In February of last year, Privacy World reported on the Federal Communications Commission’s (“FCC” or “Commission”) clarification and codification of its Telephone Consumer Protection Act (TCPA) consent rules (“Revocation Order”). Among other things, the agency confirmed that consent to receive autodialed calls and texts could be revoked by “any reasonable means” and included specific examples of such of such methods.

Continue Reading FCC Approved Limited, One Year Waiver of Key Element of New TCPA Consent Revocation Rules

As reported previously, the California Privacy Protection Agency (“CPPA”) closed the public comment period for its proposed cybersecurity audit, risk assessment and automated decision-making technology (“ADMT”) regulations (the “Proposed Regulations”) in late February. In advance of the CPPA’s April 4 meeting, the CPPA released a new draft of the Proposed Regulations, which proposed relatively minor substantive changes, but pushed back the dates for when certain obligations would become effective. The Agency’s Board met on April 4, 2025, to discuss the new proposals and comments received, as well as the potential for some very different alternatives, especially related to ADMT. Members of the CPPA Board debated the staff’s approach and ultimately sent the staff back to narrow the scope of the Proposed Regulations, clarify what was in and out of scope with more examples, and to further consider how to reduce the costs and burdens on businesses. While it is unclear exactly what staff will come back with, the alternatives discussed provide some hints on what a more constrained approach may look like.

Continue Reading The Future for California’s Latest Generation of Privacy Regulations is Uncertain

Our very own Alan Friel, Julia Jacobson, Kyle Dull and Samuel Marticke will be featured in a series of upcoming CLE webinars designed to equip legal professionals with practical strategies for drafting enforceable terms of use, managing privacy risks in AI, and navigating the latest state data privacy laws.

Continue Reading Join Us in April for Three Upcoming Strafford Webinars

In our earlier blog on recent changes affecting the Competition and Markets Authority (CMA), we anticipated more changes to come. The month of March has lived up to our expectations. On 12 March, the CMA launched a “call for evidence” for the review of its approach to merger remedies as well as a “Mergers Charter” for businesses, stating that:

“Both the merger remedies review and the Mergers Charter are part of the CMA’s programme of work to implement the ‘4Ps’ – pace, predictability, proportionality and process – across all its work, helping to drive growth and enhance business and investor confidence.”[1]

Continue Reading Ch-ch-ch-ch-changes… Part 2

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

FCC Seeks Comment on Quiet Hours and Marketing Messages | Privacy World

New Class Action Threat: TCPA Quiet Hours and Marketing Messages

CA Legislators Charge That Privacy Agency AI Rulemaking Is Beyond Its Authority

Data Processing Evaluation and Risk Assessment Requirements Under California’s Proposed CCPA Regulations

We recently published a blog about a slew of class action complaints alleging that marketing text messages cannot be sent between the hours of 9:00 pm and 8:00 am (“Quiet Hours”) unless the recipient provides prior express invitation or permission to receive such messages during Quiet Hours (“Quiet Hour Claims”). As noted, based on the plain language of the Telephone Consumer Protection Act (“TCPA”), we disagree with this argument because marketing text messages already require prior express written consent from the called party. The Ecommerce Innovation Alliance (EIA) and others filed a petition for declaratory ruling (“Petition”) with the Federal Communications Commission (“FCC”) to address this application of Quiet Hours to marketing messages.

Continue Reading FCC Seeks Comment on Quiet Hours and Marketing Messages

Actual spam calls have become a pervasive annoyance. On the other hand, text messages delivering information about exclusive sales and discounts are surely not if you have signed up for such messages.  But what about if those coveted discount code text messages are received late at night or early in the morning? That’s the question being raised in a flurry of class action complaints filed by the same Florida-based law firm.  

Key Takeaways

While these claims are sorted out, we recommend that businesses who send marketing messages ensure that such marketing messages are sent between the hours of 8:00 am and 9:00 pm based on the call recipient’s location. How do you determine the call recipient’s location for cell phones? A defensible position is using the call recipient’s area code to determine the caller’s location, although this is not a fool-proof method as people travel to different time zones with their cell phones. However, using the area code to assess location gives the business a defensible position, for now, as the plaintiffs in these recent class actions claim that they live in the area associated with their telephone’s area code. That defense may still be subject to challenge, though. In the alternative, businesses could obtain prior express written consent to receive marketing messages throughout the day, although from the plain reading of the Telephone Consumer Protection Act (“TCPA”), this should not be required.

Continue Reading New Class Action Threat: TCPA Quiet Hours and Marketing Messages

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

CA Legislators Charge That Privacy Agency AI Rulemaking Is Beyond Its Authority

Data Processing Evaluation and Risk Assessment Requirements Under California’s Proposed CCPA Regulations

Light at the End of the Tunnel – Are You Ready for the New California Privacy and Cybersecurity Rules?

Join Team SPB this Spring for Three Engaging Webinars

As we have covered, the public comment period closed on February 19th for the California Privacy Protection Agency (CPPA) draft regulations on automated decision-making technology, risk assessments and cybersecurity audits under the California Consumer Privacy Act (the “Draft Regulations”).  One comment that has surfaced (the CPPA has yet to publish the comments), in particular, stands out — a letter penned by 14 Assembly Members and four Senators. These legislators essentially charged the CPPA for being over its skis, calling out “the Board’s incorrect interpretation that CPPA is somehow authorized to regulate AI.” 

Continue Reading CA Legislators Charge That Privacy Agency AI Rulemaking Is Beyond Its Authority

As we have previously detailed here, the latest generation of regulations under the California Consumer Privacy Act (CCPA), drafted by the California Privacy Protection Agency (CPPA), have advanced beyond public comments are closer to becoming final. These include regulations on automated decision-making technology (ADMT), data processing evaluation and risk assessment requirements and cybersecurity audits. Recently, Privacy World’s Alan Friel spoke at the California Lawyer’s Association’s Annual Privacy Summit at UCLA in Westwood, California (Go Bruins!) on the evaluation and assessment proposals. Separately, Privacy World’s Lydia de la Torre, a CPPA Board Member until recently, spoke on artificial intelligence laws and litigation. A transcript of Alan’s presentation follows:

Continue Reading Data Processing Evaluation and Risk Assessment Requirements Under California’s Proposed CCPA Regulations