More Arrested Developments: Wisconsin Supreme Court Holds ‘Arrest Record’ Encompasses Noncriminal Civil Violations

The Supreme Court of Wisconsin recently provided significant guidance resolving uncertainty about the scope of the Wisconsin Fair Employment Act’s (WFEA) prohibition against discrimination based on an employee’s or applicant’s arrest record. The court held that “arrest record” includes noncriminal offenses, such as municipal theft, reversing the Wisconsin Court of Appeals. As a result, adverse employment actions based on an individual’s arrest record for a civil offense may now form the basis of a claim of unlawful discrimination.

Quick Hits

The Wisconsin Supreme Court interpreted the phrase “any … other offense” in the WFEA to include noncriminal offenses.
The court’s interpretation is the final chapter in extended, seesaw litigation resulting from a school district’s decision to fire two employees who allegedly stole scrap metal from the district, pocketing the money they received from recycling the stolen material.
The district elected to dismiss the brothers after they were cited by the police for municipal theft (a noncriminal offense).
Relying on its expansive interpretation of the term “other offense,” the court determined that the district’s decision to fire the employees was based on “arrest record,” in violation of the WFEA.

Background
As discussed in our 2024 article addressing prior developments in this case, the Cota brothers worked on the grounds crew for the Oconomowoc Area School District. They were accused of taking the district’s scrap metal to a scrapyard and not remitting to the district the several thousand dollars they received for the scrap.
After an internal investigation was unable to determine which employees were responsible for the alleged theft, the district contacted the Town of Oconomowoc Police Department. The police ultimately cited the Cotas for theft. Approximately a year later, an assistant city attorney told the district he believed he could obtain convictions and that he also believed the case against the Cotas could be settled. He proposed dismissing the citations against the brothers in exchange for a $500 “restitution” payment. The district supported the proposal; however, the Cotas did not agree to the deal and were fired the next day. The municipal citations against the Cotas were later dismissed.
In response, the brothers filed a complaint under the WFEA alleging the district unlawfully fired them because of their arrest records. After an evidentiary hearing, an administrative law judge (ALJ) found that the Cotas failed to establish unlawful discrimination by the district. On appeal by the Cotas, the Labor and Industry Review Commission (LIRC) reversed the ALJ’s decision, concluding that the district did discharge the brothers because of their arrest records. The circuit court then affirmed LIRC’s conclusion. The court of appeals subsequently reversed LIRC, holding that “arrest record” under the WFEA includes only information related to criminal offenses (i.e., not including the municipal offenses the Cotas were cited for). LIRC then petitioned the Wisconsin Supreme Court for review.
Arrest and Conviction Record Discrimination Under the WFEA
Wisconsin is one of a minority of states that prohibit discrimination against employees and applicants because of arrest or conviction records. In sum, the WFEA deems it unlawful for an employer to make employment decisions (including hiring and firing decisions) on the basis of an employee’s arrest or conviction record. Employers risk liability when they, for example, decline to hire an employee due to the contents of a background check or fire an employee when they learn of the employee’s arrest.
Importantly, the WFEA includes an exception—employers may defend an adverse employment decision motivated by arrest or conviction record when a pending arrest or conviction “substantially relates” to the job. In general, an arrest or conviction is “substantially related” to a job when there is some overlap between the circumstances of the job and the circumstances of the offense.
Under the WFEA, an employer may refuse to hire an applicant or suspend an employee based on a pending arrest if the offense is substantially related to the position in question. An employer may also take adverse employment action based on an individual’s conviction record, provided there is a substantial relationship between the crime of conviction and the relevant position. Thus, an employer cannot, in most circumstances, fire an employee based on a pending arrest or an arrest that did not lead to a conviction.
The Court’s Reasoning and Its ‘Strange Results’
The Wisconsin Supreme Court concluded that the ordinary meaning of the phrase “any … other offense” includes violations of both criminal and noncriminal laws. The majority opined that this interpretation of “offense” is consistent with how the word “offense” is used throughout the Wisconsin Statutes. The court’s majority also found that such an interpretation was consistent with the WFEA’s statutory purpose of “protect[ing] by law the rights of all individuals to obtain gainful employment and to enjoy privileges free from employment discrimination because of … arrest record ….”
The majority thus found that LIRC correctly concluded that the Oconomowoc Area School District discharged Gregory and Jeffrey Cota because of their arrest records, in violation of the WFEA.
In a concurring decision, Justice Janet Protasiewicz lamented that the court’s decision, while correctly interpreted, makes for a “strange result.” Justice Protasiewicz wrote that, “[a]s a result of today’s decision, the [Oconomowoc Area School] District may not fire employees who it suspects stole from the District. That is no way to treat the victim of an offense.” Justice Protasiewicz added that if the district had fired the brothers when they suspected them of stealing, instead of going to the police (or had fired the brothers before they were cited by the police), they would not have violated the WFEA. Under these circumstances, the decision could not have been motivated by an arrest record that did not yet exist. “Our statutes should not hamstring employers who are victims that way,” Justice Protasiewicz stated. “An employer should be allowed to take employment action when it is the victim of an offense and suspects an employee did it, even when it relies on information from law enforcement.”
Key Takeaways
The 2024 court of appeals decision in this case narrowed the scope of employer obligations under the WFEA’s arrest record provisions. But this relief was short-lived. Employers doing business in Wisconsin are now confronted with the possibility of a wider array of offenses serving as the basis for arrest record discrimination claims.
Employers may want to note that the definition of “arrest record” under the WFEA includes noncriminal offenses—any information indicating an individual has been questioned, apprehended, or charged with any offense, criminal or noncriminal, may fall under the protection of the WFEA. And employers may also want to note that they have limited options when contending with an employee’s “arrest” by law enforcement. Even if the arrest involves conduct substantially related to the employee’s position (such as was the case with the Cotas’ alleged theft), employers risk liability if they discharge rather than suspend the suspected employee prior to conviction.
Under appropriate circumstances, employers may be well-served to discharge suspected employees prior to police action that may create an arrest record. And as lamented by Justice Protasiewicz, this outcome makes little policy sense and is contrary to the purposes of the WFEA.
While beyond the scope of this article, it is important to note that Wisconsin employers may also lawfully discharge an arrested employee based on their own independent investigation, if they can show that their discharge decision was motivated by the underlying conduct itself and not the fact the employee was arrested (the “Onalaska defense”). Employers may therefore want to conduct thorough internal investigations and document their findings independently of any arrest records—even if it is not possible or advisable to discharge an employee suspected of criminal wrongdoing prior to police action.

Insight Into DOGE’s Access to HHS’ Systems

Becker’s Hospital Review reports that the Department of Government Efficiency (DOGE) “has access to sensitive information in 19 HHS databases and systems,” according to a court filing obtained by Wired. HHS provided the information during the discovery process in the lawsuit filed by the American Federation of Labor and Congress of Industrial Organizations against the federal government, requesting restriction of DOGE’s access to federal systems.
According to Becker’s, DOGE had not previously disclosed nine of the 19 systems, which “contain various protected health information, ranging from email and mailing addresses to Social Security numbers and medical notes.”
Some of the systems included federal employees’ data and access to Medicare recipients’ personal information. For instance, one system listed is the Integrated Data Repository Cloud system, which “stores and integrates Medicare claims data with beneficiary and provider data sources.” Other listed systems include the NIH Workforce Analytics Workbench, which “tracks current and historical data on the NIH workforce, including headcounts and retirement information,” the Office of Human Resources Enterprise Human Capital Management Investment system, which “manages personnel actions and employee benefits at HHS,” and the Business Intelligence Information System, which “stores cloud-based HHS human resources and payroll data for analysis and reporting.”

Department of the Interior to Adopt Expedited NEPA Permitting Procedures for Energy and Minerals Projects on Federal Lands

On April 23, 2025, the U.S. Department of the Interior announced plans to implement unprecedented emergency procedures to fast-track permitting for energy and critical minerals projects on federal lands. The initiative follows President Donald Trump’s Jan. 20, 2025 declaration of a National Energy Emergency and implements that executive order’s direction to “identify and exercise any lawful emergency authorities available” to facilitate energy development, including critical minerals. In his executive order dated March 20, 2025, President Trump used a broad definition of the term “critical mineral” to include all critical minerals identified by the Secretary of the Department of the Interior pursuant to the Energy Act of 2020, as well as uranium, copper, potash, and gold. Eligible energy permitting projects include those that seek to “identify, lease, site, produce, transport, refine, or generate” energy resources.
The Department of the Interior will use the new procedures to expedite its permitting approvals, “if appropriate,” employing existing regulations issued pursuant to the National Environmental Policy Act (NEPA), the Endangered Species Act (ESA), and the National Historic Preservation Act (NHPA). Notably, the press release promises the completion of environmental impact statements (EISs) in just 28 days, and environmental assessments (EAs) within two weeks. The expedited NEPA procedures will rely on 43 C.F.R. § 46.150(b), which authorizes Department of the Interior officials to take emergency actions before preparing a NEPA analysis under certain circumstances. The rule provides that if emergency action is necessary before preparing an EIS, officials must consult with the Council on Environmental Quality (CEQ) regarding the necessary NEPA compliance.
CEQ also released guidance on April 23, 2025 for federal agencies to use in updating their NEPA regulations. The guidance follows CEQ’s withdrawal of its own NEPA rules, as directed by President Trump in his January 20, 2025 executive order entitled Unleashing American Energy. An internal Interior memorandum from the same day documents the Department of the Interior’s consultation with CEQ – required by the Interior NEPA regulations – and its reliance on the CEQ guidance to develop its “alternative [NEPA] compliance process,” and explains how an EIS could be completed in just 28 days under these emergency procedures:

Project applicants must agree in writing to use the alternative procedures and must have submitted plans of operation, drilling permit applications, or other approval requests. 
The Department of the Interior would publish the Notice of Intent to prepare an EIS, solicit written comments, and schedule a public meeting that would be held during the agency’s preparation of the EIS. 
Comment periods would be approximately ten (10) days in most cases, and occur during the preparation of the EIS. 
The EIS would be published in final form within the 28-day period. There would be no draft EIS. 
The Record of Decision must document how the action “addresses the national energy emergency.

The press release contemplates similar emergency procedures for compliance with ESA and NHPA requirements. It is unclear when or how these new procedures will be adopted, and remains to be seen whether they will be widely employed by the Department of the Interior.

Connecticut Office of the Attorney General Issues Annual Report on CTDPA Enforcement

On April 17, 2025, the Connecticut Office of the Attorney General (“OAG”) issued a report highlighting key enforcement initiatives, complaint trends and legislative recommendations aimed at strengthening the Connecticut Data Privacy Act (“CTDPA”). Highlights from the report are summarized below.
Breach Notice Review
In 2024, the OAG received 1,900 breach notifications. Each report was reviewed for compliance with state law. The OAG issued numerous warning letters to covered businesses that failed to provide timely notice, emphasizing that the 60-day statutory clock starts at the detection of suspicious activity—not when the full scope is confirmed. In serious cases, the OAG pursued Assurances of Voluntary Compliance requiring businesses to improve incident response practices and pay penalties.
Consumer Complaints
The OAG continues to receive significant complaint volumes regarding CTDPA compliance. Issues include unfulfilled data rights requests, misleading privacy notices, vague breach notifications, and misuse of public records for online profiles.
Enforcement Actions
The report highlighted enforcement actions on several violations, including the following:

Privacy Notices: The OAG conducted “sweeps” of insufficient or inadequate privacy notices and issued over two dozen cure notices. Common issues included missing CTDPA language, unclear opt-out mechanisms, and misleading limitations on consumer rights. Most businesses took corrective steps following notice.
Facial Recognition Technology: The OAG sent a cure notice to a regional supermarket due to their use of facial recognition technology (for purposes of preventing and/or detecting shoplifting). The OAG noted that businesses using facial recognition must comply with CTDPA’s protections for biometric data. The OAG clarified that crime prevention purposes do not exempt compliance.
Marketing and Advertising Practices: The OAG investigated a complaint involving a national cremation services company that mailed a targeted advertisement to a Connecticut resident shortly after receiving medical treatment. While the data used—name, age and zip code—was not classified as sensitive, the OAG expressed concern over the context and issued a cure notice. As a result, the company updated its privacy notice to disclose its use of third-party data and specify the categories of data collected. The case underscores that for the OAG, even non-sensitive data, when used in sensitive contexts, can lead to privacy harms and warrants heightened oversight.
Dark Patterns and Opt-Out Mechanisms: The OAG has significantly expanded its enforcement efforts to address manipulative design choices—commonly known as “dark patterns”—that interfere with consumer privacy rights. In a 2024 enforcement sweep, the OAG issued cure notices to businesses employing cookie banners that made it easier to consent to data tracking than to opt out.
Minors’ Online Services: The report notes that as of October 1, 2024, the CTDPA imposes new obligations on businesses that offer an “online service, product or feature” to minors under 18 years of age. Generally, these provisions require that businesses use reasonable care to avoid causing a heightened risk of harm to minors. Further, these provisions prohibit: (1) the processing of a minor’s personal data without consent for purposes of targeted advertising, profiling, or sale; (2) using a system design feature to significantly increase, sustain, or extend a minor’s time online; and (3) collecting a minor’s precise geolocation data without consent. 
Consumer Health Data: The report notes that controllers must obtain opt-in consent for processing consumer health data and ensure proper contractual safeguards when sharing such data with processors. Two telehealth companies received letters related to potential unauthorized sharing with technology platforms.
Universal Opt-Out Preference Signals: The report also notes that as of January 1, 2025, businesses must recognize browser-based opt-out signals such as GPC. The OAG has emphasized that this requirement is key to easing consumer privacy management. The OAG also notes that going forward, it will be focused on examining whether businesses are complying with the universal opt-out preference signal provisions and that the OAG expects to engage in efforts to ensure this consumer right is upheld.

CTDPA Legislative Recommendations
The OAG reiterated eight proposed legislative changes to improve the CTDPA:

Scale Back Exemptions: Limit current entity-level exemptions for GLBA and HIPAA, narrow the FCRA data-level exemption and remove the entity-level exemption for non-profit organizations.
Lower Thresholds: Remove thresholds for businesses processing sensitive or minors’ data and scale back all other thresholds for businesses processing other types of data.
Strengthen Data Minimization: Require data processed to be strictly necessary for stated purposes.
Expand Definition of “Sensitive Data”: Add a comprehensive list of “sensitive data” elements found in other state privacy laws, such as government ID numbers, union membership and neural data.
Clarify Protections for Minors: Prohibit targeted advertising and sale of minors’ data for consumers that business “knew or should have known” are minors.
Narrow Definition of “Publicly Available” Data: Refine and limit the scope of “publicly available” data.
Right to Know Specific Third Parties: Require businesses to name the specific entities receiving consumer data.
Enhance Opt-Out Preference Signal and Deletion Rights: Require all web browsers and mobile operating systems to include a setting that allows users to affirmatively send opt out preference signals and create a centralized deletion mechanism.

8th Circuit Clarifies Minnesota Human Rights Act Doesn’t Cover Remote Workers

Last week, the Eighth Circuit said that a remote worker cannot sue their employer under the Minnesota Human Rights Act (MHRA), noting the law’s language makes clear that it does not apply to nonresidents.
The plaintiff in the case—a Michigan-based remote employee—took time off from work to recover from surgery. Shortly after her FMLA protected leave ran out, her employment was terminated. She sued her employer, alleging her employer violated the MHRA by refusing to accommodate her and by terminating her employment. 
Her employer moved for summary judgment, arguing that the plaintiff was not covered under the MHRA because the statute defines an employee as someone who works for an employer and “resides or works in this state [of Minnesota].” The plaintiff had never lived in Minnesota, nor had she traveled to Minnesota for work for nearly two years before she was fired. Accordingly, the district court entered summary judgment for the employer.
On appeal, a three-judge panel honed in on the statute’s “works in this state” language, questioning whether it required Kuklenski to have a physical presence in Minnesota. 
While the plaintiff argued the language should be interpreted liberally, the panel disagreed. In its opinion, the panel explained that the “plain meaning” of the phrase requires “some degree of physical presence in Minnesota,” as any other reading would contradict the statute’s purpose to “secure for persons in this state [of Minnesota], freedom from discrimination” because “discrimination threatens the rights and privileges of the inhabitants of this state [of Minnesota].” The panel found these phrases made clear that the law aimed to protect only those who live or work within the boundaries of Minnesota state lines.
The panel also rejected the plaintiff’s arguments that the court should consider her other contacts with the state, such as her supervisors’ and her clients’ physical presence in Minnesota, and her past travel to Minnesota for work. The panel found the MHRA’s language did not consider other factors and that her almost two-year absence from the state between February 2020 and December 2021 belied her argument that her absence was “temporary.”
The decision suggests that a non-resident with “customary or habitual” work in Minnesota potentially could be covered under the MHRA, and further clarifies that a person need not be physically present in Minnesota at the time of the discriminatory conduct to qualify as an employee under the MHRA. 
However, an important question remains open: whether there are minimum requirements for travel to, or time spent in, the state of Minnesota to qualify for coverage under the MHRA. 

“The plain meaning of this phrase requires some degree of physical presence in Minnesota.”
ecf.ca8.uscourts.gov/…

Blockchain+ Bi-Weekly; Highlights of the Last Two Weeks in Web3 Law: April 24, 2025

The last two weeks have seen federal agencies continue refining their approach to the digital asset industry, while state regulators are beginning to play a more prominent role—even as the overall pace of development appears to be slowed. With the SEC stepping back from non-fraud enforcement, Oregon’s lawsuit against Coinbase highlights a potential shift toward increased state-level activity.
At the federal level, the SEC issued new guidance on registering crypto-related securities, the House held hearings on digital asset market structure, and the DOJ released a memo calling on prosecutors to “end regulation by prosecution”—underscoring a growing federal priority to focus enforcement on fraud and consumer protection rather than taking a broad adversarial stance toward the industry. Other notable developments include Illinois advancing a BitLicense 2.0 proposal, OpenSea seeking SEC guidance on NFT regulations, and Ripple moving to acquire global credit network Hidden Road.
These developments and a few other brief notes are discussed below.
Oregon Sues Coinbase Over Alleged State Securities Laws Violations: April 17, 2025
Background: Oregon’s state attorney general has brought a lawsuit against Coinbase, alleging the exchange has violated Oregon state securities laws through listings of certain assets alleged to be securities under Oregon law. Coinbase has released a statement claiming, “Oregon’s holdout campaign is obstruction for the sake of obstruction. It is a desperate scheme that does nothing to move the crypto conversation forward, and in fact takes us a giant leap backwards from hard-won progress.”
Analysis: As anticipated, states and private litigants are beginning to fill the securities litigation gap left by the SEC’s decision to drop its pending and threatened cases against digital asset participants in favor of pursuing a statutory and rulemaking-based framework. Oregon’s lawsuit, which names 31 assets as “unregistered securities,” is notable—especially as other states withdrew similar actions following the SEC’s retreat in the Coinbase matter. This latest development underscores that, despite federal de-escalation, litigation against exchanges remains an ongoing issue for the industry.
SEC Issues Guidance on How to Register Securities that Involve Crypto: April 10, 2025
Background: Much of the focus at the SEC post-Gensler has been on releasing guidance on what crypto offerings are not securities (memecoins, stablecoins, etc.). The SEC Division of Corporation Finance has now put out guidance for issuers whose securities involve crypto assets on how federal securities law disclosure requirements apply. It recognizes that issuers may offer equity or debt securities as part of operations related to networks, applications, and crypto assets, and highlights the need for tailored, clear, and consistent disclosure aligned with existing rules (e.g., Regulation S-K, Forms S-1, 10, 20-F, and 1-A). Key disclosure elements include a focused description of the issuer’s business and developmental milestones, potential risks (such as technological, regulatory, and liquidity risks), a complete description of the securities (including any unique features and technical specs), and information on directors, executive officers, and significant employees (or third parties) performing policy-making functions.
Analysis: Tokenized securities are coming to traditional finance. Major actors in the traditional financial world are already preparing for that eventuality. Most digital assets are not securities, but many securities could be better handled through addendum only ledger technology rather than a seemingly endless number of middlemen all getting their cut to make sure none of the other middlemen are cheating the consumer. So, while the SEC and Congress work through determining which digital assets are securities and which are something else, this is a good step to allow innovative companies to start registering tokenized products.
Market Structure Hearings Held in House of Representatives: April 9, 2025
Background: The House Financial Services Committee’s Digital Asset Subcommittee and the House Agriculture Committee’s Digital Asset Subcommittee both held hearings on how to approach an overarching market structure for digital assets now that stablecoins seem to be on the fast track to regulatory standards. There is a broad consensus that digital assets that are securities need to be provided a way to register with the SEC and abide by SEC rules that aren’t so onerous that the registration process kills any value of the product.
Analysis: You can probably read the statements from witnesses Bill Hughes, Chris Brummer, and Rodrigo Seira to get the gist of where the focus should be for digital asset regulation. Both hearings had a noticeable focus on use cases for digital assets. We are still waiting for what the market structure bill will look like. It will be close to FIT21, previously passed through the House Financial Services Committee, but we don’t know how close it will be yet, as there were noticeable weaknesses in the bill. Draft language is expected to be public soon, though, and all expectations are for the determining factor between securities offerings and non-securities offerings to focus on “control” as opposed to “decentralization,” which was the focus of last year’s bill.
DOJ Releases Memo “Ending Regulation by Prosecution”: April 7, 2025
Background: Deputy Attorney General Todd Blanche has issued a memorandum to Department of Justice employees with the subject reading “Ending Regulation by Prosecution,” where he states, “Consistent with President Trump’s directives and the Justice Department’s priorities, the Department’s investigations and prosecutions involving digital assets shall focus on prosecuting individuals who victimize digital asset investors or those who use digital assets in furtherance of criminal offenses…” The memo clarifies that the DOJ is not going to focus efforts on exchanges or wallets for the actions of third-parties, and is not the regulator of alleged unregistered money transmission laws. It also disbands the National Cryptocurrency Enforcement Team, which was responsible for most current investigations and prosecutions in the space over the last few years.
Analysis: Note that this memorandum does not include guidance not to prosecute alleged violations of 18 U.S.C. 1960(b)(1)(C), which involves allegations of transmitting funds that are “knowingly” the product of criminal offenses and is the heart of the Roman Storm and Samuri Wallet developer cases. Interestingly, the memo calls out the issue of how digital asset losses are calculated when trying to compensate victims (a not-so-subtle reference to FTX depositors getting ~$20,000 per Bitcoin lost when Bitcoin was worth quadruple that by the time repayments happened). Not sure if there is a solution to this other than making people choose early in the process if they want in-kind or value of asset at time of theft. Unfortunately for Do Kwon, even with this DOJ pivot, his suit will remain ongoing.
Briefly Noted:
Paul Atkins Sworn in as SEC Chair: Paul Atkins has finally been sworn in as SEC Chair, marking the formal start of a new era for the Commission. The agency remained active in redefining its priorities throughout his confirmation process, and Atkins was widely understood to be in alignment with the key decisions made during that period. With his swearing-in now complete, he is positioned to implement a full regulatory agenda and set the tone for the post-Gensler SEC—potentially accelerating shifts in enforcement priorities, rulemaking, and digital asset policy.
Illinois Looking to Pass BitLicense 2.0: An Illinois bill is gaining traction and is expected to pass, which would enact similar onerous reporting and registration requirements as the New York BitLicense. With the combination of the Oregon lawsuit discussed above, this further emphasizes the need for comprehensive regulations at a federal level to prevent fractionalized and contradictory rules.
OpenSea Open Letter: OpenSea has submitted a public letter to the SEC advocating for NFT marketplaces to be carved out of broker/dealer registration requirements with the SEC. It is clear that even with NFTs decline, they are still a crucial part of the ecosystems that need regulatory guidance. 
Nova Labs Lawsuit Dismissed: Nova Labs (the developer behind Helium Network) was sued in the last days before Gensler resigned, and that lawsuit has now been dismissed with prejudice. So this ordeal actually ended up good for them since the lawsuit being brought and then dismissed in this way prevents any future lawsuit over the same allegations from the agency.
Hinman Cleared by Office of Inspector General: Former Corporation Finance Director Bill Hinman has been cleared of allegations that his infamous speech was the result of insider dealings.
$1.2 Billion M&A Deal: Ripple is reportedly acquiring global credit network Hidden Road for $1.25 billion. This is reportedly an effort to give functionality to Ripple’s stablecoin, RLUSD, in traditional finance for cross-border settlements.
MEV Submission: Really great work from the team at Paradigm explaining how MEV works and what the SEC should consider in regulation in light of those technical realities. Good stuff.
DOJ Memo Confirmed Not Applicable for Fraud: As stated above, the DOJ memo regarding cutting down on criminal actions for crypto actors is not a get out of jail free card for past (alleged) frauds.
SEC Roundtable on Crypto Custody: The SEC has announced the time and speakers in its next crypto roundtable on custody. It remains great to see as many of these conversations as possible happen in public.
Phantom Wallet Lawsuit: It looks like an attorney is suing the wallet developer where he held certain memecoins he created, but which were stolen through his computer being compromised. This will be something worth following, especially if wallet developers are regulated under a market structure bill or similar legislation.
Conclusion:
The last two weeks have been relatively quiet in terms of crypto legal development. With the SEC pivoting away from prosecuting non-fraud crypto cases, state regulators have begun stepping into that role, most notably with Oregon suing Coinbase over alleged violations of state securities laws. At the federal level, the SEC provided guidance on registering securities that include crypto assets, the House of Representatives held market structure hearings, while the DOJ aimed to “end regulation by prosecution.”

Are Your Lactation Spaces Compliant?

Lactation spaces go by different names — wellness room, vacant office, storage room. No matter what you call it, there are strict regulations about what the room contains and where the room must be located. Some of the requirements may surprise you. 
PUMP Act Requirements 
In short, the PUMP Act states that employees “are entitled to a place to pump at work, other than a bathroom, that is shielded from view and free from intrusion from coworkers and the public.” 
However, last year a U.S. Department of Labor (DOL) memo provided more specifics. DOL guidance states that employees must be provided a place to sit, and a flat surface (other than the floor) on which to place the pump. The guidance does not say a refrigerator is required, but rather the employee must be able to safely store milk while at work, such as in an insulated food container, personal cooler, or refrigerator. Access to electricity is “ideal.” And the guidance states that access to a sink near the lactation “improves the functionality of the space.” 
The DOL guidance says that some employers may choose to use a room with a door that closes and covered windows. But an employer can also create a space using partitions, as long as the space is shielded from view and free from intrusion. 
But There’s More
Many employers forget that their lactation space must not only comply with the PUMP Act, but also the Pregnant Worker’s Fairness Act (PWFA) regulations. The PWFA regulations turn many of the amenities that were not mandatory into amenities that an employer may be required to provide if an employee makes a request and adding the amenity does not create an undue hardship for the employer. 
The PWFA regulations state: “Accommodations related to pumping, such as, but not limited to, ensuring that the area for lactation is in reasonable proximity to the employee’s usual work area; that it is a place other than a bathroom; that it is shielded from view and free from intrusion; that it is regularly cleaned; that it has electricity, appropriate seating, and a surface sufficient to place a breast pump; and that it is in reasonable proximity to a sink, running water, and a refrigerator for storing milk.” Therefore, if an employee asks for something for the PUMP room, consider whether it qualifies as a reasonable accommodation request under the PWFA that you are required to provide. 
Lactation spaces are no longer a “bonus room” or a “benefit,” they are a legal requirement. And not providing a room that is compliant with federal law may make you vulnerable to a collective action lawsuit. So do your research and ensure lactation spaces cover your legal basis. 

Lactation spaces are no longer a “bonus room” or a “benefit,” they are a legal requirement.

Threat Actors Use AI to Launch Identity Theft Scams

Identity theft will continue to rise in 2025. According to the Better Business Bureau of Missouri (BBB), it received over 16,000 identity theft complaints in the past three years. Scammers are “increasingly using advanced tactics such as artificial intelligence to exploit victims.”
The BBB notes that threat actors are taking over social media accounts to solicit money and “impersonating individuals to rent apartments or open credit cards.”
According to Which?, fraud prevention service Cifas reports the continuing rise of identity theft and fraud, and artificial intelligence (AI) is “fuelling [the] identity fraud increase.” Cases of account takeover “drastically increased by 76% in 2024.” Over half of these cases involved threat actors hijacking mobile telephone accounts, and SIM swap fraud increased by a whopping 1,055%. Threat actors use AI more frequently in cases of false applications, where it assists “with the speed, sophistication and scale of false documentation, as well as aiding the ability to pass verification checks.”
Identity theft will continue to rise, so preventative measures, such as those outlined by the BBB, Identitytheft.org, and the FTC, will hopefully prevent victimization. If you become a victim, the FTC has free helpful resources to consider.

The State of Employment Law: Three States Have Virtually No Anti-Discrimination Laws

Under federal employment discrimination laws, race, color, religion, national origin, sex, sexual orientation, gender identity, disability, age, citizenship status, and genetic information are protected classifications. Most states have a list of protected classes that closely mirrors federal law, and many states have even added more protected classifications. However, three states have largely left civil rights protections in employment to the federal government.
Mississippi has no anti-discrimination statute and therefore has no protected classes of its own. Alabama and Georgia prohibit age discrimination and unequal pay on the basis of sex, and Georgia additionally prohibits disability discrimination, but Alabama and Georgia otherwise have no protected classes. As such, employees who work in those three states are largely dependent on federal law for protection against employment discrimination.
Employers in Mississippi, Alabama, and Georgia may feel they benefit from lesser regulation, as fewer anti-discrimination laws may translate into fewer discrimination charges, as well as less time and lower legal fees devoted to administrative investigations. Many states with more robust anti-discrimination laws conduct civil rights investigations that employers would just as soon avoid. However, the lack of regulation could cut both ways. In fact, those same civil rights investigations that employers dread often prevent lawsuits, as a no-cause dismissal from a state civil rights agency often persuades an employee not to file suit. 
Because of their minimal state law protections, employees in Mississippi, Alabama, and Georgia are likely to pursue any discrimination claims at the federal Equal Employment Opportunity Commission. But the EEOC has largely abdicated its duty to investigate charges of discrimination in the past five years, instead simply issuing “right-to-sue” letters that provide said employees with an easy path to court. 
Consequently, employers in Mississippi, Alabama, and Georgia may pine for state civil rights agencies to play a more active, gatekeeping role–minimizing costly and time-consuming discrimination lawsuits.

FTC Settles With accessiBe For Misleading Statements About WCAG Compliance

The Federal Trade Commission (FTC) announced on April 22, 2025, that it has approved a settlement entered into a Final Order with accessiBe, which claimed its plug-in product, accessWidget, “can make any website compliant with Web Content Accessibility Guidelines (WCAG).” The settlement includes the payment of $1 million and requires accessiBe to refrain from “making misleading claims.” The Commission unanimously approved the Final Order 3-0.
The FTC had filed a complaint against accessiBe Ltd alleging that “despite the company’s claims, accessWidget did not make all user websites WCAG-compliant and these claims were false, misleading, or unsubstantiated.” The complaint further alleged that it “deceptively formatted third-party articles and reviews to appear as if they were independent opinions.”
The settlement reinforces the FTC’s continued focus on misleading claims, and companies should check the accuracy of representations made on websites.

FTC Finalizes Updates to Children’s Privacy Rule…Again

After a period of regulatory review under Chairman Andrew Ferguson, on Tuesday, April 22, 2025, the U.S. Federal Trade Commission (FTC) published amendments to the Children’s Online Privacy Protection Act (COPPA) Rule (COPPA Rule or the Rule), which was last updated in 2013. As we reported earlier this year, the FTC finalized its most recent updates to the COPPA Rule on January 16, 2025. However, that version of the amended Rule was not published before President Trump took office on January 20, 2025, and ordered a freeze on “publishing any rule to the Office of the Federal Register until a new agency head appointed or designated by the President reviews and approves the rule.” Accordingly, the FTC, now under Chairman Ferguson, once again reviewed and approved amendments to the COPPA Rule with minor changes to the version approved during the Biden administration. The amended Rule will go into effect on June 23, 2025, although most of the substantive requirements are effective April 22, 2026.
The amended Rule published on April 22, 2025, remains substantively the same as the January 16, 2025, pre-publication version. The key revisions to the Rule we previously highlighted are unchanged. They include new parental notification requirements related to data shared with third-party vendors, a new definition for “mixed audience,” the addition of biometric and government identifiers to the list of “personal information,” more robust “reasonable security” provisions, and a requirement that operators adopt and provide notice of a data retention policy. Additionally, the published Rule retains new requirements for COPPA Safe Harbor programs.
In a concurring opinion supporting the January 16 version of the amended Rule, Chairman (then Commissioner) Ferguson identified a few areas where he felt clarification in the amended Rule language would be helpful, but those changes were not implemented. Issues he identified include:

The meaning of a “material” change requiring new parental consent remains undefined. Both the 2013 version of the Rule and the amended version require that operators obtain fresh parental consent for all “material” changes to privacy terms; however, “material” remains an undefined term in the amended Rule. This may raise several different compliance obstacles, but Ferguson took specific issue with the fact that the amended Rule also requires operators to disclose to parents the identities of third-party recipients of children’s data when obtaining parental consent. With no elaboration on what is meant by “material,” he speculated that all additions or changes to the identities of third-party vendors could require an operator to request new parental consent. This mandate would increase the costs of switching third-party vendors and thus discourage the use of upstart competitors, undermining business competition.
The meaning of “retained indefinitely” remains undefined. The 2013 version of the Rule made clear that children’s data should be retained only for “as long as is reasonably necessary to fulfill the purpose for which the information was collected.” The amended Rule retains this language with minor modifications but also specifies that “[p]ersonal information collected online from a child may not be retained indefinitely.” However, no time period is set for retention. In Ferguson’s concurring opinion, he stated that “it is unclear how the requirement is any different than the existing requirement to keep the information no longer than necessary to fulfill the purpose for which it was collected.”
Collection of personal information for age verification continues to require parental consent. In his concurring opinion, Ferguson asserted that operators of mixed-audience websites or online services “wanting to use more accurate age verification techniques than self-declaration” would need information “such as photographs or copies of government-issued IDs.” Ferguson argued that the amended Rule contains “many exceptions to the general prohibition on the unconsented collection of children’s data, and these amendments should have added an exception for the collection of children’s personal information for the sole purpose of age verification, along with a requirement that such information be promptly deleted once that purpose is fulfilled.”

As of this writing, neither the Chairman nor the other sitting commissioners issued additional statements on the publication of the amended Rule. However, there are aspects of the Federal Register preamble and the Rule itself that appear to address the Chairman’s prior concerns. For example, the “material” change notification requirement is discussed in a footnote to the preamble to the Federal Register notice (and was also present in the January 16 pre-publication version), where the FTC explains that “the Commission is not likely to consider the addition of a new third-party to the already-disclosed category of third-party recipients to be a material change that requires new consent.” The amended Rule’s requirement for a written data retention policy requires reference to a time period, which appears to address Ferguson’s earlier concerns that the amended Rule does not adopt a specific temporal limit on data retention as long as data is not retained indefinitely. In addition, it appears that the Commission considered the option of allowing personal information, including photographs and biometric identifiers, to be used for age verification, but ultimately determined that the potential benefits of using this type of information for age verification were outweighed by the risks of this data being misused.
Given that this most recent round of amendments was initiated in 2019, it seems unlikely that any further amendments will be made in the near term absent further Congressional action to amend COPPA itself. However, children’s privacy continues to be an area of focus for the FTC, which will hold a workshop entitled “The Attention Economy: How Big Tech Firms Exploit Children and Hurt Families” at 9:00 a.m. ET on June 4, 2025. This workshop will cover a variety of topics, including strategies to protect children online, such as through age verification and parental consent requirements. Members of the public can register to attend in-person, and a link to the livestream will be posted to FTC.gov the morning of the event.

Florida Legislature Will Need Extra Time to Negotiate Budget & Tax Relief

Today, the President of the Florida Senate announced that tax relief has stalled the budget negotiations for the 2025 Regular Session. This means the Florida legislature will likely have to return in a Special Session to resolve tax and budget bills before the start of the state fiscal year on July 1, 2025.
The Senate announced they had offered a tax relief package of nearly $3B in the first year and $1.3B in future years. That relief would include a temporary elimination of certain motor vehicle fees, a permanent sales tax exemption on clothing under $75, a 1% reduction of the business rent tax (to 1%), and the historic sales tax holidays. See Senate Bill 7034.
The House’s current legislation would result in a $5B tax reduction in the first year and a $5.48B recurring reduction thereafter. Cornerstones of House Bill 7033 are a permanent 0.75% reduction of all sales tax rates and a redirection of tourist development tax (bed taxes) to offset local property taxes. The House bill will be considered on the floor of the full House tomorrow morning.