ADVERTISING & MARKETING
FTC’s Negative Option Rule (Click-to-Cancel) VACATED by Eighth Circuit
Hot off the press! The Eighth Circuit Court of Appeals has vacated the FTC’s amended Negative Option Rule, also known as the Click-to-Cancel Rule, due to procedural errors. With enforcement set to begin in July 2025, the rule was challenged by industry associations, which argued that the FTC exceeded its authority and failed to conduct a necessary preliminary regulatory analysis, as the rule’s economic impact exceeded $100 million. The court agreed, emphasizing the FTC’s failure to comply with procedural requirements under the FTC Act, which mandates a preliminary analysis for rules with significant economic impact. Despite the FTC’s argument that its final analysis and public comments addressed the issue, the court found the omission prejudicial, as it deprived stakeholders of the opportunity to propose less burdensome alternatives. As a result, the prior version of the rule remains in effect, covering only prenotification plans.
BUSINESSES NEED TO KNOW: Although an FTC appeal seems unlikely, businesses should closely monitor changes in state-level automatic renewal laws. Many states have recently updated their regulations on subscription services. It’s crucial to keep up with these varying and frequently changing state laws when developing or assessing consent and opt-out processes for automatically renewing products or services.
Xlear Sues FTC For Overreach in Claims Substantiation Requirements
Nasal spray manufacturer Xlear Inc. has filed a lawsuit against the FTC in Utah federal court, challenging the agency’s authority to demand scientific substantiation for marketing claims that are not explicitly false or misleading. The suit follows the FTC’s dropped enforcement action, which had accused Xlear of misrepresenting studies to promote its Sinus Care spray as protective against COVID-19.
Xlear argues that the FTC is overstepping its statutory bounds by requiring randomized controlled trials (RCTs) as proof, effectively shifting the burden of proof onto companies and chilling their First Amendment rights. The company maintains that its claims are supported by studies on similar formulations and argues it should be able to share this information without fear of regulatory retaliation. Xlear is seeking a court ruling that the FTC Act does not mandate RCTs or substantiation for non-deceptive claims.
BUSINESSES NEED TO KNOW: This case is a wake-up call for companies making health-related claims: the FTC expects more than just good intentions and adjacent science. Even if your marketing isn’t outright deceptive, regulators may still demand rigorous proof—like randomized controlled trials—to back up your statements. Xlear’s challenge could reshape how far the FTC can go in requiring that level of substantiation. Until the courts weigh in, businesses should tread carefully and ensure their claims are not only truthful but also well-supported, especially when public health is involved.
TCPA & TELESERVICES
Supreme Court Resets TCPA Litigation by Ending Deference to FCC Orders
In a landmark decision, the U.S. Supreme Court ruled that district courts are not bound by the FCC’s interpretations of the TCPA, overturning decades of precedent under the Hobbs Act. This ruling, in McLaughlin Chiropractic Associates v. McKesson Corp., allows courts to independently interpret the TCPA, opening the door to widespread legal challenges against long-standing FCC rulings. The case stemmed from a dispute in which McLaughlin Chiropractic challenged the FCC’s 2019 declaration that online faxes are not covered by the TCPA. The Court held that the Hobbs Act does not bar district courts from evaluating the validity of agency interpretations during enforcement proceedings.
This decision builds on the Court’s 2024 ruling in Loper Bright Enterprises v. Raimondo, which overturned the Chevron doctrine, and signals a broader shift toward judicial—not agency—interpretation of federal statutes.
BUSINESSES NEED TO KNOW: The implications of this ruling are enormous. Agency interpretations are no longer a presumed safe harbor, and businesses that are relying on previous favorable FCC guidance may want to revisit those practices. Expect a surge in litigation, especially class actions, as this decision opens the door to broader class eligibility. Expect greater legal uncertainty as well: district courts revisiting and potentially overturning FCC interpretations may produce inconsistent rulings and circuit splits on issues such as consent and online fax liability.
Texas Raises the Stakes on Telemarketing Compliance
Texas has officially enacted Senate Bill 140, significantly expanding the state’s telemarketing laws and taking effect on September 1, 2025. The new law broadens the definition of “telephone solicitation” in the telemarketing registration and call disclosures law to include not just voice calls but also text messages, image messages, and other digital transmissions. It also strengthens enforcement by enhancing private rights of action under multiple sections of the Texas Business & Commerce Code. Consumers can now sue businesses directly under the Texas Deceptive Trade Practices Act (TDTPA) for violations, with the potential for actual, statutory, and even treble damages for willful violations. SB140 allows for repeat violations to result in multiple recoveries but does not resolve how overlapping claims under different statutes will be handled – an ambiguity that opens the door to potentially substantial cumulative damages.
BUSINESSES NEED TO KNOW: SB140 turns up the heat for any business using calls, texts, or digital messages to reach customers in Texas. With an expanded “telephone solicitation” definition and stronger consumer enforcement rights, even a single misstep in your outreach could lead to costly legal consequences. We will be watching to see how courts will interpret and address the overlapping liability under multiple statutes.
FCC Gets Republican Majority – and a Quorum – with Olivia Trusty
Olivia Trusty, a Capitol Hill aide with expertise in telecommunications and security, has been sworn in to the Federal Communications Commission, giving Republicans a 2-1 majority on the regulatory body. The FCC now has a quorum composed of three members, including Chair Brendan Carr and Democratic Commissioner Anna Gomez. Two seats remain vacant, and the Trump administration has yet to nominate additional commissioners.
BUSINESSES NEED TO KNOW: With the FCC now leaning Republican, expect a shift toward policies favoring private sector innovation and more business-friendly regulation. While the commission still lacks a full roster, the new majority could accelerate deregulatory moves and reshape the FCC’s agenda in the coming months.
PRIVACY & DATA SECURITY
Texas Takes Up the AI Governance Torch with TRAIGA
Texas has enacted the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), becoming the most recent U.S. state to pass a comprehensive AI law. Taking effect January 1, 2026, TRAIGA focuses on preventing and responding to harms caused by AI misuse—differentiating itself from Colorado’s risk-based approach. The law introduces several key provisions: disclosure requirements for government use of AI, bans on biometric data collection without consent, and prohibitions against AI systems designed to manipulate behavior, discriminate, or exploit children through means including deepfakes. It also establishes an AI regulatory sandbox program enabling companies to develop and test AI programs in a less stringent regulatory environment, as well as a new Artificial Intelligence Council to oversee implementation.
Notably, TRAIGA includes an “intent” element for enforcement, meaning violations must involve knowing disregard of the law. Penalties can reach up to $200,000 per violation if a violation is not cured within 60 days after notice. It does not allow for private lawsuits.
BUSINESSES NEED TO KNOW: While federal legislators battle over the future of AI regulation nationwide, states are taking steps now to enact their own laws. These laws vary in scope, enforcement mechanisms, and definitions of risk, creating a patchwork of compliance demands for businesses operating across multiple states. Businesses should monitor state-specific developments closely, prepare for overlapping obligations, and anticipate enforcement.
FTC Clarifies Data Security Duties for Auto Dealers Under Safeguards Rule
The FTC has released new guidance to help automobile dealers comply with the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). The Rule mandates that financial institutions, including dealers who finance or lease vehicles, implement robust administrative, technical, and physical safeguards to protect customers’ nonpublic personal information.
The Commission’s Frequently Asked Questions address a range of issues, including which types of nonpublic personal information about financial institution customers fall under the Rule, what elements should be included in written information security programs required by the Rule, and how the Rule’s requirements compare to a dealer’s obligations under the GLBA’s Privacy Rule.
BUSINESSES NEED TO KNOW: Dealers should be aware that, under the Safeguards Rule, a robust information security program is required to protect the nonpublic information a customer has provided when in the dealer’s possession and when processed by the dealer’s service providers. Dealers should be careful to vet their service providers’ data security practices.
New Jersey Proposes Enhanced Data Privacy Regulations
The New Jersey Division of Consumer Affairs has released proposed regulations under the New Jersey Data Privacy Act (NJDPA), making it the third state—after California and Colorado—to implement a comprehensive set of regulations under its consumer privacy framework. These draft rules borrow heavily from California and Colorado but also introduce new layers of specificity that help clarify compliance expectations for businesses. Key provisions include:
- Material Changes Defined & Clarified: The rules provide specific examples of what constitutes a “material change” in data use.
- Record Retention Requirements: The rules specify exactly what records must be kept and for how long, filling a gap left by other states’ more vague requirements.
- Teen Consent Standards: The rules introduce heightened consent obligations for processing sensitive data of teens aged 13–17, including a requirement to refresh consent every 24 months in certain circumstances.
- Targeted Advertising Restrictions: Consent is also required for targeted advertising to teens, signaling a shift toward more protective, age-aware privacy practices.
BUSINESSES NEED TO KNOW: The NJDPA’s proposed rules bring clarity—but also complexity—especially around how businesses handle teen data, manage consent over time, and maintain detailed records. For example, the requirement to refresh consent every 24 months for teens aged 13–17 in certain circumstances adds a recurring compliance task that systems may not be currently built to handle. Public comments on the proposed rules are open until August 1, 2025.