Kyle Dull

In February of last year, Privacy World reported on the Federal Communications Commission’s (“FCC” or “Commission”) clarification and codification of its Telephone Consumer Protection Act (TCPA) consent rules (“Revocation Order”). Among other things, the agency confirmed that consent to receive autodialed calls and texts could be revoked by “any reasonable means” and included specific examples of such methods.

Continue Reading FCC Approved Limited, One Year Waiver of Key Element of New TCPA Consent Revocation Rules

We recently published a blog about a slew of class action complaints alleging that marketing text messages cannot be sent between the hours of 9:00 pm and 8:00 am (“Quiet Hours”) unless the recipient provides prior express invitation or permission to receive such messages during Quiet Hours (“Quiet Hour Claims”). As noted, based on the plain language of the Telephone Consumer Protection Act (“TCPA”), we disagree with this argument because marketing text messages already require prior express written consent from the called party. The Ecommerce Innovation Alliance (EIA) and others filed a petition for declaratory ruling (“Petition”) with the Federal Communications Commission (“FCC”) to address this application of Quiet Hours to marketing messages.

Continue Reading FCC Seeks Comment on Quiet Hours and Marketing Messages

Actual spam calls have become a pervasive annoyance. On the other hand, text messages delivering information about exclusive sales and discounts are surely not if you have signed up for such messages.  But what about if those coveted discount code text messages are received late at night or early in the morning? That’s the question being raised in a flurry of class action complaints filed by the same Florida-based law firm.  

Key Takeaways

While these claims are sorted out, we recommend that businesses that send marketing messages ensure that such marketing messages are sent between the hours of 8:00 am and 9:00 pm based on the call recipient’s location. How do you determine the call recipient’s location for cell phones? A defensible position is using the call recipient’s area code to determine the recipient’s location, although this is not a fool-proof method as people travel to different time zones with their cell phones. However, using the area code to assess location gives the business a defensible position, for now, as the plaintiffs in these recent class actions claim that they live in the area associated with their telephone’s area code. That defense may still be subject to challenge, though. In the alternative, businesses could obtain prior express written consent to receive marketing messages throughout the day, although from the plain reading of the Telephone Consumer Protection Act (“TCPA”), this should not be required.

Continue Reading New Class Action Threat: TCPA Quiet Hours and Marketing Messages

In December 2023, Privacy World reported on an order from the Federal Communications Commission (“FCC”) designed in part to close the “lead generator loophole” in the agency’s Telephone Consumer Protection Act (“TCPA”) consent rules. Now, just over a year later, on January 24, 2025, the United States Court of Appeals for the Eleventh Circuit (“11th Circuit” or “Court”) resoundingly rejected the FCC’s closure efforts, finding that the agency exceeded its statutory authority under the TCPA.

Continue Reading Circuit Court Employs Loper Bright to Knock Out the FCC’s TCPA One-to-One Consent Rule

2024 was an active year for regulation of customer contracts with “negative option” features. Generally, a “negative option” provision in an offer to sell products or provide services means that a customer’s silence or failure to take action to reject the terms of the offer is deemed by the seller as the customer’s acceptance of the offer terms.

Earlier in 2024, three states updated laws related to negative option provisions in customer contracts (together, the 2024 State Autorenewal Laws):

  1. Utah enacted its Automatic Renewal Contracts Act on March 13, 2024, with an in-force date of January 1, 2025. (Utah ARCA)
  2. Virginia amended its consumer protection law related to automatic renewal and continuous service offers (which was effective on July 1, 2024) (Virginia AR Law).
  3. California amended its Automatic Purchase Renewals law on September 24, 2024 with the amendments in force on July 1, 2025 (California AR Law).

Then, on October 16, 2024, the Federal Trade Commission (FTC) issued the final version of its “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (FTC Final Rule). (We previously covered the FTC’s notice of proposed rulemaking for negative options on Privacy World here.)  The Federal Register publication date for the FTC Final Rule is November 15, 2024. Whether the FTC Final Rule will survive the change in Administration is an open question, as discussed below.

Both the 2024 State Autorenewal Laws and FTC Final Rule include new or expanded obligations. When effective, the FTC Final Rule will preempt the 2024 State Autorenewal Laws (and the other similar state laws) to the extent they are “inconsistent” with its requirements. State laws that afford greater protection than the FTC Final Rule are not inconsistent with the FTC Final Rule. In other words, the FTC Final Rule sets a national “floor,” and states may add more consumer-protective obligations, as reflected in certain aspects of the 2024 State Autorenewal Laws described below.

Continue Reading Cancel Culture: New Requirements for Automatic Renewal and Other Negative Option Offers

Building a customer base is time-consuming and expensive. Engaging existing customers is often easier and more profitable than acquiring new customers.  In the US, email and other targeted marketing is a low-cost and high-ROI way to foster this engagement, which makes collecting customers’ email addresses (and other personal information) a high priority for marketers.  But, marketers beware: laws in California and Massachusetts that limit the collection of email addresses (and other personal information) at the point of purchase are an increasingly popular source of class action legal risk. While the laws in California and Massachusetts are popular with plaintiffs’ counsel now, several other states have similar laws, applying to different categories of information (e.g., some state laws only apply to address and telephone number) and transactions and varying enforcement mechanisms (e.g., criminal penalties or state attorney general enforcement).

Key Takeaways

  • Ensure that retail location staff understand that the collection of a customer’s personal information that is not required to complete a transaction must be the customer’s choice.  Requesting a customer email address or other contact data during the purchase process – such as for tailored discounts and rewards – is permitted as long as the customer knows it is voluntary, i.e., not required to complete the purchase transaction.  Further, to avoid errors and discourage claims, clearly delineate subscriptions from transactions by separating sign-ups from purchases.
  • Check that etailer (i.e., e-commerce stores)  purchase transaction flows do not require additional personal information that is not necessary to complete the transaction and clearly disclose to customers what is and is not required. 
  • Beware of personal information collection by cookies, pixels and similar technology active on purchase transaction web pages.
  • Implement written policies and procedures – whether online or off – to document what personal information collected is mandatory vs. voluntary.

Continue Reading Collecting Personal Information during Checkout: Balancing Consumer Rights with Business Marketing

The Federal Communications Commission (“FCC” or “Commission”) continues its regulatory focus on Artificial Intelligence (“AI”) in the communications world, with the issuance of new proposed regulations designed to protect consumers from harmful AI-generated communications, targeting robocalls, automated texting, and political advertising.

The FCC has formally moved forward with a combined Notice of Proposed Rulemaking and Notice of Inquiry (“NPRM/NOI”) “to protect consumers from the abuse of AI in robocalls alongside actions that clear the path for positive uses of AI, including its use to improve access to the telephone network for people with disabilities.”

The NPRM/NOI, released on August 8, 2024, seeks public comment on many of the major provisions that Squire Patton Boggs previously reported on in the draft proposal, albeit with some changes.  These include, for example:

Continue Reading FCC Moves Forward with Proposed Rules for Use of Artificial Intelligence with Robocalls and Political Advertisements

In a final push before adjourning for the summer, state legislators across the country contemplated consumer privacy laws.  Three legislatures made it to the finish line.  One, Minnesota’s state legislature, passed the Minnesota Consumer Data Privacy Act on May 19th as part of an appropriations bill, which was signed by Minnesota’s governor on May 24th.  Of the other two, one is pending gubernatorial action, and the other was vetoed.

The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPA) was passed by the state legislature on June 13th.  Before RI-DTPA becomes law, Governor McKee must either sign, take no action or veto it.  If signed, RI-DTPA is in force on January 1, 2026, like the Indiana Consumer Data Protection Act and Kentucky Consumer Data Privacy.

We are not, however, making assumptions about RI-DTPA’s passage.  This post was originally planned to cover the Minnesota Consumer Data Privacy Act and the Vermont Data Privacy Act, not the RI-DTPA.  On June 13th (the same day that RI-DTPA was passed), Vermont’s Governor Phil Scott vetoed the Vermont Data Privacy Act.  In his letter to Vermont’s General Assembly, Governor Scott noted that the Vermont Data Privacy Act created “big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.”  He also noted that the private right of action is “a national outlier, and more hostile” than any other state privacy law, notwithstanding its limited scope and sunset.  He raised the possibility of a First Amendment challenge to the Age-Appropriate Design Code (Section 6), noting that “similar legislation in California has already been [preliminarily enjoined] for likely First Amendment violations.” (See here.)  A veto override was not successful.

The RI-DTPA already faces opposition from privacy advocacy organizations claiming that RI-DTPA is too weak (see, e.g., here).  Advertising associations also reportedly oppose RI-DTPA.  Nonetheless, we have highlighted some key elements of RI-DTPA in this post so you can decide for yourself, together with answers to FAQs about the Minnesota Consumer Data Privacy Act (MN-CDPA) and how it is similar to and different from the other state consumer privacy laws.

Continue Reading Minnesota Makes 19: Will Rhode Island’s Privacy Law Replace Vermont’s Vetoed Privacy Law as #20?

Last week was a busy one for AI regulation. The week started and ended with big news from Colorado: on Monday, Colorado’s legislature passed “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems” (SB 24-205) (Colorado AI Law) and, on Friday, Governor Jared Polis (D) signed the Colorado AI Law “with reservations” according to his letter to Colorado’s legislature. Although the Colorado legislature is the first U.S. lawmaker to pass general AI legislation, Colorado’s Governor has expressly invited Congress to replace the Colorado AI Law with a national regulatory scheme before the Colorado AI Law’s February 1, 2026, effective date.

Continue Reading All Eyes on AI: Colorado Governor Throws Down the Gauntlet on AI Regulation After Colorado General Assembly Passes the Nation’s First AI Law

This week, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) unveiled their bipartisan, bicameral discussion draft of the American Privacy Rights Act (APRA draft).[1] Chair Rodgers’ and Chair Cantwell’s announcement of the APRA draft surprised many congressional observers after comprehensive privacy legislation stalled in 2022.

Continue Reading April’s APRA: Could Draft Privacy Legislation Blossom into Law in 2024?