Letter from the Editor
As the year ends, I find myself reflecting on what a wonderful and exciting year it has been for the regulatory landscape ICYMI covers, and for me personally.
I want to take a moment to thank our subscribers who continue to make ICYMI a success. Your engagement and support mean more than you know, and we hope you will continue sharing these resources with others who might benefit from staying ahead of the compliance curve.
With compliance in mind, we have created a comprehensive 2026 Compliance Calendar covering the privacy, AI, telecom, and healthcare deadlines heading your way. The Compliance Calendar is designed to help you plan and implement the changes necessary to meet new regulatory requirements, even amid ongoing uncertainty around state AI laws and evolving regulations. This will help you hit the ground running in January. As my gift to you, and in response to all those who asked, the Compliance Calendar has links to add compliance reminders directly to your Google or Outlook calendars.
This issue also marks the end of my first year back in private practice. What a year it has been! I have had the privilege of meeting so many new people, traveling across the country, speaking at amazing events, diving into meaty regulatory issues, and working on meaningful matters for incredible clients. The journey back has been everything I hoped for and more.
Many thanks to everyone who makes ICYMI happen each week. None of this would be possible without the people who surround and support me. To my clients who trust me with their challenges, to my in-house friends and colleagues who keep me sharp, to the friends who cheer me on, and most especially to my family, thank you for encouraging and believing in me throughout this year. I am so excited to see what 2026 has in store for all of us on the regulatory, professional, and personal fronts.
Wishing you a joyful holiday season and a happy New Year.
Warmly,

Artificial Intelligence Regulation and Litigation
The artificial intelligence regulatory landscape entered a period of unprecedented federal-state tension in late 2025 with the new AI Executive Order attempting to preempt state AI regulations, which triggered pushback from state attorneys general and other lawmakers questioning whether the AI Executive Order can override state law. Meanwhile, states continued advancing their own AI frameworks, with New York enacting disclosure requirements for AI-generated content in advertising and posthumous likeness protections. Courts simultaneously expanded potential liability for AI developers and deploying companies through class action decisions establishing that automated voice and biometric data collection can violate California's wiretapping law and Illinois's biometric privacy statute even when users never directly consented to the AI service.
Key Issues
- The new AI Executive Order escalates the federal-state conflict over AI regulation. The December 11 Executive Order directs DOJ to challenge state AI laws as unconstitutional, threatens to withhold BEAD funding from states with onerous regulations, and orders the FCC to adopt preemptive federal AI disclosure standards. The order faces state opposition, and other lawmakers have expressed skepticism about its enforceability.
- New York mandates AI disclosure in advertising and establishes posthumous likeness protections. New York's newly signed legislation requires anyone producing advertisements in the state to disclose the use of AI-generated synthetic performers.
- AI voice and biometric data collection triggers expanding CIPA and BIPA class action exposure. Courts allowed CIPA claims to proceed against AI phone and meeting transcription services, and BIPA claims against Google's Gemini email scanning parties.
Federal Legislation & Regulation
Executive Order Establishes National AI Policy Framework. On December 11, 2025, President Trump signed an Executive Order ("AI EO") establishing what the administration describes as a "minimally burdensome national policy framework for AI" designed to preempt state-level artificial intelligence regulations. The AI EO directs multiple federal agencies to act against state AI laws that the administration views as obstacles to U.S. competitiveness in the global AI race. Specifically, a Department of Justice ("DOJ") AI Litigation Task Force must be established within 30 days, and it is tasked with challenging state AI laws on grounds including unconstitutional regulation of interstate commerce and preemption by existing federal regulations. The US Attorney General is directed to consult with the Special Advisor for AI and Crypto regarding which state laws warrant legal challenge. Within 90 days, the Secretary of Commerce must publish an evaluation identifying "onerous" state AI laws that are determined to conflict with the AI EO's deregulatory policy. The AI EO also includes a provision noting that states with onerous laws may be ineligible for remaining Broadband Equity Access and Deployment ("BEAD") Program funding. The FTC Chairman is directed to issue a policy statement within 90 days explaining when state laws requiring alterations to AI outputs are preempted by the FTC Act's prohibition on deceptive practices. The FCC Chairman must initiate a proceeding to determine whether to adopt a federal AI disclosure standard that would preempt conflicting state requirements. The order does carve out specific categories from preemption, including state laws relating to child safety protections, AI compute and data center infrastructure (other than general permitting reforms), and state government procurement and use of AI. The executive action faces significant legal and political hurdles. 
Critics have called the approach most likely illegal, noting that the president cannot simply negate state laws through executive order without Congressional action. Florida Governor Ron DeSantis, a Republican, previously characterized the preemption effort as "federal government overreach." Legal scholars point to the 2023 Supreme Court decision upholding California's authority to regulate its pork industry despite interstate commerce implications as precedent that may complicate federal preemption claims. State lawmakers from both parties have indicated they will continue passing AI regulations regardless of the AI EO.
State Reactions to the AI EO. A bipartisan coalition of 23 state attorneys general filed reply comments with the FCC, urging the agency to stand down on preempting state AI regulations, arguing the agency lacks authority to do so. The letter, signed by AGs from California, Tennessee, Nevada, Connecticut, and 19 other states, responds to an FCC notice of inquiry asking whether AI regulations interfere with telecom services. The states argue this question is beyond the FCC's reach, noting that AI is software the agency has never tried to regulate. The states noted their legitimate interests in regulating deepfakes, AI-powered scams, algorithmic rent-setting, and automated decision-making, none of which relate to telecom network operations. The letter came days after FCC Chairman Brendan Carr praised a Trump executive order directing the agency to adopt federal AI disclosure standards that would preempt "conflicting state laws." California AG Bonta said he would "strongly oppose" any effort to block state AI regulation.
FTC Withdraws AI-Related Enforcement Order Against Rytr. The FTC announced on December 22, 2025, that it has reopened and set aside a final order against Rytr, an AI writing tool, in response to the Trump Administration's AI Action Plan directing federal agencies to eliminate barriers to AI innovation. The original order prohibited Rytr from providing services that help users generate fake reviews, testimonials, or other deceptive endorsements, and required the company to screen for and block such misuse. The Commission voted 3-2 to withdraw the order, with Chair Ferguson stating the action aligns with the Administration's directive to foster AI innovation, while Commissioners Slaughter and Bedoya dissented, warning that the decision undermines consumer protection and emboldens deceptive practices. Notably, this decision was released the same day that the FTC sent ten warning letters citing violations of its Consumer Review Rule, which prohibits fake reviews and deceptive review practices, the very conduct that was the subject of the Rytr investigation. This reversal represents a significant policy shift that prioritizes AI development over enforcement against tools used to create deceptive content, signaling that companies developing generative AI tools may face reduced regulatory scrutiny for facilitating fake reviews and testimonials under the current administration.
Markey Reintroduces AI Civil Rights Act. Senator Edward J. Markey (D-Mass.) and Representative Yvette Clarke (D-N.Y.) reintroduced the Artificial Intelligence Civil Rights Act on December 2, 2025. This comprehensive legislation is designed to prevent companies from using biased AI-powered algorithms to make critical decisions affecting Americans' lives. The legislation rests on three pillars: (1) it prohibits companies from offering, licensing, or using algorithms that discriminate based on protected characteristics such as race or sex; (2) it requires independently audited impact assessments before and after algorithm deployment; and (3) it mandates transparency about when algorithms are involved in consequential decisions affecting housing, employment, lending, healthcare, and education.
AI Workforce Prepare Act. Sens. Hassan, Hickenlooper, and Husted co-sponsored the AI Workforce Prepare Act, which is bipartisan legislation to establish an AI Workforce Research Hub at the Department of Labor, incentivize innovation in workforce impact forecasting, enhance expertise at DOL, and improve data collection on AI and the workforce. The legislation comes in response to leading economists urging the DOL to gather high-quality data on AI's impact on jobs.
One Fair Price Act. Senator Ruben Gallego introduced the "One Fair Price Act" to stop companies from using consumer data to set individualized prices. A national investigation claims that Instacart is using AI-driven pricing tests that cause online grocery prices to vary from person to person for the same item. The investigation by Consumer Reports found price differences of up to 23%, potentially costing families $1,200 extra annually. This legislation is another effort aimed at surveillance pricing, which sets pricing based on what the consumer will pay rather than relying on market forces, like supply or aggregate demand. Senator Gallego argues that this disadvantages smaller businesses that want to charge consumers fair and predictable prices. The bill gives consumers redress options and vests the FTC, the DOT, and state AGs with enforcement authority.
SUCCESS for BEAD Act. Senators Roger Wicker (R-Miss.) and Shelley Moore Capito (R-W.V.) introduced the SUCCESS for BEAD Act, which would allow states to redirect unused funds from the $42.5 billion Broadband Equity, Access and Deployment (BEAD) program toward AI workforce development, next-generation 911 services, and submarine, mobile, and fiber infrastructure. Federal officials estimate $20 to $22 billion in BEAD funds may go unused after the Trump administration clawed back state awards in June to strip the program's fiber-first focus and adopt a technology-neutral approach, requiring states to submit revised plans with smaller budgets. The bill is one of several congressional proposals for repurposing leftover BEAD funds since NTIA revealed the expected surplus.
State AI Regulations
New York Requires AI Disclosure in Advertisements. Under newly signed legislation (S.8420-A/A.8887-B), anyone who produces or creates an advertisement in New York must disclose if it includes "AI-generated synthetic performers." The companion bill (S8391) creates posthumous protections requiring consent from heirs or executors before using a person's name, image, or likeness commercially after death. Governor Hochul emphasized that these measures respond to the increasing use of AI-generated content across digital platforms.
42 State AGs Push for AI Chatbot Safety Measures. A bipartisan coalition of 42 state attorneys general, led by New York AG Letitia James, sent a letter to major AI developers, including Meta and Microsoft, urging them to adopt safety measures for generative AI chatbots. The AGs expressed alarm at reports of chatbots engaging in grooming, encouraging suicide, sexual exploitation, emotional manipulation, suggesting drug use, proposing secrecy from parents, and promoting violence, particularly with child-registered accounts. They noted that reinforcement learning from human feedback can cause chatbots to become sycophantic, validating users' delusions rather than delivering objective responses, which poses heightened risks for users with mental health conditions. The letter warned that such conduct may violate state laws on children's online privacy, defective product marketing, and criminal statutes prohibiting encouragement of criminal acts, coercion into suicide, or corrupting minors. The attorneys general called on companies to commit to safety testing, recall procedures, and clear warnings. Businesses deploying or developing AI chatbots should review their safety testing protocols and content moderation, particularly for products accessible to minors or vulnerable populations, as state enforcement and civil litigation in this space are accelerating.
AI Litigation
CIPA Class Action Against AI Voice Assistant Provider. A Northern District of California court allowed a CIPA class action to proceed against ConverseNow Technologies, which provides AI virtual assistants to process phone orders for clients like Domino's. Plaintiff alleged she called Domino's, was routed to ConverseNow's virtual assistant without notice, and provided PII, including payment information and delivery address. The critical issue: CIPA exempts parties to a conversation, and ConverseNow argued its AI was simply an extension of Domino's. The court disagreed, adopting the "capability test" — under which the inquiry is whether the software provider could use the communication for its own purposes, regardless of whether it actually did. Because ConverseNow could potentially use call data to improve its products, the claim survives. This ruling serves as a cautionary note to both software companies and — because of potential aiding and abetting liability — companies that use those technologies.
Illinois Lawsuit Alleges AI Meeting Assistant Illegally Collects Voiceprint Data. A class action filed in Illinois federal court alleges that Fireflies.AI, a California-based AI meeting assistant that provides transcription services for platforms like Zoom and Microsoft Teams, illegally collects, stores, and uses biometric voice data without informed consent in violation of the Illinois Biometric Information Privacy Act ("BIPA"). The plaintiff claims the software automatically joins meetings once enabled by the host and analyzes participants' unique vocal characteristics to distinguish speakers and generate transcripts, effectively creating voiceprints, even for individuals who never created a Fireflies account or agreed to its terms of service. The complaint alleges that Fireflies never informed participants in writing of its intent to collect biometric data, never obtained written consent, and lacks a publicly available retention and destruction policy as BIPA requires. The plaintiff seeks statutory damages and injunctive relief on behalf of a proposed class of all individuals whose voice data was collected by the software. Businesses using AI transcription or meeting assistant tools should be aware that BIPA liability can potentially extend to third-party software deployed in meetings, and that consent obligations may apply to all meeting participants, not just the account holder who enabled the feature.
Google Hit with Class Action Over Gemini AI "Secret" Email Scanning. A new putative class action filed in the Northern District of California alleges Google activated Gemini AI's Smart features across Gmail, Chat, and Meet accounts without user consent, violating CIPA. The complaint claims Google previously offered Gemini "Smart features" as an opt-in tool, but allegedly switched this setting on for all accounts on or around October 10, 2025, enabling its AI to track users' private communications without knowledge or consent. Making matters worse, despite this setting being in default "opt out" status since October 10, the setting is still worded as an opt-in feature, rendering Google's privacy settings effectively meaningless, according to the plaintiff. The proposed class covers all U.S. residents whose private communications were tracked by Gemini AI after Google flipped the switch. Google has issued a statement refuting claims that it uses Gmail content to train the Gemini AI model, but the allegations remain untested.
Privacy & Data Protection
The regulatory landscape for privacy, health data, and telemarketing continued its rapid evolution in late 2025, with enforcement authority shifting increasingly toward state actors and prescriptive compliance regimes. Companies operating in these spaces face a patchwork of evolving obligations with meaningful enforcement consequences for missteps.
Key Issues
- Data security enforcement is increasingly coming from state AGs rather than federal agencies. The settlement with Illuminate Education illustrates this with the FTC imposing no financial penalty, while state AGs secured $5.1 million in combined fines plus prescriptive technical requirements.
- Telemarketing regulation is intensifying at both state and federal levels, with expanding liability. The FCC is proposing new caller ID and overseas call rules. Michigan passed sweeping new telemarketing restrictions with enhanced penalties for targeting vulnerable individuals.
- Health data privacy is shifting from permissive to prescriptive regulation. Senator Cassidy's proposed HIPRA would extend HIPAA-like obligations to consumer health tech (wearables, apps, wellness programs) that currently operate outside HIPAA's reach, while states like Washington and New York are already implementing their own restrictive health data laws.
Federal Privacy
Health Information Privacy Reform Act. Senator Bill Cassidy (R-LA) introduced the Health Information Privacy Reform Act ("HIPRA"), which would extend "medical-grade" HIPAA-like privacy, security, and breach obligations to consumer-focused digital health companies, including smartwatches, wearables, health apps, wellness programs, and data/AI vendors that currently fall outside HIPAA coverage. HIPRA would cover "applicable health information" (any information identifying or linkable to an individual relating to health status, care, or payment) and apply to entities determining the purpose and means of processing such data, with limited exceptions for governmental bodies and existing HIPAA-covered entities. The law would require new privacy rules on data use and sharing with minimum necessary standards and written authorization requirements, security safeguards aligned with NIST frameworks, and HIPAA-style breach notification requirements. HHS would enforce with FTC consultation using HIPAA's tiered penalty structure, while maintaining state law preemption similar to HIPAA's approach.
Wyden Calls on Health Tech Companies to Add Privacy Features for Patient Medical Records. Senate Finance Committee Ranking Member Ron Wyden (D-OR) sent letters on December 16, 2025, to ten major electronic health record (EHR) companies urging them to adopt privacy measures that let patients view and control who accesses their medical records. The request follows Epic Systems (the largest EHR provider) recently adding new privacy controls at Wyden's request that enable patients to see who accessed their records and restrict access. Current law under a 2016 statute requires Americans' health records to be widely available by default to any healthcare provider nationwide, even doctors who have never treated the patient. Wyden's push was prompted by a 2021 Department of Defense Inspector General investigation that found military personnel's health records were vulnerable to improper access "for purposes of extortion, public embarrassment, or sale to others," raising national security concerns about foreign spies or hackers accessing confidential information on military officers and defense personnel. A June 2025 follow-up DOD investigation is examining efforts to protect health records from improper access.
FTC and State AGs Take Action Against Illuminate Education Over Student Data Breach. The FTC and AGs from California, Connecticut, and New York have reached separate settlements with Illuminate Education, an edtech provider for K-12 schools, over a December 2021 breach that exposed the personal information of more than 10 million students. The breach occurred when a hacker used credentials from a former employee who had left the company more than three years earlier, accessing databases where student data was stored in plaintext. The FTC's proposed consent order, now open for public comment until January 5, 2026, requires Illuminate to implement a comprehensive security program and delete unnecessary data, but notably imposes no financial penalty. The states took a harder line, securing $5.1 million in combined penalties (California: $3.25M, New York: $1.7M, Connecticut: $150K) along with prescriptive technical requirements, including backup database isolation, penetration testing, and proactive outreach to schools on data retention. The case marks California's first enforcement under its California K-12 Pupil Online Personal Information Protection Act ("KOPIPA") and Connecticut's first under its Student Data Privacy Law, signaling that meaningful data security enforcement may increasingly come from the states.
FCC Proposes Fresh Approach to Combat Illegal Robocalls with Caller ID and Overseas Call Rules. On October 28, 2025, the FCC adopted a Notice of Proposed Rulemaking (NPRM) proposing requirements for providers to give consumers accurate caller identity information, ensuring they no longer have to guess whether a call is one they want to answer, and measures to combat illegal calls originating from overseas. The agency's decision means the FCC will broaden the definition of "caller identity information," implement new requirements for service providers, and mandate that providers alert consumers when calls are coming from overseas and block the use of U.S. area codes for calls that originate in foreign countries. The rule also requires voice providers to verify that the caller's name and other information transmitted to consumers is accurate. Comments are due January 5, 2026, with reply comments due February 3, 2026.
FCC Cease and Desist to SK Teleco. The FCC issued a cease-and-desist order to SK Teleco over a widespread robocall scam impersonating Walmart employees. The robocalls used an artificial voice identifying itself as a Walmart employee named "Emma" or "Carl," claiming a $919.45 PlayStation purchase had been made on the recipient's Walmart account. Recipients who pressed "1" to cancel were transferred to live scammers seeking Social Security numbers and other personal data. Nearly 8 million robocalls tied to this scam flooded Americans' phones between January 21 and April 11, 2025. If SK Teleco fails to comply, the FCC may order all U.S. carriers to block its traffic entirely.
FTC Data Finds Robocall Complaints Spiked in 2025. According to data released by the FTC, complaints about robocalls spiked this year. The FTC fielded over 2.6 million complaints in 2025, with the top five categories consisting of reducing debt, impostors, medical and prescriptions, energy and utilities, and home improvement and cleaning. Arizona, Tennessee, Nevada, and Illinois were the states with the most Do Not Call complaints.
State Privacy
CPPA Fines Nevada Marketing Firm $56,600 Under the Delete Act. On December 3, 2025, the California Privacy Protection Agency ("CPPA") issued an enforcement decision against ROR Partners LLC ("ROR"). The company was fined for failing to register as a data broker under California's Delete Act. ROR Partners created consumer profiles and custom audience lists using data points covering demographic, socioeconomic, and behavioral information of over 262 million Americans, selling custom audience segments for targeted advertising without registering. The CPPA emphasized that "a sale is a sale": selling personal information as part of a larger suite of products and services still requires compliance. Data brokers should ensure they are registered in the Delete Request and Opt-Out Platform ("DROP") before January 1, 2026.
New CCPA Regulations Effective January 1, 2026. Revisions to the California Consumer Privacy Act (CCPA) regulations were recently approved by the California Office of Administrative Law (OAL) and take effect on January 1, 2026. Key changes include mandatory written security programs with multi-factor authentication, access controls, vendor management, and regular testing; annual independent cybersecurity audits for businesses meeting specific thresholds; and audit reports that must be kept for five years with signed executive certification due to the CPPA by April 1. Businesses must also implement formal data minimization practices and update contracts with service providers to meet detailed new standards.
Michigan Senate Passes Sweeping Telemarketing Law. The Michigan State Senate passed Senate Bill 351 (S-4), which amends the state's Telephone Solicitation Act and adds new restrictions on telemarketing to Michigan consumers. The bill broadly defines telephone solicitation to include calls or texts encouraging purchases, requesting personal information, promoting employment opportunities, prize promotions, or attempts to defraud. The key provisions include mandatory disclosure requirements (caller name and organization, and organization name for texts), exclusions for express written consent and existing customer relationships, enhanced enforcement through the Attorney General with civil fines up to $25,000 per violation, and a private right of action allowing consumers to recover actual damages or $1,000, whichever is greater, plus attorneys' fees. In addition, the bill imposes heightened penalties of $50,000 to $100,000 for violations targeting vulnerable individuals (those 75+ or with disabilities) or vulnerable telephone numbers. The legislation awaits final enactment.
Texas Mini-TCPA Update: Settlement Confirms Consent-Based Marketers Do Not Need to Register. On November 6, 2025, Texas settled the challenge to Senate Bill 140 (SB 140), which amended the state's "mini-TCPA." In its Joint Motion to Dismiss, the state clarified that businesses that only send marketing texts to users who have opted in need not register with the state as telephone solicitors. The guidance applies equally to consent-based telemarketing calls, not just texts. The Secretary of State's website now specifies that "any business that sends text messages with prior consent of the consumer is not required to complete the Telephone Solicitation Registration Statement under Business and Commerce Code Chapter 302." Companies that already filed registration applications may withdraw their applications if the SOS has not acted on their applications. It is important to note that courts are not bound to follow this settlement or the upcoming Attorney General guidance, and plaintiffs could still attempt to enforce registration requirements via the mini-TCPA's private right of action, which creates statutory penalties of $5,000 per violation. Businesses should ensure they can demonstrate consent if relying on the exception.
2025 State AG Robocall Enforcement Trends: VoIP Providers in the Crosshairs. State AGs continue to lead efforts against unlawful robocalls, with a particular focus on VoIP service providers throughout the call chain. In 2025, the state AG Task Force issued three rounds of warning notices to a total of 50 VoIP wholesalers and issued its most recent tranche on December 3, 2025. Initially targeting gateway or point of entry providers, the latest letters additionally target companies simply for routing calls transferred to them by other domestic telecom providers, so-called intermediate providers accepting traffic indirectly.
Privacy Litigation
Texas Judge Blocks T-Mobile's Price Comparison Tool That Scraped AT&T Customer Data. A Texas federal judge granted AT&T a temporary restraining order blocking T-Mobile from using its "Easy Switch" price-comparison tool, which AT&T alleges scraped customer data from AT&T's password-protected systems without authorization. According to AT&T, the tool allowed AT&T customers to enter their login credentials on T-Mobile's app, after which T-Mobile sent a bot to access and extract sensitive data from AT&T's non-public websites. T-Mobile argued the tool was legal because customers, not T-Mobile, initiated the access, and the tool only pulled data from three or four web pages. The judge rejected that defense, finding AT&T had shown likely success on the merits and irreparable harm. Businesses should note that using customer credentials to access a competitor's systems, even with customer consent, may still violate the Computer Fraud and Abuse Act and trigger injunctive relief.
eXp Realty TCPA Class Action. A Washington federal court ruling in Hollis v. eXp Realty held that the allegations in the complaint were sufficient to state a claim for direct liability against eXp Realty. In addition, the court found eXp Realty could be held vicariously liable for calls based on its connection with an agent. This ruling is concerning for brokerages, which previously did not worry about liability for the behavior of their franchisees or agents. The case has now proceeded to discovery. Real estate brokerages should urgently review their TCPA compliance programs.
Are SMS Messages "Calls" Under TCPA? Following the Supreme Court's McKesson decision removing binding FCC deference, courts are now split on whether text messages qualify as "calls." Hugo Boss was sued in a TCPA class action over alleged SMS messages sent outside of the TCPA's time-of-day requirements. Boss moved to dismiss, arguing that SMS messages are not calls under the TCPA's DNC rules. The court, relying on an earlier Ninth Circuit ruling, refused to dismiss and certified the issue for immediate interlocutory review to resolve the split.
LovePop Sued in TCPA Class Action Over Holiday Messages. A new TCPA class action was just filed in the Central District of California against LovePop, Inc., for allegedly sending text messages to Plaintiff Richard Evans outside the quiet hours and while his phone number was on the National DNC Registry. The complaint alleges many of those texts were pushing holiday card purchases. This case is part of a growing wave of "quiet hours" lawsuits under the TCPA, and it is a TCPA violation to contact a consumer between the hours of 9:00 p.m. and 8:00 a.m. at the called party's location. The case also raises the open question of whether text messages remain covered under the DNC provisions post-McKesson.
QuoteWizard Faces TCPA Class Action Over Prerecorded Telemarketing Calls. A recent lawsuit filed in North Carolina alleges that QuoteWizard, an insurance comparison subsidiary of LendingTree, violated the Telephone Consumer Protection Act ("TCPA") by making unsolicited prerecorded telemarketing calls to consumers' cell phones without obtaining express written consent. According to the complaint, Shelly Toledo received a prerecorded voice message on her cell phone from QuoteWizard. The message purported to follow up on an auto insurance quote request, encouraged her to visit the QuoteWizard website, and offered a callback number. Toledo claims that she never provided QuoteWizard with her express written consent to receive marketing communications via prerecorded messages. Toledo seeks to certify a nationwide class of individuals who received similar prerecorded telemarketing calls from QuoteWizard in the past four years. This lawsuit follows QuoteWizard's $19 million settlement in a separate TCPA class action earlier this year.
Marketing & Consumer Protection
The FTC and state attorneys general continued their aggressive enforcement posture against deceptive consumer practices in late 2025, with particular focus on subscription services, hidden fees, and misleading advertising. Despite the Eighth Circuit vacating the Click to Cancel rule on procedural grounds, federal and state regulators demonstrated their commitment to combating "dark patterns" through individual enforcement actions, securing substantial settlements against major companies. Meanwhile, courts sent mixed signals on the viability of consumer class actions, and the FCC proposed rolling back specific broadband transparency requirements.
Key Takeaways
- FCC proposes changes to its Broadband Label Requirement. The FCC proposes to eliminate several broadband label requirements, including telephone disclosure, itemization of state and local fees, and machine-readable formats, signaling a shift toward streamlined rather than comprehensive consumer disclosures.
- Subscription and cancellation practices remain prime enforcement targets despite the Click to Cancel setback. The FTC secured major settlements against Instacart and NextMed and filed suit against Uber (with 21 states) for deceptive subscription practices. At the same time, consumer groups petitioned to restart the Click to Cancel rulemaking.
- Junk fees and misleading pricing disclosures draw heightened scrutiny across industries. Greystar settled for $24M over hidden rental fees, and Menards paid $4.25M for misleading rebate advertising, reinforcing that headline claims must accurately reflect actual offers and fine print won't cure deceptive promotions.
Federal Actions and Enforcement
FCC Comments on Streamlining Broadband Label Requirements. On October 28, 2025, the FCC adopted a Second Further Notice of Proposed Rulemaking proposing to eliminate specific broadband label requirements and seeking comment on other ways to streamline the broadband label rules. Specifically, the FCC proposes to eliminate requirements that providers: (1) read the label to consumers over the phone; (2) itemize state and local passthrough fees that vary by location; (3) provide information about the now-concluded ACP; (4) display labels in customer account portals; (5) make labels available in machine readable format; and (6) archive labels for at least two years after a service is no longer offered to new customers. The FCC also seeks comment on eliminating the multilingual display requirement. The FCC proposes to eliminate the requirement that providers read broadband labels to consumers by telephone, but clarifies that this deletion does not prevent providers from conveying this information over the phone at a customer's request. Comments are due on January 2, 2026, and reply comments are due on February 2, 2026.
FTC's Click to Cancel Rule. Consumer advocacy groups petitioned the agency to restart the rulemaking process, and the FTC quietly published their petition in the Federal Register. The Consumer Federation of America and American Economic Liberties Project argue that the Eighth Circuit only found procedural issues (not substantive problems), so the FTC should restart rulemaking using the original proposed language. Comments are due January 2, 2026, for interested companies.
FTC Settles with Instacart for $60 Million Over Deceptive Subscription and Delivery Practices. Instacart has agreed to pay $60 million to resolve FTC allegations that it misled consumers through deceptive advertising and subscription practices. The FTC alleged Instacart engaged in deceptive tactics, including falsely advertising "free delivery" while charging undisclosed service fees of up to 15% to deliver groceries. The FTC also alleged that Instacart failed to honor its 100% satisfaction guarantee by offering small credits instead of refunds and hiding the refund option. In addition, the FTC took issue with the Instacart Plus enrollment process for failing to disclose that consumers would be charged after free trials ended. Under the settlement, Instacart must stop misrepresenting delivery costs and satisfaction guarantees, clearly disclose subscription terms, and obtain express informed consent before charging consumers. Instacart denied wrongdoing, stating its practices are transparent and its cancellation process is simple. This action is in line with the FTC's actions against Amazon, Uber, and Adobe. It reinforces that the agency will continue to crack down on deceptive subscription practices despite its Click to Cancel rule being vacated by the Eighth Circuit in July 2025.
FTC Approves Consent Order Against NextMed for Deceptive Advertising, Cancellation, Billing, and Review Manipulation Practices. The Federal Trade Commission approved a final consent order on December 3, 2025 (by a 2-0 vote) against telehealth company NextMed and its two founders for allegedly deceptive advertising, billing, cancellation practices, and review manipulation related to subscription weight-loss programs. The FTC originally filed the administrative complaint in July 2025, alleging deceptive marketing by failing to disclose that monthly subscription prices excluded the cost of GLP-1 drugs themselves, lab work, and required medical consultations. The FTC also alleged the company did not disclose the subscription term and associated cancellation fees, and delayed cancellation and refund processing. In addition, the FTC alleged that NextMed suppressed negative reviews by selectively challenging critical reviews, offering gift cards as incentives to remove negative reviews, conditioning refunds on review removal, and creating fake positive reviews using testimonials and before-and-after pictures from people who never used NextMed's services or GLP-1 drugs. NextMed and its founders are required to pay $150,000 to the FTC, and the consent order prohibits misrepresentations about telehealth service costs, unsubstantiated claims about typical results, misrepresentations about review truthfulness, and any review manipulation, including selective solicitation or offering removal incentives. The order also mandates clear disclosure of cancellation/refund terms before payment, simple cancellation methods, and prompt processing of cancellation/refund requests.
FTC and 21 States Sue Uber for Deceptive Billing Practices. The Federal Trade Commission, joined by 21 states and the District of Columbia, filed an amended complaint on December 15, 2025, against Uber, alleging deceptive billing and cancellation practices related to its Uber One subscription service. The lawsuit alleges Uber enrolled users in subscriptions without consent, overstated savings by omitting the $9.99/month fee, hid key terms in hard-to-read text, and made cancellation a 23-screen ordeal despite promising users could cancel anytime. The amended complaint seeks civil penalties for violations of the Restore Online Shoppers' Confidence Act ("ROSCA") and state consumer protection laws. The 21 states include Alabama, Arizona, California, Connecticut, Illinois, Maryland, Michigan, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, Virginia, West Virginia, and Wisconsin.
FTC and State AGs Reach $24M Settlement with Greystar Over Rental "Junk Fees." The FTC and the Colorado AG reached a $24 million settlement with apartment rental company Greystar for allegedly charging "junk fees." Greystar is one of the largest providers of rental housing in Colorado, managing approximately 45,000 units. The lawsuit, filed in January and joined by the FTC, alleged that Greystar used deceptive advertising to entice consumers into applying for rental housing, and then bilked those consumers out of hundreds of millions of dollars by charging hidden fees. Specifically, after attracting prospective tenants with deceptively low rental prices, Greystar failed to adequately disclose mandatory recurring fees charged to tenants for things such as pest control, valet trash service, package concierge service, utility administration fees, and specific amenities, often not revealing actual costs until after tenants paid a non-refundable application fee. Under the settlement, Greystar will be required to disclose upfront the total monthly leasing price, disclose all fees or costs, the nature and purpose of the fee or cost, the amount of the fee or cost, and whether the fee or cost is mandatory.
FTC Targets Review Manipulation Practices. The FTC issued warning letters to 10 companies on December 22, 2025, for potentially violating the FTC's Consumer Review Rule by misrepresenting the reviewer's experience with the product or services; buying positive or negative reviews; using company insiders to write reviews without disclosing a material connection to the business; representing that a website or entity it controls provides independent reviews of products or services; engaging in "gatekeeping," which is representing that reviews represent all or most of reviews submitted when certain reviews are excluded (e.g., negative reviews); and making threats to prevent or remove a negative consumer review. The letters, sent to businesses across retail, healthcare, automotive, hospitality, and financial services sectors, cite concerns about practices such as only soliciting reviews from customers who report positive experiences or filtering out dissatisfied customers before they can post feedback. Companies have 15 days to describe their review collection practices and explain compliance with the rule. This enforcement action signals the FTC's commitment to maintaining the integrity of online review ecosystems. It serves as a clear warning that review-gating and selective-solicitation practices will face scrutiny. Businesses should audit their review collection processes to ensure compliance with the Consumer Review Rule.
State Enforcement
Florida AG Files Lawsuit Against Roblox Over Child Safety Failures. Florida's AG filed a lawsuit accusing Roblox of failing to protect children and misleading families about the platform's safety. Investigators say kids as young as seven were able to access thousands of games, including violent and sexually explicit content, with no age verification. The state claims predators used the platform to identify children, gain their trust, and transition conversations to apps like Discord or Snapchat. The AG alleges Roblox violated Florida's consumer protection laws and COPPA by collecting data from children under 13 without verified parental consent.
Menards Pays $4.25 Million to Settle 10-State Deceptive Marketing Probe. Menards has agreed to pay $4.25 million to resolve a multi-state investigation into allegedly deceptive advertising of its 11% Rebate Program and COVID-era price gouging. Attorneys general from Illinois, Ohio, Michigan, Minnesota, Wisconsin, Iowa, Arizona, Kansas, Nebraska, and South Dakota alleged the home-improvement chain's marketing misled customers into believing they would receive immediate discounts at checkout, when the savings actually came as in-store merchandise credit, with that detail buried in fine print. The investigation also targeted Menards' early-2020 price increases on essential goods like garbage bags, isopropyl alcohol, dish soap, and gloves. Under the settlement, Menards agreed to stop representing that customers will receive point-of-sale discounts when the actual offer is store credit, clearly disclose rebate program terms, give customers at least one year to file rebate claims, update its online rebate tracker within 48 hours, and refrain from price gouging during abnormal economic disruption. This settlement reinforces that headline advertising claims must accurately reflect the actual offer, and fine print disclaimers will not cure a misleading promotion.
NAD and Litigation
Sapphire ads were 'puffery,' BBB says. The National Advertising Division ("NAD") determined that JPMorgan Chase's claims that its Chase Sapphire Reserve card is the most rewarding constitute non-actionable puffery when used without additional context. However, NAD found Chase had a reasonable basis for the claims when connected to specific product features and recommended the bank disclose its methodology given the numerous assumptions required in its analysis, while also recommending Chase discontinue claims that overstated the card's superiority regarding $2,500 in annual value and noting Chase voluntarily discontinued a "best offer ever" claim during the Capital One challenge proceedings.
Eighth Circuit Reverses Folgers Class Certification. In a significant win for defendants in consumer deception cases, the Eighth Circuit reversed class certification in Sorin v. The Folger Coffee Company, a lawsuit alleging Folgers misrepresented how many cups of coffee each container could produce. The appellate court determined that individual questions about whether consumers saw, interpreted, or relied upon the product representations would predominate over common questions. The court explained that "many class members weren't deceived, and figuring out who was and who will require consumer-by-consumer inquiries into each class member's individual tastes, interpretations, and circumstances." The court also rejected the plaintiffs' "overcharge" theory that all purchasers paid inflated prices regardless of whether they relied on the representations.
Of Note: 2025 Year-End Wrap-Up
2026 Compliance Calendar Now Available
As you finalize budgets and plan for 2026, we compiled a comprehensive compliance calendar to help you navigate the regulatory landscape ahead. From new state privacy laws in Indiana, Kentucky, and Rhode Island taking effect January 1st, to California's sweeping AI disclosure requirements, the Colorado AI Act in June, and updated COPPA rules in April, 2026 is shaping up to be another regulation-heavy year. The calendar covers privacy, AI, telecom, and healthcare deadlines with clickable links to add reminders directly to your Google or Outlook calendar. Even with ongoing uncertainty around state AI regulations and potential federal preemption, the compliance obligations we do know about require significant preparation. Whether you are implementing risk assessment frameworks, updating consent mechanisms, or building AI disclosure protocols, now is the time to start. Download the 2026 Compliance Calendar to see what's coming and develop your implementation roadmap.
This is the link to the compliance calendar: https://claude.ai/public/artifacts/af1b51d0-cdd3-4776-8a78-2d3112037abc