PRIVACY & DATA SECURITY
Connecticut Privacy Law Issues its First Enforcement Action
TicketNetwork Inc. became the first company penalized under Connecticut’s Data Privacy Act (CTDPA), which took effect July 1, 2023. The company allegedly failed to correct deficiencies in its privacy notice, including unreadable content, missing consumer data rights, and malfunctioning rights mechanisms, even after receiving a cure notice in November 2023. Despite assurances of compliance, TicketNetwork missed the January 2024 deadline and did not respond to follow-ups, prompting enforcement action.
TicketNetwork will pay an $85,000 fine and has updated its privacy policy to improve transparency, clarity and accessibility, including a dedicated privacy page, clearer formatting, and easier opt-out options. The company will also maintain metrics for consumer rights requests received under the statute and provide a report of these metrics to the attorney general.
BUSINESSES NEED TO KNOW: Timely compliance matters. The CTDPA’s “right to cure” provision allowed companies a 60-day grace period to fix alleged violations after notice from the Attorney General, but that cure period sunset on January 1, 2025. Most state privacy laws offer a 30 to 60-day cure period, and the cure period in about half of those states will expire in the next two years, like the CTDPA. The right to cure is meant as a safety net, not a crutch, and failing to comply may result in penalties without prior notice.
One last thing: ignoring a regulatory notice or request won’t make it vanish. Treat these communications with the seriousness they deserve. Most times, prompt and thoughtful responses can prevent minor issues from escalating into major challenges.
Healthline Media Fined $1.55M in California’s Largest CCPA Privacy Settlement
California’s Attorney General announced a landmark $1.55 million settlement with Healthline Media LLC, marking the largest financial penalty to date under the California Consumer Privacy Act (CCPA). The case centered on Healthline’s sharing of user browsing data – specifically, the titles of health-related articles – with ad network partners, enabling advertisers and other third parties to infer medical diagnoses and other sensitive health information about users. Although Healthline does not directly collect health data, the Attorney General argued that the site’s practices violated the CCPA’s purpose limitations. Healthline also allegedly failed to honor requests to opt out of targeted advertising and did not implement CCPA-required contracts with third parties and service providers.
The settlement includes a novel term that prohibits Healthline from sharing information that can associate a specific consumer with an article title that could suggest they have been diagnosed with a disease. It also requires the company to improve its privacy disclosures, honor privacy requests, and establish a compliance program.
BUSINESSES NEED TO KNOW: California’s unique privacy framework does not require consent for processing sensitive health data but does mandate that consumers be allowed to limit its use and opt out of its sale. The AG’s interpretation of the CCPA’s purpose limitation principle underscores the importance of data minimization and transparency, especially when handling sensitive information. Businesses should also be mindful of the growing scrutiny of online tracking technologies, especially those that operate invisibly and transmit personal data without user awareness.
California Finalizes Privacy Rules on Automated Decision-Making and Risk Assessments Under CCPA
On July 24th, the California Privacy Protection Agency (CPPA) approved a comprehensive rulemaking package that updates the California Consumer Privacy Act (CCPA) with new regulations on automated decision-making technology (ADMT), cybersecurity audits, and risk assessments. The rules, shaped by over a year of public debate and revisions, notably removed references to artificial intelligence and behavioral advertising, while expanding the scope of ADMT usage.
Among other provisions, businesses using ADMT for a “significant decision,” such as those affecting employment, housing, or healthcare, will need to provide clear disclosures before use, allow ADMT opt-outs when technology replaces or substantially replaces human decision-making, and allow rights to know about, and appeal, decisions made using ADMT. The regulations also introduce mandatory cybersecurity audits for certain businesses that pose significant risks to consumer data, a standard based on how much annual revenue is derived from selling or sharing personal information or based on revenue plus other data volume thresholds. Certification of cybersecurity audit completion is due to the CPPA by April 1 each year. Risk assessments are required for activities such as selling or sharing personal data, processing sensitive data, using ADMT for significant decisions, and profiling in employment or education contexts.
BUSINESSES NEED TO KNOW: The rules will take effect beginning January 1, 2027. While the new regulations impact all businesses subject to the CCPA, businesses that use ADMT for significant decisions will face the most compliance obligations. As businesses continue to rapidly integrate AI into processes, regulatory obligations are starting to multiply and take effect.
We will be sharing a complete breakdown of these new regulations soon.
Minnesota’s Comprehensive Privacy Law Takes Effect
The Minnesota Consumer Data Privacy Act (MCDPA) is now in effect, bringing comprehensive privacy rights for Minnesota residents to access, correct, delete, and opt out of data sales and targeted advertising. Similar to other comprehensive privacy laws, covered businesses are required to:
- Provide a clear privacy notice that details the categories and purpose of personal data being processed, third-party sharing, data retention policies, and how consumers can exercise their privacy rights
- Apply data minimization practices that limit collection to only what is “adequate, relevant, and necessary”
- Implement a robust data security protocol governing administrative, technical and data security practices, including maintaining an inventory of the data being managed
MCDPA has a few novel requirements as well, including an extended right to know that allows consumers to request a list of third parties to whom their personal information was disclosed, and the maintenance of a policy documenting processes and procedures to comply with the MCDPA. There is no private right of action and enforcement lies with the Minnesota Attorney General, who may issue civil penalties up to $7,500 per violation after a 30-day cure period following a warning letter. However, after January 31, 2026, no warning letter will be required prior to initiating an enforcement action.
BUSINESSES NEED TO KNOW: If your business was complying with other state privacy laws in effect prior to the MCDPA, it is likely in substantial compliance with the MCDPA. Now is the time to implement processes and strategies to comply with the nuanced MCDPA requirements. The Minnesota Attorney General maintains helpful MCDPA resources that are worth checking out.
TCPA & TELESERVICES
Supreme Court Ruling Sparks Divergent Interpretations of TCPA Texting Rules
It was just in June that the U.S. Supreme Court ruled in McLaughlin Chiropractic Associates, Inc. v. McKesson Corp. that federal district courts are not bound to defer to the FCC’s interpretations of the TCPA during enforcement proceedings, setting the stage for conflicting rulings on TCPA-related matters. We now have an immediate judicial divergence – on the same day, no less.
Two different federal courts issued conflicting rulings on whether text messages qualify as “calls” under the TCPA. In both cases, plaintiffs alleged that the defendants violated the TCPA by sending unsolicited text messages in violation of the TCPA’s do not call provisions. In Jones v. Blackstone Medical Services, the court ruled that text messages are not telephone calls under the TCPA, emphasizing that texting technology did not exist when the TCPA was enacted in 1991 and that modern usage distinguishes texts from calls. Conversely, in Wilson v. Skopos Financial, the court upheld the FCC’s authority to include texts within the TCPA’s scope, arguing that the statute’s structure and congressional intent support evolving interpretations aligned with technological advancements.
BUSINESSES NEED TO KNOW: The contradictory rulings underscore the legal uncertainty now facing sellers and telemarketers. We anticipate a continued wave of TCPA lawsuits and challenges to other agency interpretations as plaintiffs are emboldened to pursue claims previously thought barred by FCC rulings. Businesses must continue to monitor case law developments and adjust compliance strategies as necessary.
FTC Settlements Spotlight Deceptive Telemarketing and Lead Generation
In its recent enforcement actions, the FTC has taken significant steps against Assurance IQ, LLC and MediaAlpha, Inc. for engaging in deceptive practices related to telemarketing and lead generation. Assurance IQ, LLC, allegedly employed misleading telemarketing tactics to sell health plans, deceiving consumers about the costs and benefits associated with these plans. As a result, the FTC imposed a hefty $100 million judgment against Assurance IQ. The order also prohibits the company from making false claims about health plans and mandates that they substantiate any claims with reliable evidence.
Similarly, MediaAlpha, Inc. was penalized for using misleading websites and advertisements to gather consumer information, which it then sold to businesses that it knew did not offer the advertised products and services. The result: millions of unwanted and deceptive telemarketing calls. The FTC’s judgment against MediaAlpha amounts to $45 million. The order bars the company from making false claims and requires them to implement robust monitoring practices and obtain explicit consumer consent before collecting personal information.
BUSINESSES NEED TO KNOW: The FTC’s recent actions highlight the vital importance of transparency in marketing practices. It is illegal to make false or misleading claims about your products or services, identity, affiliations, or how consumer data will be used. Integrity in every consumer interaction is the key, not only for regulatory compliance but for consumer trust.
ADVERTISING & MARKETING
FTC Warns Companies Over Misleading “Made in USA” Claims
The FTC issued warning letters to four companies—Americana Liberty, Oak Street Manufacturing, LLC, Pro Sports Group LLC, and USA Big Mountain Paper Inc.—for potentially deceptive “Made in USA” product claims. The FTC reminded these businesses that such labels must mean products are “all or virtually all” made in the U.S., as required by the FTC Act and the Made in USA Labeling Rule.
The FTC also sent letters to Amazon and Walmart regarding third-party sellers on their platforms who may be violating these rules. The Commission emphasized that misleading origin claims not only breach federal law but may also violate marketplace terms of service. Companies failing to comply with these laws could face federal lawsuits, civil penalties, injunctive relief, or other legal actions.
BUSINESSES NEED TO KNOW: FTC Chairman Andrew Ferguson has proclaimed July as “Made in America” month. With the current administration’s focus on “America First,” businesses should anticipate increased scrutiny and enforcement regarding U.S. origin claims in marketing. Be sure that such labels comply with strict FTC standards and accurately reflect the origin of all significant components or processing. Review labeling practices, maintain clear documentation of sourcing and manufacturing processes, and train marketing teams on compliance to avoid legal challenges.
Judge Denies J.Jill’s Arbitration Bid in False Pricing Class Action
A California federal judge rejected J.Jill’s attempt to compel arbitration in a proposed class action alleging deceptive pricing practices on its website. The plaintiff, Annette Cody, claimed the retailer violated California consumer protection laws by advertising false and fictitious reference prices to create the illusion of discounts. Although J.Jill argued that Cody agreed to arbitration by placing an online order, Judge Todd W. Robinson ruled that the guest checkout process did not provide clear and conspicuous notice of binding terms, distinguishing it from cases involving ongoing customer relationships.
The court emphasized that website owners bear the responsibility of clearly informing users of binding terms. Despite the disclosure statement being visibly placed and Terms of Use hyperlinked near the “Place Order” button, the judge found the context of Cody’s one-time transaction insufficient to enforce the agreement.
BUSINESSES NEED TO KNOW: Context matters, and courts may consider the nature of a transaction in evaluating whether a user is bound by its terms and conditions. In this case, it all came down to the consumer conducting their purchase through a guest checkout mechanism rather than creating an account with the retailer. With plaintiff’s counsel calling it a “how-to manual” for challenging unfair digital contracts, this ruling may influence future litigation around online terms and conditions. Businesses offering their products or services online should take steps to ensure that consumers are made aware of, or have the opportunity to view, all material terms relevant to the transaction.
AI Income Scheme Lands Owner $15M Settlement and Decades of FTC Scrutiny
A New Jersey-based e-commerce coaching firm owned by Bratislav Rozenfeld will pay more than $15 million to settle an FTC lawsuit alleging deceptive marketing of AI-driven success through online storefronts. Rozenfeld and his company, FBA Machine (formerly Passive Scaling), are permanently banned from promoting business opportunities and from using contract clauses that limit or penalize consumers for leaving negative reviews in violation of the Consumer Review Fairness Act. The settlement also includes surrendering frozen assets and proceeds from a Florida property sale, which will go to consumer redress.
This enforcement action is part of the FTC’s broader Operation AI Comply initiative, which targets misleading and fraudulent claims about AI-powered products and services. As part of the agreement, Rozenfeld and the defendant company must submit annual compliance reports for 20 years, maintain detailed records of customer interactions, advertising materials and complaints, and cooperate with FTC oversight.
BUSINESSES NEED TO KNOW: Businesses that skirt the law, play in the gray zone, or even unintentionally find themselves on the wrong side of regulations can learn the hard way that enforcement actions may encompass much more than a fine and some quick remediation, including long-term agency scrutiny. Whatever his future business endeavors look like, this individual now faces 20 years of FTC oversight.