PRIVACY & DATA SECURITY
FTC Closes the Book on Kochava After Three-Year Location Data Fight
The FTC has reached a proposed settlement with data broker Kochava and its subsidiary, Collective Data Solutions (CDS), marking a significant expansion of federal enforcement targeting the commercial use of precise location data. The case stems from a 2022 FTC lawsuit alleging Kochava collected and sold geolocation data from hundreds of millions of mobile devices without meaningful consumer knowledge or consent. That data could be used to trace individuals’ movements, including visits to sensitive locations such as health care facilities and places of worship.
Under the proposed order, Kochava and CDS are prohibited from selling, licensing, or sharing sensitive location data unless they obtain a consumer’s affirmative express consent and use the data solely to provide a service directly requested by the consumer. The settlement also imposes extensive operational requirements, including restrictions on downstream data sharing, obligations to verify consent obtained by data suppliers, and mandates around consumer transparency, incident reporting, and data deletion.
BUSINESSES NEED TO KNOW: Coming on the heels of similar actions against Mobilewalla and X-Mode, the Kochava resolution confirms that the FTC’s focus on sensitive location data is not a trend, but a sustained enforcement priority. If your business touches location data in any way, consider this your recurring reminder:
- Consent at the source isn’t enough if you can’t verify it downstream. The FTC is requiring Kochava to audit its suppliers for consumer consent, meaning businesses purchasing location data from third parties need to ask hard questions about where that data came from and whether consumers actually agreed to its use.
- “Sensitive” locations are broadly defined. Health facilities, places of worship, political gatherings, military installations... the list is expansive, and the FTC is not sympathetic to companies that claim they didn’t know their data touched these categories.
- A data retention schedule is now a compliance baseline. Both the Kochava and Mobilewalla orders require scheduled deletion. If you don’t have a formal retention and deletion program in place, it’s time to build one.
Connecticut Doubles Down on Privacy and AI with Two Sweeping New Laws
Connecticut has become one of the most active states on privacy and AI regulation, with Governor Lamont signing two significant bills into law. The first, SB 4, expands Connecticut’s existing privacy framework in several meaningful ways: it introduces a data broker registration requirement modeled after California’s Delete Act, amends the state’s Data Privacy Act to ban the sale of geolocation data, and adds specific provisions governing facial recognition technology. A consumer-facing deletion mechanism that allows residents to opt out of, and request deletion from, data broker lists in a single request must be operational by July 2028.
The second, SB 5, is the state’s long-awaited answer to the broader AI governance question, arriving after three years of debate and a near-veto of an earlier version. The law addresses automated decision-making in employment contexts, requiring disclosure when automated decision-making technology (ADMT) plays a prominent role in consequential decisions and making clear that existing anti-discrimination laws apply. It also covers frontier AI models, mandating internal reporting systems for employees to flag risks or malfunctions, and takes aim at AI companions, requiring disclosure of their non-human nature and prohibiting their use by anyone under 18.
BUSINESSES NEED TO KNOW: Connecticut continues to punch above its weight on privacy and AI, and these two laws together represent a broad set of new obligations worth working through carefully. Data brokers face new registration requirements starting January 1, 2027, which means now is the time to map data flows and vendor relationships.
The ban on geolocation data sales mirrors what we’ve seen in Virginia, Maryland, and Oregon, and reinforces what is quickly becoming a national trend: the window for consent-based location data monetization is closing state by state. For businesses using automated tools in hiring or other consequential employment decisions, Connecticut now requires disclosure and makes clear that existing anti-discrimination obligations travel with those technologies. Perhaps the least-anticipated compliance area is AI companions. The prohibition on minors using AI companions and the disclosure requirements for non-human interactions are areas where many businesses may not yet have compliance frameworks in place.
California Hits GM with Record-Breaking $12.75 Million CCPA Penalty
California regulators secured a record-setting $12.75 million settlement with General Motors (GM) over alleged violations of the California Consumer Privacy Act (CCPA). This marks the largest CCPA penalty to date and a clear expression of the state’s focus on data minimization and purpose limitation requirements, which prohibit companies from retaining data beyond its original purpose or repurposing it for incompatible uses.
The case stems from GM’s connected vehicle platform (OnStar), which collected detailed consumer data, including precise geolocation and driving behavior, and allegedly sold that data to third-party data brokers without adequate notice or consent. Those brokers, in turn, used the data to develop driver-risk products for insurance companies. According to California authorities, GM represented to consumers that their data would be used only to deliver requested services, while also stating in its privacy disclosures that it did not sell driving or location data. As part of the resolution, GM must stop selling driving data to consumer reporting agencies for five years, delete retained data within 180 days, and maintain a robust privacy program subject to ongoing state oversight.
BUSINESSES NEED TO KNOW: The GM settlement isn’t just an auto industry story; it’s a warning shot about how California intends to enforce data minimization and purpose limitation going forward. Three things all businesses should keep in mind:
- Purpose creep is a major liability trigger. Collecting data for one purpose and quietly monetizing it for another is exactly what got GM into trouble. Using data for a secondary purpose, especially one materially different from the original reason for collection, typically requires consumer consent and can violate the CCPA even if the data was lawfully collected in the first place.
- Your privacy policy is a legal commitment. GM’s own policy said it wouldn’t sell location data — and then it allegedly did. That gap between stated practice and actual conduct drove the enforcement action. Make sure yours reflects reality.
- Connected products face heightened scrutiny. Vehicles, wearables, smart devices, and any technology that passively collects location or behavioral data should be reviewed for data scope, retention, and third-party sharing arrangements.
Colorado’s AI Act Sheds Its Teeth (But Keeps Its Bite)
Once the most ambitious state-level AI regulation in the country, Colorado’s AI Act has been substantially scaled back after two years of debate, delays, and a failed special legislative session. Senate Bill 189 trades the law’s original risk-management framework for a narrower set of disclosure and transparency obligations and pushes the effective date back to January 1, 2027. Gone are the duty of care, impact assessments, and risk management program requirements that made the original law so controversial. What remains centers on disclosure: companies deploying automated decision-making technology (ADMT) must be transparent about intended and potential harmful uses, training data categories, and oversight responsibilities.
The retreat reflects a deliberate policy choice amid growing federal and state pressure to prioritize AI innovation over precaution. Notably, the bill includes mandatory attorney general rulemaking, meaning key definitions, including what it means for ADMT to “materially influence” a consequential decision, remain unsettled and could significantly shape the law’s eventual scope.
BUSINESSES NEED TO KNOW: The Colorado AI Act is a bellwether for AI regulation nationally, and its evolution tells a story worth following closely. Here’s where things stand:
- The compliance burden is lighter (for now). The removal of risk assessments and duty-of-care obligations is meaningful relief, but the new transparency and disclosure requirements still need to be understood and operationalized before January 2027.
- Key definitions are still being written. Attorney general rulemaking will determine which AI systems are actually covered. Businesses using automated decision-making tools in consequential contexts (e.g., hiring, lending, housing) should monitor that process closely.
- The federal wild card. With the Trump administration actively challenging state AI laws it views as innovation-stifling, the regulatory landscape could shift again before the ink is dry.
When a BIPA Suit Lands, Will Your Insurer Show Up?
A biometric privacy dispute in Illinois has spawned a parallel coverage fight that businesses in every industry should pay attention to. A former employee of a group of Illinois auto dealerships filed a proposed class action alleging the dealerships violated Illinois’ Biometric Information Privacy Act (BIPA) by using employee fingerprint scanners without proper disclosure, failing to explain why the biometric data was collected or how it would be retained and destroyed after employment ended. The dealerships’ insurer, Clear Blue Specialty Insurance Co., responded by filing its own federal court action seeking a declaratory judgment that it has no obligation to defend or indemnify the dealerships under any of the three policies at issue: a commercial general liability policy, an auto dealers policy, and an umbrella policy.
Clear Blue’s arguments are a preview of the coverage battles businesses can expect when BIPA claims arrive. Among other arguments, the insurer contends that the underlying claims don’t qualify as “bodily injury” or “property damage” under the CGL policy and that intentional violations are excluded under each policy’s intentional acts exclusion. In other words, on the insurer’s reading, the dealerships are not covered when they intentionally violate the law.
BUSINESSES NEED TO KNOW: This case is a useful reminder that insurance coverage should never be treated as a substitute for regulatory compliance. The exclusions Clear Blue is invoking here (intentional acts, employment practices, unlawful recording and distribution of information) reflect a broader truth about how insurance policies are structured: they are built to respond to accidents and specific types of liabilities, not to clean up the consequences of legal non-compliance.
Businesses that collect biometric or other sensitive personal data should not be looking to their insurance plan as a backstop for a BIPA violation or similar regulatory exposure. The only reliable protection against that kind of liability is building a compliance program that meets the law’s requirements before a claim ever arises.
More information on an upcoming webinar in our Privacy Watch series coming soon!
TCPA & TELESERVICES
Tennessee Turns Up the Heat on Telemarketing Compliance — Even Without New Rules
Tennessee has added a quiet but meaningful new mechanism to its telephone and text message solicitation framework. Unanimously passed by both chambers and signed into law, HB 2408/SB 2659 doesn’t create new substantive obligations for solicitors, but it requires the Tennessee Public Utility Commission to deliver an annual compliance report to key legislative committee chairs covering businesses that make telephone or text message solicitations to Tennessee residential subscribers. The effective date is July 1, 2026.
The significance isn’t in what the law requires of solicitors today; it’s in what it signals about tomorrow. With this reporting requirement, the legislature is effectively putting the agency on notice that its enforcement activity will be scrutinized, and regulators will respond accordingly. Legislative committee chairs don’t receive annual reports without asking follow-up questions, and follow-up questions have a way of leading to new legislation. Businesses operating in Tennessee’s telemarketing space should treat this law less as a compliance event and more as an early warning that the regulatory temperature in the state is rising.
BUSINESSES NEED TO KNOW: This law is best understood as the opening move in a longer game. If your business calls or texts Tennessee residents, now is the time to confirm your compliance house is in order, including annual registration with the Commission, proper scrubbing against the Do Not Call/Do Not Text Register, calling hour controls, caller ID requirements, and vendor oversight documentation. At up to $2,000 per violation, the existing penalty framework hasn’t changed, but the likelihood of enforcement being measured and reported publicly has. Businesses with documented compliance programs are well positioned, while those operating on informal practices are not.
Is a Text Message a Phone Call? The Seventh Circuit Is About to Weigh In
One of the most consequential questions in telemarketing law is back before a federal appeals court, and the panel’s skepticism is worth paying attention to. The Seventh Circuit heard oral arguments in a proposed class action against Blackstone Medical Services over unsolicited text messages advertising home sleep tests, with the central question being whether the TCPA’s do-not-call provisions, which prohibit “telephone calls” to registered numbers, extend to text messages at all.
The court’s skepticism was pointed and came from multiple directions. Both judges questioned where the statutory line gets drawn if texts qualify as calls, raising the specter of email coverage, pressing on the ordinary public meaning of “telephone” as it was understood in 1991, and suggesting that texts, which can be silenced, are meaningfully less intrusive than voice calls. Those textual questions carry real weight now that the Supreme Court’s 2024 decision in Loper Bright eliminated Chevron deference, meaning courts no longer defer to the FCC’s longstanding interpretation that text messages are “calls” under the statute. Blackstone and the U.S. Chamber of Commerce argued that “telephone call” plainly refers to oral communication, full stop.
BUSINESSES NEED TO KNOW: The honest answer is that nobody knows how this will end, and that uncertainty is exactly the problem. While most courts have held that texts are covered by the TCPA’s do-not-call provisions, a substantial minority have reached the opposite conclusion, and some businesses have begun treating that split as an invitation to test the boundaries of compliance. We’d caution against that approach. Regulatory uncertainty is not the same as regulatory permission, and the consequences of being wrong, particularly in a class action context, remain severe.
What makes this case different is the court it’s in. A Seventh Circuit ruling will carry far more weight than any district court decision on this question, and depending on how it lands, it could set the stage for a circuit split significant enough to attract Supreme Court attention. Businesses that use text messaging for marketing or outreach should be watching this case closely, maintaining full TCPA compliance in the meantime, and resisting the temptation to treat judicial ambiguity as a green light.
One Robocall Campaign, Two Lawsuits, and a Lesson About Contracts
A North Carolina plaintiffs’ firm is finding itself in an uncomfortable position: defending a TCPA class action over robocalls it says it didn’t make, while simultaneously suing the marketing company it hired to run the campaign. DeMayo Law Offices, which retained Converge Marketing LLC to promote its Camp Lejeune water contamination litigation practice, is now seeking indemnification from Converge.
At first, Converge indicated it would indemnify DeMayo and even hired counsel to appear on behalf of both companies. Nearly a year in, however, Converge abruptly withdrew from the defense, leaving DeMayo scrambling to retain new counsel and, by its own account, without a meaningful opportunity to negotiate a resolution.
The underlying suit, brought by Wesley Newman, alleges he received at least a dozen prerecorded robocalls to a number registered on the National Do Not Call Registry, pitching DeMayo’s legal services. Newman names DeMayo, Converge, and a third-party intake company as defendants. DeMayo’s position is that Converge — which inherited an indemnification clause when it purchased the original marketing agreement from a now-bankrupt predecessor firm — spent nearly a year conducting itself as though that clause applied, sharing in the defense and participating in negotiations, before pulling out without warning. DeMayo argues that conduct created an express or implied contract under North Carolina law obligating Converge to cover any damages and fees.
BUSINESSES NEED TO KNOW: This case provides a useful lesson for both sides of a marketing vendor relationship, but especially for lead generators, marketing companies, and anyone supplying outreach services to clients in regulated industries. Your contract with the client isn’t just paperwork — it is the document that determines who absorbs the financial consequences when a TCPA claim arrives. Converge’s situation illustrates what happens when indemnification obligations are ambiguous or inherited rather than expressly agreed upon: both parties end up in court arguing about what they thought the deal meant.
If you are a marketing company or lead supplier, your agreement should clearly define the scope of your indemnification obligations, which party controls campaign compliance, and what happens when a third-party claim arises. Conducting yourself as though an indemnification clause applies (as Converge allegedly did for nearly a year) without getting that commitment in writing is precisely the kind of ambiguity that turns a vendor dispute into its own litigation.
ADVERTISING & MARKETING
Decade-Old Consent Order, Brand New $6.5 Million Problem
A federal court ordered payment processor Cliq Inc., formerly known as Cardflex, and its two executives to pay $6.5 million in civil contempt sanctions for violating a 2015 court order that was itself the product of an FTC enforcement action. The Nevada federal court found that Cliq and operators Andrew Phillips and John Blaugrund spent years after entering that order doing precisely what it prohibited: facilitating fraud on behalf of bad actors in the payments ecosystem.
The court’s findings are damning. Cliq processed hundreds of millions of dollars in transactions for merchants on Mastercard’s high-risk MATCH list, helped merchants mask their true chargeback rates through mislabeled and so-called “friendly” transactions, assisted them in shifting activity from closed accounts to live ones, and accepted payment processing applications listing “obviously false” websites without investigation. The company also systematically failed to carry out the underwriting and reporting obligations it had agreed to ten years earlier.
BUSINESSES NEED TO KNOW: A consent order is not a chapter that closes once it’s signed. The FTC and federal courts treat these agreements as ongoing legal obligations and regulators will revisit them years or even decades later to verify compliance. Cliq agreed to its original order in 2015 and was still being held accountable for violating it in 2026. The $6.5 million sanction is the consequence of treating a court-ordered compliance program as a formality rather than a genuine operational commitment.
If your business operates under a consent order, settlement agreement, or any other regulatory resolution, the compliance obligations in that document do not have an expiration date. The FTC has made enforcement of its existing orders a stated priority, and the Cliq case is a pointed reminder that the agency is watching, even when it has been quiet for a while.
Regulators are Coming for Surveillance Pricing
Surveillance pricing, the practice of using consumers’ personal data to set individualized prices through AI-driven algorithms, has moved from regulatory curiosity to an active enforcement priority in a remarkably short period of time. In May, Maryland became the first state to enact a ban, prohibiting food retailers and third-party delivery services from using personal data to charge individual consumers different prices for the same goods, effective October 1, 2026. Colorado passed its own legislation making individualized price and wage setting a deceptive trade practice under its Consumer Protection Act, while New York has taken a disclosure-based approach, requiring companies to clearly notify consumers when personal data is used to set algorithm-driven prices.
At the federal level, momentum is building as well. The FTC is exploring whether a formal policy statement on surveillance pricing disclosures is warranted, and 16 state attorneys general have pushed the FTC to require food delivery platforms to be transparent about personalized pricing practices. Representative Frank Pallone, Jr. (D-NJ) has launched an inquiry into 25 major retailers, demanding answers about whether and how they use consumer data to set prices. Private litigation has also arrived, with JetBlue recently named in a proposed class action alleging it uses travelers’ personal data to adjust ticket prices.
BUSINESSES NEED TO KNOW: The patchwork of state laws taking shape is just the opening act. Businesses that use consumer data to inform pricing decisions in any way should be building compliance frameworks now rather than waiting for a federal standard to crystallize. The early state laws all have gaps and limitations, but those gaps are being studied, and future versions will be tighter. Companies that treat the current regulatory environment as permissive may be betting that the rules won’t catch up to them. Based on the pace of legislative and enforcement activity over the past six months, that is not a bet worth making.
Hear more about surveillance pricing enforcement and other consumer protection updates in our most recent ComplianceTalk episode.