• The first AI-powered camera with Fall Detect, offering full-body detection, 24/7 monitoring, real-time alerts, and direct links to first responders for unmatched home safety and peace of mind.
• With AI technology, Kami Fall Detect ensures 99% accuracy, meaning no more false alerts.
• Fall Detect is available through the Kami Home app and leverages proprietary Vision AI algorithms that detect falls with 99.5% accuracy. Fall Detect can help caregivers understand why someone fell, helping to prevent future falls.

After NAD started the inquiry, Kami Vision informed NAD that it’s no longer marketing the Kami Home Fall Detect System and that it had permanently stopped making the challenged claims. Because of that, NAD’s decision doesn’t include an analysis of the claims.

If there’s no analysis, why is this case worth noting? 

This is the fourth NAD-initiated challenge involving AI claims in the past 12 months. (We’ve covered two of those here and here.) These cases demonstrate that NAD is paying close attention to AI claims and proactively checking whether companies can substantiate them.

A Rose by Any Other Name: Dynamic, Differential, Surveillance, and Algorithmic Pricing

This panel echoed many of the same themes as a pricing panel at the NAAG Annual Conference earlier this year. Panelists compared variations in pricing to buying a car or discounts for students, seniors, and military members – practices generally considered acceptable. But where does greater granularity step over the line, particularly as new tools like AI enable increasingly customized offerings? 

Critics of surveillance pricing included a representative from the Electronic Privacy Information Center (EPIC), who theorized that surveillance pricing targets willingness to pay rather than ability to pay. A Consumer Reports’ representative added that surveillance pricing can cause consumers to lose comparison shopping tools which could result in an individualized pricing experience, similar to car-buying (which she used as an example of a hated consumer experience). 

Panelists also highlighted benefits of personalized pricing, including understanding inventory management – for example, bringing in more drivers when there is high demand, and saving customers time by providing personalized offers. According to an economist from the International Center for Law & Economics, on average, data-driven pricing provides more discounts to lower income families, though others disputed this conclusion.   

Consumer Reports further observed that beyond specific algorithmic pricing and UDAP laws, states can also use reference pricing laws, where differential pricing may be evidence of fake discounts. Minnesota’s Deputy Attorney General Jessica Whitney noted that unfairness may be a better tool than deception in some instances, similar to how states have relied on unfairness in the absence of specific price gouging laws. 

Panelists warned not to throw the baby out with the bathwater and ensure any legislation preserves consumer benefits. Whitney agreed, saying this new frontier is really old in some ways, and regulation should include experts and consumers to find the right way to stand the test of time.

Making CID “Meet and Confers” Work

Panelists from both sides of AG Civil Investigative Demand (CID) meet-and-confer discussions participated in this panel, including Jared Libet, Assistant Deputy Attorney General, South Carolina Attorney General’s Office; Jeff Hill, Special Counsel to Consumer Protection, Tennessee Attorney General’s Office; Deputy Attorney General Whitney (Minnesota, discussed above); and Paul Singer of Kelley Drye.  

Regarding CID authority, Whitney explained pre-lawsuit investigative power is taken seriously; staff do not want to abuse such authority and risk losing it. Nor do they want to unnecessarily review a burdensome amount of documents. Some AG offices have the ability to issue CIDs at the staff level, while others require multiple levels of approval that include specific justifications. Libet explained that in his office, due to the formalities of the CID process, typically if a CID is issued, the office will eventually expect a formal resolution to the investigation. 

Singer shared the business perspective that CIDs often result in massive burden and shock. While some companies respond in an adversarial manner, he recommended that it is often better to engage with the office to minimize burden. If the business better understands what is most important to the state, it can offer the most helpful information instead of a document dump. Whitney agreed that early engagement by the business could be helpful to both sides and encouraged reaching out well in advance of any deadlines. Singer noted that as more consumer cases are front office driven, discussions at that level may occasionally be appropriate. However, all panelists agreed that if elevating a matter to the front office is necessary, providing notice to staff is generally best practice.

Age Assurance Verification: The Technology, the Tradeoff, and the Path Forward

The panel kicked off with Amy Winecoff, Senior Technologist at the Knight-Georgetown Institute, providing the age assurance landscape. About half of states now have age assurance laws. She outlined three types of age assurance: age verification (such as using ID), age estimation (such as using picture/video), and age inference (using records). Winecoff recommended systems should be measured on a balance of accuracy, privacy, accessibility, and circumvention resistance, including through public reporting on methods and results and independent validation by third parties. She further suggested accountability should lie with the service provider as best positioned to act. 

Annie Chiang, Acting Deputy Director for Litigation and Enforcement Strategy, Federal Trade Commission, shared the FTC’s perspective on age assurance. The FTC leans on tech experts for guidance in this space. She noted privacy and age verification must go hand in hand. COPPA enforcement is a huge priority for both the FTC Chair and the President. The agency has had to take a step back to consider a lurking question: age verification itself may involve collecting children's data, which implicates COPPA. Following an FTC workshop, the FTC issued a policy statement indicating it would not enforce COPPA when entities collect children's personal information for age verification purposes, provided certain circumstances are met. When Chiang was asked what the FTC considers “reasonable accuracy” for age verification, she stated that the FTC is trying to understand what industry and experts are doing. While she could not offer a concrete standard, she said the agency wants to empower parents, protect kids, and promote innovation. She encouraged stakeholders to stay tuned.

***

Consumer protection has long been, and will undoubtedly remain, a key focus for state attorneys general. Reflecting that priority, NAAG hosts two consumer protection conferences each year, with the public portion of its Fall Consumer Protection Conference scheduled for October 27 in Washington, D.C. Kelley Drye will continue to report on developments in this space, including through its coverage of AG conferences.

SharkNinja explained that the “100%” reading indicates that particle levels are below the sensor’s measurable threshold—not that the air is completely free of contaminants. The company also pointed to a disclosure stating that the percentage corresponds to particle concentration, with higher percentages reflecting lower levels of particles.

NAD found that explanation incomplete. While the disclosure described the function of the display, it did not clearly communicate the key limitation—that “100%” does not mean the absence of all pollutants. In NAD’s view, reasonable consumers could still take away an unsupported message of complete air purification. 

Ultimately, NAD recommended that when ads feature a “Clean Air 100%” message—even if just on the product display—SharkNinja should include a clear and conspicuous disclosure explaining what the claim actually means and, importantly, what it does not mean. If the product display is obscured, a disclosure may not be necessary.

The decision is a useful reminder that absolute claims may be taken literally unless they are clearly qualified. Even when a claim originates from a product feature, advertisers should expect NAD to evaluate the net impression—and require disclosures that directly address the takeaway message consumers are likely to draw.

Background

In April 2021, the Supreme Court’s decision in AMG Capital Management, LLC v. FTC significantly curtailed the FTC’s enforcement authority, holding that Section 13(b) of the FTC Act does not permit the agency to obtain equitable monetary relief. The decision eliminated what had been one of the FTC’s most potent tools for consumer redress, leaving a substantial gap in the agency’s remedial toolkit. In response, the FTC has pivoted to alternative statutory authorities that independently support equitable monetary relief. Chief among these are GLBA and the Restore Online Shoppers’ Confidence Act (ROSCA). 

GLBA’s pretexting provisions make it unlawful for “any person” to obtain customer financial information through false, fictitious, or fraudulent statements. In 2023, the Southern District of New York validated the FTC’s expanded interpretation of this provision in FTC v. RCG Advances, LLC, holding that any misrepresentation, even about underlying products or services, coupled with the collection of financial information may constitute a pretexting violation. The court rejected arguments that the statute was limited to impersonation-style fraud, finding that “the plain text of the statutory provision controls.” The FTC has since invoked GLBA pretexting to obtain consumer redress in diverse cases, including challenges to cryptocurrency platforms, rental housing practices, and debt relief schemes. 

That reading, however, may face durability questions when measured against Congress’s apparent target. Section 521 appears to trace to House legislation aimed at the then-emerging information-broker industry, where brokers obtained account information by impersonating consumers or using other ruses to induce unwitting disclosures. The accompanying reports described the provision as a specific response to that “gray area” brokering model, not as a general redress mechanism for any Section 5 deception claim that happens to involve payment information. That history gives defendants a ready limiting principle: GLBA pretexting may be strongest where the alleged deception resembles broker-style access to financial information, and less stable as a broad substitute for Section 13(b) monetary relief in ordinary Section 5 cases. 

Under ROSCA, the FTC has also targeted negative-option marketing practices (i.e., automatic renewals, free-to-paid trial conversions, and subscription traps) to seek redress in cases involving inadequate disclosure, unauthorized charges, and difficult cancellation mechanisms. 

Mufarrige’s Workshop Comments 

At the Workshop, Director Mufarrige offered a spirited defense of the FTC’s use of GLBA and ROSCA as penalty‑bearing enforcement tools. The plain‑text argument is direct, he said. Section 521’s prohibition on obtaining financial information through “false, fictitious, or fraudulent” statements is not limited to obtaining customer data under false pretenses; rather, FTC believes, any misrepresentation combined with the collection of customer financial data is actionable under the statue. According to Mufarrige, the same reasoning applies to ROSCA’s requirements for express informed consent and clear disclosures in negative‑option transactions. Mufarrige framed this enforcement posture as a natural fit for an agency that sees itself as a law enforcer focused on “reinforcing markets, not replacing them”—a theme he returned to repeatedly. 

Mufarrige’s broader remarks emphasized these themes. He stressed that competition remains the “first line of defense” for consumer protection—a framing aligned with Chairman Ferguson’s stated priorities and recent public remarks. On emerging issues, he identified impersonation cases as the agency’s most pressing concern, referencing the Impersonation Rule and the Take It Down Act as key tools. He also noted the agency’s continued focus on junk fees and price transparency. His comments largely echoed statements we’ve heard in recent months from the Commission, although Mufarrige’s defense of GLBA pretexting and ROSCA as redress tools was notably direct. 

AI as a Vehicle for Fraud

Director Mufarrige’s comments on AI were brief but pointed. He emphasized that the FTC’s focus remains on enforcing existing laws and pursuing conduct where AI is used as a vehicle for fraud. This approach aligns with Chairman Ferguson’s stated priorities: the agency sees its role as targeting bad actors who weaponize new technology, not as a regulator of AI development itself. AI-enabled fraud schemes (i.e., synthetic identities and deepfake impersonations) remain squarely within the FTC’s enforcement crosshairs. 

Workshop panelists highlighted how fraud has evolved into a sophisticated, industrialized enterprise. Synthetic identities, which blend fabricated data with real personal information, can slip past traditional verification systems. Account takeover schemes weave together phishing, automated bot attacks, and credentials harvested from data breaches to create what amounts to a criminal supply chain.

First-party fraud has also grown as dispute channels expand. Unlike traditional fraud, where a third party misuses stolen credentials, first-party fraud occurs when the customer who authorized or benefited from a transaction later disputes it. Institutions must then classify the case accordingly, which complicates both liability allocation and dispute resolution. Kelvin Chen, Head of Policy at the Consumer Bankers Association, cautioned that dispute and chargeback volumes could spike as new payment rails emerge and authorization boundaries blur, especially where consumer protections lag behind the established norms of card networks and ACH systems. 

Conclusion

Post-AMG, the FTC has made its enforcement strategy plain. The agency will continue pairing Section 5 deception claims with redress-capable statutory hooks, where available. Although this workshop focused on the financial services sector, the FTC’s position on GLBA pretexting’s reach extends well beyond traditional financial institutions. Section 521’s pretexting prohibition applies to “any person” who makes a false statement to obtain customer financial information. Under the FTC’s expansive interpretation, any misrepresentation coupled with the collection of payment credentials could trigger an ostensible pretexting violation. The impact is significant: most consumer transactions involve obtaining financial information to complete a purchase or service. Companies outside the financial services industry that are not actively thinking about GLBA compliance may nonetheless find themselves subject to GLBA-pretexting claims if their challenged practices involve alleged misrepresentations and consumer payment information.

According to the AG’s complaint, Homeaglow advertised a three-hour cleaning for $19 without clearly disclosing that consumers who took advantage of the offer were signing up for a $59-per-month ForeverClean membership (that did not actually include the cost of cleanings themselves) or that each cleaning was subject to a transaction fee of between 5% and 15%.

Homeaglow also advertised that consumers could “cancel at any time” and that their purchase was “fully refundable.” However, cancellation was subject to an early termination fee over $100. Although this information was disclosed in “fine print” and later in a pop-up tooltip on the website, Washington alleged the disclosures weren’t clear or conspicuous, required the consumer to do a calculation, and didn’t include all material terms. The signup process also included a countdown timer, alleged to rush consumers into avoiding disclosures altogether.

The AG also alleged that Homeaglow suppressed negative reviews on its site to maintain a 4.8-star average, soliciting reviews after all cleanings but only publishing positive reviews.  Moreover, it advertised a five-star rating on Trustpilot based on 6,406 reviews, even though Trustpilot’s data showed a 1.3-star average from approximately 2,000 reviews. Homeaglow continued running the ratings ad even after Trustpilot sent the company a letter claiming to have detected numerous fabricated reviews.

Washington alleged this conduct violated its general Consumer Protection Act.

The settlement terms are familiar, but interesting given the context that Washington does not have specific state automatic renewal or “hidden fees” laws. (Washington alleged this conduct violated its general Consumer Protection Act.) Among other things, Homeaglow must:

• Clearly and conspicuously disclose subscription terms including the existence of the early termination fee “immediately adjacent” to the mechanism they use to obtain consent, 
• Include language in the “call to action” button that references membership such as “Purchase and Join”
• Ensure that cancelling is “at least as easy to use as the method consumers used to enroll” And immediately effective.
• Communicate any limitations on refundability near any refund claims. 

This case and the one we posted about last week serve as two more in a series of reminders that federal and state regulators are paying close attention to automatic renewals, fees, and how companies advertise consumer reviews – even if they don’t have specific laws addressing the conduct.

One Feed, Multiple Formats 
Privacy Perspectives episodes appear on the same Ad Law Access feed hosted by Simone Roach, so if you’re already subscribed, you’ll get these automatically. If not, subscribe now on your preferred podcast platform.

We’ve got more podcast conversations and formats planned for 2026—one subscription gets you everything. Find the episode and more here.

This week, the FTC announced a $35 million settlement with Shutterstock over alleged violations involving auto‑renewals, disclosures, and cancellation. The complaint reflects the Commission’s continued focus on “negative option” features and the ways in which companies present—and obtain consent for—recurring charges. 

According to the FTC, Shutterstock failed to clearly and conspicuously disclose key material terms, including that certain products would automatically renew and that consumers could incur cancellation fees. The Commission alleges that these terms were often buried in fine print or otherwise presented in a way that consumers were unlikely to notice before being charged. 

The FTC also focused on Shutterstock’s marketing of certain “on‑demand packs” as being suitable for a “one‑time project” with “no commitment,” while allegedly failing to adequately disclose that these products could trigger automatic renewals. As in other recent cases, the agency is scrutinizing the disconnect between headline claims and the underlying billing structure. 

In addition, the complaint alleges that Shutterstock failed to obtain consumers’ express informed consent before charging their payment methods and made it difficult to cancel subscriptions. Consumers were allegedly required to navigate time‑consuming customer support channels rather than using simple online cancellation methods. 

Under the proposed order, Shutterstock will pay $35 million and will be required to clearly disclose material terms, obtain express informed consent, and provide straightforward cancellation mechanisms. These requirements mirror the FTC’s now‑familiar framework for negative option cases. 

If you’re reading this post, wondering whether your company will be next and whether you can get away with it, the answer is maybe. But getting it wrong can be very expensive.

Consumer Protection in Kansas: Organization and Priorities

Kansas’s Public Protection Division houses the office’s largest section, consumer protection, while also focusing on antitrust, charities, financial scams, open records and meetings, and sexually violent predators. Priorities are set through a combination of consumer complaint screening—where patterns of conduct trigger escalation—and monitoring regional and national trends through multistate AG meetings and collaborative investigations. Chief Deputy Sciarrotta noted that under Kris Kobach, the current Attorney General, Kansas is “a national player when it comes to investigating and holding large companies to account” while also investigating and civilly prosecuting local businesses for misleading consumers. The Division’s approach is to first make consumers whole, escalating penalties and investigative fees as patterns emerge, and joining multistate efforts where scale warrants. Despite its relatively small size, the office reported over $180 million in consumer recoveries and judgments since January 2023, more than $3 million in settlements for state funds in FY 2025, and roughly 4,000 consumer complaints received and resolved each year.

Consumer Protection Authorities in Practice

Kansas’s primary consumer protection statute is the Kansas Consumer Protection Act (K.S.A. 50-623 et seq.), which provides broad UDAP-style authority and has incorporated additional statutes over time—including, as Smith noted, requirements related to “age verification of website content that’s harmful to minors.” The guest speakers indicated that existing law generally provides a sufficient basis to address emerging technologies like AI, though it may be more challenging without legislative updates, and emphasized that consumer protection authority remains broad as to misleading products and services. At the same time, the office expressed support for more targeted legislation to provide clearer priorities and refine existing authority as applied to AI.

Kansas conducts pre-suit investigations using its subpoena authority (functionally equivalent to a civil investigative demand). The office stressed using that authority with due process and a problem-solving posture, which facilitates pre-litigation dialogue, preserves confidentiality, and, where nothing is found, allows matters to close without public filings.

The Kansas AGO resolves consumer protection matters primarily through consent judgments; assurances of voluntary compliance are disfavored because they lack express statutory grounding and are harder to enforce over time. Per court precedent, there is no statute of limitations on AG consumer protection actions, and pre-suit notice is not required by statute—though businesses will likely hear from the office multiple times before any suit is filed. Civil penalties under the KCPA are up to $10,000 per violation, with the possibility of a per-day cadence for ongoing conduct, plus an additional $10,000 enhancement where the consumer is part of a protected class which includes military, a veteran or military spouse, elderly (over 60), disabled, or non-English-speaking.

Restitution is the central focus of consumer protection matters. Injunctive relief is tailored to the case; for example, in appropriate local matters with egregious conduct, permanent injunctions barring future operations may be the decisive remedy, while larger national matters may employ prescriptive behavioral terms similar to those in opioid and tobacco settlements aimed at reshaping business models going forward.

Artificial Intelligence and Protecting Children

The guest speakers discussed artificial intelligence as it relates to youth, including SB 405, a proposed bill regarding AI chatbots in which Attorney General Kobach testified to the Kansas Legislature (video of testimony played during the webinar). Kobach cited a growing body of incidents in which AI chatbots have “encouraged teen suicide,” generated child sexual abuse material, created sexualized conversations with minors, and “pretended to be a licensed therapist.” He described a fact pattern in which a 13-year-old girl begins by asking a chatbot for fashion advice, then for relationship advice, and ultimately relies on it for mental health guidance with potentially catastrophic consequences.

SB 405 would have made it unlawful to train an AI chatbot to simulate human relationships or develop emotional bonds with users; pose as a healthcare provider, physical or mental; encourage or support suicide; or encourage isolation. The office characterized the bill as an enhancement of already broad UDAP authority, sharpening penalties and adding tools tailored to AI risks that were not contemplated when most consumer protection statutes were enacted. Although the bill did not advance beyond a February 2026 committee hearing, its framework signals the categories of conduct Kansas is likely to target under existing authority or in a future session.

Beyond legislation, General Kobach sent letters to AI companies—separate from a contemporaneous multistate effort—citing reports of chatbots impacting young Kansas children. The office reiterated that AI development cannot get ahead of guardrails against deception and child-targeted risks, and that pre- and post-litigation discovery will probe what companies knew and when.

Practical Guidance for Engaging with the Office

The office encouraged proactive, transparent engagement—beginning with introductions when there is no live issue and continuing through timely, fulsome responses if a letter or subpoena is issued, with rolling productions honored and explained. Sciarrotta cautioned that ignoring inquiries, minimizing them, or adopting a scorched-earth approach sets a poor tone, prolongs matters, and increases the likelihood of more aggressive remedies later.

Kansas welcomes substantive meetings, but high-level claims of good conduct untethered to documents or data will not move the needle if state findings or media reports point the other way. Smith added that cooperation in good faith is the surest route to the best possible outcome, particularly where matters are technically complex or involve proprietary systems in which the office could benefit from explanatory walkthroughs with the business. Conversely, dumping unmanageable volumes of information without context or impeding reasonable requests reduces the office’s flexibility as investigations advance.
 

• Mandatory facility registration and product listing, including ingredient disclosure;

• Serious adverse event reporting requirements;

• Recordkeeping obligations to substantiate product safety;

• Mandatory recall authority for adulterated or misbranded cosmetics;

• FDA rulemaking mandates for cosmetic Good Manufacturing Practices (GMPs), fragrance allergen labeling, and asbestos testing methods for cosmetic products containing talc; and

• Mandatory assessment of the use and safety of perfluoroalkyl and polyfluoroalkyl substances (PFAS) in cosmetic products.

The law provides for limited exemptions for certain small businesses from the facility registration, product listing and GMP requirements. 

While new shakeups in leadership at FDA with the departure of Commissioner Marty Makary and the appointment of Kyle Diamantas as acting Commissioner may change other priorities and policy positions, we do not expect a significant shift in FDA’s implementation of MoCRA.

FDA’s Ongoing MoCRA Implementation Efforts 

Since MoCRA was passed, FDA has issued industry guidance addressing cosmetic product facility registration, product listing requirements and its mandatory recall and records access authority. FDA has also engaged stakeholders through listening sessions to inform forthcoming cosmetic GMP regulations, which are expected to establish mandatory minimum standards for how cosmetics are manufactured, processed, packed, and stored. In addition, the agency has launched Cosmetics Direct and ESG NextGen portals for electronic submissions for registration and listing of cosmetic product facilities and products, and enhanced adverse event reporting tools. 

FDA also highlighted its focus on PFAS in cosmetic products. Relying on the new—and now mandatory—cosmetic product listings, FDA identified and published its report on the 25 most used PFAS in cosmetics. Although FDA did not reach definitive safety conclusions, the report underscores continued regulatory and public scrutiny around PFAS. 

MoCRA has materially increased FDA visibility into the cosmetics marketplace. Through mandatory facility registrations and product listings, FDA now has significantly greater insight into which entities are manufacturing and processing cosmetic products, where products are being manufactured, what cosmetic products are being marketed in the U.S., and the ingredients used in those products. FDA reports that there are more than 15,000 active cosmetic product facility registrations and over 1 million cosmetic product listings—a dramatic increase compared to the 5,176 cosmetic facility registrations and 35,102 cosmetic product listings received through FDA’s prior Voluntary Cosmetic Registration Program. 

While FDA did not highlight an increase in the number of warning letters or other enforcement for cosmetic products, it is reasonable to expect that the expanded authority and increased visibility may lead to new enforcement, litigation, and reputational risk for cosmetic companies. Indeed, FDA’s Adverse Event Reporting System (FAERS) Public Dashboard for Cosmetic Products gives the public access to cosmetic product safety issues in real-time, including plaintiffs’ attorneys, consumer advocacy organizations, and competitors that may use the information to scrutinize cosmetic products and marketing practices. As MoCRA implementation advances, cosmetic companies should evaluate compliance programs, including safety substantiation and adverse event reporting, amid heightened regulatory and litigation risk.

FDA Continues Regulatory and Compliance Efforts under the FD&C and Fair Packaging and Labeling Acts

In addition to its MoCRA implementation efforts, FDA has continued enforcement under the broader FD&C Act and the Fair Packaging and Labeling Act. Recent actions—including guidance on microbial contamination in tattoo inks and a consumer alert regarding gel nail polish removers containing prohibited methylene chloride—underscore FDA’s ongoing focus on cosmetic safety and ingredient compliance. Companies should continue monitoring FDA scrutiny of potentially unsafe ingredients and assess whether existing formulations remain compliant.

Key Takeaways 

MoCRA marked a fundamental shift in FDA’s regulation of cosmetics, and implementation efforts will likely continue throughout the next few years. We expect that these efforts will continue for years to come under FDA leadership. As FDA issues additional guidance and regulations, proactive compliance planning will be critical to managing regulatory, litigation, reputational, and business risk.

The decision may also have effects outside of the nonprofit space, giving organizations an argument that they have injury in fact any time a state AG issues a subpoena requesting information that burdens a constitutional right.

Case Background

First Choice Women’s Resource Centers, a nonprofit organization offering pregnancy counseling and resources, became the subject of a New Jersey Attorney General investigation into whether it misled donors or clients about its anti-abortion mission.

As part of that investigation, the Attorney General issued a broad subpoena requesting the identities and contact information of thousands of donors over multiple years, staff and employment information, and 28 categories of internal documents.

The subpoena warned that failure to comply could result in contempt or other penalties, which is typical of civil subpoenas (i.e., civil investigative demands) issued by state attorneys general. First Choice argued that donor anonymity was critical to its mission and that compelled disclosure would chill donor participation.

Rather than complying, First Choice filed suit in federal court under Section 1983, asserting that the subpoena violated its First Amendment associational rights. Lower courts dismissed the case, concluding that the organization lacked standing because, absent any state court order compelling production, Choice had not yet suffered any injury from the subpoena. 

The Supreme Court reversed. Drawing on NAACP v. Alabama and Americans for Prosperity Foundation v. Bonta, the Court held that:

• Compelled disclosure of donor information inherently burdens associational rights.  The Court explained, “An injury in fact arises when a defendant burdens a plaintiff’s constitutional rights, and government demands for a charity’s private donor information have just that effect” (emphasis added). This occurs, the Court wrote, “not just when a demand is enforced but when it is made and for as long as it remains outstanding.”

• The chilling effect occurs even if disclosure is limited to government officials and not the public.  The Court confirmed, “demands for private donor information burden First Amendment rights “even if there is no disclosure to the general public” (cleaned up).

• A target of such a demandneed not wait for enforcement to seek judicial relief. The Court wrote, “Whether the subpoena’s demands and penalties were immediately enforceable or contingent on future court action, donors would reasonably fear disclosure and hesitate to associate, and a reasonable recipient of the Attorney General’s subpoena would be induced to trim its protected advocacy knowing it now stands in the government’s crosshair.”

The Court rejected New Jersey’s arguments that a potential a forthcoming protective order, the availability of state court review, or partial carve-outs for certain donors cured the constitutional harm.

Takeaways 

The decision confirms that nonprofits and charities have standing to challenge state attorney general subpoenas seeking donor information before those subpoenas are enforced. It also suggests that organizations targeted by AG subpoenas seeking other types of information do not need to wait for enforcement proceedings to establish standing if the subpoena still “burdens a constitutional right.”  This decision, then, may in effect undercut decisions like Twitter v. Paxton (9th Cir.), which held that Twitter’s First Amendment argument was not ripe because the Texas AG had not yet enforced its subpoena against Twitter and therefore the company had not yet suffered an injury in fact.

Additionally, the Supreme Court’s decision shows that even assurances that sensitive information will not be publicly disclosed do not eliminate constitutional concerns. The Court made clear that compelled disclosure to the government alone can chill protected activity.

Colorado: Enforcement Halted, but a Legislative Overhaul Is in the Works

Colorado’s landmark AI law, SB24-205, enacted in 2024, was set to become the first comprehensive state-level AI regulatory regime targeting “high-risk artificial intelligence systems.” That timeline has been upended by litigation and legislative revision. 

Enforcement Stay. On April 27, 2026, the U.S. District Court for the District of Colorado granted a joint motion in x.AI LLC v. Weiser to suspend case deadlines and—critically—stay enforcement of the Colorado AI Act. Under the court’s order, the Colorado AG “shall not initiate enforcement, including but not limited to the initiation of an investigation, for alleged violations of [the Colorado AI Act] (or any legislation replacing or amending [the Colorado AI Act] enacted during this legislative session)” until 14 days after the court rules on xAI’s forthcoming preliminary injunction motion. That motion, in turn, will not be filed until 28 days after AG Weiser completes rulemaking on the Colorado AI Act or any successor statute enacted this session. AG Weiser has also indicated he does not intend to promulgate rules until the legislative session concludes, further extending the practical timeline before enforcement could resume.

The Legislative Rewrite: Senate Bill 26-189. While enforcement is paused, Colorado lawmakers have introduced SB 26-189, which would repeal and replace the Colorado AI Act with a new framework governing automated decision-making technology (“ADMT”) used to materially influence “consequential decisions.” The shift in terminology—from “high-risk artificial intelligence systems” to “ADMT”—is a significant conceptual pivot. 

Under SB26-189 as introduced, the compliance landscape changes significantly:

Developer duties would center on providing deployers with technical documentation describing the covered ADMT’s intended uses, categories of training data (to the extent known), known limitations and inappropriate uses, and instructions for appropriate use and human review. Developers would also be required to notify deployers of material updates and retain records for at least three years. 

Deployer duties shift toward a disclosure-and-rights model: point-of-interaction notice to consumers, a plain-language description of the ADMT’s role within 30 days of an adverse outcome, and a process for consumers to request human review and correction of factually incorrect personal data. 

What’s gone. Notably, SB26-189 would remove the Colorado AI Act’s requirements for deployer risk management programs aligned to industry standards, extensive risk assessments, and the duty to use “reasonable care to avoid algorithmic discrimination.” The replacement bill pivots from a comprehensive risk-management regime (aligned with the EU AI Act) to a more targeted documentation, notice, and rights-based framework (with similarities to recent CCPA regulations on automated decisionmaking technology).

Enforcement structure. The AG remains the sole public enforcer, with enforcement channeled through the Colorado Consumer Protection Act (deceptive trade practices). A 60-day notice-and-cure period applies before the AG may initiate an action, absent knowing or repeated violations. SB26-189 does not create a new private right of action.

Connecticut: A Sweeping Approach to AI Governance

Connecticut is advancing one of the most comprehensive omnibus AI bills in the country with Senate Bill 5, “An Act Concerning Online Safety.” On Friday, May 1, 2026, SB 5 cleared both chambers of the Connecticut legislature and is awaiting the Governor’s signature. Far from a single-issue statute, SB 5 addresses companion chatbots, employment-related automated decisions, synthetic digital content, safe harbors, and more. 

Anti-Discrimination Integration. SB 5 also amends Connecticut’s existing anti-discrimination statutes to expressly cover the use of automated employment-related decision processes, making it a discriminatory practice to use such a process in a manner that has the effect of discrimination on the basis of protected characteristics. Courts and the Connecticut Commission on Human Rights and Opportunities would consider evidence (or lack thereof) of anti-bias testing or similar proactive efforts in assessing liability. 

Synthetic Digital Content Labeling. Starting October 1, 2027, developers of AI systems capable of generating synthetic digital content—defined as any digital content produced or manipulated by an AI system—must ensure outputs are marked and detectable as AI-generated, in a manner that is detectable by consumers and consistent with recognized technical standards. 

Automated Employment-Related Decision Processes. Effective October 1, 2026 (with substantive obligations kicking in October 1, 2027), the bill creates a dedicated regulatory framework for automated employment-related decision processes (“AEDPs”). Deployers using AEDPs must disclose to employees and applicants that they are interacting with such a process, including a description of its “general nature.” Before any employment-related decision is made, deployers must provide written notice disclosing deployment of the process, its purpose, opt-out rights under Connecticut’s data privacy law, and contact information. Developers must also provide deployers with all information necessary for deployers to comply with the above requirements. 

If an automated process generates an adverse employment decision, the deployer must provide a high-level statement disclosing the principal reason(s) for the decision, including the degree to which the automated output contributed, the type of data processed, and the data source. Deployers must additionally offer an opportunity to examine and correct personal data not provided by the individual.

AI Companion Chatbot Safety. Effective January 1, 2027, SB 5 would require operators of AI companions—defined as AI models that simulate human conversation through text, audio, or video—to implement protocols to detect and address user expressions indicating a risk of suicide, self-harm, or imminent violence. Operators must also provide clear notice to users that they are communicating with AI at the beginning of each interaction (at minimum once daily) and hourly during continuous interactions. The AG would enforce these provisions, with civil penalties of up to $15,000 per day per violation.

Also effective January 1, 2027, the bill prohibits operators from providing an AI companion to users under 18 if it is reasonably foreseeable that the AI is capable of:

• encouraging self-harm, violence, or disordered eating; 

• offering unregulated mental health services; 

• prioritizing validation of the user’s beliefs, preferences or desires over factual accuracy or the user’s safety; 

• engaging in romantic or sexually explicit interactions; or 

• deploying manipulative engagement techniques for the purpose of maximizing the user’s engagement time with the AI companion. 

Violations carry civil penalties of up to $25,000 per violation, and notably, the bill also creates a private right of action for aggrieved users (or their parents), including actual and punitive damages.

AI Safe Harbor Program. Effective October 1, 2026, the bill establishes a voluntary safe harbor mechanism: AI users may submit proposed safe harbor programs, which can be administered by third parties, to the Department of Consumer Protection for approval. Participating AI users deemed compliant with approved program guidelines would be “deemed to be in compliance” with Connecticut’s data privacy and consumer protection statutes. Under the program, approved entities will be given a ten-day cure period to address any alleged violations of the Connecticut Data Privacy Act or Unfair Trade Practices Act. This provision offers a potentially significant compliance pathway for companies willing to submit to independent assessment and annual review.

California: AI Governance Takes Shape Through Political Competition

California’s AI regulatory landscape continues to evolve on multiple fronts—through enacted legislation, a pending ballot measure that could reshape state AI oversight, and a gubernatorial race in which AI governance has become a central policy issue. In January, we wrote about SB 243—California’s now effective “companion chatbot” law. The law requires operators of AI systems that provide adaptive, human-like responses and sustain a relationship across multiple interactions to notify users when they are interacting with AI and implement additional safeguards for minors, including recurring reminders every three hours that the user is interacting with a chatbot. 

The Gubernatorial AI Policy Debate. On May 4, 2026, gubernatorial candidate Xavier Becerra released an 11-point AI policy plan framing California as the “gold standard” for AI policy, positioning it against what he calls the Trump administration’s “abdicated federal responsibility on AI governance.” Becerra’s platform calls for:

• Expanding AI literacy through schools, libraries, and community colleges;

• Deploying AI within state government for permitting, benefits delivery, and public health;

• Continuously tracking AI’s large-scale economic effects on employment;

• Funding CalCompute (a publicly owned cloud computing platform) to provide equitable access to AI infrastructure;

• Enforcing and strengthening California’s existing AI standards;

• Protecting children from AI-driven manipulative design and suicidal content;

• Pursuing transparency and human review standards for high-stakes automated decisions affecting livelihoods, health, housing, or freedoms; and

• Pushing for a national AI framework, arguing California must set the standard in the absence of federal leadership.

The plan reflects themes already embodied in existing California law and pending legislation, particularly around child safety, workforce impact, and transparency in automated decision-making. 

Compliance Takeaways

Monitor Colorado’s legislative session closely. The enforcement stay buys time ahead of the Colorado AI Act’s current June 30 effective date. Colorado’s legislative session ends on May 13, 2026, and while SB 26-189 was only introduced on May 1st, the bill is moving quickly and may be raised for a vote before the session’s end. If enacted, SB 26-189 would take effect on Jan. 1, 2027. However, as noted above, the law would not be enforced until AG Weiser has concluded rulemaking. 

Prepare for Connecticut’s multi-layered framework. SB 5 is a broad omnibus AI legislative package that introduces new employment-related AI obligations, chatbot safety rules, synthetic content labeling rules, safe harbor programs, and anti-discrimination provisions with varied effective dates and compliance mechanics. Companies with Connecticut operations, particularly those deploying automated tools in employment or consumer-facing AI, should begin evaluating internal compliance programs against the bill’s requirements. 

Watch for Regulatory Action in California. With existing chatbot obligations in effect, a pending ballot measure, and a governor’s race that has elevated AI governance to a central policy platform, California remains the state most likely to set the pace for national AI regulation. 

Across all three states, the clearest compliance through-line remains transparency, documentation, human review, and consumer rights in high-stakes automated decisions. Organizations building around those core principles will be best positioned regardless of which specific framework ultimately takes effect in its final form.

As we posted last year, NAD challenged Apple’s availability claims and determined that consumers would reasonably believe that all Apple Intelligence features would be available at the time of launch, notwithstanding a disclosure in a footnote. The NAD decision was the least of Apple’s worries, however, as the company faced eight class action lawsuits on the same issue (which were later consolidated into one).

This week, plaintiffs asked a California federal judge Tuesday to approve a $250 million settlement resolving the claims.

We’re seeing an increased focus on substantiation for AI claims. (Click here, for example.) Companies should ensure they can support any claims they make about what their AI can do. As this case shows, companies also need to be careful if they advertise features that aren’t currently available. Ads should clearly distinguish what is available at the time of purchase from what may be available in the future. As the NAD decision suggests, making that distinction in a footnote may not be enough to escape scrutiny.

Pricing 101: Key Considerations Across Privacy and Consumer Protection

In this introductory session, Privacy Practice Chair and Partner Alysa Hutnik and State AG Practice Chair and Partner Paul L. Singer, will provide a high-level look at today’s evolving pricing landscape and its growing intersection with privacy and consumer protection. Attendees will gain a foundational understanding of the regulatory environment and the key forces shaping how companies approach pricing strategy and compliance. Topics will include:

• Current legislation shaping pricing transparency, including junk fee laws and algorithmic pricing
• The role of social media in amplifying scrutiny and enforcement risk
• Practical considerations for maintaining compliance in an evolving regulatory environment

Register here.

To learn more about the Surveillance Pricing and Beyond: Navigating Today’s Pricing Landscape Webinar Series, click here.

CLE

Kelley Drye is an accredited provider of CA, IL, NY, and TX CLE. This continuing legal education program has been approved for 1.0 New York non-transitional Professional Practice credit and 1.0 General credit for California, Illinois, and Texas. New York credit can be applied reciprocally to New Jersey requirements and Connecticut requirements. We will apply for CLE credit in other jurisdictions, upon request, but cannot guarantee approval.

Last week, Washington Attorney General Nick Brown filed a lawsuit against Albertsons Companies—the parent company of Safeway, Albertsons, and Haggen grocery stores—alleging that the grocery stores used deceptive “BOGO” promotions that overcharged consumers across the state. 

According to the complaint, the stores advertised BOGO deals on various products while quietly increasing the price of the “buy one” item in the weeks or months before the promotion. After the promotion ended, the prices were allegedly reduced to pre‑promotion levels. 

For example, the complaint alleges that one store increased the price of olive oil by 57% ahead of a BOGO promotion before dropping it back to the original price after the promotion ended. The AG argues that these promotions trick consumers into thinking that they’re getting a better deal than they are. Although they may get an item for “free,” they are paying an inflated price for another.

The AG estimates that the grocery stores overcharged Washington consumers on more than 3 million transactions, resulting in approximately $19.7 million in revenue from deceptive promotions. The AG wants the court to stop the grocery stores’ use of deceptive promotions, provide restitution to Washington consumers, and pay civil penalties for each violation of state law as well as pre-judgment interest.

This case fits squarely within a renewed regulatory enforcement focus on pricing transparency at a time when grocery costs are top of mind for consumers. Pricing issues are also becoming a focus in the wave of email marketing lawsuits that we’ve written about. For more information on those, you can register for our webinar on May 12.

Consumer Protection Priorities

Consumer protection is a primary focus of the MN AGO, expanding significantly in recent years. The Consumer Protection Section comprises eight divisions that cover areas such as consumer fraud and deceptive practices, antitrust, charities, privacy, wage theft, civil rights, and more, and is charged with consumer education, complaint intake, investigations, and enforcement. 

When determining priorities, the MN AGO considers factors such as the number of individuals affected, the severity of the harm, areas in which the Office has expertise, and the priorities set by the Attorney General, an elected official. In addition, where the Office identifies regulatory gaps—such as areas not addressed by federal legislation, including data privacy—the states, including the MN AGO, may step in to address those issues. 

When seeking remedies, the highest priorities are consumer restitution, where applicable, and injunctive relief designed to address the behavior in question. The Office can seek civil penalties up to $25,000 per violation of the state’s general consumer protection statutes. 

Data Privacy and the MCDPA

Statutory Scope and Enforcement Framework

The MCDPA establishes consumer rights and imposes corresponding obligations on covered businesses. Violations of the Act may result in civil penalties of up to $7,500 per violation. To be subject to the Act as a controller, an entity must process personal data relating to at least 100,000 consumers in addition to meeting other applicability requirements. It also applies to some entities related to a percentage of revenue. The Act largely exempts small businesses, except for when sales of sensitive data are involved.

Enforcement authority under the Act rests exclusively with the MN AGO, which currently has six attorneys and an investigator in its Privacy Unit, but in many cases the Unit works collaboratively with other states.  According to Lewellen, from an enforcement perspective, the MCDPA is “nice and clear” (compared to UDAP litigation) because it avoids debates over what is fair or unfair and instead turns on straightforward compliance questions, such as whether a company is processing data rights requests as required. The challenge for the MN AGO has therefore not been identifying violations, but prioritizing targets and allocating enforcement resources in a smart, strategic way.

Priorities, Outreach, and Engagement

Lewellen explained that prioritization has focused on emergent problems, companies that are uncooperative or unwilling to comply, and entities that simply do not respond to the MN AGO without some additional “nudge.” The Office also emphasized that privacy enforcement is an area where legal analysis alone is insufficient, requiring reliance on technologists and people with other expertise to ensure compliance with the law.

The MN AGO has been focusing on outreach to industry, attorneys, and consumers regarding the Act and has a number of public-facing resources available, including a data privacy complaint form and rights requests templates. The Office has been actively communicating with entities where potential issues are identified, remaining open to dialogue and engagement. The MN AGO said that generally speaking, those businesses have been willing to make changes to privacy notices or other privacy practices once concerns were raised. Prior to January 31, 2026, the Office relied on letters to notify entities of violations and provided a statutorily mandated 30 day opportunity to cure before initiating enforcement. Although the requirement for a formal cure period has now expired, the MN AGO indicated that similar letters may still be used as a tool, but that formal notice letters will be rare, and that the Office will continue to rely primarily on informal outreach, such as emails or phone calls, as an initial point of contact. The Office described this as an opportunity for companies to engage off the record, without being required to submit a formal written response or verified answers, before the state issues a broad civil investigative demand.

Consumer Complaints and Responses

Since July 2025, Minnesotans have submitted more than 200 complaints related to the Act, including data rights requests, allegations of improper data use, and reports of data breaches—a significant volume for Minnesota, particularly given that the complaints arise under a single statute. The MN AGO noted that the quality and caliber of the complaints from consumers often come from a dedicated group of individuals (and repeat complainants) who are interested not only in their rights but in testing the boundaries of companies’ privacy procedures.

The MN AGO employs a range of graduated responses when addressing complaints received under the Act, beginning with education and informal engagement. In some cases, the Office focuses on educating consumers, such as directing consumers to template request forms available on the Office’s website. In other instances, the Office may educate businesses, particularly where noncompliance appears to stem from outdated practices—for example, when a business does not accept complaints from Minnesota consumers because its privacy policy has not been updated since the law took effect. The MN AGO also facilitates dispute mediation by sharing information received from a consumer with the business and requesting a response.

Where concerns appear systemic, the MN AGO may escalate its response by issuing a communication to a business referred to as violation, notice, or enforcement letters. These letters typically include education, outreach, and enforcement information; identify specific provisions of the Act with which a privacy notice or business practice may not comply; request that the business assess whether it is subject to the statute; and seek a meeting—often within 30 days—to discuss the issues, provide guidance, and understand the company’s position.  Recipients of the enforcement letters have been most frequently in the retail sector, followed by data brokers, and then to a lesser extent, to technology, insurance, and nonprofit entities. In more limited circumstances, the MN AGO may issue a civil investigative demand, a form of pre litigation discovery supported by a minimally descriptive statement of the Office’s reasonable belief in its authority, which has been used primarily to address emergent issues or particularly recalcitrant entities that fail to respond meaningfully to notice letters.

Enforcement as the MCDPA Matures

The MN AGO explained that the core goal of the MCDPA—as with all statutes they enforce—is to promote good behavior, not to surprise or ambush. Enforcement efforts are focused on areas where there is real, meaningful harm to consumers, particularly structural issues that undermine the ability to exercise statutory rights. A key example is the failure to honor universal opt out mechanisms, which the Office views as a technical but critical tool designed to make consumer choice reasonable and meaningful. The MN AGO also prioritizes violations involving sensitive data as defined in Minnesota statute—such as precise geolocation, health data, or other sensitive personal information—especially where such data is processed, stored, or misused without the significant affirmative consent required by law. These focus areas generally align with enforcement priorities across other states at a high-level.

Now that the law has been in effect for some time, the expectation is compliance, and entities are more likely than in prior months to receive enforcement letters or civil investigative demands. Businesses are expected to be actively assessing their data privacy practices and operationalizing compliance, particularly if they are implicated as controllers or processors under the statute. The Office views failures to respond to consumer rights requests, to maintain compliant privacy notices, to honor universal opt out mechanisms, or to implement internal structures for handling consumer complaints as increasingly concerning at this stage.

Key MN AGO Messages for Businesses

• Don’t ignore communications from attorneys general offices. Have mechanisms in place to flag and respond to such complaints. 
• Be honest and forthright—particularly where AG requests are overbroad or impractical—recognizing that enforcers do not always understand a company’s internal systems. 
• Early cooperation can help focus investigations, reduce the scope of discovery, and facilitate resolution before remedies, penalties, and fees escalate. 
• Demonstrating compliance efforts—especially by fixing issues without requiring court intervention—can meaningfully mitigate enforcement burdens, while stonewalling or noncooperation significantly increases the likelihood that the Office will seek to compel compliance. 
• “Do the math” in regard to the MCDPA: with penalties of up to $7,500 per violation, counsel should help clients weigh the comparatively lower cost of compliance against the potentially far greater cost of noncompliance.

In 2024, we reported that Papaya’s competitor Skillz filed a lawsuit alleging, among other things, that Papaya falsely advertised that all players on its platform are human. In its motion to dismiss, Papaya argued that it never expressly stated that. 

Although a New York federal court agreed that Skillz hadn’t identified any statements that were expressly false, Skillz had identified statements—including references to “individuals” and “players”—that could imply that consumers are playing against humans, rather than bots. The court determined that if Papaya does employ bots, the claims identified by Skillz could be actionable.

Last week, a jury returned a verdict in favor of Skillz on its Lanham Act and New York General Business Law claims, finding Papaya should pay $420 million in actual damages. The jury also determined that Papaya should pay disgorgement amounts of $652 million and $720 million, with the actual amount to be determined by the court. 

Join Kelley Drye Partners Gonzalo Mon and Geoffrey Castello on May 12 for a timely discussion unpacking this fast-moving litigation trend. This webinar will explore what plaintiffs’ attorneys are focused on, what the latest legislative amendments mean for pending and future claims, and what companies can do now to assess risk and adapt their email practices.

Topics will include:

• The Washington Supreme Court's Brown v. Old Navy decision and its
  ripple effects
• Why subject line lawsuits have surged and spread to other states
• What subject lines are getting the most attention
  Recent amendments to CEMA
• Practical steps companies can take now to mitigate risk in email campaigns

Register here.

Behind the Price Tag: Giving Consumers Clarity in the Data Driven Pricing Ecosystem

Utah Attorney General Derek Brown headed this panel consisting of representatives of the National Retail Federation, Electronic Privacy Information Center (EPIC), and Chamber of Progress, as well as Sundeep Iyer, Executive Assistant Attorney General at the New Jersey Attorney General’s Office. General Brown began by providing his own definitions and examples for four terms: 

1. Dynamic pricing, where pricing goes up and down based on supply and demand, and may adjust immediately (e.g., gasoline).
2. Surge pricing, a variation of dynamic pricing where prices are tied to times of peak demand (e.g., rideshare pricing that goes up after a concert). 
3. Surveillance pricing or personalized pricing, where prices are based on the individual consumer (e.g., health insurance). 
4. Algorithmic pricing, which “matters to a lot of AGs,” and involves pricing structures utilizing algorithms. AG Brown noted that, through algorithmic pricing, competitors may end up charging the same price even though they have not colluded with each other and questioned whether antitrust laws are sufficient for this world of pricing. 

Misconceptions. AG Brown asked each panelist to describe misconceptions regarding these types of pricing. The Chamber of Progress panelist noted that although the term “surveillance pricing” gives the impression that businesses have troves of data on individuals, regulators have not found evidence of this. Rather, pricing data is used for mundane things like personalized coupons. He said the impulse to regulate because it “could be scary” may undermine competitive purposes. 

New Jersey’s representative Iyer agreed that at some level all pricing is data driven and determined by market forces, but said there are differences based on industry. Regardless of pending legislation, he explained, states have existing enforcement tools such as UDAP and state data privacy laws that continue to apply to new concepts and technology. New legislation would just provide additional tools for states and clarity for businesses. 

EPIC’s panelist said surveillance pricing does not always come in the form of charging different base prices but could instead present through loyalty or rewards programs based on inferences of what a customer is likely to pay. The National Retail Federation said there are misconceptions about loyalty programs, which are designed to build customer trust in a competitive marketplace based on selling on volume.

Current legislation. New Jersey described the current laws in this area in California, New York, (see our latest blog post here) and Maryland (awaiting governor’s signature). Maryland’s law goes further to ban certain types of surveillance pricing. AG Brown questioned if disclosure of the use of algorithmic pricing (like New York’s law) solves the issue or not. Iyer said it is a matter of what we are trying to solve, whether it is affordability or whether consumers are informed about their rights. He said depending on the end goal, transparency might be one avenue. 

AG Brown noted potential First Amendment issues, and again questioned whether a disclosure solves the problem or just “freaks people out.” The National Retail Federation brought First Amendment litigation on the New York law because it required a specific sentence in specific font, which the panelist explained could end up having no meaning. Operationally, it could also be a problem where wording is required on price tags. It also could become “annoying,” according to the National Retail Federation representative, like cookie banners. The EPIC speaker disagreed with the National Retail Federation panelist, saying disclosures at the point of sale are simple, understandable, and important, where privacy policies have failed. 

Where does it go too far? AG Brown posed the following hypothetical—where do businesses go too far in collecting and individualizing data, or when is surveillance pricing a good thing? He noted that it is one thing if businesses know his zip code, but another if they can estimate BMI or other personal items of information. The Chamber of Progress representative said though the line is difficult to draw, he looks at whether the data is being used in a competitive way to offer a discount on a price or to extract value to increase price. Iyer echoed this, noting that AGs use existing antitrust laws to address price fixing—such as in rental pricing with the RealPage lawsuit—where companies allegedly used algorithms to collude on sharing nonpublic information that was not an approximation of market price. AG Brown noted that with antitrust price fixing actions, companies typically have a meeting of the minds but questioned what happens if there is a hub and spoke where companies outsource pricing to a third party and end up with parallel results driven by technology. Iyer said that in RealPage, management companies were on notice that their data would be used in setting a model using other nonpublic data and said he would not be surprised if AG offices look at other competitive markets to evaluate whether they may also have price fixing. 

The EPIC panelist said the right question is whether pricing practices match or defy consumer expectations, and whether they extract wealth or provide bona fide discounts or perks. For example, loyalty programs that lower prices are helpful, but he asserted that loyalty programs may also be used to have an anticompetitive impact on consumers. The National Retail Federation representative pointed out that loyalty programs are voluntary, and if a business does things customers don’t like, the customers will vote with their feet. According to him, retailers don’t build a giant dossier – they know information such as clothing sizes to serve deals. 

Where should AGs focus? AG Brown asked the panel about potential UDAP claims, for example where market efficiencies may go too far. Iyer said where there is an information gap for consumers and regulators, transparency is important to understand how tools are being used. This may require significant resources from enforcement perspective. He also noted that privacy laws may be an avenue for addressing surveillance pricing where the practices do not accord with disclosures the company is making (citing California’s recent enforcement sweep). Further, state AGs could have a role to play in educating consumers. He explained that states will also play a more active role in enforcement because the FTC halted its 2024 surveillance pricing inquiry. 

The Chamber of Progress panelist said there is strong evidence that tools can serve consumers by enhancing competition, but in different context can have different effects. He suggested AGs focus on a specific harm they are trying to eradicate, not the mechanism itself so as not to disrupt pro-competitive effects of technology. The EPIC speaker echoed this some, asking, where do you distinguish a loyalty perk from a penalty? The National Retail Federation panelist said that though the topic is not top of mind for consumers, they do have expectations for data. He suggested not taking tools away that help small businesses and drive prices lower, but rather using the existing consumer protection framework to protect from egregious practices such as using data based on protected class. 

NAAG Conference Takeaways:

After another successful NAAG conference, we look forward to next month’s Consumer Protection Conference where we will hear more from staff on enforcement priorities. Until then:

• Continue monitoring State AG meetings for additional insights into state enforcement priorities. 
• States will continue to focus on protecting children, from dangerous substances to allegedly harmful technologies. 
• Consider education to consumers and State AGs on new or complex business practices – if appropriate. 
• On pricing, don’t wait for further “surveillance pricing” or similar statutes. Review practices now for transparency and consumer expectations to address potential UDAP concerns (see our other suggestions here).

As we’ve noted, the Center for Industry Self-Regulation’s Institute for Responsible Influence—an initiative dedicated to advancing transparency, accountability, and trust in the US creator economy—aims to change that. Last week, they announced the launch of their Responsible Influence Certification Program.

The Program features a 90-minute interactive curriculum grounded in real-world scenarios. The course covers FTC Endorsement Guides and other government requirements, industry advertising standards, and responsible brand partnerships. Creators who complete the curriculum and pass the assessment receive the Institute for Responsible Influence Certification Seal. 

Certified Creators will gain access to ongoing resources and will be included in a forthcoming searchable database, making it easier for brands to discover and connect with trained creators. The Creators will also be subject to ongoing monitoring by the Institute of Responsible Influence, who will attempt to ensure they comply with its requirements.

Companies who engage influencers may want to consider sourcing their influencers from the Institute’s database or requiring their influencers to get certified through the Program. Using a certified influencer doesn’t relieve companies from their responsibilities to ensure that their influencers comply with the laws, but it might make that job easier. 

• TouchTunes Music Company made unqualified “Made in the USA” claims on its website and other marketing materials. Although the company assembled its electronic dartboards in the US, many components—including ones essential to the function and operation of the products—were made outside the US. To settle the case, the company agreed to pay $625,000 towards consumer redress, stop misrepresenting that products are Made in the USA, and notify consumers about the settlement.
• Americana Liberty, Three Nations, and their principals advertised that flags and other accessories were “Made in the USA,” “All-American Made,” “100% Made in the USA,” “100% American Made Tough,” and “Built by Americans for Americans,” even though several products were wholly imported from China and others were comprised of significant or essential components from China. To settle the case, the company agreed to pay $167,743 towards consumer redress, stop misrepresenting that products are Made in the USA, and notify consumers about the settlement.
• Oak Street Manufacturing Company advertised that certain footwear products were “handcrafted 100%” in the US, that some were made in the US “from heel-to-toe, using no pre-assembled components from overseas,” and that some were “More than Made in USA.” The FTC alleged that some of the products’ components were produced outside of the US and that, in some cases, final assembly was completed outside of the US. To settle the case, the company agreed to pay $75,000 towards consumer redress and stop misrepresenting that products are Made in the USA.

In addition to these actions, the FTC issued closing letters to two companies that had been under investigation for making unqualified “Made in the USA” claims without proper substantiation. The companies agreed to take action to remediate certain claims and to comply with the FTC’s “Made in USA” standard. Based on each company’s remedial actions and commitment to future compliance, FTC staff issued letters closing these investigations.

Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, warned: “We will robustly enforce the ‘Made in the USA’ standard so that the American people have confidence that their purchases of American-made products support American workers and manufacturing.” If you haven’t evaluated whether you can substantiate your “Made in the USA” claims, now may be a good time to do that.