Listen to this post

As in years past, the government continued its efforts to combat cybersecurity threats utilizing the False Claims Act (FCA). Overall, 2025 saw the highest FCA recoveries amount to date — over $6.8 billion in recoveries were awarded. With the ongoing Civil Cyber-Fraud Initiative, the focus remained on companies’ noncompliance with cybersecurity controls and allegations of knowledge of failed security requirements. As the Civil Cyber-Fraud Initiative moves into its fifth year, all federal contractors should remain mindful of federal cybersecurity requirements. To keep you apprised of the current enforcement trends and the status of the law, Bradley’s Government Enforcement and Investigations Practice Group is pleased to present the False Claims Act: 2025 Year in Review, our 14th annual review of significant FCA cases, developments, and trends.

Listen to this post

Florida lawmakers are once again weighing whether to provide litigation protections to companies that invest in meaningful cybersecurity safeguards. A revised proposal now pending before the Florida Legislature seeks to strike a balance between encouraging proactive data security measures and preserving consumer remedies following a breach. Data incidents are commonly met with class action lawsuits filed on behalf of individuals alleging harm stemming from the unauthorized access, acquisition, or exposure of personal information. As a result, what begins as a criminal act against a business often evolves into a complex web of regulatory, reputational, and litigation challenges.

A cyber incident, in and of itself, is not necessarily evidence of a breach of a duty to safeguard data. The unfortunate reality of our modern age means extremely secure entities may still be breached due to the evolving techniques of adversaries, both foreign and domestic. Even so, companies that experience cybersecurity incidents are often met with a wave of class action lawsuits in the aftermath. These complaints frequently rely on broadly framed allegations that the organization failed to implement or maintain “reasonable” data security measures, often without regard to the specific safeguards that were in place or the evolving nature of cyber threats.

Prompted by the escalating cost of these class action data breach litigations and the numerous headline-grabbing cyberattacks, particularly those in the healthcare industry, the Florida Legislature is once again pushing for cyber litigation reform that raises the liability standard for class action lawsuits arising from cybersecurity events.

The 2024 Effort and Its Veto

In 2024, the Florida Legislature passed House Bill 473, a measure designed to provide litigation protections to companies that suffer data breaches despite maintaining robust cybersecurity programs. The bill conditioned immunity on two primary requirements: compliance with Florida’s data breach notification law and implementation of a cybersecurity program aligned with recognized industry frameworks or legal standards.

The legislation was intended to address the growing wave of class action lawsuits filed in the wake of data incidents — many of which allege technical statutory violations even where companies have acted in good faith and maintained reasonable security controls. Proponents argued that offering a litigation presumption in favor of compliant businesses would incentivize stronger cybersecurity practices while helping mitigate the mounting costs of opportunistic breach litigation.

Although the Legislature approved the bill in March 2024, Gov. Ron DeSantis vetoed it. In his veto message, the governor expressed concern that the proposed immunity could limit meaningful recourse for consumers harmed by data breaches. He encouraged stakeholders to continue working with the Florida Cybersecurity Advisory Council to develop a framework that protects both businesses and consumers. See our previous blog on House Bill 473 here.

Senate Bill 635: A More Targeted Approach

Two years later, lawmakers have returned with Senate Bill 635, a revised version that attempts to address the concerns raised in 2024 while preserving incentives for cybersecurity investment. Like its predecessor, SB 635 would provide a presumption against liability in certain class action lawsuits arising from cybersecurity incidents. However, the scope of the protection has been narrowed, and the standards have been heightened.

Key provisions include:

  • Substantial Compliance Standard – Defendants must demonstrate “substantial compliance” — not merely “substantial alignment” — with standardized cybersecurity frameworks, such as from the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS) Critical Security Controls, ISO/IEC 27000, HITRUST CSF, SOC 2 Type 2, and/or other similar industry frameworks or standards.
  • Limited to Class Actions – The presumption applies only to class action lawsuits. Individual plaintiffs would retain the ability to pursue damages, and the presumption would not apply in those individual cases.
  • Government-Specific Requirements – Government entities must maintain a disaster recovery plan to qualify for the presumption.
  • Defined Personal Information – The bill includes a specific definition of “personal information,” clarifying the scope of covered incidents.

Under SB 635, private businesses and their third-party agents would be entitled to a presumption against liability in class action litigation if they substantially comply with the Florida Information Protection Act and implement cybersecurity policies consistent with recognized frameworks. The law aims to incentivize better, documented security practices rather than just penalizing breaches after they occur. 

The bill also includes provisions offering complete liability protection to local governments in certain circumstances and restricts local governments from imposing heightened cybersecurity standards on IT vendors beyond those imposed on the governmental entity itself, subject to limited exceptions.

Current Status and Implications

On February 11, 2026, the Senate Committee on Governmental Oversight and Accountability advanced SB 635. The bill now awaits consideration by the Appropriations Committee. If enacted, the legislation could alter the cybersecurity litigation landscape in Florida. Supporters contend it would reduce cyber liability insurance costs, encourage stronger adherence to established security frameworks, and decrease the volume of class action litigation following data incidents.

As cyber incidents remain a persistent operational risk across industries, Florida’s renewed effort reflects a broader national debate: how to encourage meaningful cybersecurity investment without insulating companies from accountability. The outcome of SB 635 may signal how far states are willing to go in recalibrating that balance.

Listen to this post

Retailers. Banks. Healthcare systems. E-commerce platforms. Across industries, live chat, session replay software, and website analytics have become standard tools for customer engagement. These technologies help businesses respond to consumer inquiries in real time, improve website functionality, reduce cart abandonment, train customer service teams, and resolve disputes.

For companies operating nationally, the landscape is shifting quickly. Most businesses are already familiar with litigation under California’s Invasion of Privacy Act (CIPA), which has become one of the highest per-violation risk statutes in the country for website-based claims. Florida is now emerging as a growing and unsettled litigation front under its own wiretapping statute, and other states are watching closely. From a compliance standpoint, businesses should treat Florida website disclosures and consent mechanisms with the same seriousness they now apply in response to CIPA, recognizing that proactive risk mitigation is far less costly than defending statutory damages claims after the fact.

The Florida Security of Communications Act

In Florida, these commonplace tools are increasingly being challenged under a statute enacted in 1969 — long before the internet existed. The Florida Security of Communications Act (FSCA), codified in Chapter 934 of the Florida Statutes, prohibits the intentional interception of “wire, oral, or electronic communications” without the prior consent of all parties. Florida is a two-party consent state. The statute was designed to prevent covert surveillance: hidden tape recorders, wiretapped phone lines, and unauthorized eavesdropping. It was not drafted with website analytics, customer service chatbots, or session replay software in mind. Yet plaintiffs’ attorneys have filed hundreds of lawsuits alleging that modern website technologies violate the FSCA by “intercepting” communications between website visitors and businesses.

How Standard Website Tools Became Litigation Targets

1. Live Chat Recording

Live chat features, often recorded for quality assurance, dispute resolution, compliance monitoring, or AI training, are now being characterized as unlawful electronic interceptions when prior express consent is not allegedly obtained. Plaintiffs argue that a website visitor engaging in live chat is engaged in an “electronic communication,” and recording or storing that chat without explicit consent violates the FSCA.

2. Session Replay Software

Session replay tools capture user interactions such as mouse movements, scrolls, clicks, and form entries. Businesses use this data to identify technical problems and improve user experience. The litigation theory asserts that these tools intercept communications between the visitor and the website itself.

3. Analytics and Tracking Tools

Standard analytics platforms that track navigation patterns, page views, and site interaction have likewise been targeted. Plaintiffs argue that tracking how a visitor interacts with a site constitutes interception of electronic communications, particularly where there is no explicit, real-time consent mechanism.

The Litigation Pattern

These cases follow a familiar pattern seen in ADA, TCPA, CIPA, and biometric privacy litigation:

  • Nearly identical complaints filed by a small number of firms
  • Heavy reliance on statutory damages
  • Minimal allegations of concrete consumer harm
  • Settlement demands calibrated below the cost of full defense

Under the FSCA, statutory damages may be awarded at $1,000 per violation or $100 per day, whichever is greater, along with attorneys’ fees. In a class context involving thousands of website users, the theoretical exposure can escalate rapidly. Even in individual cases, fee-shifting risk alone can drive significant settlement pressure. Adding to the uncertainty, many cases resolve before courts issue definitive rulings. Where courts have addressed these issues, results have been mixed. Some have dismissed claims where disclosures were deemed sufficient. Others have allowed cases to proceed past the pleading stage. This lack of uniformity is precisely what fuels ongoing filings.

Why Privacy Policies Alone May Not Be Enough

Many businesses assume that general privacy policy disclosures provide sufficient protection. That assumption is increasingly being tested. Plaintiffs argue that buried privacy policy language stating that a business “may collect website usage data” or “may record customer service interactions” does not constitute the “prior consent of all parties” required under Florida’s two-party consent framework. Whether passive website disclosures satisfy statutory consent requirements remains an unsettled legal question. Until appellate clarity emerges, or the Legislature acts, businesses face continued litigation risk.

Industries Being Targeted

The defendants in these suits are not engaging in covert surveillance. They are using standard commercial website tools. Industries increasingly targeted include:

  • Online retailers using session replay to optimize checkout
  • Banks and financial services firms improving digital banking interfaces
  • Healthcare providers offering appointment scheduling and inquiry chats
  • SaaS and technology companies tracking user interaction

The common denominator is meaningful website traffic combined with routine data collection tools.

The Broader Trend

Florida’s website wiretapping litigation reflects a broader national trend: Legacy statutes drafted for analog surveillance are being applied to digital commerce. Until appellate courts provide consistent guidance or legislative clarification narrows the scope of the FSCA in the website context, consumer-facing businesses must operate in a legally unsettled environment.

Live chat and analytics tools are not fringe technologies. They are central to modern customer engagement. But in Florida, businesses deploying them should do so thoughtfully, with an understanding that yesterday’s wiretapping statute is today’s website litigation vehicle.

While no compliance strategy eliminates risk entirely, proactive steps can materially reduce exposure. Businesses should (1) audit the use of website technology, including evaluating the business necessity or value of certain technology; (2) implement categorization, notice, and consent mechanisms to manage website technology; (3) review website privacy notices and related terms of use; and (4) review vendor agreements with website technology providers; and (5) evaluate change control processes for the implementation of technology that pose risk under the FSCA.

An ounce of prevention is (still) worth a pound of cure.

Listen to this post

Age Verification Compliance Obligations

Age verification requirements have rapidly moved from a niche policy concept to a central feature of the U.S. regulatory landscape. Over the last two years, and accelerating sharply in 2025, states have increasingly adopted laws that require online services to confirm a user’s age before allowing access to certain types of content or platform features. What began as a targeted effort to restrict minors’ access to sexually explicit material is now expanding into broader regulation of social media platforms, account creation, and even algorithm-driven feeds.

For companies operating online, this shift creates a familiar modern compliance challenge: a fast-growing patchwork of state laws with inconsistent requirements, evolving definitions, and uncertain enforcement outcomes driven by ongoing constitutional litigation.

Age Verification Goes Mainstream

By 2025, age verification had crossed a critical threshold. Roughly half of U.S. states now mandate some form of age gating for adult content or social media access, and additional laws are expected to take effect in 2026. The practical result is that companies can no longer treat age verification as a niche issue limited to a handful of jurisdictions. For many businesses, it has become an operational reality with immediate implications.

This trend reflects broader legislative momentum around children’s privacy and online safety. State lawmakers have increasingly focused on perceived harms to minors online, including exposure to inappropriate content, excessive social media use, and the design features that encourage prolonged engagement.

The Texas Model and the First Amendment Framework

A key development driving legislative confidence in this space stems from litigation over Texas H.B. 1181, enacted in 2023. That law requires certain commercial websites that publish sexually explicit content deemed obscene to minors to verify that visitors are at least 18 years old. Industry representatives challenged the statute as unconstitutional under the First Amendment, arguing that adults have a right to access lawful content without being forced to identify themselves or pass through an age gate.  The U.S. Supreme Court upheld Texas’s age-verification statute, H.B. 1181, in Free Speech Coalition v. Paxton (June 2025). The Court concluded that Texas may require certain websites featuring substantial sexually explicit content to verify that users are adults before granting access. Applying intermediate scrutiny, the Court determined the law permissibly advances the state’s interest in shielding minors from inappropriate material and does not create a First Amendment entitlement for adults to access that content without confirming age.

Practical and Privacy Consequences for Users

Age gates often require users to provide personal information, interact with third-party verification tools, or submit identification credentials. This can deter lawful adult access, reduce anonymity, and create friction that changes consumer behavior. Some individuals may be blocked entirely, including those who lack government-issued identification or are incorrectly flagged by automated systems.

Age-verification age gates can create significant privacy and cybersecurity risk because they often require users to submit sensitive personal information — such as date of birth, government ID credentials, or biometric verification — frequently through third-party tools. That process reduces user anonymity and can generate records linking individuals to particular categories of online activity, which may be highly sensitive. From a security standpoint, collecting and transmitting identity data expands the company’s attack surface and increases exposure if systems or vendors are compromised, since ID images and related verification data are high-value targets for fraud, identity theft, and extortion. Even when implemented with good intentions, age verification can therefore introduce new compliance and incident-response risks if businesses do not tightly control vendor access, data minimization, retention, and security safeguards.

The Expansion to Social Media: Parental Consent and Account Restrictions

In 2025, lawmakers increasingly moved beyond adult content and began targeting minors’ social media usage. Multiple states passed laws that require platforms to verify age and obtain parental consent before allowing minors to create accounts or access certain services. Some proposals focus on younger children, while others extend restrictions to anyone under age 18.

In total, eight states have enacted laws that either ban minors from obtaining social media accounts outright and/or require parental consent for certain minors to open accounts. During the 2025 legislative session alone, nearly 30 bills were introduced across 18 states attempting to impose similar restrictions.

These laws vary widely in scope, age thresholds, definitions of covered platforms, and enforcement mechanisms. For companies operating nationwide, that inconsistency is a major compliance obstacle. A product design and onboarding process that works in one state may be noncompliant in another.

Regulating Design and “Addictive” Features

A related legislative trend involves targeting features viewed as designed to increase usage among minors. In 2024, California and New York pioneered efforts to regulate “addictive algorithms” by restricting the delivery of certain feeds or engagement-driven features to minor accounts without parental consent. Some states followed with their own versions of “addictive feed” legislation in 2025, with varying levels of success.

These efforts represent an important shift. Rather than regulating only what content minors can access, lawmakers are increasingly attempting to regulate how platforms deliver content and how digital products are designed to keep users engaged.

For companies, these proposals can implicate product design decisions, internal testing, algorithmic ranking systems, and even liability theories tied to youth mental health. Even where laws are challenged or delayed, the legislative intent is clear: Design-based regulation is likely to remain on the table.

Practical Takeaways

For companies navigating this landscape, the challenge is not only meeting legal requirements, but it is building a program that can adapt quickly as laws change and court decisions reshape what is enforceable.

Key steps include:

  • Inventory applicable state requirements. Companies should map where their users are located and which laws may apply based on access and operations.
  • Assess verification tools with privacy and security in mind. Age verification solutions can create significant data risk if they involve collection, storage, or third-party processing of identity information.
  • Prepare for rapid legal shifts. Many laws are being challenged, modified, or replaced, meaning compliance strategies must be designed for change rather than permanence.
  • Coordinate across legal, privacy, cybersecurity, and product teams. Age verification impacts product architecture, user experience, and security posture — not just legal risk.
  • Document decisions and risk tradeoffs. Given uncertainty and evolving standards, maintaining a record of compliance reasoning and design choices can be valuable for regulatory inquiries and litigation defense.

Companies should expect continued state activity in 2026 and beyond and should plan now for a future in which age verification, youth safety compliance, and platform design restrictions remain central issues for online business.

Listen to this post

In 2026, a wide range of California laws regulating the development, marketing, and use of artificial intelligence (AI) go into effect. Together, these bills impose new requirements on generative AI developers, frontier-model companies, healthcare-related AI tools, platforms distributing AI-generated content, and businesses that rely on algorithmic pricing. With the deadline to comply coming up quickly, companies operating in California (or offering AI-enabled products or services to California residents) should assess how these laws apply to their technologies and update their governance and disclosure practices accordingly.

Most of the new obligations take effect in 2026, with some requirements extending into 2027 and 2028. Below is an overview of the key components of enacted bills AB 316, AB 325, AB 489, AB 621, and AB 2013.

AB 316: Liability for AI-Related Harms (Effective: January 1, 2026)

AB 316 applies broadly to any civil action where AI involvement is alleged to have caused damage. The bill limits affirmative defenses for civil liability, prohibiting defendants (which could include developers, modifiers, or users of AI) from raising an “autonomous-harm defense” in lawsuits alleging harm caused by AI-generated or AI-modified content. This defense, which might otherwise allow parties to shift blame to the technology’s independent decision-making, is explicitly barred to ensure human responsibility remains as AI models are deployed.

AB 325: Algorithmic Pricing and Antitrust (Effective: January 1, 2026)

AB 325 amends the Cartwright Act, a California anti-trust statute, to prohibit anticompetitive use or distribution of “common pricing algorithms.” A common pricing algorithm includes any methodology (computer-based or otherwise) that uses competitor data to recommend, align, stabilize, or influence prices or commercial terms. The statute creates two categories of liability: (i) use or distribution of a common pricing algorithm as part of a contract, combination, or conspiracy to restrain trade; and (ii) coercion to adopt an algorithm-recommended price or commercial term.

AB 489: Misleading Statements on Health Care Professional Oversight of  Artificial Intelligence (Effective: January 1, 2026)

AB 489 prohibits developers and deployers of AI and generative AI technologies from using titles, terms, icons, post-nominal letters, or design elements that could falsely suggest the system is providing services from a licensed healthcare professional. Any implication — direct or subtle — that a licensed professional oversees the output is barred unless such oversight exists. This prohibition applies both to advertising and to in-product functionality for both AI and generative AI systems. Each misleading representation may constitute a separate offense, and state licensing boards are authorized to investigate and enforce violations, including through civil penalties.

AB 621: Expanded Protections Against Digitized Sexually Explicit Deepfakes (Effective: January 1, 2026)

AB 621 strengthens legal protections against non-consensual, sexually explicit “deepfakes.” The law broadens the definition of “digitized sexually explicit material,” clarifies that minors cannot consent to its creation or distribution and increases damages (up to $250,000 for malicious violations), and grants public prosecutors civil enforcement authority. These expanded remedies meaningfully increase the risks for individuals and entities involved in creating or distributing such material.

AB 2013: Mandatory Dataset Disclosure for Generative AI Developers (Compliance by: January 1, 2026)

AB 2013 requires developers of generative AI systems to publicly disclose detailed information about the datasets used to train their models. Disclosures must be posted on the developer’s website and updated when substantial system modifications occur. The law raises concerns from developers related to protection of intellectual property, confidentiality, and potential litigation exposure due to the breadth of required disclosures.

Takeaways to Prepare for Compliance

With multiple California AI-related statutes becoming enforceable in 2026 (and additional obligations later in 2027, and 2028 that will be covered in a subsequent post) companies need to assess the applicability of these laws now, which may include:

  • Mapping and documenting training datasets now to ensure readiness for AB 2013.
  • Evaluating the use of shared or third-party algorithmic pricing tools under AB 325.
  • Reviewing their risk exposure related to the enabling of deepfake pornography under AB 621.
  • Considering the allocation of liability in agreements given the prohibition on autonomous harm defenses by AB 316.
  • Ensuring that their use of AI does not imply that their services are provided by a licensed healthcare professional unless overseen by a healthcare provider to comply with AB 489.

California’s AI regulatory framework is expanding rapidly. These new statutes are in addition to California’s regulations regarding Automated Decision-Making Technology, which were promulgated under the California Consumer Privacy Act and go into effect on January 1, 2026. Early preparation will help your company navigate the state’s emerging compliance landscape. If you have questions about these new California laws or their impact on your operations, please contact one of the authors.

Listen to this post

A New Approach to Data Regulation

With the U.S. Department of Justice’s Data Security Program (DSP) now in full effect, companies that handle sensitive personal data, operate across borders, or rely on global vendor ecosystems face an increasingly complex compliance environment. The DSP restricts certain data transactions involving individuals and countries of concern, imposes new compliance contractual obligations, and signals a clear national-security approach to data governance.

The DSP marks a new era in the federal government’s regulation of data transactions, applying concepts traditionally used in U.S. export control law to bulk or sensitive data exchanges. The DSP is designed to address what the DOJ has described as “the extraordinary national security threat” posed by U.S. adversaries acquiring Americans’ most sensitive data through commercial means to “commit espionage and economic espionage, conduct surveillance and counterintelligence activities, develop AI and military capabilities, and otherwise undermine our national security.”

Key Compliance Practices

U.S. businesses should work on the following:

  • Identifying where covered data resides, who has access, and which external parties interact with the information. Businesses should focus on (i) bulk datasets or datasets relating to sensitive government activities and (ii) any technical, contractual, or operational links to foreign jurisdictions that could implicate the DSP’s restrictions.
  • Evaluating existing vendor, service-provider, and data-processing agreements in light of the DSP. This includes updating provisions to address data-access controls, obligations, audit rights, and restrictions on subcontracting or data relocation. A business that holds or anticipates holding DSP-covered data should incorporate DSP-aligned terms by default in all new agreements.
  • Aligning their data compliance program to ensure effective data classification and accountability, documented vendor due-diligence procedures, and demonstrable oversight over the data they hold.
  • Training key personnel—including legal, procurement, IT, HR, and executives—so they can recognize when a transaction, vendor, or relationship may fall within the DSP’s scope.
  • Conducting thorough due diligence before engaging in a merger or acquisition transaction involving covered data or a transaction with parties that own or have access to such data.

U.S. businesses engaged in restricted transactions must also:

  • Maintain a sufficient data compliance program that verifies data flows and confirms vendor identities.
  • Develop a written description of their compliance program and implement the Cybersecurity and Infrastructure Security Agency (CISA) security requirements, which must be certified annually.
  • Conduct independent audits of their compliance program.
  • Retain all relevant records for at least ten years.

Persons and Countries of Concern

The DSP grants the federal government broad authority to designate “countries of concern” and “covered persons.” Currently designated countries are China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. A covered person generally includes any entity, contractor, or employee affiliated with one of these countries. The Attorney General may designate additional countries or individuals.

What Data is Covered?

The DSP regulates two primary categories of information: bulk U.S. sensitive personal data and government-related data. Sensitive personal data includes precise geolocation information, biometric identifiers, genomic and other “’omic” data, personal health data, personal financial data, and certain personal identifiers—each subject to specific volume thresholds. Government-related data includes precise location data associated with designated sensitive government sites and any sensitive personal data marketed as linked or linkable to U.S. government employees, contractors, or officials, which is covered regardless of volume. These categories are broad enough to encompass data controlled or processed by banking, healthcare, and technology firms. Importantly, DSP requirements apply even to de-identified, pseudonymized, or encrypted data.

Enforcement

The DOJ’s Foreign Investment Review Section (FIRS) is responsible for enforcing the DSP. Although enforcement activity has been limited thus far, the penalties for non-compliance are significant. Failing to comply with the DSP can result in civil and criminal penalties under the International Emergency Economic Powers Act, including prison sentences of up to twenty years and fines as high as $1,000,000. The DOJ’s Whistleblower Award program also provides financial incentives for individuals to report violations, increasing the likelihood that prohibited or non-compliant activities will come to the government’s attention.

Compliance Resources

For organizations preparing to comply with the DSP, additional resources are invaluable. The DOJ has published an FAQ, a compliance guide, and offers periodic enforcement updates, while CISA has released the required security controls for restricted transactions. Bradley is ready to assist businesses in interpreting these complex rules, weighing possible exceptions, assessing their exposure, and building effective compliance programs. If you have questions about the DSP or its impact on your operations, please contact one of the authors.

Listen to this post

On May 12, 2025, the Federal Trade Commission’s Rule on Unfair or Deceptive Fees  took effect, thereby thrusting the United States’ primary regulator of unfair or deceptive practices once more into the spotlight. But the spotlight given to the FTC rule, which only applies to the short-term lodging and live-event ticketing industries, has obscured the simultaneous expansion of broader reaching state legislation. These state laws, which are either currently in effect or pending in nearly half of all states, pose a far greater liability for the majority of businesses. If you’ve been comforted by the limited scope of the FTC rule and ignored the rise of these state laws, it’s not too late — this article will quickly catch you up to speed on your potential liability and the next steps your business should take.

What Are These New State Laws?

Some of the obfuscation around the growing number of state fee legislation has to do with their different naming conventions. The FTC rule refers to “unfair or deceptive” fees, but the types of activities that states seek to regulate are also known as junk fees, hidden fees, bait-and-switch pricing, or drip pricing, among others. This article will use the phrase “fee legislation” to encompass the wide variety of conventions in use. Regardless of what they’re ultimately named, these laws and regulations target fees added to the mandatory total price a consumer pays that were not disclosed prior to that consumer’s commitment to pay. In fact, in some cases, the price advertised must include all of the fees the consumer will pay.

Under both federal and state law, a business will incur liability from fee legislation when it asks the consumer to pay a fee that was not disclosed prior to expecting final payment from the consumer. But state fee legislation varies, and some states have independent requirements of how and when a fee must be disclosed. A state usually requires a “clear and conspicuous” disclosure ahead of final payment, but how that may be defined depends on the state. For those states that have only implemented regulations to bolster their unfair or deceptive acts and practices (UDAP) statutes, knowing how to properly comply is typically even less clear.

Liability Imposed by Fee Legislation

Just how severe is the liability incurred by these new state laws? Using its powerful statutory authority, the FTC can seek upwards of $53,000 per violation of its own fee rule. In a similar fashion, many states have passed regulations to expand their preexisting UDAP statutes in lieu of formal fee legislation. This means businesses can expect to incur similar “per violation” penalties from states themselves. The FTC has cautioned its rule only establishes a baseline, and nothing forecloses the ability of a state to bring its own action.

Even though a state may not have passed formal fee legislation or amended its UDAP statute to incorporate hidden fees, a business could still incur liability from a state. Take Texas for example. Recently, the state brought an action against Booking.com alleging the site’s failure to disclose mandatory fees violated Texas’ UDAP statute — even though Texas had not passed formal regulations enumerating hidden fees as part of its UDAP statute like other states. Nonetheless, the Texas attorney general was able to settle the case against Booking.com for a total of $9.5 million.

What if a state’s attorney general chooses not to pursue legal action on behalf of the state? There is still potential liability since many states have built-in private rights of action within their UDAP statutes. Depending on the state, the private right of action may exist under the statute’s “catch-all” unfair or deceptive provision or remain limited to only the statute’s enumerated unfair or deceptive business practices. Since fee legislation is an evolving area of law and many state UDAP statutes look to the FTC’s guidance on what is unfair or deceptive, it is likely that state UDAP liability could evolve to include hidden fees, even in the absence of specific state fee legislation. As such, the private rights of action within state UDAP statutes will always remain a consistent and threatening source of liability, regardless of whether formal fee legislation or expansive regulations have been passed in the state.

Finally, the most concerning challenge posed by this rise in fee legislation is the inclusion of private rights of action separate from a state’s UDAP statute. At least eight states currently have private rights of action in their fee legislation, with multiple states allowing for the recovery of punitive damages as well. Failure to properly comply with these new state laws can therefore lead to a sea of lawsuits with millions of dollars at stake. And given that this fee legislation is typically triggered based on the status of the consumer’s state residency, rather than the residency of the business, one small mistake can mean defending multiple suits across different states — including class action lawsuits.

What Steps Should You Take Now?

If your business has been watching from the sidelines under an expectation that the FTC rule doesn’t apply, it’s not too late to start ensuring compliance with the broader wave of state fee legislation. For now, consider the following:

  • Evaluate your ecommerce flows. It is vital to understand when mandatory fees are being presented to the consumer to ensure your business is in compliance.
  • Map where you conduct your business. If you’re selling to consumers in a state that has fee legislation, you are vulnerable. Knowing where your business conducts its sales ensures you know where a lawsuit may originate.
  • Keep a watchful eye on your primary state’s attorney general. Because some states have added regulations to support their existing UDAP statutes, monitoring the state attorney general’s office or related UDAP enforcer is key to managing expectations of liability.
  • Don’t wait for your industry to change. Liability for hidden fees is now a case of “when” not “if.” Private rights of action make this new legislation unpredictable. Be on the forefront of your industry by taking steps to ensure compliance today, without waiting for someone else to take the lead.

These are only the first steps your business should take. Given the threat of costly litigation from private rights of action and “per violation” liability, the national interest surrounding fee enforcement, and the FTC rule overshadowing the wider net of state legislation, staying proactive on your business’s compliance is crucial. With new fee legislation springing up, the narrative on compliance is rapidly changing.

For more information on fee legislation and other updates regarding privacy law developments, subscribe to Bradley’s privacy blog, Online and On Point, or reach out to one of our authors.

Listen to this post

If you run an ecommerce brand or handle marketing compliance, you’ve probably heard about Texas Senate Bill 140 (SB 140) and its potential impact on text message marketing. Earlier this month, a group of plaintiffs, including an industry association and two e-commerce companies, asked a federal court in Austin to block the state from enforcing parts of the law. The state recently filed its brief opposing that request. This post examines the state’s position and its practical implications for text message marketing programs.

Texas’ SB 140

Texas Senate Bill 140 (SB 140), signed on June 20, 2025, by Gov. Greg Abbott and effective September 1, 2025, expands the Texas Business & Commerce Code’s regulation of a “telephone solicitation” to include text messages and other sales solicitation methods. Significantly, SB 140 requires businesses using telemarketing through text messages to register with the Texas secretary of state, pay a $200 fee, post a $10,000 security bond, and submit quarterly reports prior to making any telemarketing solicitations to prospective customers.

However, a key carve-out may be significant for many brands: the “customer” exemption. Under Section 302.058, Chapter 302’s requirements don’t apply when a business solicits a current or former customer and has operated under the same name for at least two years. The statute defines “purchaser” but not “customer,” leaving the ordinary meaning of “customer” to control.

Industry analysis noted that “customer” in everyday usage often includes people who patronize or otherwise deal with a business — not only those who have already completed a purchase. That reading supports treating opt-in subscribers (people who visited your store and consented to receive your promotional texts) as “customers,” even if they haven’t bought a product yet. If that interpretation holds, many established brands that text only to opted-in subscribers could fall within the exemption.

The motion seeking to block enforcement of SB 140 argued that it violates federal law. Specifically, the plaintiffs argued that the law is unconstitutional and places unreasonable burdens on businesses that send text messages to individuals who have consented to receive them.

The State’s Filing

According to the state’s filing opposing the plaintiffs’ motion for a preliminary injunction, SB 140 is about stopping unwanted, deceptive solicitations — especially spam texts sent without permission.

Two definitions matter here:

  • “Telephone call” – SB 140 tells us to use the meaning in Chapter 304. That chapter excludes transmissions that a mobile customer has agreed to receive as part of an ad-based service. In short, permission matters.
  • “Telephone solicitation” – Chapter 302 now says it’s “a call or other transmission,” and it expressly mentions texts and images.

The state argued to the court that when Chapter 302 uses the word “call,” it still refers to a “telephone call” — the same concept Chapter 304 defines. In other words, the change from “telephone call” to “call” in the solicitation definition did not expand the law to capture everything; it still ties back to a definition that carves out communications a customer has consented to.

Why does that matter? Because the state also emphasizes that Chapter 302’s purpose is to protect people from false, misleading, or deceptive telephone solicitations — not to punish businesses who send consented messages that consumers want. In fact, the state’s brief points out that the plaintiffs’ business model is consent-based texting — and says that is not a “deceptive practice.”

Put simply: If your program sends texts only to people who opted in, the state argues SB 140 is not aimed at you.

Other interesting tidbits appear in the state’s filing about who is or, in this case, is not enforcing the registration requirements.

  • Secretary of State (SoS) – The SoS administers registrations (accepts filings, keeps certificates, helps the public) but, per the state’s filing, does not investigate or enforce violations of SB 140 or Chapter 302. The office states it has not taken — and does not plan to take — enforcement actions.
  • Attorney General (AG) – The AG states it has discretionary authority to bring civil enforcement actions (for example, to seek an injunction) and to pursue civil penalties for violating an injunction. The AG also states it understands “call” in the statute to mean a “telephone call” as defined in Chapters 302 and 304.

“Discretionary” is significant here: The AG is telling the court there’s no mandatory duty to bring actions in every situation.

So, Do I Need to Register and Post a $10,000 Bond?

SB 140 folds texts into the “telephone solicitation” framework, and Chapter 302 generally requires registration and a $10,000 security (bond, letter of credit, or CD).

Taking the state’s filing at face value, three practical takeaways emerge:

  1. Consent is the bright line. The state is focused on stopping unwanted or deceptive text solicitations. Programs built on clear, documented opt-in consent do not appear to be the target the state describes to the court.
  2. “Call” tracks phone-based communications. The state reads “call” as a telephone call (which, under Chapter 304, includes certain text transmissions), with an express exclusion for ad-based transmissions the consumer agreed to receive. That reinforces the centrality of permission and how your messages are delivered.
  3. Registration may not apply to everyone. If your audience qualifies as current or former customers and you’ve been operating under the same name for two years, the Chapter 302 registration and bond requirements may not apply — particularly for consent-only programs.

Action Items for Brands and Platforms

Even with the state’s positions, SB 140 is still a live issue — and the court hasn’t ruled on the preliminary injunction yet. Here’s how to stay ready:

  • Audit your consent. Confirm your opt-in flows are clear and documented (who opted in, when, how, what disclosures they saw). This supports both the consent-based exclusion and any “customer” argument. (The state’s brief itself acknowledges the plaintiffs send texts only to consumers who want them.)
  • Check the two-year rule. If you’ve operated under the same name for two years, the “customer” exemption may help. If you’re newer or recently rebranded, consult with counsel about whether registration is advisable while the case proceeds.
  • Map your sending framework. Determine whether your delivery path fits within Chapter 304’s definition and exclusions (e.g., transmissions the user agreed to receive as part of a service), as highlighted by the state.
  • Monitor enforcement signals. The SoS says it isn’t enforcing. The AG says enforcement is discretionary and frames consent-based messaging as non-deceptive. Still, maintain robust compliance practices.
  • Private right of action. It remains an open question whether courts will recognize a consumer’s ability to sue a business directly under SB 140 for failure to register. No court has squarely decided that issue yet. However, the state’s brief narrows the statute’s focus to deceptive, non-consented solicitations and emphasizes discretionary public enforcement. That framing makes it harder for plaintiffs to argue for a broad private cause of action against consent-based text programs. Until a court rules, the question is unresolved, but the state’s position pushes against the expansive reading plaintiffs would need.
  • Stay tuned for the ruling. The court will decide whether to issue preliminary relief; until then, keep compliance tight and documentation complete.

As always, facts matter. If you’re unsure whether your program qualifies for exemptions, or whether your consent path fits within the state’s framing, seek tailored advice. But for now, if you’re only texting people who asked to hear from you — and you can prove it — you’re much closer to “compliant” than a “cautionary tale.”

Listen to this post

A new Mississippi law, known as the Walker Montgomery Protecting Children Online Act, has prompted several companies to block Mississippi IP addresses from accessing their platforms. In fact, social media company Bluesky posted a response to the enactment of the law on its website. Bluesky explained the decision to make their app unavailable to Mississippi residents, stating:

Mississippi’s HB1126 requires platforms to implement age verification for all users before they can access services like Bluesky. That means, under the law, we would need to verify every user’s age and obtain parental consent for anyone under 18. The potential penalties for non-compliance are substantial — up to $10,000 per user. Building the required verification systems, parental consent workflows, and compliance infrastructure would require significant resources that our small team is currently unable to spare as we invest in developing safety tools and features for our global community, particularly given the law’s broad scope and privacy implications.

Bluesky’s decision to block certain users came after the U.S. Supreme Court permitted the Mississippi act to take effect while First Amendment challenges to the law are pending. The Mississippi act requires any website or app that allows users to post content, create a profile, and interact with other users to verify the age of each user, no matter the type of content. The law provides hefty penalties up to $10,000 per user for failure to comply and permits parents and guardians to bring legal actions.

In its company statement explaining its decision, Bluesky highlighted the substantial financial burdens required to comply with broad age-verification laws. Bluesky specifically cited the “substantial infrastructure and developer time investments, complex privacy protections and ongoing compliance monitoring” required by such laws, noting that these costs can easily push smaller providers out of the market. The same is true for small companies that never intended to be social media platforms but nonetheless fall within the coverage of the statute.

The uncertainty about what verification efforts qualify as “commercially reasonable” further complicates compliance. The statute specifically requires the platform or application provider to verify the age of every user “with a level of certainty appropriate to the risks that arise from the information management practices” of the provider. Are companies required to store state-issued IDs or use fingerprint or facial recognition? Is use of AI permissible to determine age? What is clear is that whichever method is utilized, the costs and risks associated with storing users’ private information will increase.

While the Mississippi act continues to face legal challenges, the push to protect children online, including more stringent parental consent and age-gating is not going away. State legislatures around the country are enacting similar laws, and the U.S. Supreme Court has signaled that it will not stand in the way of enforcement while legal challenges are pending.

For more information and other updates regarding privacy law developments, subscribe to Bradley’s privacy blog, Online and On Point, or reach out to one of our authors.

Listen to this post

July 1 marked the official enforcement date of the Tennessee Information Protection Act (TIPA), the state’s comprehensive consumer privacy law. Signed into law in 2023, TIPA grants consumers specific rights concerning their personal information and regulates covered businesses and service providers that collect, use, share, or otherwise process consumers’ personal information. With all TIPA provisions now enforceable, it is important for regulated companies to understand the law’s comprehensive requirements.

Covered businesses and organizations

TIPA regulates entities that conduct business in Tennessee or produce products or services targeted to Tennessee residents, exceed $25 million in revenue, and meet one of the below criteria:

  • Control or process information of 25,000 or more Tennessee consumers per year and derive more than 50% of gross revenue from the sale of personal information; or
  • Control or process information of at least 175,000 Tennessee consumers during a calendar year.

Consumer Rights

TIPA grants consumers (Tennessee residents acting in a personal context only) the rights to confirm, access, correct, delete, or obtain a copy of their personal information, or opt out of specific uses of their data (such as selling data to third parties, using data for targeted advertising, or profiling consumers in certain instances). Companies must respond to authenticated consumer requests within 45 days, with a possible 45-day extension, and they must establish an appeal process for request denials. Controllers, which TIPA defines as companies that (alone or jointly) determine the purpose and means of processing personal information, must also offer a secure and reliable means for consumers to exercise their rights without requiring consumers to create a new account.

Company Responsibilities

Companies must limit data collection and processing to what is necessary, maintain appropriate data security practices, and avoid discrimination. Companies must provide a clear and accessible privacy notice detailing their practices, and, if selling personal information or using it for targeted advertising, disclose these practices and provide an opt-out option.

Opt-In for Sensitive Personal Information

TIPA prohibits processing sensitive personal information without first obtaining informed consent. Sensitive personal information is defined broadly and includes any personal information that reveals a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. Sensitive information also includes any data collected from a known child younger than age 13, precise geolocation data (i.e., within a 1,750-foot radius), and the processing of genetic or biometric data for the purposes of identifying an individual.

Controller-Processor Requirements

Processors must adhere to companies’ instructions and assist them in meeting their obligations, including responding to consumer rights requests and providing necessary information for data protection assessments. Contracts between companies and processors must outline data processing procedures, including confidentiality, data deletion or return, compliance demonstration, assessments, and subcontractor engagement. The determination of whether a person is acting as a company or processor depends on the context and specific processing of personal information.

Data Protection Assessments

Companies must conduct and document data protection assessments for specific data processing activities involving personal information. These assessments must weigh the benefits and risks of processing, with certain factors considered. Assessments apply to processing of personal data created or generated on or after July 1, 2024, and in investigations by the Tennessee attorney general, are to be treated as confidential and exempt from public disclosure without a waiver of attorney-client privilege or work product protection.

Major Similarities to CCPA

TIPA shares many similarities with the California Consumer Privacy Act (CCPA), including:

  • Similar consumer rights;
  • Contractual requirements between controllers and processors; and
  • Requiring data protection assessments for certain processing activities.

Affirmative Defense

TIPA provides for an “affirmative defense” against violations of the law by adhering to a written privacy policy that conforms to the NIST Privacy Framework or comparable standards. The privacy program’s scale and scope must be appropriate based on factors such as business size, activities, personal information sensitivity, available tools, and compliance with other laws. In addition, certifications from the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules and Privacy Recognition for Processors systems may be considered in evaluating the program.

Enforcement

The Tennessee attorney general retains exclusive enforcement authority, and TIPA expressly states that there is no private right of action. The Tennessee attorney general must provide 60 days’ written notice and an opportunity to cure before initiating enforcement action. If the alleged violations are not cured, the Tennessee attorney general may file an action and seek declaratory and/or injunctive relief, civil penalties up to $7,500 for each violation, reasonable attorneys’ fees and investigative costs, and treble damages in the case of a willful or knowing violation.

Exemptions

The law includes numerous exemptions, including:

  • Government entities;
  • Financial institutions, their affiliates, and data subject to the Gramm-Leach-Bliley Act (GLBA);
  • Insurance companies;
  • Covered entities, business associates, and protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA) and/or the Health Information Technology for Economic and Clinical Health Act (HITECH);
  • Nonprofit organizations;
  • Higher education institutions; and
  • Personal information that is subject to other laws, such as the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and the Fair Credit Reporting Act (FCRA).

TIPA is just one of seven laws slated to go into effect this year. With three more laws going into effect next year, companies should review and determine whether laws such as TIPA apply to them and take steps to comply now that the law is in effect.