Search TCPA

As we have previously discussed, the Federal Communications Commission (the “FCC”) recently issued a Declaratory Ruling (“Declaratory Ruling”) that, among other things, likely exposes companies to even greater liability under the Telephone Consumer Protection Act (the “TCPA”).

The TCPA regulates communications, from companies to their consumers, that utilize an automatic telephone dialing system (“ATDS”).  Under the TCPA, before contacting a consumer via an ATDS, a company must obtain prior express consent.  (If the communication is for “telemarketing” purposes, the company must obtain this prior consent in writing.)  TCPA lawsuits have been brought not only against predictable defendants, such as telemarketing firms and debt collectors, but also against social networking companies, sports franchises, schools and universities, pharmaceutical companies, travel and entertainment companies, retailers, and online service providers.  Companies that outsource their telemarketing services to third-party vendors, it is important to note, are not immune from TCPA liability and, in fact, may be held directly liable for their vendors’ TCPA violations.  Faced with the prospect of staggering, uncapped statutory damage liability, companies have routinely settled TCPA class actions for tens of millions of dollars.

Even in single-plaintiff cases, damages under the TCPA can accumulate in a hurry.  In a recently decided case, a U.S. District Court granted partial summary judgment in favor of a TCPA plaintiff, awarding her $229,500 in damages.  Beyond the high damages figure, the case raises concern for companies that utilize ATDS because it demonstrates the breadth of TCPA liability.  In this case, Plaintiff alleged that Defendant made over 163 automated or prerecorded calls to her mobile phone without her consent.  Defendant moved to stay trial, arguing that the Court should await interpretive guidance from the FCC on the definition of “called party” under the TCPA.  This definition is significant, Defendant argued, because, although it ultimately called Plaintiff, it had intended to call the previous owner of Plaintiff’s number – a customer who had consented to receive calls regarding his past due account balance.  The Court denied Defendant’s motion, holding that “called party” unequivocally refers to the party actually called.  Defendant’s intent, the Court held, was only relevant on the issue of willfulness.

The Court also rejected Defendant’s argument that the system it used to call Plaintiff was not an ATDS because it did not generate numbers to dial at random or in sequence, but instead made a list of customers that met certain criteria – in this instance, customers who were behind on their bills – and dialed them.  Whether Defendant’s system actually dialed Plaintiff’s number randomly, however, the Court found, was irrelevant.  Because the system had the capacity to dial numbers at random, it was an ATDS.  Period.

Defendant’s next argument – that it was only liable for the 70 calls it made that were connected – was likewise unavailing.  Defendant, the Court held, “violated the statute each time it placed a call using its ATDS without consent, regardless of whether the call was answered by a person, a machine, or not at all.”

Although it resulted in only a nominal victory for Defendant, the Court drew an important distinction in the area of consent.  Between July 3 and October 3, 2013, Defendant placed 10 calls to Plaintiff via its ATDS.  Plaintiff was not the intended recipient of these calls – the prior owner of Plaintiff’s number was.  Following the tenth call, Plaintiff informed Defendant that she had assumed ownership of the number previously held by the customer that Defendant was attempting to reach, and asked Defendant to stop calling her.  Defendant did not do so, but instead called Plaintiff an additional 153 times.  The Court found that the first 10 calls – those preceding Plaintiff’s request that Defendant cease calling her – were covered by the broad consent given to Defendant under its Service Agreement (“We may call you . . . for any purpose . . .”), and thus were not violative of the TCPA.   Once Plaintiff requested that Defendant stop calling her, however, she effectively revoked her consent, and all calls thereafter violated the TCPA.  The Court held that Defendant’s violation of the TCPA was knowing and willful because it had ignored Plaintiff’s request that it cease calling her.  The Court thus awarded Plaintiff treble damages.

Had the Court issued its decision after the Declaratory Ruling was released, it likely would have tagged Defendant with an additional nine TCPA violations.  To encourage businesses to institute new and/or better safeguards against calling reassigned numbers, the Declaratory Ruling limits companies to one call following reassignment before liability begins to accrue.  To avail itself of even this narrow safe haven, a company must have a reasonable basis for believing that its one call was consented to.

In sum, the Declaratory Ruling has opened the door to even greater liability under the TCPA.  Additionally, as we covered back in May, the U.S. Supreme Court will soon decide the fate of a valuable strategy to limit TCPA liability – offers of judgment under Rule 68 of the Federal Rules of Civil Procedure.  If the Court rules that TCPA defendants may no longer utilize this tool, the settlement leverage of TCPA plaintiffs will be dramatically enhanced, and the plaintiff’s bar will be emboldened in its search for TCPA plaintiffs.  In light of the present breadth of liability under the TPCA, and the possibility that it may soon become even more expansive, companies should strongly consider the following preventative measures, among others:

  1. Review the policies and practices of third party vendors to ensure that they are not sending communications violative of the TCPA;
  2. Either obtain written consent for all ATDS communications, or be sure to carefully delineate between telemarketing and non-telemarketing campaigns, obtaining written consent prior to sending any ATDS communication in connection with the former;
  3. Utilize consent forms that are conspicuous and easily understood, thereby mitigating the risk that the form will be deemed invalid;
  4. Maintain all consent records for at least four years (the statute of limitations period for TCPA claims);
  5. Assess the efficacy of current safeguards against calling reassigned numbers and, if necessary, improve or replace those safeguards; and
  6. Provide consumers user-friendly mechanisms– such as texting “STOP” or “UNSUBSCRIBE” – to opt-out of receiving TCPA-covered communications.

 

As anticipated, on July 10, 2015, the Federal Communications Commission (FCC) released its Telephone Consumer Protection Act (TCPA) Omnibus Declaratory Ruling which had previously been approved on June 18, 2015.  The Declaratory Ruling takes effect immediately.

In short, the Declaratory Ruling provides numerous rulings including:

  • Dialing equipment that simply has the capacity to store or produce, and dial random or sequential numbers meets the TCPA’s definition of “autodialer.”
  • Predictive dialers meet the definition of “autodialer.”
  • Callers cannot avoid obtaining consent by dividing ownership of pieces of dialing equipment that work in concert among multiple entities.
  • App developers do not make or initiate calls when one of the app users sends an invitational message using the app.
  • App developers do not make or initiate a text when an individual merely uses its service to set up auto-replies to incoming voicemails.
  • A called party may revoke consent at any time and through any reasonable means.
  • A calling party may not limit the manner in which revocation may occur.
  • If a question arises as to whether prior express consent was provided, the burden is on the calling party to prove that it obtained the necessary prior express consent.
  • The TCPA requires the consent not of the intended recipient of a call, but of the current subscriber (or non-subscriber customary user of the phone) and caller best practices can facilitate detection of number reassignment before calls are made.
  • Callers who make calls without knowledge of reassignment and with a reasonable basis to believe they have valid consent to make the call are permitted to initiate one call after reassignment as an opportunity to gain actual or constructive knowledge of the reassignment and cease future calls to the new subscriber.
  • For telemarketing calls, prior-express-written-consent requirements apply for each call made to a wireless number, rather than to a series of calls to wireless numbers made as part of a marketing or advertising campaign as a whole.
  • Nothing in the Communications Act or the FCC’s rules or orders prohibits carriers or VoIP providers from implementing call-blocking technology that can help consumers to stop unwanted robocalls.

In connection with the release of the Declamatory Ruling, FCC Chairman Tom Wheeler, who previously proposed the rulings said:

The American public has asked us – repeatedly – to do something about unwanted robocalls. Today we help Americans hang up on nuisance calls.

The text of the Declaratory Ruling makes it clear that the FCC’s interpretation of the TCPA is extremely broad, with the intent of protecting those who are called — often to the detriment of companies which are trying to reach their customers/clients, potential customers/clients, or other interested parties, often with no ill intent.

Yesterday, the Federal Communications Commission (FCC) adopted a package of declaratory ruling which is meant to provide clarity to the Telephone Consumer Protection Act (TCPA).  This ruling was previously proposed by FCC Chairman Tom Wheeler on May 27, 2015.

According to the FCC, the declaratory ruling is meant to protect consumers against unwanted robocalls and spam texts.  As we have previously discussed, complaints related to unwanted calls are the largest category of complaints received by the FCC.  The declaratory ruling was influenced by those complaints and is focused on addressing 23 petitions and requests for clarity on the FCC’s interpretations of the TCPA.

Key provisions of the ruling for consumers who use either landline or wireless phones include:

  • Green Light for ‘Do Not Disturb’ Technology – Service providers can offer robocall blocking technologies to consumers and implement market-based solutions that consumers can use to stop unwanted robocalls.
  • Empowering Consumers to Say ‘Stop’ – Consumers have the right to revoke their consent to receive robocalls and robotexts in any reasonable way at any time.
  • Reassigned Numbers Are Not Loopholes – If a phone number has been reassigned, companies must stop calling the number after one call.
  • Third-Party Consent – A consumer whose name is in the contacts list of an acquaintance’s phone does not consent to receive robocalls from third-party applications downloaded by the acquaintance.

Additional highlights for wireless consumers include:

  • Affirming the TCPA’ Definition of Autodialer – “Autodialer” is defined in the TCPA as any technology with the capacity to dial random or sequential numbers. This definition ensures that robocallers cannot avoid consumer consent requirements through changes in calling technology design or by calling from a list of numbers.
  • Text Messages as Calls – The FCC reaffirmed that consumers are entitled to the same consent-based protections for texts as they are for voice calls to wireless numbers.
  • Internet-to-Phone Text Messages – Equipment used to send Internet-to-phone text messages is an autodialer, so the caller must have consumer consent before calling.
  • Very Limited/Specific Exemptions for Urgent Circumstances – Free calls or texts to alert consumers to possible fraud on their bank accounts or remind them of important medication refills, among other financial alerts or healthcare messages, are allowed without prior consent, but other types of financial or healthcare calls, such as marketing or debt collection calls, are not allowed under these limited and very specific exemptions. Also, consumers have the right to opt out from these permitted calls and texts at any time.

While the ruling provides clarity as to the FCC’s interpretation of the TCPA, it also makes it clear that the FCC intends to interpret the provisions of the TCPA very broadly in an effort to afford the greatest protections to consumers – often at the expense of legitimate businesses.  Declaratory Ruling and Order (FCC 15-72) was approved by a 3-2 vote, with Chairman Wheeler and Commissioner Clyburn, Commissioners Rosenworcel and O’Rielly approving and dissenting in part and Commissioner Pai dissenting.   The ruling takes effect immediately upon release of the full text.  For additional information concerning the TCPA and its potential impact on you or your business, please see our TCPA FAQs.

 

Last week, Federal Communications Commission (FCC) Chairman Tom Wheeler circulated proposed declaratory rulings to provide clarity for consumers and businesses regarding the Telephone Consumer Protection Act (TCPA).  The proposal addresses two dozen petitions that sought clarity on how the FCC enforced the TCPA.  In addition to circulating his proposal to the other FCC commissioners for their consideration, Chairman Wheeler also issued a fact sheet to the public concerning the proposal.

As highlighted by Chairman Wheeler, unwanted calls and texts are the number one consumer complaint to the FCC, including 215,000 TCPA complaints in 2014.

The proposed rulings would include:

  • Giving consumers the right to revoke their consent to receive robocalls and robotexts in any way at any time.
  • Allowing carriers to implement market-based solutions to block robocalls.
  • Making clear that a reassigned number would not permit a barrage of robocalls which the previous subscriber consented to, and instead require calls to stops after one call.
  • Defining an “autodialer” as any technology with the capacity to dial random or sequential numbers.
  • Allowing very limited and specific exceptions to urgent circumstances which would be exempt from TCPA liability and permitting consumers to opt out of these calls and texts as well.

In addition, the proposal would leave in place many existing protections which exist under the TCPA including, but not limited to, the Do-Not-Call List, limits on Telemarketing Robocalls, and no exception for Political Calls.  Notably, the proposal would also stress the FCC’s strong enforcement of the TCPA.

The proposal will be voted on at the FCC’s Open Meeting on June 18, 2015 and if approved, would be considered in effect immediately upon release.

For more information concerning the TCPA and its potential impact on you or your business, please see our TCPA FAQs.

 

On May 18, 2015, the United States Supreme Court granted a petition for a writ of certiorari to address (1) whether a case becomes moot when the plaintiff receives an offer of complete relief on his claim and (2) whether the answer to the first question is any different when the plaintiff has asserted a class claim under Federal Rule of Civil Procedure 23, but receives an offer of complete relief before any class is certified.   The Court will also address the applicability of the doctrine of derivative sovereign immunity.

The case, Campbell-Ewald Co. v. Gomez, No. 14-857, comes before the Court on the petition of Campbell-Ewald after the Ninth Circuit ruled on September 9, 2014, that Campbell-Ewald could be held liable under the Telephone Consumer Protection Act (TCPA) for text messages it sent to approximately 100,000 individuals in connection with Navy recruitment.

In the underlying case, Campbell-Ewald offered the plaintiff, Jose Gomez, $1503 per violation of the TCPA.  The TCPA permits statutory damages ranging from $500 to $1500 per violation.  Accordingly, Campbell-Ewald’s offer would have afforded Gomez his full measure of damages available.  Gomez subsequently rejected the offer by allowing it to lapse in accordance with its terms.  Campbell-Ewald then moved to dismiss the case under Rule 12(b)(1), arguing that Gomez’s rejection of the offer mooted the personal and putative class claims.  In denying Campbell-Ewald’s motion, the Ninth Circuit held that the plaintiff’s individual claim was not mooted by the plaintiff’s refusal to accept a settlement offer under Federal Rule of Civil Procedure 68 – commonly known as the Offer of Judgment Rule.  Additionally, the Ninth Circuit held the putative class claims are not moot because an unaccepted offer of judgment – for the full amount of the named plaintiff’s individual claim and made before the named plaintiff files a motion for class certification – does not moot a class action.  In support of its motion, Campbell-Ewald argued that the Supreme Court’s holding in Genesis Healthcare Corp. v. Symczyk was controlling.  The Ninth Circuit rejected Campbell-Ewald’s assertion finding that the Genesis holding, which involved a collection action brought pursuant to the Fair Labor Standards Act, does not apply to class actions brought under Rule 23 – such as claims for violations of the TCPA.

It is expected that the Supreme Court’s decision in this case will clarify a split among the Circuit Courts as to whether a full offer of relief to the named plaintiff ends the case or not.  As we previously discussed, the Eleventh Circuit, similar to the Ninth Circuit, has held that an unaccepted offer of judgment to a named plaintiff did not moot the named plaintiff’s claims.  In contrast, the Seventh Circuit, has held that an offer of judgment to the named plaintiff, made prior to the filing of a motion for class certification, can moot the class action.  As a plaintiff’s damages under the TCPA are specified by the statute and thus easily ascertainable, this split has likely affected the defense and prosecution of TCPA claims.  In particular, the plaintiffs’ bar may prefer to bring TCPA claims in a Circuit where an offer of judgment cannot render a class action moot; while the defense bar may seek to utilize the offer of judgment to eliminate potential class claims where a limited number of plaintiffs are actually named in the suit.

The Supreme Court’s decision in this case will likely have a significant impact on TCPA claims, as well as class actions brought pursuant to Rule 23.    Should the Court agree with Campbell-Ewald, a TCPA defendant will be permitted to address a specific plaintiff’s damages without concern for a theoretical class of plaintiffs.  By contract, should the court disagree with Campbell-Ewald, defendants will need to reconsider how they defend, and seek to resolve, class action complaints brought under the TCPA.

For additional insight, please see the related post from our Class and Collective Action group.

One of the most complex issues under the Telephone Consumer Protection Act (TCPA) is determining whether the technology utilized qualifies as an “automatic telephone dialing system” (ATDS) or “autodialer.”  The TCPA prohibits using an ATDS to make calls to cell phone numbers, absent prior consent of the called party.  An ATDS  is generally define as equipments which has the capacity to store or generate telephone numbers randomly or sequentially and dial those numbers.
The U.S. District Court for the Southern District of California recently held that the electronic platform for sending promotional text messages was not an autodialer because it could not generate random or sequential numbers.  While guidance from the Federal Communications Commission, as well as decisions at the district and circuit court level, have focused on whether a system has the capacity to generate and dial numbers without human intervention (even if the numbers came from a defined list, as opposed to randomly generated), the Court here distinguished such reasoning.
Here, the plaintiff joined defendant’s fitness center in 2012.  The defendant utilized a 3rd-party, web-based platform to then send promotional text messages to members and prospective members on their cell phones.  The system utilized could enter numbers manually; by collecting numbers individuals entered on the defendant’s website, or by collecting numbers when individuals responded via text message to marketing campaigns.  The plaintiff allegedly received 3 unwanted text message and brought suit.  Thereafter, the defendant moved for summary judgment asserting that the platform used with not an ATDS and the Court agreed.
Despite FCC guidance which states that equipment that can generate and dial numbers without human intervention would qualify as an ATDS, whether or not the numbers are randomly or sequentially generated, the Court found that the definition of ATDS within the statute is clear and unambiguous and the FCC does not have rule making authority.  Agreeing with some other cases which have addressed this issue, the Court found that “capacity” means the systems current capabilities, not its “potential.”  The Court said that focusing on “capacity” would subject a wide array of devices to the TCPA (e.g. all computers and smartphones).
As the defendant’s platform required human intervention, it was not an ATDS and thus the Court granted summary judgment in defendant’s favor.

In a recent ruling, the U.S. Court of Appeals for the Second Circuit revived a claim against debt collector under the Telephone Consumer Protection Act (“TCPA”), finding that the recipient of the call never expressly consented to the calls.

The plaintiff, Albert Nigro, called the power company to discontinue service at the home of his recently deceased mother-in-law, Joan Thomas.  As required by the power company, Nigro provided his own telephone number.  Thereafter, the power company hired a third party, Mercantile Adjustment Bureaus (“MAB”) to collect on Thomas’ outstanding debt to the power company.  In connection with those collection efforts, MAB called Nigro. 

Nigro subsequently filed suit against MAB alleging MAB’s calls to Nigro violated the TCPA.  The district court granted MAB’s motion for summary judgment holding that MAB was not liable under the TCPA because Nigro had consented to the calls by providing his number to the power company.

On appeal to the Second Circuit, the Court reversed the district court’s granting of summary judgment and stated that Nigro “plainly did not consent” to the calls.  The Court went on to say that Nigro was apparently not event aware of the debt to the power company, was not responsible for same, and did not provide his telephone number in connection with the transaction that resulted in the debt.  Specifically, the Court cited a 2008 Federal Communications Commissions (“FCC”) ruling finding that Nigro did not consent because his number was not “provided during the transaction that resulted in the debt owed.”

Notably, the FCC also filed a brief in the Second Circuit asking the Court to reverse to district court’s ruling.  In their brief, the FCC similarly argued that Nigro’s provision of his cell phone number to the power company did not qualify as consent to receive autodialed or prerecorded debt collection calls to that number.

As highlighted by this case, often one of the most difficult issues to navigate when considering TCPA compliance is the issue of consent and how it was obtained.

A blend of evolving judicial interpretation, aggressive plaintiffs’ counsel, and decades-old statutory language has brought new life to the Florida Security of Communications Act (FSCA) as a vehicle for challenging commonplace website technologies.

At its core, the FSCA was enactedto protect privacy by prohibiting the unauthorized interception of wire, oral, or electronic communications — with far stricter requirements than federal law. Unlike the federal Wiretap Act (which allows one-party consent), Florida typically requires all-party consent before recording or intercepting electronic communications. The FSCA also generally prohibits the interception of any wire, oral, or electronic communications, as well as the use and disclosure of unlawfully intercepted communications “knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication.”

The New Wave of FSCA Claims

For plaintiffs, an attractive provision of the FSCA is that actual damages need not be established to recover for violations. Under the FSCA, a plaintiff can recover liquidated damages of at least $1,000 for violations without a showing of actual harm, as well as punitive damages and attorneys’ fees. One need only examine the explosion of litigation under other laws with similar damages provisions (e.g., the California Invasion of Privacy Act (CIPA), Telephone Consumer Protection Act (TCPA), Illinois Biometric Information Privacy Act (BIPA), the Illinois Genetic Information Privacy Act (GIPA)) to see this model in action.

For years, courts were reluctant to apply the FSCA to digital technologies like website trackers or analytics tools. Courts routinely dismissed early FSCA lawsuits targeting session-replay software and cookies—finding that these tools didn’t intercept the “contents” of communications in a manner the statute was meant to reach. See Jacome v. Spirit Airlines, Inc., No. 2021-000947-CA-01 (Fla. 11th Cir. Ct. June 17, 2021). This view may be shifting.

Recent cases suggest courts may be more open to digital wiretapping-type claims brought in Florida that previously indicated.

  • A nationwide class action pending in the Southern District of Florida, Cobbs v. PetMed Express, Inc.,  alleges that PedMed Express,  an online veterinary pharmacy, used embedded tracking technologies that enabled third-party companies to capture information about consumers’ prescription-related browsing and purchase activity  on its website.   The tracking tools allegedly intercepted URLs, search queries, and personally identifiable information such as email addresses and phone numbers.   This case highlights the growing litigation risks associated with embedded website tracking technologies – particularly when sensitive data such as prescription or health-related information is involved.
  • In Magenheim v. Nike, Inc., filed in December 2025  in the Southern District of Florida, the plaintiffs allege that Nike triggered undisclosed tracking technologies on visitors’ web browsers immediately upon visiting the website – before users could review privacy disclosures or provide consent – and even when users enabled Global Privacy Control (GPC) signals or selected do not share my data on the site.   This lawsuit seeks class certification to include all Florida visitors to Nike’s website over the past two years.  This case underscores the increasing litigation risk surrounding online privacy expectations and the handling of browser-based tracking data.
  • In a lawsuit filed against a large health system in Florida and pending before the U.S. District Court for the Middle District of Florida, the plaintiff, a patient of that health system, alleges that the hospital system embedded tracking technologies within its website and patient portal.   As plead in the putative class action,  the tracking tools allegedly intercepted patients’ online queries regarding symptoms, treatments and other health related content.   The FSCA claims and the federal Wiretap Act survived a motion to dismiss, inline with the growing trend of courts scrutinizing the use of tracking technologies – particularly in the health care context.

What Courts Are Grappling With

At the heart of these disputes are questions that courts nationwide are wrestling with:

  • What constitutes an “interception” under an analog-era statute when applied to digital data?
  • Do URLs, clicks, form inputs, and other web interactions qualify as the “contents” of communications protected by wiretapping laws?
  • When (and whether) consent provided via privacy notices or cookie banners is sufficient to defeat a statutory wiretapping claim?

Courts have reached different answers, leaving Florida business in limbo with the uncertainty driving increasing claims from plaintiffs.

What This Means for Your Business

Whether you operate a website, mobile app, or digital marketing campaign, the Florida FSCA litigation trend shows no signs of slowing. To mitigate risks and avoid becoming a target of wiretapping claims, consider the following practical steps:

1. Audit All Tracking Technologies

Inventory all third-party pixels, session-replay tools, analytics scripts, and email tracking. Understand what data they capture, when it’s transmitted, and what third parties receive it.

2. Reevaluate Your Consent Mechanisms

Passive privacy disclosures may not be enough. Use clear, affirmative consent mechanisms (e.g., click-to-accept banners) that disclose what is collected and how it is used before any tracking occurs.

3. Limit Data to What’s Necessary – Minimization

Where possible, restrict the capture of high-risk data (e.g., URLs revealing sensitive information or form content) and weigh whether aggressive tracking is essential for business purposes.

4. Update Privacy Policies and Terms

Make your data collection and sharing practices transparent and easily accessible. Regularly update legal disclosures to mirror how tools actually function.

5. Tighten Vendor Contracts

Ensure contracts with analytics, marketing, and tracking vendors allocate compliance responsibility and include indemnification clauses where appropriate.

6. Monitor Legal Developments

Florida’s legal landscape is shifting rapidly. Maintain awareness of new decisions and legislative changes that may clarify or expand FSCA applicability.

Conclusion

The surge of digital wiretapping claims under the Florida Security of Communications Act illustrates how old statutes can take on new life in an era of ubiquitous data collection. What once was a niche privacy theory now threatens to expose businesses — large and small — to class action exposure and costly litigation.

By understanding the evolving legal landscape and implementing proactive compliance strategies, companies can better safeguard their digital practices and reduce the risk of costly FSCA claims.

To celebrate Data Privacy Day (January 28), we present our top ten data privacy and cybersecurity predictions for 2024.

  1. AI regulations to protect data privacy.

Automated decision-making tools, smart cameras, wearables, and similar applications, powered by technology commonly referred to as “artificial intelligence” or “AI” will continue to expand in 2024 as will the regulations to protect individuals’ privacy and secure data when deploying those technologies. Last year, we saw a comprehensive Executive Order from the Biden Administration, the New York City AI law take effect, and states like Connecticut passed laws regarding the state use of AI. Already in 2024, several states have introduced proposed AI regulation, such as  New York developing an AI Bill of Rights.

The use of “generative AI” also exploded, as several industries sought to leverage its benefits while trying to manage risks. In healthcare, for example, AI and HIPAA do not always mix when it comes to maintaining the confidentiality of protected health information. Additionally, generative AI is not only used for good, as criminal threat actors have enhanced their phishing attacks against the healthcare industry.

  1. The continued expansion of the patchwork of state privacy laws.

In 2023, seven states added comprehensive consumer privacy laws. And several other states enacted more limited privacy laws dealing with social media or health-related data. It looks like 2024 will continue the expansion. Already in 2024, New Jersey has passed its own consumer privacy law, which takes effect in 2025. And New Hampshire is not far behind in potentially passing a statute.

  1. Children’s data protections will expand.

In 2023, several states passed or considered data protection legislation for minors with growing concerns that the Children’s Online Privacy Protection Act (COPPA) was not sufficient to protect children’s data. Connecticut added additional protections for minors’ data in 2023.

In 2024, the Federal Trade Commission (FTC) issued a notice of proposed rulemaking pertaining to COPPA, in addition to several states proposing legislation to protect children’s online privacy.

  1. Cybersecurity audits will become even more of a necessity to protect data.

As privacy protection legislation increases, businesses must start working to protect the data they are collecting and maintaining. The importance of conducting cybersecurity audits to ensure that policies and procedures are in place.

In 2023, there California Privacy Protection Agency considered regulations pertaining to cybersecurity audits. The SEC and FTC expanded obligations for reporting security breaches, making audits, incident response planning, and tabletop exercises to avoid such incidents all the more important.

It is anticipated there will be further regulations and legislation forcing companies to consider their cybersecurity in order to protect individuals’ privacy.

  1. Genetic and health data protection will continue to rise.

In 2023, Nevada and Washington passed health data privacy laws to protect data collected that was not subject to HIPAA. Montana passed a genetic information privacy law. Already this year Nebraska is advancing its own genetic information privacy law. It is likely concerns about health and genetic data will grow along with other privacy concerns and so too will the legislation and regulations. We also have seen a significant uptick in class action litigation in Illinois under the state’s Genetic Information Privacy Act (GIPA). A close relative to the state’s Biometric Information Privacy Act (BIPA), GIPA carried nearly identical remedy provisions, except the amounts of statutory damages are higher than under BIPA.

  1. Continued enforcement actions for data security.

As legislation and regulations grow so too will enforcement actions. Many of the state statutes and city regulations only allow for governmental enforcement, however, those entities are going to start enforcing requirements to ensure there is an incentive for businesses to comply. In 2023, we saw the New York Attorney General continue its active enforcement of data security requirements.

  1. HIPAA compliance will continue to be difficult as it overlaps with cybersecurity.

In 2023, the Office of Civil Rights (OCR) which enforces HIPAA, discussed issues with driving cybersecurity and HIPAA compliance as well as other compliance concerns.  In 2024, entities required to comply with HIPAA will be challenged to determine how to use new and useful technologies and data sharing while maintaining privacy, while also protecting HIPAA-covered information as cybersecurity threats continue to flourish.

  1. Website tracking technologies will continue to be in the hot seat.

In 2023, both the FTC and the Health and Human Services (HHS) took issue with website tracking technologies such as through “pixels”. By the time that guidance was issued, litigation concerning these technologies pertaining to data privacy and data sharing concerns had already been expanding. To help clients identify and address these risks Jackson Lewis and SecondSight joined forces to offer organizations a website compliance assessment tool that has been well received.

In 2024, it is anticipated that there will be further website-tracking litigation as well as enforcement actions from governmental agencies that see the technology as infringing on consumers’ privacy rights.

  1. Expect biometric information to increasingly be leveraged to address privacy and security concerns.

As we move toward a “passwordless” society,  technologies using biometric identifiers and information continue to be the “go-to” method for authentication. However, also increasing are the regulations on the collection and use of biometric information. While the Illinois Biometric Information Privacy Act (BIPA) is most prolific in its protection of biometric information, many of the new comprehensive privacy laws include protections for biometric information. See our biometric law map for developments.  

  1. Privacy class actions will continue to increase.

Whether it is BIPA, GIPA, CIPA, TCPA, DPPA, pixel litigation, or data breach class actions, 2024 will likely see an increase in privacy-related class actions. As such, it becomes more important than ever for businesses to understand and ensure the protection of the data they collect and control.

For these reasons and others, we believe data privacy will continue to be at the forefront of many industries in 2024, and Jackson Lewis will continue to track relevant developments. Happy Privacy Day!

On May 25, 2023, the Governor of Florida signed a bill amending the Florida Telephone Solicitation Act (FTSA). The amendments under Florida’s House Bill (HB) 761, become effective immediately upon signing by the Governor. Moreover, the amendments apply retroactively to any class action not certified on or before May 25, 2023.

The FTSA is Florida’s version of the federal Telephone Consumer Protection Act (TCPA), however, the FTSA was previously considered more restrictive than the federal version.

HB 761 however makes the following changes to FTSA:

  • Revises the prohibition on telephonic sales calls that use an automated system to specifically include unsolicited calls using automated systems for the section and dialing of telephone numbers or playing of a recorded message.
  • Clarifies what constitutes consent and clear and conspicuous disclosure.
  • Revises what constitutes a consumer’s “signature” for purposes of giving prior express written consent to include either an electronic or digital signature or an “act demonstrating consent,” which may include a simple affirmative response.
  • Provides a safe harbor period of 15 days from the date a consumer notifies the telephone solicitor that he or she does not want to receive text message solicitations.

While these amendments will take some of the sting out of the FTSA, businesses should still be aware of their practices when it comes to Florida to ensure compliance with the TCPA and the scaled-back FTSA.

If you have questions regarding FTSA or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.