Category: Communication Media & Internet

Texas Attorney General Launches Investigation into 15 Tech Companies

Texas Attorney General Ken Paxton recently launched investigations into Character.AI and 14 other technology companies on allegations of failure to comply with the safety and privacy requirements of the Securing Children Online through Parental Empowerment (“SCOPE”) Act and the Texas Data Privacy and Security Act.

The SCOPE Act places guardrails on digital service providers, including AI companies, including with respect to sharing, disclosing and selling minors’ personal identifying information without obtaining permission from the child’s parent or legal guardian. Similarly, the Texas Data Privacy and Security Act imposes strict notice and consent requirements on the collection and use of minors’ personal data.

Attorney General Paxton reiterated the Office of the Attorney General’s (“OAG’s”) focus on privacy enforcement, with the current investigations launched as part of the OAG’s recent major data privacy and security initiative. Per that initiative, the Attorney General opened an investigation in June into multiple car manufacturers for illegally surveilling drivers, collecting driver data, and sharing it with their insurance companies. In July, Attorney General Paxton secured a $1.4 billion settlement with Meta over the unlawful collection and use of facial recognition data, reportedly the largest settlement ever obtained from an action brought by a single state. In October, the Attorney General filed a lawsuit against TikTok for SCOPE Act violations.

The Attorney General, in the OAG’s press release announcing the current investigations, stated that technology companies are “on notice” that his office is “vigorously enforcing” Texas’s data privacy laws.

Copyright © 2024, Hunton Andrews Kurth LLP. All Rights Reserved.
For more on Texas Attorney General Investigations, visit the NLR Communications Media Internet and Consumer Protection sections.

“Don’t You Have to Look at What the Statute Says?” – IMC’s Oral Arguments

As we noted earlier on TCPAWorld, the IMC odds against the FCC might be better than initially thought due to the panel of judges from the Eleventh Circuit hearing the oral arguments. Oral argument recordings are available online.

And the panel did not disappoint in pushing back on the FCC.

The conversation hinged on the FCC’s power to implement regulations in furtherance of the TCPA’s statutory language. This is important because the FCC is limited to implementation, and they are do not have the authority “to rewrite the statute” as was mentioned in the oral arguments.

Judge Luck (HERE) had some concerns with the FCC’s limitations on the consumer’s ability to consent. The statute, according to Luck, intends to allow consumers to agree to receive calls. If that is the case, then a limitation of the consumer’s ability to exercise their rights is an attempt to rewrite the statute.

Luck agreed that implementing the statute is fine, but limiting the right of consumers to receive calls they consent to receive is over reach. Luck continued “Just because you [the FCC] are ineffective at enforcing the authority doesn’t mean you have the right to limit one’s right, a statutory right, or rewrite those rights to limit what it means.”

The FCC attempted to argue that implementation of statute by their very nature is going to lead to restriction, but Judge Luck pushed back on that. According to Luck, there are ways to implement statutes that don’t restrict a consumer’s statutory rights. This exchange was also telling:

LUCK: Without the regulation do you agree with me that the statute would allow it?

FCC: Yes.

LUCK: If so, then it’s not an implementation. It’s a restriction.

Luck was not the only Judge who pushed back on the FCC. Judge Branch (I believe because she was not identified) also strongly pushed back on the FCC’s restriction on topically and logically associated as an element of consent. Branch stated that the FCC was looking at consumer behavior and essentially stated too many consumers didn’t know what they were doing in giving consent. The FCC stated “I think we have to look at how the industry was operating…” only to be interrupted by Branch who questioned that statement by asking “Don’t you have to look at what the statute says?”

YIKES.

Finally, the FCC’s turn in oral argument ended with this exchange:

JUDGE: Perhaps the question should be “We have a problem here. We should talk to Congress about it.”

FCC: Congress did task the agency to implement here.

JUDGE: It’s given you power to implement, not carte blanche.

DOUBLE YIKES.

There was also a conversation around whether or not the panel should issue a stay in this case. The IMC argued that yes – a stay was appropriate due to the uncertainty in the market.

It’s pretty clear that the judges questioned the statutory authority of the FCC to implement the 1:1 consent and the topically and logically related portions of the definition of prior express written consent.

While we don’t have a definitive answer yet on this issue, we do know this is going to be a lot more interesting than everyone thought before the oral arguments.

We will keep you up to date on this and we will have more information soon.

© 2024 Troutman Amin, LLP
For more on the TCPA, visit the NLR Communications Media Internet section

CFPB Takes Aim at Data Brokers in Proposed Rule Amending FCRA

On December 3, the CFPB announced a proposed rule to enhance oversight of data brokers that handle consumers’ sensitive personal and financial information. The proposed rule would amend Regulation V, which implements the Fair Credit Reporting Act (FCRA), to require data brokers to comply with credit bureau-style regulations under FCRA if they sell income data or certain other financial information on consumers, regardless of its end use.

Should this rule be finalized, the CFPB would be empowered to enforce the FCRA’s privacy protections and consumer safeguards in connection with data brokers who leverage emerging technologies that became prevalent after FCRA’s enactment.

What are some of the implications of the new rule?

  • Data Brokers are Now Considered CRAs. The proposed rule defines the circumstances under which companies handling consumer data would be considered CRAs by clarifying the definition of “consumer reports.” The rule specifies that data brokers selling any of four types of consumer information—credit history, credit score, debt payments, or income/financial tier data—would generally be considered to be selling a consumer report.
  • Assembling Information About Consumers Means You are a CRA. Under the rule, an entity is a CRA if it assembles or evaluates information about consumers, including by collecting, gathering, or retaining; assessing, verifying, validating; or contributing to or altering the content of such information. This view is in step with the Bureau’s recent Circular on AI-based background dossiers of employees. (See our prior discussion here.)
  • Header Information is Now a Consumer Report. Under the proposed rule, communications from consumer reporting agencies of certain personal identifiers that they collect—such as name, addresses, date of birth, Social Security numbers, and phone numbers—would be consumer reports. This would mean that consumer reporting agencies could only sell such information (typically referred to as “credit header” data) if the user had a permissible purpose under the FCRA.
  • Marketing is Not a Legitimate Business Need. The proposed rule emphasizes that marketing is not a “legitimate business need” under the FCRA. Accordingly, CRAs could not use consumer reports to decide for an advertiser which consumers should receive ads and would not be able to send ads to consumers on an advertiser’s behalf.
  • Enhanced Disclosure and Consent Requirements. Under the FCRA, consumers can give their consent to share data. Under the proposed rule, the Bureau clarified that consumers must be provided a clear and conspicuous disclosure stating how their consumer report will be used. It would also require data brokers to acknowledge a consumer’s right to revoke their consent. Finally, the proposed rule requires a new and separate consumer authorization for each product or service authorized by the consumer. The Bureau is focused on instances where a customer signs up for a specific product or service, such as credit monitoring, but then receives targeted marketing for a completely different product.

Comments on the rule must be received on or before March 3, 2025.

Putting It Into Practice: With the release of the rule so close to the end of Director Chopra’s term, it will be interesting to see what a new administration does with it. We expect a new CFPB director to scale back and rescind much of the informal regulatory guidance that was issued by the Biden administration. However, some aspects of the data broker rule have bipartisan support so we may see parts of it finalized in 2025.

Listen to this post

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.
For more on the CFPB, visit the NLR Financial Institutions Banking section

…But Wait, There’s More!

In 2025, eight additional U.S. state privacy laws will go into effect, joining California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia:

  1. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  2. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  3. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  4. New Hampshire Privacy Act (effective Jan. 1, 2025)
  5. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  6. Tennessee Information Protection Act (effective July 1, 2025)
  7. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  8. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

While many of these eight state privacy laws are similar to current privacy laws in effect, there are some noteworthy differences that you will need to be mindful of heading into the New Year. Additionally, if you did not take Texas, Oregon and Montana into consideration in 2024, now is the time to do so!

Here is a roadmap of key considerations as you address these additional state privacy laws.

1. Understand What Laws Apply to Your Organization

To help determine what laws apply to your organization, you need to know the type and quantity of personal data you collect and how it is used. Each of the eight new state laws differ with their scope of application, as their thresholds vary based on the 1) number of state residents whose personal data controlled or processed and 2) the percentage of revenue a controller derives from the sale of personal data.

Delaware, New Hampshire, and Maryland have the lowest processing threshold – 35,000 consumers.

Nebraska’s threshold requirements are similar to Texas’ threshold requirements: the law applies to any organization that operates in the state, processes or sells personal data, and is not classified as a small business as defined by the U.S. Small Business Administration.

Notably, Maryland and Minnesota will apply to non-profits, except for those that fall into a narrow exception.

See our chart at the end of this article for ease of reference.

2. Identify Nuances

Organizations will need to pay particular attention to Maryland’s data minimization requirements as it is the strictest of the eight. Under Maryland, controllers will have unique obligations to meet, including the following:

  • Limit the collection or processing of sensitive data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.”
  • Cannot process minors’ (under 18 years old) personal data for targeted advertising.
  • A broad prohibition on the sale of sensitive data.

If a controller engages in the sale of sensitive data, under Texas’ privacy law, which went into effect in July 2024, requires controllers to include the following notice in the same place your privacy policy is linked: “NOTICE: We may sell your sensitive personal data.” Similarly, if a controller engages in the sale of biometric personal data, the following notice must be included in the privacy policy: “NOTICE: We may sell your biometric personal data.” Nebraska requires companies to obtain opt-in consent before selling sensitive data. Maryland prohibits the sale of sensitive data altogether.

Minnesota takes data inventory a step further, requiring companies to maintain an inventory of personal data processed and document and maintain a description of the policies and procedures that they adopt to comply with the act.

3. Refine Privacy Rights Management

All states provide consumers with the right to access, delete, correct (except Iowa), and obtain a copy of their personal data.

Minnesota’s law provides consumers with two additional rights:

  1. The right to request the specific third parties to whom a business has disclosed personal data. Controllers may choose to respond to such a request either by providing the names of the specific third parties to which it has disclosed the consumer’s personal data or the name of third parties to which it has disclosed any personal data.
  2. The right to question the results of a controller’s profiling, to the extent it produced legal effects. Consumers will have the right to be informed of the reason that the profiling resulted in a specific decision and be informed of the actions the consumers may take to secure a different decision in the future.

Aligning with California and Utah, Iowa requires controllers to provide notice and an opportunity to opt out of the processing of sensitive data.

Interestingly, Iowa does not affirmatively establish a right to opt-out of online targeted advertising.

4. Conduct Data Privacy Impact Assessments

Most state privacy laws require controllers to conduct data privacy impact assessments for high-risk processing activities such as the sale of personal data, targeted advertising, profiling, and sensitive data processing. Nebraska, Tennessee, Minnesota, and Maryland follow Oregon by including any processing activities that present a heightened risk of harm to a consumer. Maryland takes this a step further in requiring the assessment include an assessment of each algorithm that is used.

5. Update Privacy Notices

All state privacy laws require privacy notices at the time of collecting personal data. It is essential you keep your privacy notice up-to-date and ensure (at a bare minimum) it covers data categories, third-party sharing, consumer privacy rights options, and opt-out procedures. Minnesota also requires controllers to provide a “reasonably accessible, clear, and meaningful” online privacy notice, posted on its homepage using a hyperlink that contains the word “privacy.”

As state privacy laws stack up, having a structured, adaptable, and principles-based approach paves the path to sustainable compliance.

Make 2025 the year your privacy program doesn’t just meet the minimum—it excels.

Click here to view the 2025 US State Privacy Laws Applicability Chart

Copyright © 2024 Womble Bond Dickinson (US) LLP All Rights Reserved.
For more on Privacy Laws, visit the NLR Communications Media Internet section

Public Urged to Use Encryption for Mobile Phone Messaging and Calls

On December 4, 2024, four of the five members of the Five Eyes intelligence-sharing group (the United States, Australia, Canada, and New Zealand) law enforcement and cyber security agencies (Agencies) published a joint guide for network engineers, defenders of communications infrastructure and organizations with on-premises enterprise equipment (the Guide). The Agencies strongly encourage applying the Guide’s best practices to strengthen visibility and strengthen network devices against exploitation by reported hackers, including those hackers affiliated with the People’s Republic of China (PRC). The fifth group member, the United Kingdom, released a statement supportive of the joint guide but stated it had alternate methods of mitigating cyber risks for its telecom providers.

In November 2024, the Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement to update the public on its investigation into the previously reported PRC-affiliated hacks on multiple telecommunications companies’ networks. The FBI and CISA reported that these hacks appeared to focus on cell phone activity of individuals involved in political or government activity and copies of law enforcement informational requests subject to court orders. However, at the time of the update, these U.S. agencies and members of Congress have underscored the broad and significant nature of this breach. At least one elected official stated that the hacks potentially expose unencrypted cell phone conversations with someone in America to the hackers.

In particular, the Guide recommends adopting actions that quickly identify anomalous behavior, vulnerabilities, and threats and respond to a cyber incident. It also guides telecoms and businesses to reduce existing vulnerabilities, improve secure configuration habits, and limit potential entry points. One of the Guide’s recommended best practices attracting media attention is ensuring that mobile phone messaging and call traffic is fully end-to-end encrypted to the maximum extent possible. Without fully end-to-end encrypted messaging and calls, the content of calls and messages always has the potential to be intercepted. Android to Android messaging and iPhone to iPhone messaging is fully end-to-end encrypted but messaging from an Android to an iPhone is not currently end-to-end encrypted. Google and Apple recommend using a fully encrypted messaging app to better protect the content of messages from hackers.

The FBI and CISA are continuing to investigate the hacks and will update the public as the investigation permits. In the interim, telecom providers and companies are encouraged to adopt the Guide’s best practices and to report any suspicious activity to their local FBI field office or the FBI’s Internet Crime Complaint Center. Cyber incidents may also be reported to CISA.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.
For more on Mobile Phones, visit the NLR Communications Media Internet section

Telehealth Update: DEA/HHS Temporary Rule, Medicare Coverage of Telehealth Services, Potential for Increased Oversight, and What to Watch For in 2025

Telehealth companies and other industry stakeholders have had a watchful eye towards the end of 2024 and the impending “telehealth cliff” as COVID-era Drug Enforcement Agency (DEA) flexibilities and Medicare expanded telehealth coverage are set to expire. Although a recent temporary joint rule from the DEA and the Department of Health and Human Services (HHS) along with the 2025 Medicare Physician Fee Schedule final rule has provided some hope, questions regarding telehealth access in 2025 and under a new Administration remain unclear. Further, calls continue for increased oversight of telehealth services. Below, we breakdown recent updates for the telehealth industry.

DEA Telehealth Flexibilities

Providing some good news, late last month the DEA and HHS jointly issued a temporary rule (the Temporary Rule) extending the COVID-era flexibilities for prescribing controlled substances via telehealth through the end of 2025. The flexibilities, which previously were twice extended and set to expire December 31, 2024, temporarily waive the in-person requirements for prescribing under the Controlled Substances Act.

The DEA and HHS issued the Temporary Rule to ensure that providers and patients who have come to rely on telehealth services are able to smoothly transition to the new requirements, which as previously covered, are likely to significantly limit providers’ ability to prescribe controlled substances without an in-person interaction. The Temporary Rule also acknowledges that the DEA and HHS continue to work with relevant stakeholders and will use the additional time to promulgate proposed and final regulations that “effectively expand access to telemedicine” in a manner that is consistent with public health and safety, while mitigating the risk of diversion. The agencies also note that the limited time period of the extension is aimed at avoiding investment in new telemedicine companies that may encourage or enable problematic prescribing practices.

The Temporary Rule effectively allows all DEA-registered providers to prescribe Schedule II-V controlled substances via telehealth through the end of 2025, regardless of when the provider-patient relationship was formed. Consistent with the prior temporary rules, the following requirements continue to apply:

  • The prescription must be issued for a legitimate medical purpose by a practitioner acting in the usual course of professional practice.
  • The prescription must be issued pursuant to a telehealth interaction using two-way, real-time audio-visual technology, or for prescriptions to treat a mental health disorder, a two-way, real-time audio-only communication if the patient is not capable of, or does not consent to, the use of video technology.
  • The practitioner must be authorized under their DEA registration to prescribe the basic class of controlled medication specified on the prescription or be exempt from obtaining a registration to dispense controlled substances.
  • The prescription must meet all other requirements of the DEA regulations.

Providers should also be cognizant of applicable state laws that may place additional restrictions on the ability to prescribe certain medications or otherwise provide treatment via telehealth.

Medicare Coverage of Telehealth Services 

Unlike the DEA flexibilities, many of the COVID-era flexibilities for traditional Medicare coverage of telehealth services will end on December 31, 2024. Despite bipartisan support, congressional action is required to extend broad coverage for certain telehealth services existing since March 2020. Most notably, unless Congress acts, beginning January 1, 2025 expiring flexibilities include waiving the originating site requirements to allow beneficiaries to receive services in their homes and expanding the list of Medicare-enrolled providers who can furnish telehealth services.

Further, beginning January 1, 2025, Medicare coverage of telehealth services for beneficiaries outside of rural health care settings will be limited to:

  • Monthly End-Stage Renal Disease visits for home dialysis;
  • Services for diagnosis, evaluation, or treatment of symptoms of an acute stroke;
  • Treatment of substance use disorder or a co-occurring mental health disorder, or for the diagnosis, evaluation or treatment of a mental health disorder;
  • Behavioral health services;
  • Diabetes self-management training; and
  • Nutrition therapy.

For its part, the Centers for Medicare & Medicaid Services (CMS) recently issued its 2025 Medicare Physician Fee Schedule Final Rule (the MPFS Final Rule) extending and making permanent certain telehealth flexibilities within its authority. In particular, through December 31, 2025, practitioners may continue to utilize live video to meet certain Medicare direct supervision requirements and reference their currently enrolled practice when providing telehealth services from their home. The MPFS Final Rule continues to remove frequency limitations for certain hospital inpatient/observation care, skilled nursing facility visits, and critical care consultation services furnished via telehealth. Additionally, the MPFS Final Rule makes permanent the utilization of audio-only telehealth for any Medicare-covered telehealth service.

Increased Telehealth Oversight 

Recent months also have seen renewed calls for increased oversight of telehealth services. In September, the HHS Office for Inspector General (OIG) issued a report (the OIG Report) recommending increased oversight of Medicare coverage of remote patient monitoring. As a basis for its findings, the OIG Report cites the dramatic increased utilization of and payments for remote patient monitoring from 2019 to 2022, the fact that over 40% of Medicare beneficiaries receiving remote patient monitoring did not receive all three components of the service (i.e., education and setup, device supply, and treatment management), and the observation that Medicare lacks key information regarding the data being collected and the types of monitoring devices utilized. Notably, OIG conducted its review in part because of the potential for significant expansion of remote patient monitoring in the Medicare population.

Given these factors, the OIG Report recommends that CMS:

  1. Implement additional safeguards to ensure that remote patient monitoring is used and billed appropriately in Medicare.
  2. Require that remote patient monitoring be ordered and that information about the ordering provider be included on claims and encounter data for remote patient monitoring.
  3. Develop methods to identify what health data are being monitored.
  4. Conduct provider education about billing of remote patient monitoring.
  5. Identify and monitor companies that bill for remote patient monitoring.

Separately, concerns also have been raised regarding the recent emergence of direct-to-consumer telehealth platforms sponsored by pharmaceutical companies. In this model, patients seeking specific medications are linked to a health care provider who can virtually prescribe the requested medication. In October, U.S. Senate Majority Whip Dick Durbin (D-IL), joined by Senators Bernie Sanders (I-VT), Peter Welch (D-VT), and Elizabeth Warren (D-MA) sent letters to several pharmaceutical companies requesting written response to questions regarding these platforms including the cost of direct-to-consumer advertising, the arrangements between the telehealth providers and the pharmaceutical companies, and whether the virtual consultation comply with the standard of care.

Conclusion

Despite attempts to preserve and expand telehealth access and affordability, effective January 1, 2025, many Medicare beneficiaries will be cut off from certain telehealth services unless one of the bills currently pending in Congress is passed. Crucially, bipartisan support for increased access to telehealth services is likely to continue in both chambers of Congress. Although the incoming Administration has not detailed its plans regarding telehealth access on a permanent, or even temporary basis, telehealth will continue to play an important role in the United States health care system through 2025 and beyond. As telehealth continues to play an important role in increasing access to care, increased oversight and enforcement is almost certain, even if future oversight priorities are unclear. As always, we will continue to monitor and report on important telehealth developments.

©1994-2024 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.
For more on Telehealth, visit the NLR Health Law Managed Care section

Checklist for Transitioning Founder-Owned Law Firms

When transitioning from a founder-owned law firm, it’s essential to establish a clear plan to ensure the firm’s continued growth and stability. A successful transition depends on strategic priorities that enhance operational efficiency, improve client satisfaction, and secure long-term success.

Below, we outline the key areas to analyze and implement for a seamless shift in leadership and operations.

  1. Work-Life Timelines

Work-life timelines act as a roadmap for planning the future of the firm. They provide a structured planning horizon that helps leadership forecast and prepare for critical milestones, such as retirements or leadership transitions. For instance, mapping out partner retirement dates allows the firm to identify when leadership gaps may occur and develop succession plans proactively.

  1. Marketing Effectiveness

Effective marketing strategies are the backbone of a firm’s revenue growth. Assessing your marketing effectiveness involves analyzing the ability to meet revenue goals while considering the business risks associated with exiting partners. For example, if a founder has historically been a key rainmaker, your marketing plan must address how to replace their client development efforts with targeted campaigns and new initiatives, such as digital outreach or niche practice area marketing.

 

  1. Attorney Development

Attorney development ensures that the firm maintains a continuous and adaptable skill set. As founders exit, having a pipeline of well-trained attorneys is critical to sustaining client relationships and maintaining institutional knowledge. Regular mentorship programs, skill-building workshops, and tailored career growth plans help prepare attorneys to take on leadership roles in the future.

 

  1. Recruiting Effectiveness

Strong recruiting processes are essential for addressing capability and capacity gaps created by departing founders. Recruiting effectiveness goes beyond hiring; it involves attracting and retaining top legal talent who align with the firm’s culture and goals. Offering competitive benefits, a clear career trajectory, and a supportive environment can position the firm as a destination for top-tier candidates.

 

  1. Compensation and Incentives

A well-designed compensation and incentive structure is vital to the firm’s profitability and transition success. Attracting high-profit lateral hires, ensuring partners are practicing profitably, and facilitating smooth transitions for senior partners require thoughtful compensation planning. For example, implementing performance-based bonuses tied to billable hours or collections can motivate both current attorneys and incoming talent.

 

  1. Policy Development

Clear and consistent policies build trust and promote a culture of fairness among partners, associates, and staff. Whether it’s defining work-from-home expectations or delineating the decision-making process, policy development ensures that the firm operates smoothly during and after the leadership transition.

 

  1. Partnership or Operating Agreements

A robust partnership or operating agreement ensures that decision-making processes are clear and actions carry appropriate weight. These agreements provide a framework for resolving disputes, allocating equity, and governing major decisions—such as onboarding new partners or adjusting compensation structures. This clarity helps reduce friction during transitional periods.

 

  1. Equity Transfer Processes

Equity transfer is one of the most sensitive aspects of transitioning a founder-owned firm. Establishing clear processes for equity transfer ensures that the firm can perpetuate itself without unnecessary controversy. By structuring buyouts or equity redistribution in advance, the firm avoids disruptions that could harm operations or morale.

 

  1. Technology

Investing in technology is critical for maintaining efficiency and gaining a competitive edge. Technology tools, such as practice management systems, client portals, and AI-driven analytics, streamline operations and strengthen client relationships. For instance, adopting cloud-based platforms allows for seamless collaboration among team members and improves data security during the transition.

 

  1. Supportive Platforms

Creating a supportive platform that elevates the success of lawyers and staff is key to a smooth transition. This might include mentorship programs, robust professional development opportunities, and fostering a collaborative work culture. A supportive platform not only helps retain existing talent but also enhances the firm’s reputation as a desirable place to work.

 

  1. Trained and Motivated Staff

A well-trained and motivated staff is essential for maintaining operational continuity during a leadership transition. Cross-training employees on various roles and responsibilities ensure that knowledge is retained and transferred effectively. For example, ensuring paralegals are familiar with new practice management systems or administrative protocols reduces the risk of disruption.

 

  1. Implementation

Strategic planning is only as good as its implementation. Moving from the planning phase to actionable steps is vital for securing the firm’s long-term interests. By setting clear timelines, assigning responsibilities, and tracking progress, the firm can ensure that the transition plans lead to tangible outcomes.

Conclusion

By focusing on these critical areas, your firm can develop a comprehensive, thoroughly analyzed, and ready-to-implement set of priorities. These steps will help your firm thrive in the post-founder era while ensuring smooth transitions, client retention, and operational excellence. Transitioning a founder-owned law firm may seem daunting, but with careful planning and execution, your firm can secure a prosperous future.

Listen to this article

©2024 PerformLaw
For more on Law Firms, visit the NLR Law Office Management section

Upcoming Telephone Consumer Protection Act (TCPA) Changes in 2025

The Telephone Consumer Protection Act (TCPA), enacted in 1991, protects consumers from unwanted telemarketing calls, robocalls, and texts.

New FCC Consent Rule

On January 27, 2025, the Federal Communications Commission’s (FCC) new consent rule for robocalls and robotexts will take effect. The FCC aims to close the “lead generator loophole” by requiring marketers to obtain “one-to-one” consumer consent to receive telemarketing texts and auto-dialed calls. While the rule primarily targets lead generators, it could affect any business that relies on consumer consent for such communications or purchases leads from third parties.

Under the rule, businesses must clearly and conspicuously request and obtain written consumer consent for robocalls and robotexts from each individual company. Companies can no longer rely on a single instance of consumer consent that links to a list of multiple sellers and partners. Instead, individual written consent will be required for each marketer. Additionally, any resulting communication must be “logically and topically related” to the website where the consent was obtained.

To meet this requirement, businesses may allow consumers to affirmatively select which sellers they consent to hear from or provide links to separate consent forms for each business requesting permission to contact them.

New Consent Revocation Rules

Another change takes effect on April 11, 2025, when the FCC’s new consent revocation rules for robocalls and robotexts are implemented. These rules allow consumers to revoke prior consent through any reasonable method, and marketers may not designate an exclusive means for revocation. Reasonable methods include replying “stop,” “quit” or similar terms to incoming texts, using automated voice or opt-out replies, or submitting a message through a website provided by the caller.

Marketers must honor revocation requests within a reasonable timeframe, not exceeding 10 business days. After that period, no further robocalls or robotexts requiring consent may be sent to the consumer.

Preparing for Compliance

To comply with the January 27, 2025, one-to-one consent rule and the April 11, 2025, consent revocation rule, lead generators and businesses that use or facilitate robocall and robotext communications should:

  • Review their current consent and revocation practices.
  • Ensure compliance by updating policies before the deadlines.
  • Examine where consumer leads are being obtained and adjust policies for using this information to meet the new requirements.

This advisory provides only a summary of the upcoming changes to the Telephone Consumer Protection Act.

© 2024 Varnum LLP
For more on the TCPA, visit the NLR Communications Media Internet section

NSA Wants Industry to Disclose Details of Telecom Hacks in Light of Chinese Involvement

On November 20, 2024, the director of the National Security Agency, General Timothy Haugh, urged the private sector to take swift, collective action to share key details about breaches they have suffered at the hands of Chinese hackers who have infiltrated US telecommunications.

Gen. Haugh said he wants to provide a public “hunt guide” so cybersecurity professionals and companies can search out the hackers and eradicate them from telecommunications networks.

US authorities have confirmed Chinese hackers have infiltrated US telecommunications in what Senator Richard Blumenthal, a Connecticut Democrat, this week described as a “sprawling and catastrophic” infiltration. AT&T Inc., Verizon Communications Inc. and T-Mobile are among those targeted.

Through those intrusions, the hackers targeted communications of a “limited number” of people in politics and government, US officials have said. They include Vice President Kamala Harris’ staff, President-elect Donald Trump and Vice President-elect JD Vance, as well as staffers for Senate Majority Leader Chuck Schumer, according to Missouri Republican Senator Josh Hawley.

Representatives of the Chinese government have denied the allegations.

“The ultimate goal would be to be able to lay bare exactly what happened in ways that allow us to better posture as a nation and for our allies to be better postured,” – Gen. Tim Haugh.
©2024 Katten Muchin Rosenman LLP
For more on Telecom, visit the NLR Communications Media Internet section

SPAM FROM HOME?: Home Shopping Network (HSN) Hit With New TCPA Class Action Over DNC Text Messages

TCPA class actions against retailers arising out of SMS channel communications continue to roll in, despite Facebook severely limiting the availability of TCPA ATDS claims.

The issue, of course, is the DNC rules that prevent SMS messages to residential phones for marketing purposes absent prior express invitation or permission or an established business relationship.

For instance a consumer in Florida filed a TCPA class action lawsuit against HSN (home shopping network) yesterday in federal court claiming the company sent him promotional text messages without his consent and despite the fact he was on the national DNC list.

Complaint here: HSN COmplaint

The Complaint alleges HSN had a “practice” of sending text messages to consumers on the DNC list and seeks to represent a class of:

All persons throughout the United States (1) who did not provide their
telephone number to HSN, Inc., (2) to whom HSN, Inc. delivered, or
caused to be delivered, more than one call or text message within a 12-
month period, promoting HSN, Inc. goods or services, (3) where the
person’s residential or cellular telephone number had been registered
with the National Do Not Call Registry for at least thirty days before
HSN, Inc. delivered, or caused to be delivered, at least two of the calls
and/or text messages within the 12-month period, (4) within four years
preceding the date of this complaint and through the date of class
certification.

As these cases continue to roll in it is critical that retailers and brands keep the DNC rules in mind. Most companies only seek to contact consumers that sign up for their messages but numerous challenges to compliance exist:

  1. Third-party lead suppliers often provide false information;
  2. Consumers enter the wrong phone numbers on POS systems and online; and
  3. Phone numbers change hands regularly.

While tools exist to help limit exposure on these challenges it is critical to maintain a strong DNC policy and attendant training to provide a defense. And don’t forget about the new revocation rules!

© 2024 Troutman Amin, LLP
For more on the TCPA, visit the NLR Communications Media Internet section