PRIVACY & DATA SECURITY
Ninth Circuit Clears Path for Enforcing Portions of California’s Kids’ Privacy Law
The Ninth Circuit has partially lifted an injunction blocking California’s Age‑Appropriate Design Code Act (CAADCA), allowing key parts of the nation‑leading children’s privacy law to move forward. The court ruled that tech trade group NetChoice is unlikely to succeed on its First Amendment challenge to the law’s broad coverage of services “likely to be accessed by children” and its requirement that companies estimate users’ ages with reasonable certainty. As a result, those provisions may now be enforced.
However, the court left the injunction in place for provisions restricting how companies may use children’s data and banning so‑called “dark patterns” designed to nudge children into sharing unnecessary personal information or staying engaged longer. Further proceedings in the district court will determine the fate of these remaining blocked provisions.
BUSINESSES NEED TO KNOW: Practically speaking, what does this mean for businesses? We see four important takeaways:
- The law is not just about social media. The ruling emphasized that CAADCA can apply to a wide range of online services, including fintech, ticketing, fitness, education, and health, if they are “likely to be accessed by children.”
- Applicability analysis matters more than labels. The court made clear that whether a service is “likely to be accessed by children” turns on data and design signals, not whether a company considers itself “child‑directed.”
- Age‑related decision‑making is under scrutiny. With enforcement of the law’s age-estimation requirement back in play, covered businesses may need to assess user age with a “reasonable level of certainty,” even as litigation continues. Businesses should be prepared to justify how they assess age‑related risk and compliance obligations.
- Prepare, don’t wait. Businesses with products or services that attract under‑18 users should reassess applicability, data practices, and design choices as enforcement risk continues to evolve with portions of the law in effect during the pendency of NetChoice’s challenge.
CalPrivacy Fines Ford for Adding Friction to CCPA Opt‑Out Process
The California Privacy Protection Agency Board approved a settlement requiring Ford Motor Company to pay a $375,703 fine and change its data privacy practices after finding that the company violated the CCPA by making opt‑out requests unnecessarily burdensome. CalPrivacy alleged that Ford required consumers to verify their email addresses before opting out of the sale or sharing of personal information, creating an unlawful friction that prevented some requests from being processed. Under the CCPA, opting out must be simple and cannot be conditioned on identity verification.
In addition to the monetary penalty, Ford must revise its opt‑out process to minimize steps, audit its website tracking technologies, and comply with opt‑out preference signals such as the Global Privacy Control.
BUSINESSES NEED TO KNOW: California regulators are closely scrutinizing whether opt‑out mechanisms are truly easy to use, and any unnecessary steps, such as requiring identity or email verification, can violate the CCPA. Businesses should review their opt‑out flows across websites, apps, and connected products to ensure requests are honored immediately and without friction, and confirm technical compliance with opt‑out preference signals like the Global Privacy Control. The enforcement action also underscores that UX and design decisions, not just data management practices, can drive regulatory penalties.
Oklahoma Enacts 20th State Comprehensive Privacy Law
Oklahoma has become the 20th state to enact a comprehensive consumer data privacy law, with Senate Bill 546 taking effect January 1, 2027. The new law grants consumers rights to access, correct, delete and obtain copies of their personal data, as well as opt out of the sale and sharing of their personal data, including for targeted advertising and profiling purposes.
SB 546 also requires covered businesses to provide transparent privacy notices, maintain reasonable data security practices and obtain consent before processing sensitive personal information. It features a permanent 30‑day cure period for alleged violations, broad exemptions for nonprofits and employee data, and comparatively limited heightened protections for minors by defining “children” as those under 13.
BUSINESSES NEED TO KNOW: Unlike more stringent privacy regimes in states such as California and Maryland, Oklahoma’s law is widely viewed as more business‑friendly. We expect that businesses already in compliance with other state privacy laws will likely need only modest updates to meet Oklahoma’s requirements.
TCPA & TELESERVICES
FCC NPRMs Signal a New Era of Robocall Enforcement
At its March 26 Open Meeting, the FCC advanced two proposed rulemakings that would significantly expand its robocall enforcement playbook. Rather than focusing only on call content or consent, the FCC is moving “upstream” to target foreign call centers, access to telephone numbers, and the infrastructure that enables outbound calling.
One proposal places heightened scrutiny on foreign call centers, with potential requirements ranging from English‑language proficiency standards and limits on offshore call volume to mandatory consumer disclosures, transfer rights to U.S. call centers, and strict rules on handling sensitive data. U.S. companies using offshore resources could also face new compliance tracking and reporting obligations, increasing regulatory exposure for global customer service operations.
The second proposal focuses on how telephone numbers are obtained, resold, and managed. The FCC is signaling that poor numbering practices, including layered resale arrangements and rapid number rotation, may themselves become enforcement triggers. Proposed changes to the Numbering Resource Utilization/Forecast (NRUF) reporting and reseller transparency could require providers and calling platforms to reassess wholesale relationships and tighten oversight. Taken together, the proposals suggest a fundamental shift: numbering and call routing practices are now front‑and‑center compliance risks, not back‑office details.
BUSINESSES NEED TO KNOW: Taken together, the proposed rule changes suggest a fundamental shift: numbering and call routing practices are now front‑and‑center compliance risks, not back‑office details. The FCC is seeking comments on these proposals, and businesses and trade associations should consider submitting feedback, with particular focus on where the rules could create significant operational burdens or unintended consequences. If you’re wondering how these NPRMs affect your calling practices or would like help submitting comment, please reach out.
Eighth Circuit Reinforces Arbitration as a TCPA Risk Tool
A recent Eighth Circuit decision highlights the continued power of well‑drafted arbitration clauses for businesses using SMS and phone outreach. In VonDeylen v. Aptive Environmental, the court required a former customer’s TCPA claims over post‑termination text messages to proceed in arbitration—reversing a lower court and emphasizing that broadly worded arbitration provisions, paired with survival clauses, can remain enforceable long after a customer relationship ends.
The decision comes amid a rise in TCPA disputes involving texts and calls sent months or years after services conclude. As businesses increasingly rely on account‑related messaging, re‑engagement efforts, and automated communications, and plaintiffs continue to test the limits of arbitration language, courts are being asked more and more to decide whether post‑termination communications are still “related to” an underlying agreement. The ruling offers practical guidance for companies on how thoughtful agreement language can help manage TCPA litigation risk, even years after services conclude.
BUSINESSES NEED TO KNOW: How well would your customer agreements hold up to a challenge like this? Smart drafting can mean the difference between defending a costly TCPA class action in court and resolving a dispute on far more favorable terms. Don’t wait for a dispute to arise…pressure‑test your agreements now with a focus on arbitration scope, survival language, and enforceability.
No More Grace: FCC Uniform Call‑Blocking Notification Rule Fully in Effect
Effective March 25th, the FCC’s transition period for its new uniform call‑blocking notification rule ended and full compliance is now required. Under the FCC’s Eighth Report and Order, voice service providers must now use SIP Code 603+ as the exclusive method for notifying callers when voice calls are blocked based on “reasonable analytics.” Unlike legacy SIP codes, 603+ displays as “Network Blocked” and provides standardized information identifying the blocking provider, so legitimate callers know when a call was blocked, why it happened, and how to seek redress. The order also expands Do‑Not‑Originate (DNO) blocking obligations across the call path, reflecting the FCC’s continued focus on stopping illegal calls earlier in the network.
BUSINESSES NEED TO KNOW: If your outbound calls are being blocked, you’re now entitled to know that they were blocked—and how to fix it—but only if your providers are actually compliant. Businesses should confirm that their voice service providers are fully implementing SIP Code 603+, understand how blocking notifications and redress requests will be handled, and review contracts to ensure providers are contractually obligated to support FCC‑mandated transparency. If your agreements are silent or outdated, you may be left in the dark when legitimate calls fail to reach customers.
Federal Court Rejects FCC’s Written‑Consent Requirement for Telemarketing Calls
A Maryland federal judge has ruled that the TCPA does not require telemarketers to obtain “prior express written consent,”only “prior express consent,” in decertifying a proposed class action against a dental plan marketer. Echoing recent appellate decisions, including a Fifth Circuit ruling earlier this year, the court concluded that Congress did not clearly authorize the FCC to impose a written‑consent requirement for marketing calls.
The decision reflects the broader post‑Loper Bright landscape, in which courts are reassessing long‑standing FCC interpretations of the TCPA and declining to defer to agency rules that go beyond the statute’s text. While the court acknowledged that written consent may be a sensible policy choice, it emphasized that expanding statutory consent requirements is not a decision for the FCC, but for Congress.
BUSINESSES NEED TO KNOW: This ruling adds to a growing body of case law narrowing the FCC’s authority to “fill in the gaps” of the TCPA and may complicate class certification efforts in telemarketing cases. But it does not eliminate risk. Written consent remains a regulatory requirement in other contexts (including texts and prerecorded calls), and plaintiffs’ lawyers will not doubt continue testing theories across jurisdictions, especially where circuits have not yet weighed in. In addition, separate state laws governing “automated systems” may impose further consent requirements.
Resist the temptation to relax consent practices based on this ruling and instead view it as further evidence that TCPA compliance is becoming more fragmented, forum‑dependent, and litigation‑driven.
Did you catch our latest episode of ComplianceTalk? More from Michele Shuster and Chad Blackham coming soon!
ADVERTISING & MARKETING
FTC Reopens the Door on Negative Option Rule
The FTC is once again taking aim at negative option marketing, announcing an Advance Notice of Proposed Rulemaking (ANPRM) to reconsider and potentially modernize its long‑standing Negative Option Rule. The move follows the Eighth Circuit’s July 2025 decision vacating the FTC’s 2024 amendments on procedural grounds.
The current Rule applies only to prenotification plans and does not squarely address modern subscription models such as automatic renewals, continuity programs, or free‑to‑pay trial conversions. Citing tens of thousands of consumer complaints and persistent issues like unclear disclosures, lack of express informed consent, and difficult cancellation processes, the FTC is now seeking public input on whether to retain the existing Rule, revive aspects of the vacated amendments, pursue a new regulatory approach, or rely on non‑regulatory alternatives.
BUSINESSES NEED TO KNOW: Make no mistake with this “step back:” the FTC has also made clear it is not backing away from enforcement. Since January 2025 alone, the Commission has brought five enforcement actions and approved six settlements alleging unlawful negative option practices, relying largely on its general unfair and deceptive acts authority. The Commission is openly questioning whether current regulations adequately address modern practices and is inviting industry input on how these programs actually operate, where compliance breaks down, and what workable rules should look like.
Once published in the Federal Register, stakeholders will have 30 days to submit comments, making this a meaningful opportunity for businesses that rely on subscription‑based or recurring‑billing models to weigh in.
Washington Cuts CEMA Email Penalties Amid Surge in Lawsuits
Washington has reduced the statutory penalties for emails sent with false or misleading subject lines under its Commercial Electronic Mail Act (CEMA), cutting damages from $500 per email to $100. House Bill 2274 also replaces a strict liability standard with a “knew or reasonably should have known” requirement, limiting liability to misleading subject lines sent with knowledge, or reasonable foreseeability, of their deceptive nature.
The changes, signed into law by Governor Bob Ferguson and taking effect in mid‑June, are intended to ease the burden on small businesses that inadvertently violate the statute. The amendment comes as CEMA enforcement activity has surged following an April Washington Supreme Court decision that expanded the law’s reach, triggering dozens of lawsuits—many targeting promotional emails advertising time‑limited deals or discounts. The penalty reduction is not retroactive and will not affect cases already on file.
BUSINESSES NEED TO KNOW: Although this penalty decrease will allow businesses to recalibrate their exposure, the risk is far from gone. Promotional emails, especially those advertising limited‑time offers, remain a prime target under the law. Businesses marketing to Washington consumers should review email subject lines now to ensure they are accurate, clear, and not misleading, particularly while litigation activity under CEMA remains elevated.
State AGs Flex Independent Muscle in Live Nation Litigation
The U.S. Department of Justice reached a mid‑trial settlement with Live Nation in its antitrust case targeting alleged monopolistic conduct by Live Nation and Ticketmaster, but the deal has exposed a sharp rift with state regulators. While the proposed settlement would require venue‑related divestitures, loosen Ticketmaster exclusivity, cap certain service fees, and create a $280 million settlement fund, a bipartisan coalition of more than two dozen states and the District of Columbia has rejected the agreement as inadequate.
State AGs, many of whom say they were sidelined from negotiations, have vowed to continue litigating independently, retaining prominent outside antitrust counsel and pursuing more structural remedies, including a potential Ticketmaster divestiture. The court also criticized the timing and transparency of the settlement process, underscoring that the litigation is far from over and highlighting the increasingly assertive role of state AGs as independent, front‑line antitrust enforcers willing to break from federal regulators.
BUSINESSES NEED TO KNOW: Take this as a growing reminder that federal settlements don’t necessarily end multistate risk and state AGs no longer view federal regulators as the unquestioned lead. Bipartisan AG coalitions, often supported by experienced outside counsel, are stepping out on their own to drive national enforcement efforts, a trend that often accelerates under Republican administrations. The case also demonstrates that state-level regulators may use alternate methods to pursue businesses previously associated with anti-consumer “junk fee” add-ons, often taking the form of undisclosed ticket fees and surcharges, even in the face of Federal rollback of regulations governing the issue.
For businesses in highly regulated markets, this means enforcement timelines may stretch, settlement strategies may splinter, and exposure may increase if state and federal enforcers diverge.
Learn how we can help keep you in compliance and ahead of the regulatory curve. Let’s Talk
Want to receive Regulatory Roundups right to your inbox? Subscribe.