PRIVACY & DATA SECURITY
California Enacts Landmark Child Safety Laws for Social Media and AI
California Governor Gavin Newsom has signed a suite of bills aimed at protecting minors from the risks of social media and emerging technologies like AI. Key highlights include:
- Age Verification (A.B. 1043): App stores and operating systems must implement age verification signals to help prevent minors from accessing inappropriate content.
- AI Chatbot Safeguards (S.B. 243): Platforms must disclose that interactions are artificially generated, remind minors to take breaks, and block explicit content. They must also implement protocols to detect and respond to expressions of self-harm. Chatbots are prohibited from impersonating healthcare professionals.
- AI Accountability (A.B. 316): Those that develop, modify, or use AI cannot avoid liability for alleged harm by claiming the technology acted autonomously.
BUSINESSES NEED TO KNOW: These laws are intended to create critical safeguards and accountability measures and continue to establish California as a national leader in privacy regulation. However, while many child advocacy groups praise the legislation as a major step forward in child safety online, critics have raised concerns related to the definition of age verification and the implications of codifying reliance upon user-declared age.
Nvidia Faces Class Action Over Alleged Deceptive Cookie Practices and Privacy Violations
Nvidia Corporation is being sued in a proposed class action that accuses the company of misleading users about their ability to control tracking and data sharing on its website. The lawsuit claims that Nvidia falsely assured visitors they could opt out of tracking by selecting options like “decline all” or disabling performance and advertising cookies. Despite these choices, the suit alleges that Nvidia continued to install cookies and transmit user data to third parties such as Meta, Google, TikTok, LinkedIn, and Salesforce.
The Plaintiff, a California resident, argues that Nvidia’s cookie consent interface gave users a false sense of security, leading them to believe their privacy preferences were respected. However, technical evidence provided by the Plaintiff allegedly shows network traffic to third-party sites occurring even after users declined all cookies, transmitting data that includes information like browsing history, geolocation, and shopping behavior.
BUSINESSES NEED TO KNOW: Businesses should view this lawsuit as a critical wake-up call on digital transparency and effective data management. Our key takeaways:
- Privacy Promises Must Match Reality. If your website offers users the ability to opt out of tracking or cookies, those settings must be honored in practice, not just in appearance. Misleading or ineffective consent interfaces can expose companies to serious liability, especially under privacy laws like CIPA.
- Third-Party Integrations Require Scrutiny. Integrating cookie management tools from third-party companies means you’re responsible for how those tools handle user cookie preferences. Businesses must audit these integrations to ensure they work as intended and as presented to the consumer. Often, “out of the box” solutions still require some level of configuration to work appropriately.
Federal Court Grants Summary Judgment for CIPA Defendant, Urges Legislative Update
In Jane Doe v. Eating Recovery Center (ERC), a California resident seeking treatment for anorexia alleged that ERC enabled Meta to intercept sensitive health-related data during her website visit, which later appeared to inform targeted ads and emails. U.S. District Judge Vince Chhabria granted summary judgment in favor of ERC, dismissing claims that the company violated the California Invasion of Privacy Act (CIPA) by embedding Meta’s Pixel tracking code on its website, and included a scathing critique of the law in his decision.
The court’s ruling turned on two key legal questions:
- Whether the data shared with Meta constituted the “contents” of a communication.
- Whether those contents were accessed while “in transit,” as required by CIPA.
The judge ruled that while the data could be considered “contents,” Meta’s automated filtering process did not amount to reading the data “in transit.” He emphasized that CIPA’s language does not clearly apply to modern internet technologies and invoked the rule of lenity, which requires ambiguous criminal statutes to be interpreted narrowly, even in civil cases.
BUSINESSES NEED TO KNOW: The ERC case is creating quite a buzz as it underscores the need to update legacy laws for the digital age. Originally enacted in 1967 to address wiretapping, CIPA’s outdated language has led to inconsistent court rulings and confusion for businesses. The judge urged the California Legislature to modernize the law, warning that its current form is ill-suited for today’s digital environment and imposes disproportionate criminal and civil penalties. It remains to be seen if this will be an impetus to drive reform efforts that bring clarity, but until then businesses should rely on existing case law as a guide, albeit an imperfect one.
California’s Opt Me Out Act Sets New National Standard for Browser-Based Privacy Controls
Governor Gavin Newsom signed the California Opt Me Out Act into law, making California the first state in the U.S. to require web browsers to offer a built-in, user-friendly opt-out preference signal (OOPS). The law enables consumers to automatically communicate their privacy preferences to websites with a single browser setting.
Taking effect January 1, 2027, the law mandates that browsers operating in California (including Chrome, Safari, and Edge) must provide users with the ability to opt out of the sale or sharing of personal data for targeted advertising. While the signal doesn’t need to be enabled by default, it must be easily accessible and functional.
BUSINESSES NEED TO KNOW: Companies subject to the CCPA and similar laws should begin preparing now to honor an anticipated surge in opt-out requests. Technological systems will need to be able to ingest and respond to browser-based opt-out signals at scale. The California Privacy Protection Agency (CPPA) is expected to issue supporting regulations, including guidance on mobile browser inclusion and signal configuration.
TCPA & TELESERVICES
FTC Takes Do Not Call Registry Offline During Government Shutdown
As a result of the federal government shutdown that began October 1, the FTC has suspended several reporting platforms and consumer services, including the National Do Not Call Registry, which is now offline. Practically speaking, what does this mean for businesses?
- No Access to the DNC Registry. Companies cannot download updated lists or manage their subscriptions through the usual portal.
- Compliance Risks Remain. Federal telemarketing laws, including the TCPA and TSR, are still in effect. Businesses are still legally prohibited from calling numbers on the DNC list, even if they can’t access updates during the shutdown.
- No Technical Support. Technical support related to accessing, using, or updating the registry list is unavailable during the shutdown. This could delay resolution of access problems or subscription renewals.
- Delayed Enforcement... for Now. While the FTC’s enforcement actions are paused or slowed, violations can still be investigated retroactively once the agency resumes normal operations.
BUSINESSES NEED TO KNOW: Although the FTC has suspended most consumer protection activities and historically has not pursued enforcement for compliance failures caused by system outages or agency inactivity, businesses should not assume plaintiffs will show similar leniency. As always, there are eager plaintiffs seeking to exploit the uncertainty. Be sure you are scrubbing against the most recent DNC list you have and are fully documenting your compliance efforts during this time to build a strong defense to support your actions once the FTC fully resumes operations.
Foreign Robocall Elimination Act Advances in Senate
The U.S. Senate Commerce Committee has approved the Foreign Robocall Elimination Act, moving it closer to a full Senate vote. The bipartisan bill directs the FCC to establish a task force focused on blocking unlawful robocalls originating from outside the U.S.
The task force will include federal agencies and private sector representatives and must deliver a comprehensive report to Congress within 360 days. The report will analyze the scope, origin, and financial impact of foreign robocalls, assess the effectiveness of current technologies like STIR/SHAKEN, and explore international cooperation and enforcement strategies.
The Committee also adopted four amendments to the Act. These include requiring companies to post an up-to-$100,000 bond to register in the Robocall Mitigation Database, deterring repeat offenders from re-entering the system; incorporating the previously stalled Robocall Traceback Enhancement Act to strengthen efforts to trace and identify illegal call origins; expanding reporting requirements; and clarifying definitions within the legislation.
BUSINESSES NEED TO KNOW: What changes could be ahead for businesses? Voice service providers may face new financial and technical obligations, including bonding requirements and enhanced reporting. Adoption of caller ID authentication standards (e.g., STIR/SHAKEN) and traceback capabilities could become more critical, especially for providers handling international traffic. And businesses using international call centers or third-party telecom services could see heightened oversight as a result of the task force’s investigations and the report it provides to Congress.
FCC Adopts Amended Version of Call Branding FNPRM
At its October 28th Open Meeting, the FCC adopted an amended version of the Call Branding FNPRM, part of Chairman Brendan Carr’s “Delete, Delete, Delete” initiative. The proposed rule changes present sweeping reforms to robocall regulations under the TCPA with objectives to stop illegal and foreign-originated calls, enhance caller identity verification, modernize outdated rules, and reduce compliance burdens, especially for small businesses.
Key elements of the proposal include:
- Eliminating outdated call abandonment rules
- Modernizing caller ID rules for artificial and pre-recorded voice calls
- Strengthening caller identity verification using STIR/SHAKEN and Rich Call Data (RCD)
- Mandating secure transmission of caller identity
- Labeling and restricting foreign-originated calls
- Narrowing consent revocation rules to allow more tailored opt-outs
- Removing redundant call blocking rules
BUSINESSES NEED TO KNOW: Although the FCC removed the proposal to eliminate internal DNC list requirements from the adopted FNPRM, significant changes to TCPA regulations remain under consideration. Notably, the FCC has signaled a possible additional delay or modification of its broad universal opt-out rule. Currently scheduled for April 2026 implementation, this rule requires callers to treat a consumer’s opt-out for one type of call as a revocation of consent for all call types from that company. Affected businesses now have an opportunity to influence the outcome. A 30-day public comment period will commence once the FNPRM is published in the Federal Register and there may be further changes to the rules before they are finalized. More info can be found on our blog and there will be much more to come.
ADVERTISING & MARKETING
A Surge in False Advertising Lawsuits? Time to Shore Up Your Claims Strategy
It’s a good time to remind folks of the importance of substantiating product claims and clearly communicating performance benefits in marketing and product labeling. We’ve been seeing an uptick in consumer lawsuits accusing businesses of misleading consumers through exaggerated or false product claims, especially in the health and wellness sector. In just the last month, major brands hit with proposed class actions include:
- Reckitt Benckiser for its Neuriva brain health supplements, which allegedly promise cognitive benefits unsupported by clinical evidence.
- Trader Joe’s for probiotics that reportedly contain far fewer live “good bacteria” than advertised, undermining claimed health benefits.
- Edgewell Personal Brands for Hawaiian Tropic SPF 50 sunscreen, which allegedly tested at SPF 20, raising concerns about consumer safety and deceptive premium pricing practices.
- Arcadia Consumer Healthcare for allegedly misleading buyers by marketing Fungi-Nail as a nail fungus treatment, despite package disclaimers stating it’s ineffective for nails.
BUSINESSES NEED TO KNOW: We can’t overstate the importance of ensuring your marketing claims are truthful, substantiated, and clearly communicated. These class actions are lucrative business for both professional plaintiffs and plaintiffs’ attorneys. No less important is the value of your brand’s credibility and customer loyalty.
- Substantiate All Claims: Ensure product claims, especially those related to health, efficacy, or performance, are backed by reliable scientific evidence or validated testing.
- Avoid Misleading Packaging: Prominent front-label claims must not contradict disclaimers or fine print. Consumers rely heavily on visible packaging when making purchasing decisions.
- Know the difference between marketing puffery language and product claims that must be backed by scientific evidence or validated testing.