PRIVACY & DATA SECURITY
Multistate Privacy Crackdown Targets GPC Opt-Out Violations
The California Privacy Protection Agency (CPPA), along with the Attorneys General of California, Colorado, and Connecticut, announced a multi-state investigative sweep targeting businesses that may be failing to honor consumer opt-out requests under state privacy laws. The focus is on compliance with Global Privacy Control (GPC), a browser-based setting that allows consumers to automatically opt out of the sale and sharing of their personal data across websites.
This enforcement action reflects a broader trend toward coordinated state-level privacy enforcement. Businesses receiving GPC signals are legally required to treat them as valid opt-out requests under laws such as the California Consumer Privacy Act (CCPA), Colorado Privacy Act, and Connecticut Data Privacy Act. As part of the sweep, regulators have begun contacting businesses that may not be processing consumer opt-out requests submitted through the GPC as required by their laws and are urging them to correct their practices.
With 19 states now having passed comprehensive privacy laws, businesses operating across jurisdictions face increasing regulatory complexity and risk. Regulators are prioritizing cross-state collaboration, and noncompliance with opt-out mechanisms—especially GPC—has become a key enforcement focus.
BUSINESSES NEED TO KNOW: This sweep builds on previous enforcement actions and the formation of a ten-state privacy enforcement consortium, signaling that businesses operating across jurisdictions must ensure technical and procedural compliance with universal opt-out mechanisms (UOOMs) in relevant states:
- Companies must recognize and process GPC signals as opt-out requests
- Opt-out mechanisms must be clear, accessible, and functional—no hidden links or barriers
- Noncompliance may result in enforcement actions, including fines and public scrutiny
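As an added illustration (not code from the roundup, the CPPA, or any company named here), the following shows how a site can recognise the GPC signal on the server and suppress tags that sell or share data; it assumes the W3C GPC request header `Sec-GPC: 1`, which the roundup itself does not name, and a constructed tag catalogue.

```python
"""Honoring a Global Privacy Control (GPC) opt-out server-side.

A GPC-enabled browser sends the request header ``Sec-GPC: 1`` (W3C GPC
specification; not a header named in the roundup). Illustrative code only,
not any company's implementation; the tag catalogue is constructed data.
"""
from dataclasses import dataclass
from typing import Iterable, Mapping


@dataclass(frozen=True)
class Tag:
    name: str
    sells_or_shares: bool  # True if the tag sends data to a third party for sale/sharing


# Constructed sample catalogue for a fictional site.
TAG_CATALOGUE = (
    Tag("session-cookie", sells_or_shares=False),
    Tag("fraud-check", sells_or_shares=False),
    Tag("ad-network-pixel", sells_or_shares=True),
    Tag("data-broker-sync", sells_or_shares=True),
)


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for a valid GPC signal: header value exactly "1".
    Header names are matched case-insensitively because proxies and
    frameworks normalise them differently.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def opted_out(headers: Mapping[str, str], stored_opt_out: bool) -> bool:
    """Opted out if a prior explicit opt-out is on file or GPC is sent now.
    Assumption for this example: a stored opt-out is not undone merely
    because a later request lacks the signal.
    """
    return stored_opt_out or gpc_signal_present(headers)


def tags_to_load(headers: Mapping[str, str], stored_opt_out: bool = False,
                 catalogue: Iterable[Tag] = TAG_CATALOGUE) -> list[str]:
    """Names of tags allowed to load; sale/share tags are dropped on opt-out."""
    block = opted_out(headers, stored_opt_out)
    return [t.name for t in catalogue if not (block and t.sells_or_shares)]
```

A real deployment would also record the GPC-triggered opt-out against the consumer's account or cookie so the preference persists across sessions.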
The $1.35M Wake-Up Call: CPPA Signals a New Era of Enforcement
The California Privacy Protection Agency (CPPA) issued a $1.35 million fine against Tractor Supply Company for alleged multiple violations of the California Consumer Privacy Act (CCPA), including privacy policy deficiencies, opt-out mechanism failures, lapses in employment data privacy practices, and gaps in contractual safeguards with third parties handling personal data.
The fine is the largest ever issued by the CPPA, but the enforcement action also includes numerous “firsts” for the agency and significant implications for businesses navigating California’s privacy landscape. Among these:
- The CPPA publicly disclosed an ongoing investigation when it initiated a court action to enforce a subpoena issued to Tractor Supply to provide information dating back to 2020, 3 years before the agency’s enforcement authority was finalized
- The enforcement action explicitly cited deficiencies in the content of the company’s privacy policy as a violation of the CCPA
- The CPPA identified issues with Tractor Supply’s privacy notice for job applicants, a move illustrating a focus not only on data practices related to consumers, but employees and applicants as well
- The enforcement order includes a provision for longer-term compliance oversight than in previous actions
BUSINESSES NEED TO KNOW: Ultimately, Tractor Supply acknowledged the CPPA’s broad authority to investigate its earlier conduct, which will likely impact the agency’s investigatory demands going forward. Additional points to note: 1) simply having a privacy policy is not sufficient, as the specific content of it is now an enforcement target, 2) make sure your privacy practices are as robust for your California employees as they are for consumers, and 3) technical compliance is crucial: cookie tools, opt-out mechanisms, and browser-based tools must function correctly.
California Passes Landmark AI Safety Law
With Governor Gavin Newsom’s signature of SB 53, the Transparency in Frontier Artificial Intelligence Act (TFAIA), California became the first state to enact a comprehensive law regulating frontier AI systems, the most advanced and potentially risky artificial intelligence models. California is home to 32 of the world’s top 50 AI companies, making this law a potential blueprint for national and global regulation.
Aiming to balance innovation with public safety, the TFAIA establishes new guardrails for AI companies. Specifically, the new law:
- Requires major AI companies (such as OpenAI, Google, Meta) to publicly publish on their websites how they’re following national and international safety standards and best practices
- Creates a system for reporting serious AI-related safety issues to the state
- Protects whistleblowers who raise concerns about AI risks
- Imposes civil penalties for companies that don’t comply, enforced by the state attorney general
- Establishes CalCompute, a public computing consortium to support ethical and equitable AI research
BUSINESSES NEED TO KNOW: If you’re building or using advanced AI systems, transparency and safety protocols are coming under significant scrutiny in California. More importantly, in the absence of federal AI legislation, SB 53 may follow a similar path as the CCPA with regard to impact on state privacy laws, influencing how other states and countries approach AI oversight.
EU Court Greenlights U.S. Data Transfer Framework but Legal Uncertainty Persists
Good news for companies moving personal data from the EU to the U.S.: the EU General Court upheld the EU-U.S. Data Privacy Framework, giving businesses a much-needed breather after years of uncertainty. This framework replaces the old Privacy Shield and Safe Harbor agreements, both of which were struck down over concerns about U.S. surveillance and lack of legal protections for EU citizens. It includes stronger safeguards, including limits on U.S. government access to EU data, mechanisms to address data subject concerns, and a new Data Protection Review Court to handle complaints.
About 3,500 companies already use this framework to support cross-border data flows, and the court’s decision helps keep that pipeline open – for now. However, privacy advocates are already preparing a broader legal challenge and potential appeal. They argue the new deal is too similar to the old ones and could be overturned again, especially since many of its protections are based on executive orders, not laws passed by Congress. That means a future U.S. president could undo key parts of the agreement.
BUSINESSES NEED TO KNOW: This ruling is a win for businesses but it’s not the end of the story. As such, we recommend the following:
- U.S. businesses can continue using the framework but should monitor legal developments
- If you’re transferring EU data to the U.S., make sure your privacy practices and documentation are robust
- Consider maintaining alternative transfer mechanisms (e.g., Standard Contractual Clauses, Binding Corporate Rules) in case of future invalidation
Did you catch it?
One Year into Oregon’s Consumer Privacy Act: Insights, Updates, and What Comes Next. Read the blog here.
TCPA & TELESERVICES
FTC Enforcement Action Targets Deceptive SSDI Marketing Tactics
Citizens Disability and its subsidiary will pay a $1 million penalty to settle alleged violations of the FTC’s Telemarketing Sales Rule and FTC Act. The FTC claims the companies made more than tens of millions of illegal telemarketing calls, including calls to more than 25 million numbers on the Do Not Call Registry, and misrepresented to consumers that the calls were in response to inquiries about their eligibility for Social Security Disability Insurance benefits. The complaint also alleges the companies used deceptive lead generation tactics, collecting personal contact information through websites offering sweepstakes and coupons, then using that data to make the misleading sales calls while failing to disclose that the information would be used for that purpose.
The proposed consent order bans the companies from using pre-recorded robocalls and calling numbers on the Do Not Call Registry for certain telemarketing purposes, prohibits misleading claims including that the call is in response to SSDI inquiries, and requires them to monitor their lead generators to prevent deceptive practices. It also includes a $2 million penalty that will be partially suspended after payments totaling $1 million are made within one year after the order is entered.
BUSINESSES NEED TO KNOW: Don’t let headlines lull you into a TCPA-only compliance trap. Businesses relying on telemarketing or third-party lead generation must also ensure full compliance with the Telemarketing Sales Rule and the FTC Act, as well as the individual telemarketing laws of each state to which they are making calls.
ADVERTISING & MARKETING
Temu Hit with $2M Fine in First-Ever Enforcement of Online Marketplace Transparency Law
Online retail platform Temu will pay a $2 million penalty to settle allegations that it violated the INFORM Consumers Act, a federal law aimed at protecting shoppers from counterfeit, stolen, or unsafe goods sold by high-volume third-party sellers. In effect since mid-2023, the INFORM Act requires marketplaces to offer plain-language reporting options and display seller details like name, address, and contact info across all platforms.
In its first enforcement action under the INFORM Act, the FTC found Temu failed to provide clear, accessible tools for reporting suspicious products, didn’t disclose required seller contact information on its mobile site, and used gamified shopping features that made it harder for consumers to identify or reach sellers directly and made reporting tools hard to find or use.
Under the settlement, Temu must:
- Offer easy-to-use electronic and phone reporting tools that let users review and confirm their reports
- Clearly display seller information and reporting tools on its app, website, and gamified listings
- Comply with FTC guidelines across all versions of its platform
BUSINESSES NEED TO KNOW: The INFORM Act is now being actively enforced. If you run or sell through an online marketplace, make sure your platform is transparent, user-friendly, and legally compliant. Creative sales approaches are great, but remember, gamified, incentivized, or non-traditional shopping experiences aren’t exempt, and every listing must meet the legal requirements.
Amazon to Pay $2.5 Billion in Landmark FTC Settlement Over Prime Subscription Practices
Just days into what was expected to be a lengthy trial, Amazon has agreed to a historic $2.5 billion settlement with the FTC, resolving allegations that it deceptively enrolled millions of consumers into Prime subscriptions and made cancellation intentionally difficult. The settlement includes:
- A $1 billion civil penalty, the largest ever for an FTC rule violation
- $1.5 billion in consumer refunds, the second-largest restitution award in FTC history
- Mandated reforms to Prime’s enrollment and cancellation processes, including transparent subscription terms, disclosures, and easier opt-out mechanisms
The FTC asserts that Amazon did not clearly disclose Prime’s subscription terms, charged consumers before obtaining their express, informed consent, and did not offer a straightforward and accessible mechanism for cancellation, all actions that violate the Restore Online Shoppers’ Confidence Act (ROSCA). Notably, three Amazon executives were also named in the suit and faced personal liability for the alleged violations.
BUSINESSES NEED TO KNOW: Two areas of non-compliance are coming under increased scrutiny by regulators these days: 1) the use of online dark pattern tactics that can manipulate consumers into taking unwanted actions, and 2) making it difficult, confusing, or time-consuming for consumers to cancel subscriptions. And of course, transparency is non-negotiable. Companies must clearly and conspicuously disclose all material terms of subscription services (such as pricing, renewal frequency, and cancellation procedures) before charging consumers.
Skechers Joins Growing List of Retailers Facing Washington CEMA Lawsuits
Footwear brand Skechers is the latest retailer facing a proposed class action lawsuit in Washington federal court for allegedly sending hundreds of misleading marketing emails that falsely created urgency around limited-time deals. The plaintiffs claim Skechers violated Washington’s Commercial Electronic Mail Act (CEMA) by repeatedly extending promotional offers while using subject lines like “Flash Sale Alert! Don’t Miss Today-Only Savings,” thereby wasting consumers’ time and clogging inboxes with deceptive messages.
The lawsuit claims that Skechers sent out marketing emails to thousands of putative class members at a rate of at least 388 per year over a four-year period. At a potential $1,500 in damages per email, the company could be facing tens of millions of dollars in liability.
BUSINESSES NEED TO KNOW: Businesses engaged in email marketing to Washington residents should pay close attention – we’re seeing a significant increase in CEMA class action lawsuits. This case follows an April Washington Supreme Court ruling against Old Navy, which broadened the interpretation of CEMA to include any false or misleading subject lines in commercial emails, regardless of whether or not consumer consent exists. A similar suit was also filed against Nike in June.
GENERAL COMPLIANCE
FTC Retreats from Noncompete Ban but Signals Future Targeted Enforcement
On September 5, the FTC officially dropped its appeals in two federal cases that had invalidated its rule banning most employee noncompete clauses, marking a strategic shift away from broad regulation. Originally adopted in April 2024, the rule was struck down by courts in Texas and Florida for exceeding the FTC’s authority.
Under new leadership, the FTC is pivoting from a broad ban to case-by-case enforcement. Just one day before dropping the appeals, the Commission announced a settlement with Gateway Services Inc. that bars the company from enforcing noncompete clauses affecting 1,800 workers. It also issued a Request for Information, soliciting public input on the scope and impact of noncompete agreements, to help shape future enforcement targets.
BUSINESSES NEED TO KNOW: Employers should expect continued scrutiny of these agreements, particularly those affecting low-wage workers. Read on for steps you can take to safeguard your employment contracts with regard to this issue.