Stalkerware Showdown: U.S. FTC Invites Public to Comment on SpyFone CEO's Petition to Vacate Order
On July 18, 2025, the U.S. Federal Trade Commission ("FTC") indicated in a press release that it is seeking public comment on a request from Scott Zuckerman, the CEO of a company that marketed "stalkerware" apps, to vacate or modify the FTC's order banning monitoring products and services and requiring implementation of an information-security program. Zuckerman filed a petition (the "Petition") claiming that the FTC's order imposed an "excessive and unnecessary burden" on him and his businesses. It is unclear how the FTC will vote on the Petition, but the public can submit comments until August 19, 2025.
According to the FTC's complaint (the "Complaint"), dated September 1, 2021, the FTC alleged that Support King LLC d/b/a SpyFone ("SpyFone") was engaging in unfair and deceptive acts and practices through its phone monitoring applications, which captured and logged activity and other personal information from devices on which SpyFone had been installed, even without the device user's permission. Among other logged activities, these included GPS location, web history, and text messages. Notably, this Complaint marked a new focus by the FTC on spyware tools, which have faced scrutiny from government authorities outside of the United States, including a 2022 proposed ban recommendation by the European Data Protection Supervisor (see Cyber Bits Issue 8).
In December 2021, the settlement order banned SpyFone and Zuckerman from "offering, promoting, selling or advertising" any surveillance app. The order also required SpyFone and Zuckerman's other businesses to develop an information-security program and conduct biennial assessments.
Takeaway: Under former FTC Chair Lina Khan, the FTC took a more aggressive stance on consumer protection matters, even if that meant imposing heavier compliance requirements on companies. If the FTC opts to vacate or modify the order, it could indicate that the current FTC leadership is taking a more flexible enforcement approach that might reduce the compliance costs for businesses.
UK Considers Stronger Regulation of Ransomware Payments
On July 22, 2025, the UK Government published its response to feedback on its ransomware consultation. The consultation requested feedback on legislative proposals aimed at mitigating the threat posed by ransomware attacks. The consultation sought views on three legislative proposals.
The first proposal is for a targeted ban on ransomware payments for all public sector bodies (including schools, local councils and the National Health Service) and for private entities that are responsible for critical national infrastructure. The consultation showed strong support (72%) for this proposal.
The second proposal is for a ransomware payment prevention regime requiring private companies to report to authorities an intention to make ransomware payments and with the government having the ability to offer guidance on, discourage, or block such payments. This regime received mixed reviews in the consultation. Responses favoured an economy-wide regime to avoid displacing attacks onto those sectors not included.
The third proposal, a mandatory ransomware incident reporting regime, was largely supported. However, detail about reporting thresholds is still to be developed.
Takeaway: The UK Government's proposals mark a transition from guidance-driven policy to legislation-backed enforcement. However, a recurring theme in the consultation responses was that penalties should be proportionate to avoid revictimizing victims of ransomware attacks. The Government confirmed its intention to continue developing each of the proposals. With ransom coverage an integral part of insurance policies, we would expect any significant regulatory action to have an impact on that industry. Moreover, whilst a mandatory reporting requirement may seem like a good idea in principle, in reality, if reporting is publicly available it may diminish the benefit of paying ransom and possibly even further imperil those reporting entities.
CPPA's Executive Director Reveals Bold Vision for Enforcement and AI
The California Privacy Protection Agency's ("CPPA") Executive Director Tom Kemp, appointed in March 2025, recently offered insights into the CPPA's upcoming focuses. Kemp explained that while the CPPA is still a young regulator, it is rapidly scaling its resources and expertise. Moreover, the CPPA's mission remains focused on consumer privacy, with special attention on artificial intelligence and data broker oversight (see CyberBits Issue 73).
Kemp noted that CPPA priorities include: (1) increasing enforcement activity, guided by consumer complaints and investigative sweeps, to address potential violations and backlog cases; (2) introducing new regulations on automated decision-making technology, risk assessments, and cybersecurity audits; (3) coordinating activities with other regulators and under other acts, such as the General Data Protection Regulation and the Colorado AI Act; (4) encouraging public reporting and ensuring that businesses provide clear "Do Not Sell or Share" opt-outs; (5) implementing the "Delete Act" via a new Delete Request and Opt-Out Platform ("DROP"); and (6) building the audit division and hiring a chief auditor to enhance compliance reviews.
On enforcement, Kemp underscored the shift from advisory measures to active settlement negotiations and penalties, highlighting the Honda settlement (see CyberBits Issue 73) and the Todd Snyder decision. He also confirmed that the CPPA will continue conducting investigative sweeps and leveraging consumer complaints to detect violations, including Global Privacy Control missteps and nonregistration by data brokers. The forthcoming audit division will further bolster the CPPA's compliance resources and capabilities.
Takeaway: Rather than providing warnings and giving businesses the opportunity to correct any deficiency, the CPPA's emphasis on active enforcement, new regulations, and a developing audit division indicates that penalties and enforcement actions are now the CPPA's primary enforcement tool. Businesses operating in California or processing personal data of California residents should consider prioritizing reviewing and strengthening their privacy practices, particularly around AI, data broker compliance, and "Do Not Sell or Share" opt-outs. Staying current on the CPPA's regulatory developments, including the "Delete Act" and risk assessment rules, will also be necessary to maintain compliance as the regulatory landscape continues to evolve.
European Commission Decides to Renew UK Adequacy Decision
The European Commission (the "Commission") has concluded that the UK data protection regime continues to provide safeguards for personal data that are equivalent to those in the EU. It has therefore initiated the process to renew the existing adequacy decisions for the UK to facilitate the flow of personal data between the EU and the UK in accordance with the GDPR.
The Commission had delayed its review of the UK adequacy decisions in order to assess the UK's recently-enacted Data (Use and Access) Act 2025 (the "DUA Act"), which provides for the most substantive reforms to the UK's data protection regime since leaving the EU (see our OnPoint here). Some commentators had raised concerns that the reforms would be seen by the Commission as too substantial a divergence from the EU GDPR for adequacy to be maintained. Those concerns have now been answered.
The Commission's draft decisions will now undergo a review by the European Data Protection Board and EU Member States, approval by a Member State committee, and scrutiny by the European Parliament before formal adoption.
Takeaway: The EU is considering ways to reform the GDPR (including looking to the UK for inspiration – see Issue 79) and the DUA Act maintains the overall framework of the GDPR with relatively targeted amendments, so it is unsurprising that the Commission has decided to maintain the UK's adequacy status. With much of the detail of the UK's reforms yet to be provided in further regulations, the fact that the Commission has reached its conclusion without waiting for such regulations suggests a strong political desire to ease compliance for EU-UK personal data flows. If adopted, the adequacy decision could last up to six years, maintaining the eased compliance burden for EU-UK data transfers which will be a welcome relief for businesses.
EU Guidelines on General-Purpose AI Models Under the AI Act
On July 18, the European Commission (the "Commission") published detailed guidelines on the scope of obligations for general-purpose AI ("GPAI") models under the EU AI Act.
The guidelines provide specific criteria to determine whether an AI model is GPAI, introducing an important indicative threshold of training compute of 10^23 floating-point operations (FLOP), which should be used together with qualitative factors to determine whether a model is GPAI. The Commission also sets out detail on how to calculate training compute and provides examples of when models are in or out of scope of the definition of GPAI. In addition, the guidelines provide criteria to determine whether a GPAI model is one with "systemic risk," which is subject to additional requirements under the AI Act, or is offered under a free, open-source licence, which is exempt from certain requirements.
The Commission also sets out its position on significant scoping issues under the AI Act such as what it means to be a "provider" and for AI to be "placed on the market." The guidelines consider the AI supply chain and indicate which entity is responsible for which obligations under the AI Act in various situations, such as where an AI system is based on a GPAI model and where a GPAI model is modified by another entity.
Takeaway: The guidelines are targeted at GPAI and provide valuable practical criteria to apply the more nebulous definition of GPAI in the AI Act itself. Although principally focused on GPAI, the guidelines also address issues of wider application and are an important resource for organizations across the AI supply chain, particularly given that many other key guidelines are still awaited. Organizations assessing their EU AI Act obligations will find these guidelines valuable to their analysis, even if they believe they are not subject to the GPAI rules.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.