PRIVACY & DATA SECURITY
Supreme Court Rules Geofence Warrants Trigger Fourth Amendment Protections
The Supreme Court has ruled that geofence warrants, which compel technology companies to hand over location data for all mobile devices within a specified area during a defined time window, constitute a search under the Fourth Amendment. The case involved a 2019 Virginia bank robbery in which police served Google with a geofence warrant seeking location history data for all devices within the crime scene perimeter in the hour before and after the robbery. Writing for the majority, Justice Kagan held that law enforcement invades a cell phone user’s reasonable expectation of privacy when it accesses location history data, regardless of how short the time period or the fact that the data was held by a third party. The case was remanded to a lower court to reconsider whether the warrant met constitutional standards.
The decision extends the Court’s existing skepticism of broad government access to digital location data and deals a significant blow to a surveillance tool law enforcement has relied on heavily in recent years. It also reinforces that the third-party doctrine, the longstanding legal principle that information voluntarily shared with a third party carries no reasonable expectation of privacy, has real limits when it comes to sensitive digital data.
BUSINESSES NEED TO KNOW: This decision has practical implications that go well beyond law enforcement and touch directly on how businesses manage government data requests and the contractual commitments they make to their own clients. If your privacy policy or customer-facing contracts state that you will only share data in response to lawful government requests, this ruling raises the stakes on what “lawful” actually means. A geofence warrant that does not satisfy Fourth Amendment requirements is not a lawful request. Depending on your contracts and privacy commitments, you may now have an affirmative obligation to push back rather than simply comply.
Data processing agreements with clients that commit to processing data only to the extent required by law deserve a fresh look as well. Businesses should be asking whether a government request actually clears that bar before responding, not just assuming that a warrant, subpoena, or other request on its face, is sufficient. If your contracts obligate you to coordinate with your client prior to responding to government requests received relating to data you process on their behalf, review and update your policies and procedures for such coordination.
Washington AG Says How Not to Notify Customers of a Data Breach
Four years after a data breach exposed the personal information of more than 79 million people nationwide, T-Mobile is still dealing with the legal fallout. The Washington Attorney General has filed a motion for partial summary judgment arguing that T-Mobile’s breach notifications to affected customers violated the state’s Consumer Protection Act on two independent grounds: wrong delivery method and wrong content. According to the motion, Washington law requires breach notifications to be sent by email, but current customers received only text messages. The required content, including the type of information exposed, the timeframe of the breach, and credit reporting agency contact information, allegedly was absent entirely.
The more damaging allegation is that the notifications were affirmatively misleading. Rather than telling customers what data had been compromised, T-Mobile’s messages emphasized what had not been exposed, a framing the Attorney General characterizes as deliberately downplaying the breach’s scope. The state’s underlying lawsuit, filed in early 2025, also alleges T-Mobile had ignored known cybersecurity vulnerabilities in the years leading up to the breach. If granted, the summary judgment motion would resolve the notification claims and streamline the remaining issues for trial.
BUSINESSES NEED TO KNOW: T-Mobile’s purported notification failures offer a useful compliance checklist in reverse. State breach notification laws are specific about form and content. Getting either wrong, even if the notification goes out promptly, can itself become the basis for an enforcement action. More importantly, this case makes clear that crafting notifications to emphasize what wasn’t exposed rather than what was is not a defensible communications strategy, it is a potential legal violation.
For those who think a breach eventually fades from regulatory view, note that T-Mobile’s 2021 incident is still generating active litigation in 2026. Data breach liability has a long tail, and the decisions made in the immediate aftermath of an incident, including how and what you communicate to affected consumers, will be scrutinized long after the headlines have moved on.
That Quiet Bot in the Corner of Your Meeting Could Be a Legal Liability
AI notetaking tools like Otter.ai and Fireflies have become fixtures in virtual meetings, but a wave of class action lawsuits is forcing businesses to reckon with a question that most never stopped to ask: did everyone in that meeting actually consent to being recorded? The answer depends heavily on where participants are located. While federal law requires only one-party consent, twelve states including California, Illinois, Florida, and Massachusetts require all-party consent before a recording begins. In an all-party consent state, a single unannounced AI notetaker can expose both the person who activated the tool and the meeting host to significant liability.
The risks extend beyond wiretapping law. AI tools that identify speakers by voice characteristics may be collecting biometric data subject to Illinois BIPA, for example. Meeting hosts also face exposure when attendees bring their own notetakers, since default platform settings typically place consent responsibility on the account holder, not the bot itself. And when AI tools process meeting audio through third-party servers, privileged communications and trade secrets can be inadvertently exposed.
BUSINESSES NEED TO KNOW: M&S Partner Josh Stevens breaks down the full scope of the risk and what businesses should do about it. Read the full blog post here.
Supreme Court Upholds FCC’s Authority to Fine Carriers for Privacy Violations
The Supreme Court handed the FCC a significant enforcement victory, ruling 8-1 that the agency’s authority to issue monetary penalties does not violate the Seventh Amendment right to a jury trial. The decision clears the way for nearly $200 million in fines against the Big Three wireless carriers for failing to protect consumer location data. The carriers had challenged these fines on constitutional grounds following the Court’s 2024 Jarkesy decision, which sharply curtailed the SEC’s ability to impose penalties through in-house proceedings.
The Court’s reasoning turned on the nonbinding nature of FCC forfeiture orders. Because the orders can only be enforced through a Department of Justice civil suit, where the penalized party has the right to contest the fine through a de novo jury trial, the majority found no constitutional violation.
BUSINESSES NEED TO KNOW: The practical takeaway here is straightforward: the FCC’s enforcement toolkit is intact, and the agency has made clear it intends to use it. The carriers’ constitutional challenge was a high-stakes bet that did not pay off for them with regard to the penalties they already paid but provides clarity for businesses facing forfeiture orders moving forward. More broadly, this decision reinforces that consumer data privacy obligations imposed by federal regulators carry real financial consequences that courts will uphold. If your business is subject to FCC jurisdiction, compliance with its data privacy and consumer protection rules is not a negotiable line item.
Did you catch the latest webinar in our Privacy Watch series? Check it out!
TCPA & TELESERVICES
Intent Over Language: Ninth Circuit Reinstates TCPA Suit Against Keller Williams
The Ninth Circuit has reinstated a TCPA class action against Keller Williams Realty and an Arizona real estate solutions company, ruling that calls and texts asking a homeowner whether she had “given up on selling” her property were telephone solicitations under the TCPA, even though the messages never explicitly offered a product or service for sale. The court vacated the district court’s dismissal, finding that the plaintiff had pled sufficient facts to show the communications were designed to encourage the purchase of real estate brokerage services, which satisfies the statutory definition regardless of how the pitch is framed.
The panel leaned on its 2012 Chesbro decision, which established that a message need not explicitly reference a good or service to qualify as a solicitation — the implication is enough. The defendants argued the messages were merely inquiries about buying the plaintiff’s home, not solicitations, and that any potential purchase of brokerage services was too speculative and future-oriented to trigger the TCPA. The Ninth Circuit was unmoved, finding that one purpose of the communications was to ultimately encourage the eventual purchase of brokerage services, which turned the communications into solicitations sufficient to survive dismissal.
BUSINESSES NEED TO KNOW: This case is a useful reminder that TCPA solicitation liability does not hinge on explicit sales language. If the purpose of a call or text, even one framed as an inquiry or offer to buy, is ultimately to steer the recipient toward purchasing your services, courts will look past the framing to the underlying intent. Businesses in real estate, home services, and any industry that uses outreach to generate leads for downstream service sales should treat those communications as solicitations under the TCPA and comply accordingly. Do Not Call registry scrubbing, proper consent, and documented compliance procedures are not optional just because your script does not contain a direct sales pitch.
Two Providers, One Clear Message: The FCC Will Pull the Plug on Robocall Enablers
Two recent FCC enforcement actions make clear that voice service providers who fail to actively police illegal robocall traffic on their networks do so at the risk of losing their ability to operate in the United States entirely. In the first case, Montana-based SK Teleco was permanently removed from the Robocall Mitigation Database after transmitting millions of scam calls impersonating Walmart employees. These calls prompted recipients to press 1 to cancel a fictitious order, at which point callers were phished for Social Security numbers and other personal information. SK Teleco had been warned, did nothing, and then made matters significantly worse by rerouting the traffic to another provider in an apparent attempt to avoid detection. The FCC’s response was to require all downstream providers and carriers to block their traffic entirely.
The second case involves Denver-based Digital Solutions, which is potentially facing the same fate if it does not cure deficiencies in its Robocall Mitigation Database filings within a two-week deadline. The FCC traced 51 illegal robocalls back to Digital Solutions through USTelecom’s Industry Traceback Group, including calls falsely promising preapproved loans and IRS relief programs. Digital Solutions responded to the agency’s outreach but failed to provide investigation results, confirm it was blocking the identified traffic, or explain how it planned to prevent similar calls going forward. That incomplete response was not enough to satisfy the FCC, and the company was put on notice that a final determination order is coming if it does not adequately address the agency’s concerns.
BUSINESSES NEED TO KNOW: These two cases reflect a deliberate and escalating FCC enforcement strategy: providers that transmit illegal robocall traffic and cannot demonstrate they are actively working to stop it will be cut off from the U.S. network. The message from Enforcement Bureau chief Patrick Webre has been explicit that providers must actively police the traffic on their network, and the agency is deploying new tactics to make sure that happens. For voice service providers, maintaining current and complete Robocall Mitigation Database certifications is not just a paperwork exercise. When the FCC comes calling with questions about illegal traffic, a vague or incomplete response may be almost as damaging as no response at all.
ADVERTISING & MARKETING
Kalshi Skips the NAD Process and Lands on Regulators’ Radar
The National Advertising Division, a self-regulatory body operated under BBB National Programs that reviews advertising complaints and monitors marketing practices across industries, has referred prediction market platform Kalshi to regulators for possible enforcement action after the company declined to participate in an inquiry into its influencer marketing practices. The NAD opened its investigation following credible public reporting that influencers promoting Kalshi had not clearly disclosed their financial ties to the platform, potentially running afoul of the FTC’s endorsement and testimonials guidelines. When Kalshi declined to engage, the NAD referred its concerns to relevant state attorneys general, the FTC, and certain social media platforms. Kalshi has said it complies with all applicable advertising laws and has since strengthened its communications with influencers on the topic.
Prediction market platforms have exploded in popularity in part through aggressive social media promotion, and scrutiny of their marketing practices is one of several regulatory fronts the industry is currently navigating, including challenges from state gaming regulators and ongoing jurisdictional disputes before multiple federal circuit courts.
BUSINESSES NEED TO KNOW: One thing worth noting about the NAD: despite operating under the BBB umbrella, it is a private organization and not a government agency. Many consumers and businesses don’t realize that, which is part of what makes it influential. The NAD has cultivated strong relationships with FTC staff and state attorneys general over many years, and its referrals are taken seriously by the regulators who actually do have enforcement authority.
Will this particular referral result in an FTC or state AG action against Kalshi? Possibly. But the real takeaway here is that declining to engage with the NAD process rather than addressing its concerns head on is the kind of decision that signals to regulators that a company is not taking compliance seriously. For any business using influencer or affiliate marketing, take note: your promoters’ disclosures and statements are your responsibility, the FTC’s endorsement guidelines apply regardless of your industry, and when the NAD comes calling, engaging is nearly always the smarter answer vs. walking away.
New Jersey Joins the Growing State War on Junk Fees
New Jersey has launched a coordinated executive initiative targeting hidden and excessive consumer fees, with Governor Sherrill signing an executive order directing all state agencies to identify junk fee practices in the industries they regulate and report recommendations by September 14. The order is paired with a seven-page enforcement statement from Attorney General Davenport making clear that certain fee practices may already violate New Jersey’s Consumer Fraud Act, one of the strongest consumer protection statutes in the country. The initiative explicitly positions itself as a response to the Trump administration’s rollback of federal consumer protection enforcement at the CFPB and FTC.
The enforcement statement identifies specific conduct in its crosshairs: bait-and-switch pricing that excludes mandatory fees from advertised prices, hiding costs in fine print or deceptively designed interfaces, misrepresenting whether a fee is mandatory, and tacking on vague or overpriced fees that provide little value to consumers. New Jersey has been building toward this moment for months, with prior enforcement actions targeting rental application fees, hotel and short-term rental pricing ahead of the FIFA World Cup, and a multistate lawsuit against subprime lender OneMain Financial over hidden loan fees.
BUSINESSES NEED TO KNOW: New Jersey is not acting alone, it’s just the most visible current example of a coordinated state-level consumer protection movement that includes Illinois, Connecticut, Colorado, and Massachusetts, all of which have adopted new fee-related rules or legislation since early last year (though many of these rules have yet to take effect). Businesses that operate across multiple states and use any form of add-on, surcharge, or tiered pricing should treat New Jersey’s enforcement statement as a compliance checklist worth reviewing regardless of where they are headquartered. The specific practices the AG has flagged — drip pricing, buried fees, misleading fee descriptions — are not unique to New Jersey law, and similar conduct is drawing scrutiny in every state that has stepped up its consumer protection posture. Businesses that designed their fee practices around a permissive federal environment should not assume that environment extends to the states where their customers actually live.
Hear more about these topics and other consumer protection updates in our most recent ComplianceTalk episode.
A $60 Refund Dispute Becomes a California Class Action Against Mint Mobile
Mint Mobile is facing a proposed class action in California over allegations that it advertised discounted home internet pricing to existing customers and then refused to honor it. The plaintiff, a Los Angeles resident and longtime Mint Mobile customer, says he responded to a targeted email offering MINTernet home internet service at $25 per month for twelve months. When he called to enroll, a customer service representative told him the offer had expired and charged him $360 instead of the advertised $300, but promised a $60 refund. The refund never came. When he followed up, he was told he had never been eligible for the discount in the first place because it required simultaneously opening a new mobile account, a limitation that appeared nowhere in the email he received or in his initial conversation with the company.
The complaint alleges violations of California’s Consumer Legal Remedies Act, its Business and Professions Code, the federal False Advertising Law, and common law fraud. The proposed class covers California residents who received similar targeted communications promising discounts and were either charged more than advertised or denied the promised discount entirely.
BUSINESSES NEED TO KNOW: In class action litigation, the size of the original grievance is less important than how many customers had the same experience. Mint Mobile’s exposure arose not from a deliberate fraud scheme, but from a gap between what a marketing email promised, what a customer service representative said on a call, and what the company’s back-end eligibility rules actually allowed. That is precisely the kind of disconnect a disciplined quality assurance and auditing process is designed to catch before it reaches a customer.
It doesn’t matter how well-crafted your pricing policies and terms of service are if the people executing them, the marketing materials promoting them, and the back-end systems implementing them are not aligned with those policies in practice. Businesses that regularly audit those concerns and follow through on commitments made during the sales process are far less likely to find a single unhappy customer turning into a proposed class of thousands.
Learn how we can help keep you in compliance and ahead of the regulatory curve. Let’s Talk
Want to receive Regulatory Roundups right to your inbox? Subscribe.