again postponed the effective date of a portion of its “Revoke All” rule under the TCPA, this time pushing it to January 31, 2027. The delayed portion of the rule would require businesses to treat any reasonable revocation of consent (no matter how it’s delivered or in response to which type of call or text) as a complete revocation of prior express written consent and prior express consent unless an exemption applies. Originally set to take effect in April 2025, this portion of the rule’s implementation was first delayed to April 2026 after financial institutions requested more time to update their systems. As part of a broader October 2025 rulemaking, the FCC sought comments on whether the “Revoke All” standard is too burdensome, and many stakeholders urged further delay. The FCC agreed—saying another extension avoids unnecessary compliance costs while it considers whether to revise the rule.
Importantly, all other TCPA consent‑revocation requirements remain fully in force. This includes: honoring opt‑out requests made through any reasonable method; treating common terms like “stop,” “quit,” “end,” “cancel,” and “unsubscribe” as valid revocations; and recognizing reasonably worded opt-outs even when consumers use non-standard language (e.g., “I don’t want to hear from you anymore”). Revocation and internal do‑not‑call requests must be processed as soon as possible and not later than 10 business days.
BUSINESSES NEED TO KNOW: This portion of the “Revoke All” rule may be delayed, but it’s not dead. Businesses should not assume the rule will disappear; its final form may change, but some version of it is likely to return. In the meantime, it is important to continue honoring revocations of consent in a timely manner and recognizing non-standard opt-outs.
Litigation Trends: TCPA Filings Hold Steady While Class Actions Remain High
The numbers are in and December closed out a busy year for TCPA litigation. Although TCPA filings dipped slightly month‑over‑month, they ended up roughly on par with the previous year (up about 1%), with 2,810 lawsuits filed. Notably, 68% of December TCPA cases were putative class actions, remaining historically high and signaling continued elevated exposure for companies relying on outbound communications.
BUSINESSES NEED TO KNOW: Heightened TCPA risk continues into 2026, especially for class actions. Businesses should ensure airtight consent capture, frictionless opt‑out processes that honor revocations in a timely manner, and strong Do Not Call list management across platforms and vendors. With filing concentrations in courts such as Atlanta, Chicago, Los Angeles, and South Florida, companies should monitor activity in these hotspots and confirm their compliance programs—including lead sourcing, revocation handling, and recordkeeping—are audit‑ready.