ICYMI: Issue #6: January 2026

Letter from the Editor

The start of a new year always brings with it a sense of excitement for a clean slate and new possibilities ahead. It is also a time to clean house and get organized, which I am doing as I continue to be snowed in from Winter Storm Fern.

In the law, of course, clean slates are rare. The issues continue to build. We're seeing more AI legislation emerge from states despite the administration's efforts toward federal preemption. I suspect this tug of war isn't going anywhere anytime soon. Courts continue to address key wiretapping issues and refine interpretations of what constitutes a TCPA violation. Platforms that were once successful at insulating themselves from litigation are now facing liability and finding they need better oversight of their users and the nefarious activities occurring on their watch. Regulators remain active across the board.

So with the excitement of the new year comes predictable, repeatable patterns and persistent challenges. It has been busy, to be sure, but it is never dull, and it is always engaging.

Thank you, readers, for your continued support of ICYMI and the VisionAI+ Masterclass. We kicked off the new year with fresh VisionAI+ content, and we plan to offer regular webinars this year covering a variety of domestic and global AI issues. The exciting part? We don't yet know what all the topics will be as we wait for new developments to unfold in the AI space.

We continue to urge companies to focus on complying with AI state laws and continue to watch for legislative developments. As we predicted during our AI webinar last week, Federal preemption seems unlikely to happen anytime soon, and state attorneys general are not willing to wait and see what happens at the federal level.

As we look toward February, I hope to hear from you about the issues you find most interesting and what content you'd like us to deliver this year. In the meantime, I'm going to focus on thawing out my house, staying warm by sampling new teas, and conquering my 2026 goals.

Warmly,

Artificial Intelligence Regulation and Litigation

The artificial intelligence regulatory landscape in early 2026 reflects deepening tensions between federal preemption efforts and aggressive state-level action, with states introducing comprehensive frameworks targeting AI chatbot safety, data center energy costs, and copyright transparency while the Trump administration attempts to override state regulations through executive order. Congress advanced bipartisan legislation requiring AI training transparency for copyright holders and shifting data center infrastructure costs from ratepayers to tech companies, while state enforcement actions against Character.AI and xAI's Grok signal that AI companies face immediate liability for child safety failures and nonconsensual intimate imagery generation regardless of federal regulatory uncertainty.

Key Issues

• Federal legislation gives copyright holders access to AI training data. The newly introduced TRAIN Actenables copyright holders to access AI training records through discovery modeled after internet piracy laws to address transparency.

• States are shifting data center costs from ratepayers to AI Companies. Congress introduced the Power for the People Act that will require 300+ megawatt data centers to pay for transmission upgrades and meet clean energy requirements as conditions for grid access, isolating AI infrastructure costs rather than socializing them.

• State Enforcement Shows Immediate AI Chatbot Liability for Child Safety. Kentucky's lawsuit against Character.AI was filed shortly after Google settled private litigation against it for its support of Character.AI and demonstrates AI companies face substantial exposure for outputs harming minors even if the courts have not weighed in on product liability and Section 230 theories for platforms.

Federal Legislation & Regulation

TRAIN Act Introduced in House to Give Copyright Holders Access to AI Training Records. On January 22, 2026, Congresswoman Madeleine Dean (PA-04) and Congressman Nathaniel Moran (TX-01) introduced a bipartisan bill to help musicians, artists, writers, and other creators determine if their copyrighted work was used to train generative artificial intelligence (AI) models without their permission, with the Transparency and Responsibility for Artificial Intelligence Networks (TRAIN) Act giving copyright holders access to training records used for AI models to determine if their work was used. Currently, there is no process to determine if generative AI models use an artist's work, without consent or compensation, to train its system, and the TRAIN Act is modeled after the legal process for internet piracy, enabling creators to access training records used for AI models, with few AI companies currently sharing how their models are trained and nothing in the law requiring them to do so.Senators Peter Welch (D-Vt.), Marsha Blackburn (R-Tenn.), Adam Schiff (D-Ca.), and Josh Hawley (R-Mo.) reintroduced the TRAIN Act in the Senate. This bipartisan legislation represents the first federal effort to mandate transparency in AI training data, modeled after internet piracy discovery processes, and aimed at creating a legal pathway for copyright holders to determine if their works were used without authorization. The broad coalition of creative industry endorsements spanning music, film, television, theater, and scientific publishing signals unified support for transparency requirements as a foundation for any AI copyright framework, though the bill does not itself establish liability rules or compensation requirements but rather creates the procedural mechanism for copyright holders to obtain evidence that could support infringement claims or licensing negotiations.

Power for the People Act Will Require Data Centers to Pay for Grid Infrastructure Costs and Energy Demand. On January 22, 2026, Senator Peter Welch (D-Vt.), joined U.S. Senator Chris Van Hollen (D-Md.) and other cosponsors in introducing the Power for the People Act, which is legislation designed to rein in rising electricity costs Americans are facing by addressing the huge amounts of energy required by data centers. The bill targets increased consumer energy costs attributable to the prolific build out of data centers amid growing AI use. This legislation represents the first comprehensive federal effort to shift data center infrastructure costs from ratepayers to the AI and cloud computing industries and may significantly increase capital costs for new AI data center developments.Specifically, the Power for the People Act would ensure data centers pay for energy costs they cause by: (1) directing states to evaluate the need for new rate classes specifically for data centers; (2) directing FERC to issue a rule ensuring data centers pay for local transmission upgrades; (3) creating a system to manage data center interconnection to the grid that protects affordability and reliability by incentivizing data centers to bring their own new power generation and battery storage systems, use clean energy resources, and meet prevailing wage and registered apprenticeship requirements; and (4) providing resources to improve data center load forecasting.

State AI Regulations

California Senator Proposes Moratorium on Chatbot Toys for Children Under 13 Until 2031. On January 9, 2026, California Senator Steve Padilla introduced SB 867, which would prohibit the sale of toys that include a companion chatbot for use in play by children 12 years of age or less. This proposed California moratorium raises fundamental questions about technology regulation strategy by seeking to ban an entire product category (chatbot toys for children 12 and under) until 2031 rather than regulating how the technology is used, representing a more restrictive approach than California's existing companion chatbot law. The five-year moratorium creates a complete pause on AI companion toys while policymakers and researchers study long-term effects on child development, mental health, and behavioral formation and reflects the broader regulatory debate about whether to restrict tools based on misuse potential or focus enforcement on harmful applications. This moratorium will serve as a test case to determine if overall product bans are more effective than use-based regulations in protecting children from AI-related harms.

California AG Bonta Launches Investigation into xAI's Grok. On January 14, 2026, California Attorney General Rob Bonta announced opening an investigation into the proliferation of nonconsensual sexually explicit material produced using Grok, an AI model developed by xAI. The investigation responds to news reports documented Grok users taking ordinary images of women and children available online and using Grok to depict these people in suggestive scenarios andundressthem without consent. This investigation represents California's most aggressive enforcement action yet against an AI company for facilitating nonconsensual intimate imagery and potential child sexual abuse material, signaling that AI companies cannot hide behindoptional featureswhen their products are systematically used to create deepfake content. The AG's office also pointed out that marketing explicit content generation capabilities as a differentiator makes companies complicit in resulting harms rather than shielded by Section 230 or similar safe harbors. This investigation is consistent with AG Bonta's pattern of aggressive AI oversight, which includes meetings with OpenAI over child safety concerns, sending warnings to top AI companies to emphasize that they have legal obligations to children as consumers, and defending California's right to regulate AI amid federal preemption attempts by both the FCC and the incoming Trump Administration.

Kentucky AG Sues Character.AI for Preying on Children. On January 8, 2026, Kentucky Attorney General Russell Coleman announced Kentucky is the first state in the nation to launch a lawsuit against an artificial intelligence chatbot company that has preyed on children and led them into self-harm. Filed in Franklin Circuit Court, the complaint alleges Character Technologies, its owners, and its product Character.AI broke Kentucky law by prioritizing their own profits over the safety of children.Character.AI is marketed as providing harmless chatbots for interactive entertainment but its more than 20 million monthly users were logging on to a platform with a record of encouraging suicide, self-injury, isolation and psychological manipulation, and harming minors. The Attorney General's complaint alleges the company has violated the Kentucky Consumer Protection Act, the Kentucky Consumer Data Protection Act, and other laws.This first-in-the-nation state enforcement action shows that AI chatbot platforms face consumer protection and data privacy liability for algorithmic outputs that harm minors. Kentucky's dismissal of the company's safety features as comical and easily bypassed signals that superficial age verification or content moderation measures will not insulate AI companies from liability. Companies operating conversational AI, mental health apps, social platforms, or other services targeting or accessible to minors should urgently review content moderation systems, age verification mechanisms, psychological manipulation risks, and crisis intervention protocols.

Note. Google settled a lawsuit related to Character.AI earlier this month. Google was sued alongside Character.AI in the Florida wrongful death case with plaintiffs alleging Google's substantial investment in and technological support for Character.AI made it partially liable for the platform's harms.

Michigan Senate Introduce Four-Bill Package Targeting Social Media Addiction, AI Chatbot Exploitation, and Child Data Privacy. On January 22, 2026, Michigan announced a legislative package including four bills (Senate Bill 757, Senate Bill 758, Senate Bill 759, and Senate Bill 760) to regulate technology industry practices related to children, with legislators stating the bills create commonsense measures to ensure Big Tech puts kids' safety over clicks through protections for data privacy, rampant online targeting, and potential exploitation of minors.This Michigan package represents a comprehensive state approach targeting both social media platform design and AI chatbot interactions, joining Oregon's AI companion legislation and other state efforts to regulate technology's impact on minors, reflecting growing legislative momentum to address digital addiction, exploitative platform design, and AI-enabled child exploitation despite uncertainty about whether social media addiction will gain formal medical classification.

New Mexico Proposes AI Accountability Act Requiring Digital Watermarks in AI-Generated Content and Creating Civil Liability for Malicious Deepfakes. On January 20, 2026, New Mexico's Attorney General and State Representative Serrato announced the Artificial Intelligence Accountability Act (AI2A), creating the state's first comprehensive framework for regulating generative AI and synthetic media. The bill requires AI service providers, large platforms, and device manufacturers to embed latent digital markers in AI-generated images, audio, and video to enable tracking of content production and dissemination. Key provisions include mandatory watermarking of AI-generated content, free detection tools to verify authenticity, AG enforcement with penalties up to $15,000 per violation, civil liability for knowing dissemination of malicious synthetic content, and an added year of imprisonment for using AI to commit felonies. This is one of the most technically comprehensive state approaches to synthetic media, mandating watermarking at the point of generation rather than relying on voluntary disclosure, though effectiveness depends on whether watermarking survives content manipulation and whether bad actors simply use non-compliant international tools.

AI-Related Litigation

xAI Seeks Preliminary Injunction to Block California's AI Training Data Transparency Law. Elon Musk's xAI filed a motion for preliminary injunction on January 17, 2026, asking a California federal court to block enforcement of AB 2013, the new law requiring generative AI developers to publicly show information about their training datasets. xAI argues the law, which took effect January 1, 2026, is unconstitutional and provides no guidance as to which AI systems or datasets it covers or how much detail developers are required to provide. OpenAI and Anthropic have already posted AB 2013 disclosures that are high-level and general. Analysts note that if California accepts these generalized disclosures as compliant, that will weaken xAI's claim that compliance necessarily requires revealing proprietary information. This case will become a reference point for AI transparency regulation globally. The core tension, whether training data disclosures serve transparency goals without destroying trade secret value, has no easy resolution. Organizations developing or deploying GenAI should watch this litigation closely while preparing dual-track compliance strategies if AB 2013 survives or in the event of judicial narrowing. Similar disclosure requirements are emerging in other states (e.g., New York's RAISE Act) and may proliferate regardless of this case's outcome.

Google Reaches $68M Settlement Over Voice Assistant False Accept Recordings. Google and Alphabet have asked a California federal court to preliminarily approve a $68 million class action settlement resolving claims that Google Assistant-enabled devices recorded users' conversations without consent through false accepts, which are unintentional activations occurring without the Hey Google word. The settlement would create a points-based payment system favoring purchasers of Google-made devices ($18-$56 per device) over privacy-only class members ($2-$10). The case began in 2019, with plaintiffs alleging Google concealed that devices could activate and record unintentionally, then used or shared those recordings without consent. This settlement reinforces that consumer expectations matter even when privacy policies technically allow certain data practices, companies face liability when marketing creates different impressions about how voice-enabled devices function.

Privacy & Data Protection

The regulatory landscape for privacy, health data, and telemarketing continued its rapid evolution in early 2026, with enforcement authority shifting increasingly toward state actors and prescriptive compliance regimes. The FCC extended the TCPA's global revocation rule to January 2027, California intensified data broker enforcement with market bans for selling health and demographic targeting lists, and Texas obtained emergency injunctive relief against smart TV manufacturers' automatic content recognition data collection practices.

Key Issues

• State AGs Imposing Substantive Data Commodification Bans. California's Datamasters enforcement banned the company from selling Californians' data entirely, not just fining violations, for trafficking health condition targeting lists and vulnerability markers, signaling certain personal information cannot be commodified regardless of consent.

• Smart TV/IoT Facing Emergency Enforcement. Texas obtained a TRO within two days of filing against Hisense for technology that collects viewing data every 500 milliseconds, demonstrating courts will halt data collection deemed deceptive before full litigation, particularly for foreign manufacturers with potential government data access obligations.

• Telemarketing Regulation Intensifying. The FCC delayed the TCPA global revocation rule a second time to January 2027, reflecting operational challenges and in light of its open rulemaking proceeding, while Michigan's new telemarketing law adds enhanced penalties for targeting vulnerable individuals and multiple states propose expanded privacy legislation.

Federal Privacy

TCPA Global Revocation Rule Effective Date Extended to January 2027. The FCC's Consumer and Governmental Affairs Bureau extended the effective date of the TCPA's global revocation rule to January 31, 2027, marking the second delay of this controversial provision. The global revocation rule requires callers to treat an opt-out request made in response to one type of message as applicable to all future robocalls and texts from that caller on unrelated matters, meaning consumers can globally revoke consent across both calls and texts and across all topics (marketing and nonmarketing) with a single opt-out request. The FCC granted this additional extension after opening an October 2025 rulemaking proceeding examining whether the rule harms consumers by potentially blocking wanted communications from healthcare providers, financial institutions regarding fraud alerts, and utilities. While the global revocation provision remains delayed, other TCPA amendments that took effect in April 2025 remain in force, including the requirement to process opt-out requests within 10 business days, recognition of expanded opt-out commands (STOP, QUIT, END, REVOKE, OPT OUT, CANCEL, UNSUBSCRIBE), and provisions for alternate opt-out methods when two-way texting is unavailable.

California Privacy Protection Agency Fines Data Brokers for Delete Act Violations, Orders One to Stop Selling Californians' Data. On January 8, 2026, the California Privacy Protection Agency resulting from its Data Broker Enforcement Strike Force. The requires Datamasters, a Texas-based reseller of personal information, to pay a $45,000 fine for not registering as a data broker under California's Delete Act and orders the company to stop selling all Californians' personal information, effectively removing the company from the California marketplace. According to the decision, Datamasters bought and resold the names, addresses, phone numbers, and email addresses of millions of people with Alzheimer's disease, drug addiction, bladder incontinence, and other health conditions for targeted advertising, plus lists of people based on age and perceived race offering Senior Lists and Hispanic Lists, as well as lists based on political views, grocery store purchases, banking activity, and health-related purchases, all in 2024 without registering with the California Data Broker Registry. The requires S&P Global, Inc., a New York-based provider of data and technology, to pay a $62,600 fine for failing to register as a data broker due to an administrative error, and requires the company to adopt procedures for registration and compliance auditing to prevent similar errors in the future. The Datamasters enforcement is the most severe action to date under California's Delete Act by not only imposing a fine but also imposing a complete market ban for selling targeted advertising lists. This harsh penalty signals California's view that health-condition-based targeting, demographic segmentation by protected characteristics (age, race), and lists combining vulnerability markers pose exploitation, fraud, and discrimination risks beyond advertising concerns. The agency is moving beyond procedural registration requirements toward substantive restrictions on what types of personal information can be commodified, particularly sensitive health data, lists of seniors or racial groups, political views, and behavioral/transactional data from banking and purchases. The S&P Global action shows that even administrative errors in registration result in $62,600 penalties with no good faith exception.

On January 8, 2026, the California Privacy Protection Agency announced announced two enforcement actionsfrom its Data Broker Enforcement Strike Force. The first requires Datamasters, a Texas-based data reseller, to pay $45,000 and stop selling all Californians' personal information for failing to register under the Delete Act while selling lists of people with Alzheimer's disease, drug addiction, and other health conditions, plus Senior Lists and Hispanic Lists based on age and perceived race. The second requires S&P Global to pay $62,600 for failing to register due to an administrative error. The Datamasters' action is the most severe Delete Act enforcement to date, imposing a complete market ban rather than just a fine, signaling California's view that health condition targeting and demographic segmentation by protected characteristics pose exploitation and discrimination risks that cannot be cured by registration compliance.

Texas Court Issues TRO Blocking Hisense Smart TV from Collecting Automatic Content Recognition Data, Following AG Paxton Lawsuits Against Five TV Manufacturers. On December 17, 2025, a Texas court issued a temporary restraining order blocking Chinese smart TV manufacturer Hisense from collecting viewer data via Automatic Content Recognition (ACR) technology, just two days after AG Ken Paxton filed lawsuits against Hisense and four other manufacturers under the Texas Deceptive Trade Practices Act. ACR captures content displayed on screens every 500 milliseconds across all viewing sources including streaming apps, cable, and external devices, building detailed consumer profiles for advertising and third-party licensing. The lawsuits allege manufacturers failed to clearly disclose these practices, obtained consent through misleading defaults, used dark patterns making opt-out extremely difficult, and collected data exceeding what's necessary for device functionality, with complaints against Chinese manufacturers additionally alleging undisclosed risks that Chinese law may require turning over consumer data to the government. The AG is pursuing dual-track enforcement with immediate DTPA claims plus formal TDPSA cure notice, signaling aggressive state action against IoT behavioral surveillance and putting manufacturers of connected devices with content-recognition capabilities on notice to audit compliance, implement clear opt-in consent, eliminate dark patterns, and limit collection to what's genuinely necessary for operation rather than revenue generation.

Seven States Propose New Privacy Legislation Targeting Social Media, Data Brokers, and Children's Online Safety. Multiple states have introduced privacy legislation in recent weeks addressing digital choice, children's data protection, and data broker regulation. These proposals signal growing state-level activism on privacy issues with businesses operating across multiple states facing increasingly complex and potentially conflicting compliance obligations around age verification standards, default privacy settings, consent mechanisms (opt-out vs. express written consent), data broker registration requirements with fees ranging from modest to six figures, potential taxation of core data collection business models, and interoperability mandates that could fundamentally reshape platform architectures and competitive dynamics. The bills include:

• New Hampshire – Digital Choice & Interoperability. New Hampshire's Establishing Digital Choice Act (H.B. 1589) prefiled in mid-December would require social media companies to provide users with access to their personal data and enable data-sharing across platforms through open protocols and user-controlled interoperability interfaces, with enforcement authority granted to the state attorney general, representing a state-level effort to mandate data portability and platform interoperability similar to European Digital Markets Act provisions.

• Wisconsin – Children's Data Protection. Wisconsin's S.B. 758 introduced in December would limit social media platforms' data collection from minors by requiring reliable, industry-accepted age verification methods approved by the state Department of Justice, mandating prevention of targeted advertising to minors, and prohibiting platforms from gathering, using, selling, offering, or retaining data relating to minors' use of or interaction with platforms.

• New York – Default Privacy Settings for Children. New York Governor Kathy Hochul announced on January 5 a legislative package requiring children's accounts to be set to highest privacy settings by default on covered platforms, with location settings turned off by default and children under age 13 requiring parental approval for any new connections.

• Massachusetts – ISP Consent Requirements. Massachusetts Joint Committee on Consumer Protection and Professional Licensure recently advanced S.B. 289, which would restrict telecommunications and Internet service providers from collecting, using, disclosing, or disseminating personal information of customers without express written consent and prohibit additional charges or service denial for non-consent, going beyond traditional opt-out frameworks to require affirmative express written consent.

• Washington – Data Broker Tax. Washington's H.B. 1887 under consideration would establish a data broker registry and introduce a tax on data brokers effective January 1, 2027, based on the number of Washington residents whose data is collected, with tiered rates starting at 5 cents per individual for up to 500,000 residents and increasing incrementally, representing a novel taxation approach to data collection activities.

• Nebraska – Social Media Data Tax. Nebraska's Social Media Collection of Consumer Data Tax Act (L.B. 1025) introduced January 13 would establish a tiered excise tax on social media companies collecting data from Nebraska residents, using revenue to fund juvenile mental health services, creating a direct link between platform data monetization and youth mental health funding.

• Virginia – Data Broker Registration & Fees. Virginia's H.B. 638 would require data brokers to register annually with the state starting in December 2027, pay a $100,000 registration fee, and disclose information about their data collection, sales, opt-out mechanisms, security breaches, and handling of sensitive data categories, with all disclosed information made publicly available online, establishing registration fees that far exceed California's model and creating unprecedented transparency requirements.

Litigation

California Trial Court Holds Website Analytics Tools Are Not Illegal Pen Registers. On December 10, 2025, an LA state court rejected the theory that routine website analytics and tracking tools function as illegal pen registers under the California Invasion of Privacy Act (CIPA) in in Rodriguez v. Ink America Int'l Group LLC, . The plaintiff alleged the website collected IP addresses and deployed analytics software without consent, claiming these practices violated CIPA's pen register provisions. The court dismissed the claims, finding CIPA ambiguous in the website context and concluding that treating ordinary analytics as criminal pen registers would conflict with and undermine the CCPA's regulatory framework, which contemplates businesses collecting data through website operations with appropriate notice and consumer rights. The court emphasized CIPA's pen register provisions were designed for telephonic surveillance, not commercial website operations. While this nonbinding trial court decision provides persuasive authority to challenge pen register theories at the pleading stage, website operators should continue prioritizing CCPA compliance and monitoring evolving CIPA case law until an appellate decision issues, especially in light of the trend to file such claims under federal wiretapping laws.

Florida Federal Court Allows Nationwide Digital Wiretapping Claims to Proceed Against Company Using Common Website Tracking Tools.On January 14, 2026, a Florida federal judge in Cobbs v. PetMed Express, Inc. allowed federal (ECPA) and California (CIPA) wiretapping claims to proceed based on the company's use of common third-party website tracking tools. Plaintiffs alleged tracking technologies captured search terms, page URLs, and form field entries in real time and transmitted them to outside vendors without meaningful consent. The court found URLs, form entries, and button clicks can constitute protected contents of communications rather than mere routing data, rejected arguments that plaintiffs must show financial loss or data misuse for standing, and ruled that consent questions could not be resolved without discovery despite the presence of privacy policies. This decision marks Florida's emergence as a major venue for digital wiretapping litigation, ranking second behind California for privacy claims based on tracking technology. Businesses should audit tracking technologies, reevaluate consent mechanisms beyond passive privacy policies, and scrutinize collection of content data like search queries that pose higher litigation risk.

Ninth Circuit Rules Video Files in Text Messages are Not Prerecorded Voice Messages Under the TCPA. Ninth Circuit's January 2025 decision in Howard v. Republican National Committee, which addressed whether text messages having embedded video files violate the TCPA's prohibition on prerecorded voice calls. The court held that while text messages qualify as calls under the TCPA, sending a text with an embedded video file that requires the recipient to affirmatively tap a play button does not constitute making or initiating a call using prerecorded voice, as the statute requires the prerecorded voice to be used in beginning the call rather than being optionally accessible afterward. The majority reasoned that the TCPA targets the invasion of privacy from being immediately subjected to automated voices upon answering, which doesn't occur when recipients must choose whether to play embedded content, though Judge Rawlinson's dissent argued this interpretation improperly adds limiting language to the statute's plain text prohibiting any callusing prerecorded voice regardless of content. This split decision creates uncertainty for marketers and political organizations using multimedia messaging, particularly as it conflicts with how courts have interpreted similar voicemail scenarios and leaves open questions about auto-play settings and different messaging technologies.

Rent-a-Center faces TCPA Class Action over Unsolicited Text Messages. Plaintiff Dushawn Dante Minor filed a TCPA class action lawsuit against Rent-A-Center on January 7, 2026 in California federal court, alleging the company negligently, knowingly, and/or willfully sent unsolicited advertising and marketing text messages to his cell phone and others' phones that were registered on the National Do Not Call Registry for at least 31 days without obtaining prior express written consent. The lawsuit seeks to represent anyone in the United States who received more than one telephone solicitation from Rent-A-Center within any 12-month period during the four years prior to filing, with Minor requesting class certification, statutory damages of up to $1,500 per call, fees, costs, and a jury trial. This case (Minor v. Rent-A-Center Inc., Case No. 2:26-cv-00150, C.D. Cal.) mirrors similar TCPA litigation, such as the Fathom Realty settlement that resolved comparable unsolicited text message claims for $2.85 million and comes amid ongoing concerns about companies violating federal telemarketing laws by contacting consumers without proper consent.

University of Phoenix Student's Pixel Tracking Lawsuit. An Illinois federal judge denied the University of Phoenix's motion to dismiss a proposed class action alleging the school used Meta's Facebook pixel to share students' video-viewing behavior without consent, exposing the for-profit institution to potentially massive statutory damages. The court held the University of Phoenix was a video tape service provider under the VPPA because it supplied online recorded courses to its students in exchange for tuition. While the university argued a school could not qualify as a video tape service provider, the court walked through the words of the statute and had little problem concluding that providing video coursework for profit definitely met the definition. The court also found the university allegedly knowingly disclosed personally identifiable information by transmitting Facebook pixel information when the plaintiff visited the website. The university faces penalties of $2,500.00 per violation and likely over ten million in exposure, or more. The complaint also includes claims under federal and Illinois wiretap laws prohibiting electronic eavesdropping. This ruling extends the growing wave of VPPA pixel-tracking litigation squarely into higher education. For-profit educational institutions providing video coursework now face clear exposure under a statute written for Blockbuster-era video rentals. Any organization using tracking pixels on pages with video content particularly those collecting tuition, fees, or subscription revenue should conduct a privileged assessment of their pixel deployments, vendor contracts, and consent mechanisms. The $2,500 per-violation statutory damages make even limited class periods extremely costly.

Google Consumer Antitrust Class Action. A California federal court denied Google's motion to dismiss a proposed consumer class action alleging its default search agreements. The case follows the August 2024 DOJ ruling finding Google illegally monopolized search markets and blocked competition from rivals that could have offered users payment for searches or stronger privacy protections. The court found plaintiffs alleged that competitors like DuckDuckGo could provide better results with access to more data, and that any quality gap stems from anticompetitive effects rather than inherent privacy limitations. The court rejected Google's defense that it declined privacy features to prioritize user experience. Google won a partial victory on statute of limitations, limiting claims to conduct from 2017 forward absent amended allegations about concealment. This ruling creates a parallel private litigation track to the DOJ case, with potential damages exposure if plaintiffs can prove consumers were harmed by foreclosed competition. The court's receptiveness to search compensation and privacy as competition theories signal these frameworks may gain traction in future platform antitrust cases. Companies with dominant market positions should expect that exclusive or near-exclusive distribution arrangements will face continued scrutiny from both regulators and private plaintiffs.

Google Agrees to $8.25M Settlement Over Children's App Data Collection. Google agreed to an $8.25 million class action settlement to resolve a claims that its AdMob SDK secretly collected personal data from children under 13 through apps in its Designed for Families program even after banning the offending apps from the Play Store. The settlement, potentially covering 3.8-10 million children, landed just one day after final approval of a separate $30 million YouTube child tracking settlement. These back-to-back resolutions underscore that COPPA enforcement extends beyond platform-level compliance to advertising SDKs and data intermediaries. With the FTC's amended COPPA Rule taking effect April 2026, requiring opt-in consent for targeted advertising and imposing data retention limits, companies in the children's app ecosystem should audit their entire data collection stack, including third-party SDKs. The Ninth Circuit's 2023 ruling that COPPA preemption doesn't bar state-law claims means federal settlements won't necessarily foreclose private litigation exposure.

Supreme Court Review of FCC CPNI Fines Sought Amid Circuit Split. On January 9, 2026, the Supreme Court granted petitions for a writ of certiorari filed by Verizon and the FCC, agreeing to review conflicting appellate court decisions addressing the FCC's authority to impose monetary forfeitures for violations of the Commission's Customer Proprietary Network Information (CPNI) rules. In the Fifth Circuit, the court vacated an FCC order imposing more than $57 million in forfeitures against AT&T, holding that the FCC's in-house enforcement process violated the Constitution. In the Second Circuit, the court upheld an FCC order imposing $47 million in forfeitures against Verizon, rejecting similar constitutional challenges. Both cases arose from 2018 news reports that carriers' location-based services programs were misusing or failing to protect consumer location data. In 2024, the FCC issued fines to four major telecommunications carriers (Verizon, AT&T, Sprint, and T-Mobile) for allegedly failing to protect the geolocation data of their subscribers. At issue is whether the Communications Act allows the FCC to levy civil penalties without first providing a jury trial in an Article III court. The Fifth Circuit based its reasoning on the Supreme Court's 2024 SEC v. Jarkesy decision, which held that when agencies seek punitive civil penalties, the Constitution requires a jury trial. Under the current process, the FCC issues a Notice of Apparent Liability, reviews written responses, and votes on a forfeiture order. The target can either pay and appeal directly or refuse payment, forcing the Department of Justice to file a collection suit in federal district court, where a jury trial becomes available. The Fifth Circuit found this system unconstitutional because the FCC's initial liability finding imposes punitive penalties before a jury is ever involved. This case extends the Court's Jarkesy framework to telecommunications enforcement and could fundamentally reshape how the FCC, and potentially other agencies, pursue civil penalties. For telecommunications companies facing enforcement exposure, the outcome will determine whether they can demand jury trials before paying any forfeitures. Companies should monitor this case closely and consider whether to delay settlement discussions pending the Court's decision, particularly for matters involving substantial penalty exposure.

Marketing and Consumer Protection

Congress

Congressional Delegation Reintroduces Unsubscribe Act as FTC Reconsiders Click-to-Cancel Rule. On January 13, 2026, Representatives Mark Takano (D-CA), Mark Amodei (R-NV), and Seth Magaziner (D-RI) reintroduced the bipartisan Unsubscribe Act as the FTC quietly collects public input to restore its click-to-cancel rule following a federal court's decision striking down the original rule on a technicality. The legislation would require companies to provide simple cancellation processes as easy as sign-up, obtain affirmative consent before charging customers after free or reduced-cost trials, periodically notify customers of contract changes and charges plus cancellation instructions, and prohibit automatic enrollment into subscription contracts without explicit consent. The bill addresses corporate subscription models that rely on consumers forgetting to cancel free trials and companies making cancellation difficult through obstacles and lack of transparency, with companion legislation introduced in the Senate by Senators Brian Schatz (D-HI) and John Kennedy (R-LA). The legislation has been endorsed by Consumer Federation of America, Consumer Action, Truth in Advertising, National Consumer League, and Public Citizen. This legislative initiative demonstrates congressional intent to codify click-to-cancel protections into federal law rather than relying solely on FTC rulemaking, providing businesses with clarity that negative option subscription requirements including easy cancellation, affirmative consent for post-trial charges, and periodic consumer notifications may become statutory obligations regardless of regulatory developments, while signaling bipartisan support for aggressive enforcement against subscription trap practices and dark patterns in recurring billing models.

FTC Secures TRO Against Deceptive Health Insurance Telemarketing Scheme. On January 23, 2026, the FTC obtained a temporary restraining order halting operations of Top Healthcare Options Insurance Agency Inc. and 11 related defendants accused of causing tens of millions in consumer harm through deceptive health insurance telemarketing. The defendants allegedly used lead generators to collect consumer information from websites advertising comprehensive ACA/Obamacare plans, then misrepresented limited-benefit plans and medical discount memberships as comprehensive health insurance with PPO networks, specific coverage guarantees, and low out-of-pocket costs—leaving consumers exposed to thousands of dollars in uncovered medical expenses. The complaint alleges violations of both the FTC Act (deceptive practices) and the Telemarketing Sales Rule, and seeks consumer refunds and injunctive relief. This enforcement demonstrates the FTC's continued focus on deceptive health insurance marketing, particularly bait-and-switch schemes in the lead generation ecosystem, and serves as a warning to businesses operating in the health insurance marketplace that misrepresentations about coverage scope, network participation, and cost-sharing obligations will draw aggressive enforcement action—especially when targeting consumers seeking comprehensive coverage during open enrollment periods.

FTC Finalizes GM/OnStar Connected Vehicle Data Privacy Order. On January 14, 2026, the FTC finalized a consent order with General Motors LLC, General Motors Holdings LLC, and OnStar LLC settling allegations that they collected, used, and sold consumers' precise geolocation and driving behavior data from millions of connected vehicles without adequate notice or affirmative consent. The complaint alleged GM used misleading enrollment processes for OnStar's Smart Driver feature and failed to clearly disclose it was collecting and selling this sensitive data to third parties including consumer reporting agencies. The order imposes a five-year prohibition on disclosing geolocation and driver behavior data to consumer reporting agencies, and for the full 20-year term requires GM to obtain affirmative express consent before collecting, using, or sharing connected vehicle data (with exceptions for emergency services), provide consumers ability to request and delete their data, enable disabling of precise geolocation collection where technically feasible, and allow opt-out of geolocation and driver behavior data collection. This enforcement action signals strong FTC scrutiny of connected vehicle data practices and establishes important precedent for automotive manufacturers and telematics providers regarding transparency requirements, consent mechanisms, and restrictions on sharing sensitive location and behavioral data with third parties—particularly data brokers and consumer reporting agencies that could impact insurance rates or other consumer outcomes.

FTC Sues JustAnswer for Deceptive Subscription Billing Practices. On January 13, 2026, the FTC filed a complaint against JustAnswer LLC and its CEO Andrew Kurtzig alleging the online question-and-answer service deceives consumers into enrolling in recurring monthly subscriptions without affirmative consent by falsely advertising access to expert advice for a small one-time fee of $1 or $5 when in reality the company immediately charges consumers both the advertised fee and a monthly subscription fee ranging from $28 to $125 that continues until canceled. The complaint alleges JustAnswer failed to clearly and conspicuously disclose the subscription terms as required by the Restore Online Shoppers' Confidence Act (ROSCA), preventing consumers from making informed purchasing decisions, and charges violations of both ROSCA and the FTC Act's prohibition on deceptive practices. The FTC seeks injunctive relief, consumer refunds, and civil penalties against both the company and its CEO personally. This enforcement action underscores the FTC's focus on transparent pricing in e-commerce and subscription services, serving as a warning to online platforms thatnegative optionfeatures requiring recurring payments must be disclosed clearly and conspicuously before obtaining payment information, and that burying subscription terms in fine print or obscure disclosures will not satisfy ROSCA's affirmative consent requirements—particularly when advertising emphasizes low one-time fees while downplaying mandatory recurring charges.

Dun & Bradstreet Pays $5.7 Million for Violating 2022 FTC Order. On January 13, 2026, the Department of Justice announced a federal court entered a stipulated order requiring Jacksonville-based Dun & Bradstreet to pay $5.7 million to resolve allegations it violated the FTC's 2022 administrative order that was issued based on unfair and deceptive business practices prohibited by the FTC Act. The settlement includes a $2,063,000 civil penalty and $2,785,786 in customer refunds, in addition to $924,590 in refunds already issued, totaling approximately $5.7 million. The DOJ complaint, filed in the Middle District of Florida, alleged Dun & Bradstreet violated the 2022 order by sending customers inaccurate pricing notices for automatic renewals of credit-related services to small businesses, omitting or misrepresenting facts about its products during telesales calls, and failing to retain all call recordings as required by the order. The original 2022 FTC order addressed allegations that Dun & Bradstreet deceived businesses about the value of its CreditBuilder products and failed to provide a clear process for correcting errors on business credit reports, with the company profiting by selling products that purported to help improve reports but often delivered illusory benefits. Dun & Bradstreet stated it self-identified the violations through its compliance program, immediately notified the FTC, and has strengthened controls, training, and oversight. This enforcement demonstrates the FTC's commitment to order compliance monitoring and willingness to pursue civil penalties for violations of consent orders, serving as a warning to companies subject to FTC orders that compliance obligations including accurate pricing notifications, truthful product representations, and recordkeeping requirements will be actively enforced with significant financial consequences, while highlighting particular scrutiny of business credit reporting practices and automatic renewal billing targeting small businesses that may lack resources to challenge deceptive practices.

FTC Seeks Contempt Finding Against Payment Processor for Order Violations. On January 13, 2026, the FTC filed a motion asking the U.S. District Court for Nevada to hold Cliq, Inc. (formerly Cardflex, Inc.), CEO Andrew Phillips, and CTO John Blaugrund in contempt for systematically violating Cardflex's 2015 consent order that required reasonable steps to prevent and detect payment processing fraud. The FTC alleges the defendants processed hundreds of millions of dollars for at least three merchants on Mastercard's MATCH list (merchants terminated for card brand rule violations like high chargebacks), assisted clients in evading bank and card network fraud monitoring programs, processed transactions for high-risk clients without adequate screening for deceptive practices, and failed to monitor high-risk clients' activity or cease processing for those with high chargebacks without establishing they weren't engaged in deception—including processing for merchants later criminally indicted. The FTC seeks at least $52.9 million in consumer relief, permanent ban of Phillips and Blaugrund from payment processing, appointment of a receiver to ensure compliance, and modification of the 2015 order. This enforcement action demonstrates the FTC's willingness to pursue contempt proceedings and significant financial penalties against payment processors who ignore consent order obligations, and underscores compliance risks for payment processors subject to FTC orders including requirements to screen merchants, monitor for fraud indicators like chargeback rates, terminate relationships with high-risk merchants, and maintain robust anti-fraud compliance programs rather than facilitating merchant evasion of card network controls.

FTC Investigates Sports Agent Compliance with Student Athlete Protection Law. On January 12, 2026, the FTC sent information requests to 20 NCAA Division I universities to investigate whether sports agents are complying with the Sports Agent Responsibility and Trust Act (SPARTA), a 2004 federal law designed to protect student athletes. Under SPARTA, agents must provide student athletes with specific required disclosures before entering into contracts, notify the athlete's school within 72 hours after entering into an agency contract (or before the next athletic event, whichever is earlier), and are prohibited from recruiting student athletes through false or misleading information, false promises, or providing anything of value to the athlete or their associates before signing. The FTC is requesting information from universities about whether agents are providing required disclosures, dates when schools were notified of agency contracts, agent names, and any complaints or reports about agent-athlete relationships, with responses due by March 23, 2026. This investigation signals renewed FTC scrutiny of the sports agency industry and compliance with SPARTA's consumer protection provisions, particularly relevant given the evolving landscape of name, image, and likeness (NIL) deals in college athletics, and serves as a reminder to sports agents and athlete representatives that SPARTA's disclosure, notification, and anti-deception requirements remain enforceable regardless of NIL developments, with universities, student athletes, and parents encouraged to report suspected violations to the FTC.

FTC Issues Biennial Do Not Call Registry Report Showing Progress Against Robocalls. On January 6, 2026, the FTC issued its biennial report to Congress on the National Do Not Call Registry, revealing that more than 258 million telephone numbers were registered as of the end of FY 2025. This is an increase of 4.8 million from the prior year. The FTC received over 2.6 million DNC complaints during FY 2025 with violations primarily occurring via robocalls rather than live telemarketing. The report shows debt reduction schemes, imposter calls (government, business, or family/friends), and medical/prescription inquiries led complaint categories, followed by energy/solar/utilities and home improvement services, while noting that robocall complaints increased slightly in FY 2025 but remain substantially below their FY 2017 peak due to FTC enforcement strategies targeting VoIP providers, dialing platforms, and soundboard technology providers that facilitate illegal calls. Since the Registry's 2003 establishment, the FTC has filed 173 lawsuits against 570 companies and 449 individuals for making billions of unwanted calls, collecting nearly $400 million, and has supported technological solutions by providing daily complaint data to analytics companies and voice service providers for call-blocking/filtering products, while working with the FCC to combat caller ID spoofing. This report demonstrates continued FTC emphasis on technology-based enforcement approaches and public-private partnerships to combat illegal telemarketing, signaling to businesses that the agency will pursue not just direct violators but also the technology infrastructure providers enabling illegal robocalls, while encouraging voice service providers and analytics companies to leverage FTC complaint data for enhanced call-blocking capabilities.

Court Approves $10 Million Disney Settlement for COPPA Violations on YouTube. On December 31, 2025, a federal court approved a consent order requiring Disney Worldwide Services, Inc. and Disney Entertainment Operations LLC to pay $10 million to settle FTC allegations that the companies violated the Children's Online Privacy Protection Rule by failing to properly label some videos uploaded to YouTube as Made for Kids (MFK), thereby enabling the collection of personal data from children under 13 who viewed child-directed content and the use of that data for targeted advertising without parental notification or verifiable parental consent. The DOJ complaint, filed in September 2025 upon FTC referral, alleged Disney's mislabeling allowed YouTube to collect personal information through cookies and similar tracking technologies from children viewing Disney's child-directed videos. Under the settlement, Disney must pay the $10 million civil penalty, comply with COPPA's notice and consent requirements, and establish a program to review whether YouTube videos should be designated as MFK unless YouTube implements age assurance technologies to determine user age or discontinues allowing content creators to label videos as MFK. This enforcement demonstrates FTC scrutiny of COPPA compliance in the platform content ecosystem and establishes important precedent for content creators' COPPA obligations when uploading child-directed content to third-party platforms like YouTube, signaling that responsibility for proper MFK designation rests with content creators not just platforms, while the order's age assurance provision reflects growing regulatory acceptance of technological solutions to protect children's privacy online and may foreshadow future COPPA enforcement expectations regarding implementation of age verification technologies.

FTC Launches Refund Claims Process for NGL Anonymous Messaging App Users. On January 6, 2026, the FTC announced a refund claims process to distribute $4.5 million to consumers affected by deceptive practices and unauthorized charges related to the NGL anonymous messaging app, following a July 2024 settlement with NGL Labs and its co-founders reached jointly with the Los Angeles District Attorney's Office that banned the defendants from marketing anonymous messaging apps to anyone under 18. The original complaint alleged NGL unfairly marketed to children and teens, sent fake messages appearing to come from real people to trick users into purchasing NGL Pro subscriptions by falsely claiming paid subscriptions would reveal sender identities, made deceptive claims about AI content moderation capabilities, and failed to obtain proper consent for recurring charges. This refund program demonstrates the FTC's commitment to consumer redress in youth-focused app enforcement and establishes important precedent regarding liability for dark patterns in subscription sign-ups, fake engagement tactics to drive conversions, and COPPA violations in anonymous messaging platforms, serving as a warning to social media and messaging app operators that deceptive subscription practices, unauthorized recurring billing, and marketing to minors through manipulative tactics will result in both operational restrictions (such as age-based bans) and substantial financial remediation obligations.

Live Nation and Ticketmaster Move to Dismiss FTC BOTS Act Lawsuit. On January 6, 2026, Live Nation and Ticketmaster filed a motion to dismiss the FTC's September 2024 lawsuit alleging BOTS Act violations, arguing the agency is improperly trying to hold the platform accountable for ticket resellers' actions. The FTC's complaint claimed Ticketmaster knowingly allowed scalpers to purchase large ticket blocks during on-sales, incentivized to look the other way because it triple dips on fees, collecting from brokers on primary purchases, again on secondary sales, and from consumers buying resold tickets. The defendants counter that the FTC failed to show any circumvention of anti-bot technology or Ticketmaster's awareness of such circumvention, and that ticketholders, not platforms, should bear responsibility for illegally acquired tickets. This case, separate from the pending DOJ antitrust lawsuit, tests whether secondary market platforms can be held liable for facilitating resales from bot-acquired tickets, with significant implications for ticketing platforms' obligations to police their ecosystems.

State

California AG Bonta Helps Double Capital One Settlement. On January 13, 2026, California Attorney General Rob Bonta announced the preliminary approval of a $425 million class action settlement requiring Capital One to compensate 360 Savings customers who were cheated out of higher interest rates, more than doubling an earlier settlement that a bipartisan AG coalition opposed as inadequate. Capital One marketed 360 Savings as high interest accounts with "one of the nation's best rates." However, even when rates rose nationwide starting in 2022, the bank kept 360 Savings rates artificially low while funneling new customers to nearly identical 360 Performance Savings accounts paying up to 14 times more. The new deal requires Capital One to match rates across both products, providing an estimated $530 million in future additional interest, with eight states gaining enforcement authority over the resolution. Notably, the announcement underscores the value of continued attorney general enforcement efforts in the wake of the Trump Administration's cuts to the CFPB, and is a clear signal that state AGs view themselves as filling federal gaps and will aggressively intervene when class action settlements shortchange consumers.

New Jersey AG Platkin Secures $200,000 Penalty Against Kim Kardashian's SKIMS for Improperly Collecting Sales Tax on Tax-Exempt Clothing. New Jersey AG Matthew Platkin announced that Skims, the apparel company co-owned by Kim Kardashian, will pay a $200,000 civil penalty for collecting sales tax on tax-exempt clothing from 2019 through 2024. Under New Jersey law, everyday clothing is exempt from sales tax, but Skims charged customers the state's 6.625% rate for five years. The AG alleged the activity was an unconscionable business practices under the NJ Consumer Fraud Act, despite Skims attributing it to a technical error in our sales tax collection system. The company has remitted the improperly collected tax to the state, begun reimbursing affected customers, and agreed to a four-year obligation to facilitate additional refund requests. This enforcement action signals that prolonged e-commerce tax misconfiguration will not be excused as an inadvertent technical failure, particularly when companies fail to self-correct basic compliance failures for years. Businesses should audit tax collection systems across all jurisdictions regularly because technical error claims are unlikely to protect companies from liability when its systems overcharge consumers for long periods of time.

Colorado Deceptive Pricing Law in Effect. The Colorado law (HB25-1090) mandating transparent pricing practices in an effort to eliminate junk fees across industries, including residential rentals went into effect on January 1, 2026. The law adds a new section to the Colorado Consumer Protection Act and requires businesses to disclose the total price upfront, including all mandatory fees. For residential landlords specifically, the law prohibits separately charging tenants for common area maintenance, pest control, property tax payment fees, and processing fees, while capping utility pass-throughs at the actual amount billed by providers (no markups) and limiting third-party service markups to the lesser of 2% or $10 per month. Landlords must advertise the total rental price including all mandatory fees and update lease agreements to eliminate prohibited charges; however, they can still separately bill for utilities (at cost), optional services like pet rent or covered parking, and certain government charges. The law builds on HB23-1095 from 2023, which prohibited lease provisions requiring tenants to pay markups exceeding 102% of landlord costs, and supporters estimate hidden fees cost Americans $90 billion annually or approximately $650 per household. Consumer advocates have raised concerns about enforcement after the Senate Judiciary Committee removed the private right of action from the bill, and early reports suggest some landlords are finding workarounds by raising base rents or creating new add-on charges to circumvent the transparency requirements.

California Announces $3.35 Million Settlement with Plastic Bag Manufacturers. In early January 2026, California Attorney General Rob Bonta announced settlements totaling $3.35 million with three major plastic bag producers Novolex Holdings LLC ($1.65 million), Inteplast Group Corporation ($1 million), and Mettler Packaging LLC ($700,000), resolving allegations that the companies violated Senate Bill 270, the Environmental Marketing Claims Act, False Advertising Law, and Unfair Competition Law by unlawfully marketing and selling non-recyclable plastic bags as recyclable in California. The settlement follows earlier October 2025 settlements with four other producers that collectively paid $1.753 million in civil penalties. After this January settlement, the total civil penalties for all seven producers exceeded over $5.1 million. AG Bonta's 2022 investigation revealed that despite manufacturers certifying their bags met recyclability requirements under SB 270 and displaying chasing arrows symbols directing consumers to recycle, these plastic bags cannot actually be recycled to any significant degree in California. In fact, a statewide survey found only 2 of 69 waste processing and recycling facilities claimed to accept plastic bags, and even those could not confirm the bags were actually recycled. Six of the seven producers agreed to stop selling plastic bags in California before the January 2, 2026 effective date of a new California law (SB 1053), which prohibits all retailers from providing plastic bags at checkout counters, requiring stores to offer only recycled paper bags or allow customers to bring reusable bags. It is notable that the AG asserted advertising violations as part of its enforcement action and retailers should take steps to check claims that its bags designated as recyclable meet California standards to carry this designation for compliance and advertising substantiation purposes. If bags are provided by third party vendors, businesses should consider auditing the bags and requesting that the vendor provide evidence and testing to demonstrate compliance.

Litigation

11th Circuit Largely Upholds FTC Victory Against Corpay (Formerly FleetCor) for Deceptive Fuel Card Advertising and Unfair Billing Practices. On January 6, 2026, the U.Eleventh Circuit largely affirmed summary judgment for the FTC against Corpay, Inc. (formerly FleetCor) and CEO Ronald Clarke for deceptive advertising and unfair billing practices related to fuel credit cards marketed to businesses. The court found Corpay made false "per gallon" discount promises negated by fine-print disclaimers (promising 5-10¢ discounts while delivering 0.1-6¢), falsely advertised "Fuel Only" cards that actually allowed non-fuel purchases, deceptively claimed "no transaction fees" while charging various per-transaction surcharges, and unfairly charged unauthorized fees without proper disclosure. The court upheld a permanent injunction requiring "Express Informed Consent" for all fees with "unavoidable" disclosures that cannot be hidden behind hyperlinks, while affirming CEO Clarke's personal liability on four counts based on emails showing he dismissed complaints as "fake news" and sought "opportunities to get more late fee revenue." This decision establishes that fine-print disclaimers cannot cure deceptive headlines, vague terminology cannot evade advertising promises, and courts have broad authority to mandate detailed compliance requirements—particularly significant for subscription-based and fee-laden business models using dark patterns like buried terms.

Litigation

Washington Anti-Spam Law Federally Preempted. A Seattle federal judge rejected Nike Inc.'s motion to dismiss a lawsuit on January 15, 2026, ruling that Washington's Commercial Electronic Mail Act is not preempted by federal law in a case accusing the sportswear company of sending false or misleading marketing emails to shoppers in Washington State. The decision allows the plaintiff's claims under Washington's state anti-spam statute to continue despite Nike's arguments that federal law should override the state regulation. The case appears to be part of broader litigation involving other retailers including Old Navy LLC, The Home Depot Inc., and Ulta Beauty Inc. and raises interesting questions about the interplay between state consumer protection laws regulating commercial email and federal telecommunications regulations. Businesses should continue to work to meet the requirements of the Washington Law as we will likely see increased litigation filings on this issue in the year ahead.

Of Note

When "Buy Now" Doesn't Mean "Own Forever:" The Digital Goods Disclosure Litigation Wave

When a gamer clicked "Buy" on GameStop's digital storefront to purchase Elden Ring Nightreign, he thought he was buying a game. Instead, according to a January lawsuit filed in California federal court, he was purchasing something far more tenuous: a revocable license that GameStop could theoretically yank away at any moment. The distinction between these two concepts, ownership versus permission, has become the flashpoint for a new wave of consumer protection litigation sweeping across digital marketplaces.

The GameStop case is not an isolated incident. It is the new leading litigation trend stemming from California's digital goods disclosure law (AB 2426), which took effect in January, 2025. If plaintiffs have their way, the fallout could reshape how every company, from Apple to Spotify to software giants, describes digital transactions to consumers.

The Wake-Up Call Nobody Saw Coming

The story behind these laws starts with Ubisoft's shutdown of The Crew, a popular racing game. In late 2024, Ubisoft pulled the plug on the game's servers and revoked all user licenses. Players who had clicked "Buy" and paid $60 for what they believed was a permanent purchase suddenly found themselves locked out entirely. No refunds. No downloads. No recourse. The game simply vanished from their libraries as if they'd never owned it at all.

California legislators took notice. Assemblymember Jacqui Irwin championed AB 2426 as a response to what she called the increasingly common instance of consumers losing access to their digital media purchases through no fault of their own. The law, codified at California Business and Professions Code § 17500.6, prohibits sellers from using terms like buy or purchase for digital goods when consumers receive only a revocable license, unless they provide specific disclosures.

Maryland followed suit with HB 208, which took effect October 1, 2025. New York has pending legislation (A8471) waiting in the wings. The message is clear: states are no longer tolerating the ambiguity that has defined digital marketplaces for decades.

Two Lawsuits, Two Very Different Strategies

The litigation emerging under these new laws reveals just how broad the exposure could be. Consider the contrasting approaches in two recent class actions. In Morehouse v. Apple, Inc., for example, the fact pattern is the standard purchase or an ebook. Plaintiffs allege that when consumers clicked these buttons to acquire e-books and audiobooks, they reasonably believed they were getting permanent ownership, just as they would with a physical book. Apple's terms of service, however, told a different story. If Apple's own content licenses expired, those digital "purchases" could disappear from users' libraries without warning or compensation. To plaintiffs, Apple charged ownership prices for rental-level rights, which they argue is a classic bait-and-switch.

The GameStop lawsuit in Weber v. GameStop, Inc. takes a more ambitious approach. Here, the plaintiff attacks the entire customer purchase flow, rather than the payment check out button, which was more generically labelled Place Order rather than Buy Now. Plaintiff points to marketing language throughout the site ("buy online," and "+4% back on all purchases") as well as the Add to Cart to alleged that the cumulative effect of the purchase process creates the false impression that digital game purchases are equivalent to buying a physical disc.

This theory is significant. If plaintiffs can hold companies liable for the overall net impression created across a purchase flow, instead of just the literal words on the final checkout button, the compliance burden expands dramatically. Every piece of marketing copy, every shopping cart icon, every rewards program promise becomes potential evidence of deception.

Beyond Games: Where the Litigation Is Headed

While video games grabbed the initial headlines, the statutory definition of "digital goods" casts a far wider net. Walk through what is actually covered, and the scope becomes clear and is likely to impact your:

• Kindle library purchases. Every e-book is a license, not a purchase. Amazon can and has removed books from user devices when licensing disputes arise.

• iTunes music collection. Those songs you "bought" in 2010 are licenses. If Apple's agreements with record labels lapse, your library could shrink.

• Favorite movies purchased on Amazon Prime or Google Play. It is there until it isn't. Streaming platforms routinely lose content when licensing deals expire, and purchased films can vanish just as easily.

• Cosmetic skin your kids bought for a Fortnite character. The battle pass purchased is explicitly covered under these statutes as add-ons or additional content.

• Software you bought like Microsoft Office or Adobe Creative Suite. You are increasingly buying a subscription or license. Did the marketing language or your purchase flow make that clear?

And then there are the emerging categories like Non-Fungible Tokes (NFTs) marketed as ownership of digital art, virtual real estate in metaverse platforms, digital trading cards. Any of these could face scrutiny if access proves revocable despite ownership language.

The Math That Should Worry Digital Platforms

Here is where the stakes get serious for companies processing high volumes of digital transactions. California's false advertising law allows penalties up to $2,500 per violation. Maryland's Consumer Protection Act creates exposure for civil penalties, restitution, and private claims for actual damages.

Now consider a gaming platform processing 10,000 microtransactions per day for in-game currency, skins, and battle passes. If each transaction violates the disclosure requirements, the theoretical exposure is not just substantial, it is potentially existential. Even if actual damages are modest, the civil penalty structure and attorneys' fees provisions in these consumer protection statutes make class certification attractive for plaintiffs' lawyers.

This math explains why Steam, the gaming platform operated by Valve, moved quickly to update its checkout flow last year. Before you complete a purchase, Steam now prominently discloses that "A purchase of a digital product grants a license for the product on Steam," with a link to complete terms. It's certainly not up to any marketing executive I have worked with presentation standards, not elegant, but it is compliant so the GC is happy. Notably, the GameStop complaint holds up Steam's approach as the proper benchmark.

What Companies Need to Do Now: Don't Hide the Ball

The compliance path isn't mysterious. Both California and Maryland offer two options:

The first route requires getting purchasers to affirmatively acknowledge, before completing the transaction, that they understand they are receiving a license, what restrictions apply, and that access may be revoked. This acknowledgment must be distinct from the general terms of service buried in fine print. The standard is similar to what is required under the FTC's ROSCA requirements. It should be in the sales flow and customers should see it as a stand alone disclosure.

The second path involves providing a clear and conspicuous statement disclosing that the transaction involves a license, along with a readily accessible link to the full terms. Again, this cannot be hidden in the standard terms and conditions.

Most notably, and this is the key take away from the GameStop, compliance may require more than tweaking the checkout page. Companies should audit their entire purchase flow and assess if the marketing language creates an impression of ownership (either expressly or in an implied way). Business should evaluate if rewards programs reference "purchases" in ways that suggest permanence or if the "Add to Cart" button subtly reinforce the idea that digital goods are equivalent to physical products.

The most important take away is not a legal one. It is about setting the right expectations with your customers and fostering consumer trust. The Ubisoft incident that sparked these laws generated genuine consumer outrage, not because users did not understand licenses exist, but because the disconnect between marketing promises and actual rights felt like a betrayal.

The Broader Context: Surveillance Pricing Meets Digital Ownership

These digital goods disclosure laws are emerging alongside a new consumer trend of increased scrutiny of "surveillance pricing" and algorithmic personalization. It is not coincidental. Both trends reflect growing legislative concern about digital marketplaces operating under opacity, where consumers can't meaningfully comparison shop or understand what they're actually buying.

Last year's loyalty programs data harvesting story from the Washington Post connected these dots explicitly. When Starbucks uses algorithmic pricing to offer different customers different deals based on detailed behavioral tracking, and when digital platforms describe licenses as purchases, the common thread is information asymmetry. Companies know everything about consumers and their willingness to pay, while consumers operate in the dark about both pricing and what rights they are actually acquiring.

Expect these trends to reinforce each other in future litigation and legislation. The companies facing digital goods disclosure claims today may face parallel claims tomorrow about personalized pricing, behavioral manipulation, and dark patterns in user interfaces.

What is Coming Next

Maryland's law has been in effect since October. California's has generated its first wave of lawsuits. New York's bill, while pending, signals that more states are watching closely. The pattern feels familiar with California leading the charge, then a handful of states follow, and eventually a critical mass emerges that forces companies to adopt nationwide compliance standards rather than maintain state-by-state variations.

The plaintiffs' bar is watching too. The Weber complaint's theory about cumulative impressions suggests lawyers are already testing the boundaries of these statutes, looking for creative applications beyond the obvious violations. Expect to see claims targeting not just marketplaces but also developers, publishers, and even payment processors in the chain of commerce.

For companies selling digital goods, and in 2026, that is almost every company in the entertainment, software, gaming, publishing, and streaming industries, the message is clear. The era of ambiguity about digital ownership is ending. The law now requires clarity about what consumers are actually buying, and plaintiffs' lawyers and regulators are ready to enforce it, one class action and investigation at a time.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.