Privacy_1200x600_GettyImages-2154887234

In what appears to be an emerging privacy litigation trend, plaintiffs’ attorneys have recently filed a series of putative class action lawsuits targeting data companies in possession of cellular telephone numbers. The lawsuits attempt to leverage an untested provision in Colorado’s Prevention of Telemarketing Fraud Act (PFTA) which prohibits knowingly listing “a cellular telephone number in a directory for a commercial purpose unless the person whose number has been listed has given affirmative consent[.]” Colo. Rev. Stat. Ann. § 6-1-304(4). Although the law was originally enacted in 2005, there is almost no case law interpreting its provisions. However, the PFTA provides for statutory damages of $300-500 per violation, attorneys’ fees, and costs, making it attractive to plaintiffs’ lawyers. Several other states have similar laws. See, e.g., Conn. Gen. Stat. Ann. § 16-247s, N.Y. Gen. Bus. Law § 399-cc.1, Minn. Stat. Ann. § 325E.318, 73 Pa. Stat. Ann. § 2403, S.D. Codified Laws § 49-31-118, and TX UTIL § 64.202.

The recently filed cases attempt to assert PFTA claims against several companies, including Datanyze LLC, Zenleads, Inc., Infopay, Inc., Lusha Systems, Inc., and Beenverified LLC. The plaintiffs claim the defendants violated the PFTA’s prohibitions by listing plaintiffs’ cell phone numbers on their websites without authorization. Specifically, the complaints target business models in which companies display “teaser” data in response to a search query with an offer to purchase additional information. Plaintiffs argue that displaying cell numbers in response to such searches constitutes “listing” numbers in a “directory” within the meaning of the PFTA.

Plaintiffs’ firms Bursor and Fisher, P.A., Emery Reddy PLLC, Anderson + Wanca, and Birnbaum & Godkin, LLP have all jumped on the PFTA bandwagon in recent months. Cases are now pending in federal district courts across the U.S., including the District of Colorado, District of Massachusetts, Northern District of California, Western District of Washington, and Southern District of New York. Each of these cases remains is in the early stages of litigation, and to date, no responsive pleadings or motions to dismiss have been filed.

In light of this recent wave of litigation, companies should consider the following to mitigate the risk they may be targeted under the PFTA:

  1. Identify Colorado cell numbers: Companies should consider their ability to reliably determine if a cell number belongs to a Colorado resident (or that of another state with similar laws).
  2. Consent practices: The PFTA contains an exception if the owner of the cell phone number has provided consent. Companies should consider the sources of their cell phone data and practices relating to obtaining and documenting consent.
  3. “Lists a cellular phone number”: Companies should consider using “dummy” data or redacting portions of displayed cell phone numbers in any search results, which may mitigate risk.
  4. Use of a “directory”: The PFTA prohibits listing a cell number in a “directory,” but the term is not defined in the statute. Companies should consider how they display search results and how they might avoid having those results characterized as a “directory.”
  5. “For a commercial purpose”: Companies should consider adjustments to their sales practices to mitigate any argument they are using data for a commercial purpose.
  6. Opt-out mechanisms: Companies should ensure there are user-friendly opt-out mechanisms that allow individuals to request that their information be removed from databases.

Companies targeted in PFTA litigation will need to think creatively about defenses, as the PFTA has rarely been tested in court. Companies may have a number of arguments based on the statute’s legislative history and the statute’s intended purpose of targeting abusive telemarketing practices, or that a company’s business practices do not fit within the “commercial” conduct regulated by the statute. Further, PFTA claims are generally poor candidates for class certification because the individualized nature of the claims (for example, determining whether there was consent or whether the number belonged to a Colorado resident at the time of publication) arguably defeats Rule 23’s predominance requirement.

Troutman Pepper Locke’s Privacy + Cyber team has experience advising clients concerning PFTA issues and litigating PFTA claims. For more information, contact Joshua D. Davey, David J. Navetta, Ronald I. Raether, and Natalia A. Jacobo.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joshua Davey Joshua Davey

Josh has nearly two decades of experience representing companies in high-stakes class action litigation, government investigations, and business disputes. A partner in Troutman Pepper’s Privacy + Cyber team and a Certified Information Privacy Professional, he has extensive experience in data breach litigation, having…

Josh has nearly two decades of experience representing companies in high-stakes class action litigation, government investigations, and business disputes. A partner in Troutman Pepper’s Privacy + Cyber team and a Certified Information Privacy Professional, he has extensive experience in data breach litigation, having served as one of the court-appointed lead defense counsel for a cloud software company in one of the largest data breach multidistrict litigation proceedings in the U.S. Josh regularly litigates claims under numerous privacy laws, including the FCRA, the DPPA, and the California Consumer Privacy Act.

Read more about Joshua Davey
Show more Show less
Photo of David Navetta David Navetta

David advises clients on all aspects of technology and data law, including data privacy, information security, artificial intelligence (AI), financial reporting, data governance, technology-related transactions, and data monetization and use.

Read more about David Navetta
Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Read more about Ronald I. Raether, Jr.Ronald I.'s Linkedin Profile
Show more Show less
Related Posts
Privacy_1200x600_GettyImages-1347310666
Privacy Litigation Report: Takeaways From December 2025 Decisions
January 7, 2026
Privacy_1200x600_GettyImages-1347310666
Courts Split Over How to Apply 'Ordinary Person' Test in VPPA Cases
December 18, 2025
Privacy_1200x600_GettyImages-1400779382
Privacy Litigation Report: October and November 2025 Takeaways
December 10, 2025