Antitrust & Tech At The 2025 Antitrust Spring Meeting
Technology was a key focus of this year’s ABA Antitrust Spring Meeting, one of the largest gatherings of antitrust professionals in the world. Over a dozen panels focused on cutting-edge technology issues as they pertain to antitrust, consumer protection, and privacy. Below are 5 key technology-related takeaways.
1. 2024 was a busy year for Big Tech cases, and 2025 looks to be on the same path.
One topic of conversation was the Big Tech antitrust cases that had seen developments in 2024 and 2025. For example, Apple filed a motion to dismiss in the U.S. v. Apple case, which is currently pending. In the FTC v. Amazon case, the FTC’s Sherman Act Section 2 and FTC Act Section 5 claims survived Amazon’s motion for dismissal. Panelists opined that there is a trend towards more high litigation risk cases from the government.
For tech-related updates coming down the pike, the panelists noted that Judge Mehta is expected to issue the remedies order in the U.S. v. Google search monopolization case, and the U.S. v. Google adsearch trial will begin later this year. Panelists also noted that Chair Ferguson of the FTC has publicly expressed interest in ensuring innovation in “Little Tech.”
2. Increasing interest in regulating big data across the globe.
Big data was also on the mind as both a driver of innovation and a potential tool of market dominance. Panelists emphasized that data is not inherently valuable—it must be analyzed effectively; stale or contaminated data can impose real costs; and more data isn’t always better since errors can be introduced.
For antitrust specifically, the panel noted big data issues come up in two contexts: 1) anticompetitive conduct like self-preferencing and refusal to deal and 2) as an important input in markets where no data means no competing. Additionally, big data often comes up in the context of barriers to entry, especially for smaller firms, considering how incumbents benefit from network effects and lower marginal costs. Panelists noted that some businesses are making essential facilities arguments about data. As such, companies may run into problems if they block access to big data through artificial impediments.
Panelists also touched on increasing scrutiny from regulators around the globe. In the EU, deals like Google/Fitbit have required data separation. The EU’s Digital Markets Act (DMA) and the UK’s Digital Markets, Competition and Consumers Act (DMCC) introduce obligations around data interoperability and access. While these interventions aim to prevent foreclosures and level the playing field, some panelists cautioned that preemptive regulation could stifle innovation. In the U.S., the panelists discussed DOJ’s search monopolization case against Google, noting that one of the proposed remedies is that Google share certain data with competitors for a decade.
3. Uncertainty about the benefits and harms of algorithmic pricing software.
Algorithmic pricing and machine learning tools continue to gain traction in all sorts of industries. These tools promise efficiency and competitive pricing, but also present potential risks of collusion allegations. One widely-attended panel moderated by Maureen Ohlhausen, who originally analogized algorithmic pricing software to a guy named “Bob,” focused on these issues.
A central discussion point was the standard that courts are using to analyze algorithm-related price fixing claims. The prevailing view on the panel seemed to be that the rule of reason should apply, with analysis depending on factors like whether the data is public, forward-looking, or shared among competitors. On the flip side, other panelists suggested that use of an algorithmic pricing software could be likened to a hub and spoke conspiracy. As far as using the algorithms goes, the panel opined that using public data to feed the algorithm is probably safe territory although not an absolute safe harbor. Some panelists also suggested that courts look at how the software is being used, such as whether the user is blindly accepting the pricing recommendations, how much of the strategy is put up front in the prompts and programming, etc.
The panel also discussed how some jurisdictions are already experimenting with regulation of algorithm pricing software. For example, Germany has introduced AI-assisted gasoline pricing. Some evidence suggests in oligopoly situations, use of the algorithm seemed to lead to higher prices. However, many of the panelists cautioned against imposing blanket remedies before more research is done to understand any potential economic harms algorithm pricing software use may have.
Algorithmic pricing software also came up at the close of the Meeting during the Enforcers Roundtable. Elizabeth Odette, current chair of the NAAG Multistate Antitrust Task Force, noted that there was interest in regulating algorithmic software at the state and local level. For example, she stated that there were 4 cities in the U.S. that had banned algorithmic price software used in the housing context. However, she also noted that there was a concern with imposing wide bills banning use that ignores benefits to some competitors.
4. Tech cases are leading the charge in reviving refusal to deal claims.
Refusals to deal remain a hotly contested area in antitrust law, particularly as platforms and data gatekeepers exert growing control over digital ecosystems. One of the Spring Meeting’s panels discussed the potential revival of the doctrine, particularly in technology cases. Due to limitations in the doctrine, the panelists noted that plaintiffs increasingly frame alleged anticompetitive conduct under alternative theories, such as exclusive dealing or foreclosure, to varying degrees of success. Some panelists cautioned that plaintiffs cannot elevate form over economic realities to avoid refusal to deal doctrine.
5. Document preservation issues related to technology are keeping some attorneys up at night.
As digital communications and technology use diversify, so do the risks of spoliation and other discovery failures. Regulators are increasingly focused on how companies preserve (or fail to preserve) electronic records, especially when tools like Slack, ephemeral messaging, and generative AI complicate compliance. One of the panels, including an attorney from the FTC, focused on these issues.
Recent enforcement actions underscore the stakes. The panel flagged major gaps in recordkeeping in cases like the U.S. v. Google search monopolization case and the failed Kroger/Albertsons merger, where use of personal devices and auto-deletion policies hindered document production. The panel also noted that on April 1, 2025, a DOJ Antitrust Division press release revealed that an individual had pleaded guilty for deleting text messages after receiving a litigation hold notice in connection with an antitrust investigation.
The panel also noted the inevitability of discovery requests for AI-generated content or prompts. One panelist gave the example of potentially relevant evidence being a business person asking AI to generate an email to a competitor without the use of the word “competition” to show the person’s state of mind. Interrogatories may soon probe usage of large language models and related tools, especially in high-stakes investigations.
ANOTHER ARBITRATION LOSS: Lead Buyers Just Can’t Catch a Break As Litigators Deny Visiting Websites
Pretty common theme right now in TCPAWorld.
Lead buyer buys a lead and makes an outbound call. Lead buyer sued by a litigator who claims “wasn’t me.” Lead buyer tries to enforce the arbitration provision–to kill the class action component of the case–and the court refuses to enforce because the Plaintiff denied visiting the website to begin with.
That fact scenario played itself out anew in Gilliam v. Prince Health, 2025 WL 1126545 (M.D. Tenn April 16, 2025).
There Prince Health bought a lead from JLN CORP d/b/a P1 Solutions who bought it from Techforcemedia LLC d/b/a Top American Insurance pertaining to website topamericaninsurance.com. (None of these companies are R.E.A.C.H. members!) The website contained an arbitration provision in its terms of use.
A visual rendering was provided to the court of the web session by either Active Prospect or Jornaya and it showed Plaintiff’s name and information being entered on the form. On that basis Prince Health tried to compel arbitration arguing plaintiff had accepted the terms and conditions and agreed to arbitrate claims arising out of the lead form submission.
Plaintiff, however, testified at deposition that he had not visited the website and it was not him who had filled out the form.
Just that simply the court denied the motion to compel arbitration. Although the court determined Prince had met its initial burden, the fact Plaintiff denied visiting the website under oath was enough for the court to deny the arbitration motion and set further proceedings.
The court’s order is unclear in terms of next steps but under the Federal Arbitration Act a jury or bench trial is needed to determine whether a contract was formed and whether the case may proceed to arbitration. Of course such a proceeding is high stakes–if the plaintiff didn’t fill out the form then not only will he defeat arbitration, he will also defeat any claim of consent!
And if the court finds one person didn’t fill out the form perhaps the court will question the credibility of the lead source and certify a class down the line…
So yeah, high stakes poker.
We’ll keep an eye on this and see where it goes.
Opposers Beware: Your Own Mark May Not Be Protectable
The US Court of Appeals for the Federal Circuit affirmed the Trademark Trial & Appeal Board’s dismissal of an opposition to the registration of the marks IVOTERS and IVOTERS.COM while also noting that the US Patent & Trademark Office (PTO) might want to reconsider whether it permits registration of those marks. Heritage Alliance v. Am. Policy Roundtable, Case No. 24-1155 (Fed. Cir. Apr. 9, 2025) (Prost, Taranto, Stark, JJ.)
American Policy Roundtable (APR), a publisher of campaign and political information since June 2010, filed applications to register the marks IVOTERS and IVOTERS.COM for “providing a web site of information on current public policy issues, political campaigns and citizen concerns related to political information” after the PTO approved the marks for publication. Heritage filed an opposition.
Since the 2008 US presidential election season, Heritage has published online voter guides under the names “iVoterGuide” and “iVoterGuide.com” (the iVoters marks). Without a valid registration but having priority of use, Heritage filed an opposition asserting its common law rights in the iVoters marks.
The Board considered Heritage’s opposition but ultimately found that Heritage’s mark was not distinctive. The Board first considered whether the iVoters marks were inherently distinctive and determined they were not just descriptive but “highly descriptive.” The Board next considered whether the iVoters marks had acquired distinctiveness through secondary meaning but found that the record evidence Heritage submitted was inadequate to support a finding that the iVoters marks had any source-identifying significance. Heritage appealed.
On appeal, Heritage argued that the Board had erred by finding the iVoters marks to have neither inherent nor acquired distinctiveness and that the Board violated the anti-dissection principle by evaluating the individual components of the marks instead of the marks as a whole. The Federal Circuit disagreed. The Court found the Board’s determination that the iVoters marks were highly descriptive to be supported by substantial evidence because the prefix “i” generally refers to something internet based. Heritage chose not to challenge the Board’s finding that “VoterGuide” and “.com” were not distinctive, a ruling the Court characterized as “facially reasonable.”
The Federal Circuit also disagreed with Heritage’s argument that the Board improperly evaluated the marks’ individual components. The Court found the Board properly considered the marks as a whole through its determination that the iVoters marks “on their face refer to online voter guides” and because no evidence demonstrated that the combination of the individual components conveyed “any distinctive source identifying impression contrary to the descriptiveness of the individual parts.”
Heritage argued that the Board had erred in its determination that notwithstanding over five years of use, the iVoters marks did not have statutory acquired distinctiveness. Under Section 2(f) of the Lanham Act, registration applicants may submit evidence that a mark has acquired distinctiveness because as a consequence of extensive use and promotion of the mark, consumers now directly associate the mark with the applicant as the source of those goods. Heritage argued that the Board should have accepted its five-plus years of continuous use as prima facie evidence of acquired distinctiveness. The Federal Circuit disagreed, explaining that Section 2(f) states that the Board “may accept” proof of substantially exclusive and continuous use of a mark for five years as evidence of distinctiveness. Because the language of the statute is discretionary, the Board was free to reject Heritage’s evidence. Federal Circuit case law “recognizes the Board’s discretion to weigh the evidence, especially for a highly descriptive mark.” The Court found no reason to disturb the Board’s decision to give little weight to the three declarations Heritage submitted as evidence of acquired distinctiveness and affirmed the Board’s determination that Heritage’s marks were highly descriptive and had not acquired distinctiveness.
The Federal Circuit further suggested that in view of the Board’s rulings, the PTO might reconsider its decision to approve APR’s marks for registration. Although registration should generally follow when an opposition fails, “the stated precondition is that the mark at issue be a ‘mark entitled to registration,’…which might allow the PTO, after an opposition fails, to reconsider the examiner’s pre-opposition allowance.” The Court also suggested the possibility that Heritage could now consider cancellation of APR’s marks.
We Get Privacy for Work: Why You Need a Cybersecurity Incident Response Plan Now [Podcast]
As states increasingly introduce legislative requirements for how companies respond to cybersecurity threats, it is more important now than ever for organizations to have a plan in place to address data breaches if and when they occur.
Transcript
INTRO
On this inaugural episode of We get Privacy for work, we guide organizations through the process of creating an incident response plan, including who should be involved and how to effectively notify stakeholders.
Today’s hosts are Damon Silver and Joe Lazzarotti, co-leaders of the firm’s Privacy, Data and Cybersecurity Group and principals, respectively, in the firm’s New York City and Tampa offices.
Damon and Joe, the question on everyone’s mind today is: Why should organizations have a cybersecurity incident response plan, what should be included in the plan, and how does that impact my business?
CONTENT
Joseph J. Lazzarotti, Principal, Tampa
Welcome to the We get Privacy podcast. I’m Joe Lazzarotti, and I’m joined by my co-host, Damon Silver. Damon and I co-lead the Privacy Data and Cybersecurity Group here at Jackson Lewis. In that role, our colleagues in the group and we receive a variety of questions every day from our clients, all of which boil down to the core question of how do we handle our data safely?
In other words, how do we leverage all the great things that data can do for our organizations without running headfirst into a wall of legal and other risks? How can we manage that risk without unreasonably hindering our business operations?
Damon W. Silver, Principal, New York City
On each episode of the podcast, Joe and I are going to talk through a common question that we’re getting from our clients. We’re going to talk through it in the same way that we would with our clients, meaning with a focus on the practical. What are the legal risks? What options are available to manage those risks? What should we be mindful of from an execution perspective?
Joe, our question for today is, what is an incident response plan, and what should it include? To set the table for everyone, do you want to just talk a little bit about what an incident response plan is and what purpose it serves?
Lazzarotti
That is a great place to start. For a lot of organizations, when we talk about an incident response plan, there are a lot of different incidents that a company may face or crises that they may encounter. I’m here in Florida now, and hurricanes may be incidents that people might have a plan for, but we’re talking specifically about security incidents. Data breaches and things that may impact the organization’s systems and ultimately result in some access or acquisition of personal or confidential company information that may create legal obligations to provide notification in certain cases—whether that be to federal or state governmental entities, individuals who are affected, customers or whatnot. These plans can sometimes become pretty complex, depending on the organization, particularly if you’re in a highly regulated industry, but we’re going to try to talk about it at a high level.
For me, one thing that is pretty critical in the event of an incident is understanding how to communicate with the people who need to carry out that plan. That can be difficult. Bad guys have gotten into the system, and maybe they’re still in or can be monitoring email, or maybe the company’s email is not able to function at the moment. How do you communicate with people? So, having that alternate communication strategy can be pretty important, and having a plan for it is critical.
Silver
Related to that, we see all the time, especially with clients who haven’t been through one of these incidents previously, that they’re not really sure who the people who should be involved are, both internally and externally. If they haven’t been through this situation before, for example, if someone just happens to be the manager who finds out from an employee about a link they clicked on, a suspicious email they got or about the fact that they lost their company laptop. An important first step is for them to know who they are supposed to go to report this. Then, the person who receives that report needs to know whom they need to assemble. Who are the right people internally to be tasked with managing this?
There’s sometimes a misconception that it’s just going to be an IT function, and the IT department is going to handle it. Really, in a lot of these instances, the incident has a much broader impact, and IT alone is not going to be in a very good position to respond. You’re going to need people with a legal perspective. You might need people with an HR perspective if employee data is impacted. You might need people from the finance team if accounting data is impacted. You’re definitely going to need somebody or multiple people from leadership who are able to make decisions at the highest level for how the organization is going to respond.
Then, there’s also your external team. Your legal counsel can, under the cloak of privilege, help you do an investigation of the incident and assess your legal obligations. You might have a cyber insurance carrier or broker whom you want to put on notice quickly. You might have a digital forensics firm that you want to have on standby who understands your systems and can jump in quickly.
Knowing who those key players are helps make the process much smoother when something like this happens. Depending on the nature of the incident, it could be pretty chaotic in those early days. That’s not the time you want to try and figure out who’s supposed to be involved and, to Joe’s point, try and figure out how those people are going to communicate.
Lazzarotti
Absolutely, the roles and responsibilities of the individuals are important. One other thing, and this is not specific to the content of the plan per se, but you said something that made me think about it, Damon. What if you needed to get a copy of the plan and your systems are encrypted? So, where do you keep this plan and the contact information of the individuals who are on it? How do they know that they’re on this plan? So, these other things that come with what should be in an incident response plan. It’s also about socializing with those people, maybe doing a tabletop exercise, and keeping the contact information in a place that can be accessed.
Certainly, you mentioned your cyber insurance carrier; that’s really a critical piece of helping to respond to these incidents. Not only from the standpoint of providing resources in terms of having the policy pay for certain expenses that are incurred but also having gone through and helped to identify those external parts of the team that Damon referred to that will help in responding to the incident. Suppose you go out for renewal on a new cyber carrier the following year because you feel like you need to make a change, but they have a different set of people on their external team. Does that mean you have to update that in your incident response plan?
Some of the things that we’re talking about are things that you have to keep up to date. It is not something you just prepare, leave on the shelf and don’t actively use. A lot of this is about preparedness, and these plans can really help improve that position of being prepared, in addition to keeping the system secure. It’s really both of those. That’s what I’m seeing.
Silver
I totally agree, Joe. Honestly, there is value in the plan itself. It is, in many instances, a legal requirement to have the plan. Even more important than the document itself, in most instances, is building that muscle memory and going through the process of thinking through incidents. You do want to be specific about what type of incidents you think you’re most likely to face. You mentioned the example of a hurricane that knocks out your power, or there could be a ransomware attack or a business email compromise. If you have employees that work remotely or travel, you do want to think about those lost laptops, lost phones and other devices. If you have a website that potentially, let’s say, has customer accounts that store sensitive information, there could be some type of misconfiguration of your website. There’s a lot of value in thinking through the scenarios we are most likely to face or that would have the biggest impact if they happened.
Then, what are the steps we’d want to go through if those specific types of incidents happened? How do we make sure that our team is not trying to fumble around and find this plan, read through it and go step by step? In reality, that’s not how it’s going to play out, particularly if it’s a ransomware attack or some other type of event where you’re trying to respond quickly and things are feeling chaotic. You want people to have practiced this enough that they’re just acting on the plan and remembering at least key components of the plan. They’re likely not going to be in a position to go through it, so first, start reading up and trying to understand what the plan contains when there’s an actual incident. That piece of practicing on a regular basis and having key stakeholders involved in developing the plan is more important than the plan itself at the end of the day in terms of the value it can provide to you when responding to an incident.
Lazzarotti
That’s exactly right. Related to that, we are seeing clients who want to have all of the state laws available and exact drafts of notifications. To some degree, that really is a good idea because if you have a sample notice for an individual or a sample website notice, in the event you needed to put something out there, you would be in a better position. If you had some talking points for key people in the organization, some FAQs for a call center if you have a need for that. Those are all good things to have as a starting point.
However, to Damon’s point, when you’re in the situation, the circumstances are going to dictate things that you just might not have anticipated, or you’re going to need to tailor those sample tools that you’ve made a part of your plan to the actual circumstances. You don’t have to worry so much about everything being perfect because the situation is going to take you in a direction you just may not have anticipated, but at least you’ll have really good starting points that will speed the process along so that the plan can be useful for you when it’s needed.
Silver
Well said. We’ve laid the groundwork pretty well conceptually for what purpose these plans serve and how, from the standpoint of using them, a lot of the work is done at the front end before you actually have an incident.
When you’re working on preparing a plan or reviewing an existing draft of a plan, Joe, what are the most important types of things that you’re looking for?
Lazzarotti
For me, it’s clarity, usability and functionality in the sense that if there’s an incident response plan that is 40 or 50 pages, I’m looking at that saying, that seems like a lot to work through. You always want to be careful, and people may have put a lot of thought into it. What I’d recommend in that case is saying, why don’t we do a high-level summary, a checklist or something that is coupled with that large, well-thought-out plan that can be more action-oriented in a situation.
The other thing is to make sure that it covers all of the aspects of the business. One of the things that you said at the beginning is that, sometimes, this function gets pushed to the IT department. However, the IT department may focus on an incident response plan more from an IT perspective. How do we deal with the information system that’s down? What gets left out of that is how we communicate about it. How are our clients affected? Do we have contractual obligations and all that other stuff that may be relevant to the overall response? So, I’d want to be sure that the incident response plan really covers the whole organization, which may include HR, other business units or even wholly owned subsidiaries that may be the parent or even maybe a franchisor. It’s not directly their business, but they want to understand, and we have to protect the brand because there could be those kinds of issues. So, really give some thought to whether the plan is really going to help us. Is the plan as broad as we want so that we’re able to act on it in a situation?
Silver
I agree with that. Thinking about the high-level summary or the checklist that you mentioned, I’ve had similar discussions with clients about how to leverage the work that was done to create a really detailed plan. Also, it’s good to have some more accessible, actionable documents to work off of and keep you organized as you’re responding to an incident. What are some of the key items on that checklist for you?
Lazzarotti
How do you communicate with folks? Who do you need to reach out to? If you are a professional service firm, you need to notify your clients. Where do you go for that information? How do you assess what obligations you have? A lot of focus is on data breach notification laws, which we’re involved in a lot at the federal and state levels. However, there are increasing contractual obligations. Sometimes, it can be difficult, like where are those contracts or what obligations do we have? Having that available, or at least a path to them that you can easily access, can be helpful. Obviously, your broker and carrier—know how to contact them and how to get to the sample forms that you need. Those are some of the things that I’d like, but there are other things.
I’d be interested, Damon, in knowing how you might augment that list.
Silver
I agree with all of those. In some ways, it all starts with a triage list of what your objectives are early. You learn that some type of incident has happened; now, what are the first several steps that you need to take? Those are going to be the most pivotal from the standpoint of the incident response plan having value because those are the things you’re going to have to do potentially very quickly and without much opportunity to deliberate or to reach out to your attorney and run it by them. These are things that need to be done quickly, and it is going to vary depending on the organization. It’s also going to vary depending on the type of incident, but sometimes, if we’re dealing with something like ransomware, a big initial question is how do we get our business back up and running? We’re going to want to look at whether we have backups that we can restore from or if those backups were impacted by the incident. If we don’t have the backups, what other options do we have? Is there any type of publicly available decryption tool, and who do we go to try to explore that? That’s one early question, at least for certain types of incidents: How are we going to get our business back up and running?
Another key early question is how do we make sure that we’re going to be able to do the investigation that we want to do with this incident? Because I know both of us and other members of our team have seen many instances where the client’s internal IT or a managed service provider took some steps really early on in the process that resulted in the wiping of logs that otherwise might have been useful in showing that the scope of an incident was narrowed to certain systems or certain files, but those are wiped. So, the client is left in the position where they may have to make assumptions about what could have been impacted, which results in a much broader notification than might otherwise have been the case. Of course, another consideration is whether this incident is over or if it is a live incident. Is there still a continuing ongoing threat to the systems? What needs to be done from a containment perspective? Having those pieces spelled out clearly and in a practical way with actionable steps that people can take are going to be really important so that in those early moments, you don’t have issues that set you back weeks in terms of getting back up and running or set you back indefinitely in terms of losing evidence. All of those can be really valuable to spell out and also, again, looping back to the point of practicing to have people think through plans in connection with specific types of incidents that might come up.
Lazzarotti
I think we could probably talk forever about writing an incident response plan. One last question, Damon. Once you do have a plan and are practicing that plan, how often do you think a company should revisit and amend it if needed? How often should you review it and consider updates?
Silver
It’s a great question. It’s going to vary depending on the client’s circumstances. A really valuable exercise is to have a standing time on the calendar to look at it. If it’s every 6 months or even every 12 months, have that meeting scheduled.
Then, if something happens, like you experience an incident or you’re integrating some new technology that’s going to process a lot of data, that might be a good reason to either have that meeting sooner than was planned or to have an additional meeting because this really does need to be a living document. It’s not going to serve you very well if it just remains static over time. Putting that time on the calendar ensures that, at minimum, every 6 months or every 12 months, you’re giving it a look to see whether it still makes sense in light of the way that you’re handling data, and you have that opportunity to make corrective actions if that’s necessary.
Lazzarotti
That sounds great. I definitely hope all of our clients are thinking about this, and if they don’t have an incident response plan and are developing one, this session will give them some thoughts about that. We hope everybody enjoyed listening to our We get Privacy podcast, and thank you, Damon.
Ubisoft Defeats Privacy Lawsuit Over Meta Tracking Pixel: These Are the Key Compliance Takeaways You Need to Know
As privacy litigation over tracking pixels continues to surge, a recent decision out of California offers a clear win for companies that implement strong consent mechanisms.
In Lakes v. Ubisoft, Inc., 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025), Plaintiffs Trevor Lakes and Alex Rajjoub filed a class action against Defendant Ubisoft, Inc., a video game company, alleging violations of the Video Privacy Protection Act (VPPA), California’s Invasion of Privacy Act (CIPA), and the Electronic Communications Privacy Act (ECPA).
According to Plaintiffs, their claims arose when they visited Ubisoft’s website (the “Website”) to download games while logged into their respective Facebook accounts. Plaintiffs alleged that Ubisoft installed a Meta/Facebook tracking pixel on the Website, which disclosed their personally identifiable information to Meta. The allegedly disclosed information included the consumers’ unique and unencrypted Facebook ID, a cookie containing an encrypted Facebook ID, and their Video Request Data.
Plaintiffs sought to represent the following classes:
All PII Users on the Website that had their PII, search terms, and detailed webpage information improperly intercepted by and disclosed to Facebook through the use of the Pixel (the “Class”).
All PII Users, who reside and used the Website in California, that had their PII, search terms, and detailed webpage information improperly intercepted by and disclosed to Facebook through the use of the Pixel (the “California Subclass”).
Ubisoft filed a motion to dismiss and requested judicial notice of its Website and the policies publicly available on the Website, including its Privacy Policy, Cookies Settings, and Website Cookies Banner. Ubisoft contended that these were necessary for the Court to have a complete picture of a user’s journey, what the user consents to, and the policies they are provided and agree to. The request for judicial notice was granted for specific portions of the Ubisoft Website.
On the Website’s landing page, a first-time user is presented with a Cookie Banner notifying them that by clicking “OK” and “continuing to navigate on the site” they “accept the use of cookies by Ubisoft and its partners to offer advertising adapted to [their] interests.” If a user clicks on the “set your cookies” hyperlink in the banner, a pop-up appears with more detailed options to change cookie preferences.
To make any purchases on the Website, a user must first create a Ubisoft account and affirmatively accept Ubisoft’s Terms of Use, Terms of Sale, and Privacy Policy, which are all hyperlinked on the Website. Ubisoft’s Privacy Policy informs users that their information will be shared with third parties and outlines how users can withdraw their consent. After agreeing to the Privacy Policy and consenting to the sharing of data during account creation, a user is once again presented with the Privacy Policy every time they make a purchase on the Website.
In light of the above processes, Ubisoft argued that all of Plaintiffs’ claims fail because Plaintiffs were repeatedly informed of, and consented to, the use of cookies and pixels on the Website. The Court agreed, finding that Ubisoft’s disclosures clearly state that it allows partners to use cookies on the Website, that specific analytics and personalization cookies would be used, and that cookie identifiers and other similar data connected to the use of the site could be collected and shared.
In doing so, the Court rejected Plaintiffs’ assertion that a granular disclosure stating that Meta will collect Plaintiffs’ “video game titles combined with unique Facebook identifiers” was required to obtain actual consent. Here, the Privacy Policy explicitly disclosed that Ubisoft uses technologies such as cookies to collect game, login, and browsing data, and that Ubisoft allows its partners to set and access user cookies. This was found to be sufficient, because “a reasonable user would understand from the Privacy Policy that he or she is consenting to the use of cookies including by third parties.”
Therefore, the Court granted Ubisoft’s motion to dismiss the complaint in its entirety, with prejudice. The Court concluded that granting Plaintiffs leave to amend would be futile because they cannot overcome the issue of consent.
The most important takeaway here is the need for businesses to maintain proper consent and disclosure mechanisms – include a cookie disclosure on the website landing page, clearly inform users what data you collect and who you share it with, and allow users to customize non-essential cookies. Although a Pennsylvania court held that a privacy policy contained in a browsewrap agreement gave users constructive notice of a website’s use of tracking software, affirmative consent obtained via a clickwrap agreement worked in Ubisoft’s favor here. Finally, make sure your privacy policy is accurate and up to date.
Ultimately, this ruling underscores how detailed, user-facing consent flows and transparent data-sharing policies remain critical defenses in privacy litigation.
Combatting Scams in Australia, Singapore, China and Hong Kong

Key Points:
Singapore’s Shared Responsibility Framework
Comparing scams regulation in Australia, Singapore and the UK
China’s Anti-Telecom and Online Fraud Law
Hong Kong’s Anti-Scam Consumer Protection Charter and Suspicious Account Alert Regime
The increased reliance on digital communication and online banking has created greater potential for digitally-enabled scams. If not appropriately addressed, scam losses may undermine confidence in digital systems, resulting in costs and inefficiencies across industries. In response to increasingly sophisticated scam activities, countries around the world have sought to develop and implement regulatory interventions to mitigate growing financial losses from digital fraud. So far in our scam series, we have explored the regulatory responses in Australia and the UK. In this publication, we take a look at the regulatory environments in Singapore, China and Hong Kong, and consider how they might inform Australia’s industry-specific codes.
SINGAPORE
Shared Responsibility Framework
In December 2024, Singapore’s Shared Responsibility Framework (SRF) came into force. The SRF, which is overseen by the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA), seeks to preserve confidence in digital payments and banking systems by strengthening accountability of the banking and telecommunications sectors while emphasising individuals’ responsibility for vigilance against scams.
Types of Scams Covered
Unlike reforms in the UK and Australia, the SRF explicitly excludes scams involving authorised payments by the victim to the scammer. Rather, the SRF seeks to address phishing scams with a digital nexus. To fall within the scope of the SRF, the transaction must satisfy the following elements:
The scam must be perpetrated through the impersonation of a legitimate business or government entity;
The scammer (or impersonator) must use a digital messaging platform to obtain the account user’s credentials;
The account user must enter their credentials on a fabricated digital platform; and
The fraudulently obtained credentials must be used to perform transactions that the account user did not authorise.
Duties of Financial Institutions
The SRF imposes a range of obligations on financial institutions (FIs) in order to minimise customers’ exposure to scam losses in the event their account information is compromised. These obligations are detailed in table 1 below.
Table 1
| Obligation | Description |
| --- | --- |
| 12-hour cooling off period | Where an activity is deemed “high-risk”, FIs must impose a 12-hour cooling off period upon activation of a digital security token. During this period, no high-risk activities can be performed. An activity is deemed to be “high-risk” if it might enable a scammer to quickly transfer a large sum of money to a third party without triggering a customer alert. Examples include: addition of new payee to the customer’s account; increasing transaction limits; disabling transaction notification alerts; and changing contact information. |
| Notifications for activation of digital security tokens | FIs must provide real-time notifications when a digital security token is activated or a high-risk activity occurs. When paired with the cooling off period, this obligation increases the likelihood that unauthorised account access is brought to the attention of the customer before funds can be stolen. |
| Outgoing transaction alerts | FIs must provide real-time alerts when outgoing transactions are made. |
| 24/7 reporting channels with self-service kill switch | FIs must have in place 24/7 reporting channels which allow for the prompt reporting of unauthorised account access or use. This capability must include a self-service kill-switch enabling customers to block further mobile or online access to their account, thereby preventing further unauthorised transactions. |
Duties of Telecommunications Providers
In addition to the obligations imposed on FIs, the SRF creates three duties for telecommunications service providers (TSPs). These duties are set out in table 2 below.
Table 2
| Obligation | Description |
| --- | --- |
| Connect only with authorised alphanumeric senders | In order to safeguard customers against scams, any organisation wishing to send short message service (SMS) messages using an alphanumeric sender ID (ASID) must be registered and licensed. TSPs must block the sending of SMS messages using ASIDs if the sending organisation is not appropriately registered and licensed. |
| Block any message sent using an unauthorised ASID | Where the ASID is not registered, the TSP must prevent the message from reaching the intended recipient by blocking the sender. |
| Implement anti-scam filters | TSPs must implement anti-scam filters which scan each SMS for malicious elements. Where a malicious link is detected, the system must block the SMS to prevent it from reaching the intended recipient. |
Responsibility Waterfall
Similar to the UK’s Reimbursement Rules explored in our second article, the SRF provides for the sharing of liability for scam losses. However, unlike the UK model, the SRF will only require an entity to reimburse the victim where there has been a breach of the SRF. The following flowchart outlines how the victim’s loss will be assigned.
HOW DOES THE SRF COMPARE TO THE MODELS IN AUSTRALIA AND THE UK?
Scam Coverage
The types of scams covered by Singapore’s SRF differ significantly from those covered by the Australian and UK models. In Australia and the UK, scams regulation targets situations in which customers have been deceived into authorising the transfer of money out of their account. In contrast, Singapore’s SRF expressly excludes any scam involving the authorised transfer of money. The SRF instead targets phishing scams where the perpetrator obtains personal details in order to gain unauthorised access to the victim’s funds.
Entities Captured
Australia’s Scams Prevention Framework (SPF) covers the widest range of sectors, imposing obligations on entities operating within the banking and telecommunications sectors as well as any digital platform service providers which offer social media, paid search engine advertising or direct messaging services. The explanatory materials note an intention to extend the application of the SPF to new sectors as the scams environment continues to evolve.
In contrast, the UK’s Reimbursement Rules only apply to payment service providers using the faster payments system with the added requirement that the victim or perpetrator’s account be held in the UK. Any account provided by a credit union, municipal bank or national savings bank will be outside the scope of the Reimbursement Rules.
Falling in between these two models is Singapore’s SRF, which applies to FIs and TSPs.
Liability for Losses
Once again, the extent to which financial institutions are held liable for failing to protect customers against scam losses in Singapore lies somewhere between the Australian and UK approaches. Similar to Singapore’s responsibility waterfall, a financial institution in Australia will be held accountable only if the institution has breached its obligations under the SPF. However, unlike the requirement to reimburse victims for losses in Singapore, Australia’s financial institutions will be held accountable through the imposition of administrative penalties. In contrast, the UK’s Reimbursement Rules provide for automatic financial liability for 100% of the customer’s scam losses, up to the maximum reimbursable amount, to be divided equally where two financial institutions are involved.
CHINA
Anti-Telecom and Online Fraud Law of the People’s Republic of China
China’s law on countering Telecommunications Network Fraud (TNF) requires TSPs, Banking FIs and internet service providers (ISPs) to establish internal mechanisms to prevent and control fraud risks. Entities failing to comply with their legal obligations may be fined the equivalent of up to approximately AU$1.05 million. In serious cases, business licences or operational permits may be suspended until an entity can demonstrate it has taken corrective action to ensure future compliance.
Scope
China’s anti-scam regulation defines TNF as the use of telecommunication network technology to take public or private property by fraud through remote and contactless methods. Accordingly, it extends to instances in which funds are transferred without the owner’s authorisation. To fall within the scope of China’s law, the fraud must be carried out in mainland China or externally by a citizen of mainland China, or target individuals in mainland China.
Obligations of Banking FIs
Banking FIs are required to implement risk management measures to prevent accounts being used for TNF. Appropriate policies and procedures may include:
Conducting due diligence on all new clients;
Identifying all beneficial owners of funds;
Requiring frequent verification of identity for high-risk accounts;
Delaying payment clearance for abnormal or suspicious transactions; and
Limiting or suspending operation of flagged accounts.
The People’s Bank of China and the State Council body are responsible for the oversight and management of Banking FIs. The anti-scams law provides for the creation of inter-institutional mechanisms for the sharing of risk information. All Banking FIs are required to provide information on new account openings as well as any indicators of risk identified when conducting initial client due diligence.
Obligations of TSPs and ISPs
TSPs and ISPs are similarly required to implement internal policies and procedures for risk prevention and control in order to prevent TNF. This includes an obligation to implement a true identity registration system for all telephone/internet users. Where a subscriber identity module (SIM) card or internet protocol (IP) address has been linked to fraud, TSPs/ISPs must take action to verify the identity of the owner of the SIM/IP address.
HONG KONG
Hong Kong lacks legislation which specifically deals with scams. However, a range of non-legal strategies have been adopted by the Hong Kong Monetary Authority (HKMA) in order to address the increasing threat of digital fraud.
Anti-Scam Consumer Protection Charter
The Anti-Scam Consumer Protection Charter (Charter) was developed in collaboration with the Hong Kong Association of Banks. The Charter aims to guard customers against digital fraud such as credit card scams by committing to take protective actions. All 23 of Hong Kong’s card issuing banks are participating institutions.
Under the Charter, participating institutions agree to:
Refrain from sending electronic messages containing embedded hyperlinks. This allows customers to easily identify that any such message is a scam.
Raise public awareness of common digital fraud.
Provide customers with appropriate channels to allow them to make enquiries for the purpose of verifying the authenticity of communications and training frontline staff to provide such support.
More recently, the Anti-Scam Consumer Protection Charter 2.0 was created to extend the commitments to businesses operating in a wider range of industries including:
Retail banking;
Insurance (including insurance broking);
Trustees approved under the Mandatory Provident Fund Scheme; and
Corporations licensed under the Securities and Futures Ordinance.
Suspicious Account Alerts
In cooperation with Hong Kong’s Police Force and the Association of Banks, the HKMA rolled out suspicious account alerts. Under this mechanism, customers have access to Scameter which is a downloadable scam and pitfall search engine. After downloading the Scameter application to their device, customers will receive real-time alerts of the fraud risk of:
Bank accounts prior to making an electronic funds transfer;
Phone numbers based on incoming calls; and
Websites upon launch of the site by the customer.
In addition to receiving real-time alerts, users can also manually search accounts, numbers or websites in order to determine the associated fraud risk.
Scameter is similar to Australia’s Scamwatch, which provides educational resources to assist individuals in protecting themselves against scams. Users can access information about different types of scams and how to avoid falling victim to these. Scamwatch also issues alerts about known scams and provides a platform for users to report scams they have come across.
KEY TAKEAWAYS
Domestic responses to the threat of scams appear to differ significantly. Legal approaches explored so far in this series target financial and telecommunications sectors, seeking to influence entities in these industries to adopt proactive measures to prevent, detect and respond to scams. While the UK aims to achieve this by placing the financial burden of scam losses on banks, China and Australia adopt a different approach by imposing penalties on entities failing to comply with their legal obligations. Singapore has opted for a blended approach whereby entities which have failed to comply with the legal obligations under the SRF will be required to reimburse customers who have fallen victim to a scam. However, where the entities involved have met their legal duties, the customer will continue to bear the loss.
Look out for our next article in our scams series.
The authors would like to thank graduate Tamsyn Sharpe for her contribution to this legal insight.
CONSORTIUM OF PRIVACY REGULATORS: Eight States Announce Bipartisan Consumer Privacy Initiative
Eight state regulators have announced a bipartisan initiative to coordinate the implementation and enforcement of their privacy laws. The Consortium of Privacy Regulators includes the California Privacy Protection Agency (“CPPA”) and state Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.
According to an announcement on the CPPA’s website, the Consortium’s goals include facilitating discussions on privacy law and protecting consumer privacy across jurisdictions. The CPPA notes that although each state has its own consumer privacy law, they share certain fundamental features such as rights to access, delete, and stop the sale of personal information, and similar obligations on businesses to protect consumer data.
“We’re proud to collaborate with states across the country to advance consistent, streamlined enforcement of privacy protections to address real-world privacy harms. The Consortium reflects this shared commitment—now and for the future.” – Michael Macko, CPPA’s head of enforcement
The CPPA has been one of the most active state agencies in the privacy arena. While this new initiative certainly signals more enforcement actions on the horizon, an inter-state coordinated effort may lead to some amount of uniformity and predictability amidst a patchwork regulatory framework.
You can read the CPPA’s announcement here: State Regulators Form Bipartisan Consortium to Collaborate on Privacy Issues
Powering Africa’s Digital Future: The Challenge of Energy for Data Center Development
As the global economy increasingly digitizes, the infrastructure supporting this shift must evolve accordingly. In Africa, where the demand for digital services is surging — fueled by mobile penetration, fintech innovation, and a young, connected population — the case for expanding data center capacity is clear. However, the continent’s potential is hindered by underdeveloped energy infrastructure, presenting a significant bottleneck.
Why Data Centers Matter
Data centers form the backbone of digital transformation, underpinning cloud storage, AI applications, e-commerce platforms, and digital government services. According to the International Energy Agency (IEA), global electricity consumption by data centers is projected to exceed 800 TWh by 2026, up from 460 TWh in 2022. A significant portion of this demand comes from generative AI and machine learning applications, which consume up to 10 times more energy than traditional searches.
Africa, despite being one of the fastest-growing regions for digital adoption, accounts for less than 1% of the world’s data center capacity. The Africa Data Centres Association estimates that the continent requires at least 1,000 MW of new capacity across 700 facilities to meet demand. Yet, meeting this need will depend not only on digital infrastructure investments but also on solving a persistent and costly energy challenge.
The Energy Challenge: Costs, Capacity, and Volatility
Data center development will play a pivotal role in ensuring digital sovereignty and fostering a resilient, domestically-driven digital economy in Africa.
Sub-Saharan Africa exemplifies both the promise and the challenges of this transformation. While demand for digital services is accelerating, access to reliable energy remains a major obstacle. Many countries across the region grapple with limited energy access, high electricity costs, and outdated infrastructure characterized by frequent outages and heavy reliance on imported fuel sources.
This interplay of costs and reliability poses significant challenges for energy-intensive data centers. According to recent industry analysis, energy supply has emerged as the single most critical issue facing digital infrastructure investors. As demand for electricity rises—driven by AI, cloud computing, and the digitization of public services—grid expansion is struggling to keep pace. As a result, securing reliable, affordable power is now a top strategic priority for data center developers and investors alike.
Despite these challenges, several sub-Saharan countries—including Côte d’Ivoire, Gabon, and Senegal—are making significant progress. While legacy grid issues persist, these countries are actively investing in renewable energy projects that could create the enabling environment needed for sustainable data center growth.
Côte d’Ivoire: In June 2023, the country launched its largest solar power plant in Boundiali, delivering 37.5 MWp of capacity with an expansion target of 83 MWp by 2025. This project aligns with Côte d’Ivoire’s national goal to source 45% of its electricity from renewable energy by 2030.
Senegal: The Taiba N’Diaye Wind Farm, commissioned in 2021, is West Africa’s largest wind energy project, with a total capacity of 158 MW. It plays a central role in Senegal’s broader strategy to diversify its energy mix and reduce dependence on imported fossil fuels.
Gabon: Though less frequently spotlighted, Gabon is actively positioning itself as a renewable energy leader in Central Africa. In 2021, the government launched a hydropower development strategy to boost clean energy capacity. Notably, the Kinguélé Aval Hydroelectric Project, co-financed by the African Development Bank and IFC, will add 35 MW of capacity upon completion and help stabilize electricity supply in the Estuaire province, home to Libreville—the capital and potential hub for digital infrastructure. Gabon has also attracted investment in solar hybrid systems for rural electrification, aiming to reduce diesel reliance and support the decentralization of energy access. These initiatives create a more stable power framework suitable for future data center deployment.
Lessons from Leading Data Center Markets
Morocco is emerging as a pivotal player in North Africa’s data center market, driven by international energy investments and its strategic position connecting Europe, Africa, and the Middle East. Major global tech companies, including Oracle, Microsoft, Google, and Amazon Web Services (AWS), are drawn to Morocco’s rapidly expanding digital economy and its modern infrastructure. The country is fostering a favorable environment for data center growth through government-backed initiatives that enhance ICT infrastructure, making Morocco an attractive destination for both local and international data center operators.
The country’s stability and investments in renewable energy further position it as a sustainable choice for data center operations. With projects like those from Africa Data Centres, Gulf Data Hub, and N-ONE Datacenters, Morocco’s growing data center ecosystem is poised to meet the increasing demand for cloud computing and data storage across North Africa and beyond. By 2028, Morocco is expected to be a key hub for digital services, offering world-class data center facilities.
Looking to other pioneers in the continent, countries like Kenya and South Africa offer valuable lessons. Kenya, rich in geothermal resources, has attracted significant investments such as a $1 billion geothermal-powered data center from Microsoft and G42. This clean, non-intermittent energy solution provides a reliable power source for data centers. Similarly, South Africa is leading solar integration, with projects like the 12 MW solar farm being developed by Africa Data Centres and Distributed Power Africa, designed to power critical centers like Johannesburg and Cape Town. Such initiatives showcase the potential for public-private partnerships to address challenges of grid unreliability and position Africa as a growing leader in sustainable data center infrastructure.
These examples underscore the importance of strategic planning, infrastructure investment, and the integration of renewable energy sources in building resilient, sustainable data centers.
Policy and Legal Implications
From a legal perspective, developing a data center project requires meticulous contractual structuring. Long-term Power Purchase Agreements (PPAs) and Behind-the-Meter (BtM) agreements introduce project-specific risks — notably, the risk that delays in one part of the project (either the power plant or the data center) could lead to disruptions. Legal advisors must anticipate and address potential regulatory challenges, grid permitting complexities, and the need for future-proofing clauses to safeguard the project’s viability.
A comprehensive review of existing legislation, identification of key obstacles, and potential time-consuming issues (such as securing land) are crucial steps in ensuring the project’s success. Moreover, structuring energy supply projects to support data center operations is fundamental for ensuring the project’s bankability.
Conclusion: A Call to Action
Africa stands at a crossroads: with the right investments in both digital and energy infrastructure, the continent could leapfrog into a new era of economic autonomy and technological resilience. However, if energy bottlenecks are not addressed head-on, Africa risks falling behind just as the world accelerates into a data-driven future.
The roadmap is clear: invest in renewables, embrace innovative models like BtM PPAs, partner across sectors, and establish clear regulatory frameworks. Energy is no longer a background concern for digital infrastructure investors — it is the cornerstone. Data center growth and power sector development must now proceed hand-in-hand.
For Africa, this is not just a technical challenge — it is a strategic imperative.
Cross-Border Catch-Up: The Growing Global Trend of the Right to Disconnect [Podcast]
In this episode of our Cross-Border Catch-Up podcast series, Lina Fernandez (Boston) and Kate Thompson (New York/Boston) discuss the growing trend of “right to disconnect” laws that permit employees to disengage from work-related communications and activities during non-working hours. Kate and Lina explore how right-to-disconnect legislation is being implemented in various countries, including Spain, Peru, Colombia, Thailand, and Canada. Lina and Kate also highlight the importance for global employers to stay informed and compliant with these evolving regulations.
TRAPPED: Appellate Court Holds Realtor.Com Cannot Compel Arbitration in TCPA Class Action On Lead Gen Form Sold to Subsidiary
Really important case for everyone in leadgen to pay attention to.
The lead generation industry continues to create TCPA risk for lead buyers– and even seemingly valid leads can cause a bunch of trouble if lead buyers don’t handle data correctly.
The case against Realtor.com involving leads sold by a website operator to Opcity, Inc.–a subsidiary of Move.com who operates as Realtor–is a great example.
In Faucett v. Move, Inc., 2025 WL 1112935 (9th Cir. 2025) the Court of Appeals upheld a district court’s ruling refusing to enforce an arbitration provision in favor of Move.com.
The underlying facts are pretty straightforward.
Guy allegedly visited HudHomesUSA.org and filled out a consent form and accepted an arbitration agreement.
The consent form included Opcity, and the website operator sold the lead to Opcity (not clear if it was sold directly or through aggregators). However, the arbitration agreement operated only in favor of the website operator and its “affiliates.”
Opcity somehow allegedly transferred the lead to Move.com who allegedly made outbound calls to Plaintiff in reliance on the lead.
Plaintiff sued Move.com who tried to enforce the arbitration agreement arguing it was an “affiliate” of the website operator. The lower court and appellate courts both disagreed.
The courts determined Opcity was likely not an affiliate of the website operator because the terms implied a corporate relationship in this context and none existed. But even if one did exist via contract between Opcity and the website operator, Move.com had no such relationship and it was a separate entity from Opcity.
Further, although Opcity was on the lead form, that was not sufficient to expand the reach of the arbitration agreement to it, and even if Opcity could be viewed as a third-party beneficiary of the consent form–unclear–Move.com certainly could not be because it was not on the consent form.
So the takeaway here is that arbitration clauses in leadgen forms likely DO NOT extend to all marketing partners on a hyperlink and DEFINITELY DO NOT extend to entities related to those marketing partners.
To avoid results like these lead buyers should REQUIRE lead sellers to NAME THEM not just on marketing partners pages but also on arbitration provisions. Stated alternatively, the arbitration and consent provisions on lead generation websites should be co-extensive. So the parties bound by arbitration provisions on lead generation websites should include all marketing partners on the list!
TCPA REVOCATION LESSON: Cenlar’s $714,000.00 TCPA Revocation Settlement Arrives Just In Time to Crystalize Risk
So last Friday the FCC’s new TCPA revocation order went into effect.
While the nastiest parts of the ruling were stayed for one year thanks in large part to the major banks–thanks ABA/MBA and the rest of you!–a good portion of the rule did go into effect.
For those who are not on their revocation game and properly tracking requests, the final approval order in a new TCPA class settlement arrives just in time to help you change your ways!
In Kamrava v. Cenlar, 2025 WL 1116851 (C.D. Cal. April 14, 2025), the court granted final approval to Cenlar’s settlement of a TCPA class involving servicing calls made after revocation of consent.
In many ways this was a throwback case, as revocation classes have fallen by the wayside in recent years, leading to less focus on getting it right in some circles. Indeed, the case was filed way back in 2020 and is something of an oddity in today’s TCPAWorld landscape. However, the FCC’s new ruling supercharges risk here, which is why the settlement is so important.
The classes in Kamrava are as follows:
All persons within the United States who received an automated call to their cellular telephone, after revocation of consent, within the TCPA Class Period from defendant or a loan servicer on whose behalf Defendant was sub-servicing, its employees or its agents (the “TCPA Settlement Class”).
and
All persons with addresses within the State of California who requested in writing that Defendant or the loan servicer on whose behalf Defendant was sub-servicing to stop contacting them and thereafter (i) received a letter asking them to sign and return a form confirming their cease-and-desist request or (ii) received at least one subsequent telephone call within the RFDCPA Sub-Class Period (the “RFDCPA Settlement Sub-Class”).
I was not involved in the case but I would guess what happened here is Cenlar was only temporarily stopping calls in response to an oral revocation request and then sending out a written letter which, if not returned within a certain timeframe, would result in calls beginning anew.
These claims arise from tension between TCPA and FDCPA/RFDCPA revocation rules. Under the debt collection statutes only written requests to stop calls must be honored. But under the TCPA any reasonable means of conveying a revocation is effective, so calls using regulated technology must stop immediately, even if manually launched calls may continue.
It’s all part of a thicket of arcane TCPA requirements that can twist an ankle or skin a knee. And in this case Cenlar got snagged for nearly three quarters of a million dollars.
Whistleblower Alleges Disturbing Data Breach Risks at the NLRB Involving Musk-Linked “DOGE” Team
A recent report from National Public Radio (NPR) has detailed alarming allegations of data mishandling and security breaches at the National Labor Relations Board (NLRB). The whistleblower, Daniel Berulis, an information technology (IT) employee with the NLRB, alleges a series of alarming actions taken by Elon Musk’s “Department of Government Efficiency” (DOGE) team. Mr. Berulis’s complaint describes multiple instances of unauthorized system access, suspicious data exportation, and attempts to conceal DOGE’s activities within the NLRB systems. The allegations raise serious concerns about the security of sensitive labor data and the potential for conflicts of interest involving Mr. Musk.
Details of the Whistleblower Allegations
According to the whistleblower, the DOGE team arrived at the agency in March 2025 demanding and receiving “tenant owner level” access to the NLRB’s internal computer systems, granting them virtually unrestricted permission to view, copy, and alter data.
Mr. Berulis reports that this data includes “information about ongoing contested labor cases, lists of union activists, internal case notes, personal information from Social Security numbers to home addresses, proprietary corporate data and more information that never gets published openly.”
Because DOGE received this high-level access without the common security constraints that monitor network activity, Mr. Berulis had limited ability to track any potential breaches in real time. However, Mr. Berulis was later able to put together “puzzle pieces” to track a significant increase of data leaving the NLRB’s network, potentially including sensitive information about union organizing efforts, ongoing legal cases, and confidential corporate secrets. Even when external parties are granted access to such data, it almost never leaves the NLRB system. Additionally, the IT team detected suspicious login attempts from a Russian IP address using one of the newly created DOGE accounts “within minutes” of DOGE accessing the NLRB’s systems, raising further concerns about a potential breach.
Upon reporting his concerns to Congress, the U.S. Office of Special Counsel, which investigates complaints by federal government whistleblowers, and internally to the NLRB, Mr. Berulis experienced suspected acts of retaliation, including someone “physically taping a threatening note” to his door that included sensitive personal information and a photo of him walking his dog.
A Chilling Effect for Workers… and Employers
The possibility that NLRB records may have been copied and exported from the agency may create a severe chilling effect for employees everywhere who turn to the agency for protection.
One expert commented to NPR that these breaches were so severe that if this were “a publicly traded company, I would have to report this [breach] to the Securities and Exchange Commission. The timeline of events demonstrates a lack of respect for the institution and for the sensitivity of the data that was exfiltrated. There is no reason to increase the security risk profile by disabling security controls and exposing them, less guarded, to the internet. They didn’t exercise the more prudent standard practice of copying the data to encrypted and local media for escort.”
The NPR report notes that in addition to creating risks for individuals trying to organize, leaked data may also reveal internal business planning for companies who are facing unfair labor practice complaints, or even trade secrets.
Potential Conflicts of Interest
The report raised concerns of potential conflicts of interest between Musk and the NLRB, including an ongoing lawsuit between Musk’s company, SpaceX, and the agency in which SpaceX challenges the constitutionality of the NLRB’s structure.
Several lawsuits have been filed over DOGE’s activities at other agencies related to its management of Americans’ data, including Social Security information, IRS records, and other agency records.
Help is available for whistleblowers
The Whistleblower Protection Act (WPA) protects federal government employees from certain adverse employment actions that occur because they disclosed information relating to unlawful activities or “gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety.”