PRIVACY & DATA SECURITY
California Enacts Landmark Child Safety Laws for Social Media and AI
The California Privacy Protection Agency (now known as CalPrivacy) has created a Data Broker Enforcement Strike Force within its Enforcement Division to intensify investigations into privacy violations by data brokers. The initiative will focus on compliance with the state’s Delete Act registration and reporting requirements as well as the California Consumer Privacy Act (CCPA).
The Strike Force builds on the agency’s 2024 investigative sweep, which resulted in a record number of enforcement actions for registration violations. It will provide additional resources and empowers the agency to pursue additional investigations.
The Delete Act mandates annual registration and fees, which fund the California Data Broker Registry and the upcoming Delete Request and Opt-Out Platform (DROP) – a tool launching in January 2026 that will allow consumers to request deletion of their personal data across all data brokers in one step.
BUSINESSES NEED TO KNOW: Businesses that qualify as data brokers under the Delete Act should expected heightened enforcement activity with CalPrivacy’s expanded resources. They should also begin preparing now to ensure operational readiness for the August 1, 2026 deadline to start processing DROP requests. (Stay tuned for more helpful info on that coming from us soon!)
California AG Secures $1.4M Settlement with Jam City Over CCPA Violations
California Attorney General Rob Bonta announced a $1.4 million settlement with mobile gaming company Jam City, Inc. for violations of the CCPA. The settlement resolves allegations that Jam City:
- Failed to provide in-app opt-out mechanisms for consumers to stop the sale or sharing of personal data across its 21 apps.
- Improperly collected and shared children’s data, including users under 13, without proper consent.
- Sold or shared data of minors aged 13–15 without obtaining affirmative opt-in consent.
- Integrated third-party advertising and analytics tools that harvested sensitive data, including precise location and identifiers, for targeted advertising.
In addition to the $1.4 million penalty, Jam City must also provide in-app mechanisms for consumers to opt-out of the sale or sharing of their data and must not sell or share the personal information of minors aged 13 to under 16 without first obtaining their affirmative “opt-in” consent.
BUSINESSES NEED TO KNOW: This case reinforces a critical point: privacy compliance for mobile apps must be proactive, transparent, and user-friendly, especially when children’s data is involved. Mobile app publishers—and any business handling consumer data—must go beyond technical compliance and prioritize clear, in-app privacy controls and robust consent mechanisms.
Sling TV Hit with $530K CCPA Settlement
Sling TV will pay a $530,000 settlement to resolve alleged violations of the CCPA following a 2024 investigative sweep of streaming services. The California AG asserts that Sling TV failed to provide consumers with an easy, accessible way to opt out of the sale or sharing of personal information and did not implement adequate privacy protections for children.
Under the settlement, the company must:
- Make opt-out mechanisms simple and consistent across all devices.
- Provide in-app opt-out options on living-room platforms.
- Offer child-specific profiles with default privacy protections.
- Give parents clear disclosures and tools to safeguard children’s data.
BUSINESSES NEED TO KNOW: This case highlights a common compliance pitfall: confusing or incomplete opt-out processes, especially when businesses rely on off-the-shelf cookie management tools that mislead consumers by labeling toggles as “Do not sell or share my personal information.” when they only disable advertising cookies. Beware: regulators expect businesses to go beyond technical compliance and deliver transparent, user-friendly opt-out experiences.
TCPA & TELESERVICES
FCC Moves to Expand Robocall Compliance Rules to All Voice Service Providers
The FCC is set to vote on a new order at its December 18th Open Commission Meeting that would require all voice service providers with direct access to phone numbers – not just newly authorized ones—to comply with anti-robocall regulations.
Key provisions include:
- Providers must certify and disclose compliance measures related to robocall mitigation, public safety, and national security.
- Entities with older authorizations must meet the same standards adopted in 2023 for new applicants.
- Noncompliant providers risk losing their numbering authorizations if they fail to comply within 30 days of the rules taking effect.
The FCC also issued a Further Notice of Proposed Rulemaking to explore additional protections, including reclaiming numbering resources from VoIP providers whose authorizations were revoked and restricting access for entities on the covered list. These measures aim to curb bad actors who exploit numbering resources to bypass robocall mitigation.
BUSINESSES NEED TO KNOW: As the FCC pushes additional robocall mitigation measures onto voice service providers, those providers will continue to strengthen their Know Your Customer and anti-robocall measures. Even businesses with legitimate and legal use cases may find themselves needing extra time to complete service provider due diligence and prove their compliance with applicable regulations.
Register for our upcoming webinar! M&S Predicts: The 2026 Regulatory Outlook
ADVERTISING & MARKETING
Melissa Holyoak Departs FTC to Serve as Utah’s Interim U.S. Attorney
Melissa Holyoak abruptly left the Federal Trade Commission to become Utah’s interim U.S. attorney, reducing the FTC to just two Republican commissioners. Her appointment, announced the same day she departed the FTC, was made by U.S. Attorney General Pam Bondi and will last up to 120 days. Holyoak previously served as Utah’s solicitor general and held roles at Hamilton Lincoln Law Institute and O’Melveny & Myers LLP. Her departure leaves the FTC with just Chairman Andrew Ferguson and Commissioner Mark Meador.
This move comes as the Trump administration continues its controversial use of interim U.S. attorney appointments and challenges the independence of agencies like the FTC by removing Democratic commissioners. The Supreme Court is currently reviewing the legality of these firings.
BUSINESSES NEED TO KNOW: During her tenure as Commissioner in the prior administration, Holyoak was critical of some of the FTC’s rulemaking activities. We anticipate the FTC, under Ferguson, will continue to prioritize enforcement over rulemaking, focusing on core consumer protection issues, children’s privacy and online safety, and emerging AI and other tech risks. Businesses should anticipate fewer new regulations but more aggressive enforcement under existing statutes.
Retailer Loses Motion to Compel Arbitration in Online Pricing Class Action
A California federal judge denied retailer Maggy London International Ltd.’s motion to compel arbitration in a proposed class action alleging deceptive “phantom” discounts on its website.
Plaintiff Monica Sanchez asserts Maggy London violated California false advertising and unfair competition laws through misleading strikethrough pricing. The retailer argued that Sanchez’s claims were subject to the arbitration and class action waiver provisions located in the blue, underlined terms of service hyperlink displayed at checkout below the “Pay Now” button. However, the court ruled that simply providing a hyperlinked terms of service during checkout was insufficient to establish a binding arbitration agreement, noting that:
- The “Pay Now” button lacked explicit notice that clicking it would constitute legal assent.
- Ninth Circuit precedent, including Nguyen v. Barnes & Noble, requires clear textual advisal that a user’s action creates contractual obligations.
- A conspicuous hyperlink alone does not provide the inquiry notice necessary for enforceability.
The case now proceeds on the merits of Sanchez’ deceptive pricing claims.
BUSINESSES NEED TO KNOW: The ruling underscores that “browsewrap” agreements (where consent is implied by a user using a webpage with a linked set of terms) likely are insufficient, and terms need explicit consent, not passive links, to bind consumers. In this case, placing the terms hyperlink below the button, rather than above, and without indication of what action constituted consent to the terms heavily contributed to the finding. Businesses using similar structures should ensure the terms are linked before the button indicating consent, and that the consumer understands they are agreeing to them.
Williams-Sonoma Sues Quince Over “Dupe” Comparison Claims
Williams-Sonoma Inc. filed a lawsuit against direct-to-consumer retailer Quince in California federal court, alleging false advertising and unfair competition. The suit claims Quince misleads consumers by comparing its lower-priced products to Williams-Sonoma’s premium offerings through “Beyond Compare” charts and social media ads that suggest the same quality at a fraction of the price.
Williams-Sonoma argues these “brandwashing” comparisons constitute a bait-and-switch strategy, as Quince displays inflated pricing, never identifies the specific products Williams Sonoma supposedly charges more for, and fails to substantiate its claim that any Williams Sonoma product is the same as the advertised dupe. The company is seeking restitution for unjust gains.
The lawsuit follows on the heels of a proposed class action against Quince, alleging similar misrepresentation of “luxury-quality” goods and fabricated discounts.
BUSINESSES NEED TO KNOW: Comparative advertising can be powerful, but it comes with high legal risk if claims are misleading or unsubstantiated. Remember that:
- Accuracy matters: Price comparisons and quality claims must be truthful, current, and verifiable.
- Specificity is key: Identify exact products when making comparisons; vague or generic claims invite scrutiny.
- Avoid “dupe” language without proof: Suggesting equivalence in quality without evidence can lead to false advertising claims.
- Transparency in pricing: Inflating competitor prices or using “strikethrough” discounts without basis can be deemed deceptive.
If you use comparative advertising, document your claims, validate your data, and ensure disclosures are clear.
Former CFPB Enforcers Launch Consumer Litigation Initiative
Three former senior enforcement attorneys from the Consumer Financial Protection Bureau have joined advocacy group Protect Borrowers to spearhead a new litigation initiative. The project aims to combat what they describe as the “weaponization of corporate power that is plunging working people into financial crisis.”
Between 2021 and 2025, Eric Halperin, Cara Petersen, and Tara Mikkilineni led enforcement efforts that secured over $9.5 billion in penalties and consumer relief. Their new mission at Protect Borrowers is to “use legal and policy levers to challenge products and practices that exploit workers, consumers, and small business owners,” strategically partnering with private firms, state and local law enforcers, and advocacy organizations to maximize the impact of their efforts.
The move comes amid a sharp decline in CFPB enforcement under the Trump administration, which has rolled back or dismissed more than 40 cases and halted new contested actions.
BUSINESSES NEED TO KNOW: Under the current administration, federal enforcement may be quieter in some areas, but the risk hasn’t gone away. The launch of Protect Borrowers’ strategic litigation project signals a new wave of private enforcement and advocacy targeting consumer protection violations.
Learn how we can help keep you in compliance and ahead of the regulatory curve. Let’s Talk
Want to receive Regulatory Roundups right to your inbox? Subscribe.