Cybersecurity in Digital Health: Why HIPAA Compliance Alone Is Not Enough for M&A Success

In today’s health care landscape, cybersecurity is not only an operational concern — it is quite literally a dealbreaker in corporate transactions. For digital health companies eyeing growth through mergers and acquisitions (M&A), cybersecurity due diligence is now a deal-defining factor. Increasingly, buyers are demanding rigorous proof of HIPAA compliance, a mature cybersecurity program, and an articulate explanation of any cybersecurity incidents and how the target handled them. Weaknesses in any of these areas can quickly turn a promising opportunity into a missed one.
Cybersecurity Due Diligence Is Now Deal Diligence
A company’s cybersecurity posture directly impacts valuation, closing timelines, and integration. Buyers are not only reviewing documentation, they are assessing historical vulnerabilities, breach response protocols, and the strength of cybersecurity governance. If risks surface late in the due diligence process, deals can fall through or valuations may be significantly reduced. Worse still, buyers may inherit undisclosed weaknesses, exposing these buyers to post-close litigation, regulatory fines, and reputational damage.
Forward-thinking CEOs are responding by proactively preparing for digital health M&A readiness — conducting internal audits and penetration testing, strengthening their HIPAA compliance, and demonstrating a culture of security through strong governance and stakeholder involvement.
Showcase Incident Response to Build Buyer Confidence
One of the most powerful yet overlooked factors for buyers and sellers alike is the target company’s track record in responding to past incidents. If properly managed and documented, a prior data breach or threat event can become a credibility builder as opposed to a red flag.
Buyers want to see:

A clear, documented, tested, and up-to-date incident response plan
Timely HIPAA breach notifications and regulatory compliance
A thorough assessment of any incidents that were not treated as breaches (e.g., where individuals or regulators were not notified)
Evidence of remediation, including system hardening and employee training
Board and leadership involvement in crisis management

Showcasing your health care data incident response process, whether through tabletop exercises or past real-world events, signals operational maturity and reduces buyer uncertainty. One certain red flag for data-intensive or heavily regulated targets is the lack of a breach history. Sellers that routinely deal in large volumes of personally identifiable information or HIPAA-protected health information and claim never to have experienced a data breach may be viewed skeptically by prospective buyers who understand how improbable that is.
Beyond HIPAA: Cyber Risk Management as a Strategic Imperative
HIPAA compliance remains essential, but it’s no longer sufficient for true cybersecurity readiness. HIPAA was not designed to account for today’s attack vectors — ransomware, API vulnerabilities, or third-party SaaS breaches. A narrow focus on the HIPAA Security Rule misses the broader challenge of managing cyber risk across an expanding digital ecosystem.
Digital health CEOs must adopt a risk management strategy that evolves with their platform. This includes:

Conducting dynamic, scenario-based risk analyses and assessments
Embedding security into product development and data infrastructure
Treating cybersecurity as a board-level and investor-facing priority
Investing in modern threat detection, zero-trust architectures, and breach containment protocols
Identifying and partnering with incident response firms and forensic investigators during peacetime so that those partners can promptly assist in the wake of an incident

In short, HIPAA compliance helps avoid penalties, but true cyber risk management builds trust, partnerships, and company value.
What CEOs Should Be Doing Now
More than a defensive posture, cybersecurity is now a source of strategic differentiation. Enterprise clients, payors, and health systems increasingly make cybersecurity maturity a precondition to doing business. Pre-go-live audits by payors and health systems are now common occurrences. 
Preparing for cybersecurity scrutiny has become foundational. Whether planning for M&A, raising capital, or entering payor-provider partnerships, strong cybersecurity maturity is now table stakes.
To get there, companies should prioritize the following action items:

Conduct a comprehensive, enterprise-wide HIPAA security risk analysis and cyber risk audit and update those audits regularly
Enforce due diligence across all third-party vendors — it is not enough to simply sign business associate agreements (BAAs)
Encrypt protected health information (PHI) maintained in all environments, from app to cloud to mobile
Train your workforce to recognize and engage with threats through role-based security simulations, such as red-team penetration tests
Regularly run incident response drills to prove real-world readiness
Establish an insurance program that accounts for the risks the company may face
Review past incidents and breaches for lessons learned

Looking Ahead
With AI-powered diagnostics, remote monitoring platforms, and interoperable patient engagement tools on the rise, cybersecurity risk in digital health will only become more complex. Companies that bake security into their DNA — not just their IT stack — will earn trust, win contracts, and scale responsibly.

Utah Law Aims to Regulate AI Mental Health Chatbots

Those in the tech world and in medicine alike see potential in the use of AI chatbots to support mental health—especially when human support is unavailable, or therapy is unwanted.
Others, however, see the risks—especially when chatbots designed for entertainment purposes can disguise themselves as therapists.
So far, some lawmakers agree with the latter. In April, U.S. Senators Peter Welch (D-Vt.) and Alex Padilla (D-Calif.) sent letters to the CEOs of three leading artificial intelligence (AI) chatbot companies asking them to outline, in writing, the steps they are taking to ensure that the human interactions with these AI tools “are not compromising the mental health and safety of minors and their loved ones.”
The concern was real: in October 2024, a Florida parent filed a wrongful death lawsuit in federal district court, alleging that her son committed suicide with a family member’s gun after interacting with an AI chatbot that enabled users to interact with “conversational AI agents, or ‘characters.’” The boy’s mental health allegedly declined to the point where his primary relationships “were with the AI bots which Defendants worked hard to convince him were real people.”
The Florida lawsuit also claims that the interactions with the chatbot became highly sexualized and that the minor discussed suicide with the chatbot, saying that he wanted a “pain-free death.” The chatbot allegedly responded, “That’s not a reason not to go through with it.”
Another lawsuit in Texas, meanwhile, claims that a chatbot commiserated with a minor over a parental time-use limit for a phone, mentioning news headlines such as “child kills parents.”
In February 2025, the American Psychological Association urged regulators and legislators to adopt safeguards. In their April 2 letters described above, the senators informed the CEOs that the attention that users receive from the chatbots can lead to “dangerous levels of attachment and unearned trust stemming from perceived social intimacy.”
“This unearned trust can [lead], and has already[ led,] users to disclose sensitive information about their mood, interpersonal relationships, or mental health, which may involve self-harm and suicidal ideation—complex themes that the AI chatbots on your products are wholly unqualified to discuss,” the senators assert.
Utah’s Solution
States are taking note. In line with national objectives, Utah is embracing AI technology and innovation while still focusing on ethical use, protecting personal data/privacy, ensuring transparency, and more.
Several of these new Utah laws aim to analyze the impact across industries and have broad-reaching implications across a variety of sectors. For example:

The Artificial Intelligence Policy Act (B. 149) establishes an “AI policy lab” and creates a number of protections for users and consumers of AI, including requirements for healthcare providers to prominently disclose any use of generative AI in patient treatment.
The AI Consumer Protection Amendments (B. 226) limit requirements regarding the use of AI to high-risk services.
The Unauthorized Artificial Intelligence Impersonation Amendments (B. 271) protect creators by prohibiting the unauthorized monetization of art and talent.

Utah’s latest AI-related initiatives also include H.B. 452, which took effect May 7 and which creates a new code section titled “Artificial Intelligence Applications Relating to Mental Health.” This new code section imposes significant restrictions on mental health chatbots using AI technology. Specifically, the new law:

establishes protections for users of mental health chatbots using AI technology;
prohibits certain uses of personal information by a mental health chatbot;
requires disclosures to users that a mental health chatbot is AI technology, as opposed to a human;
places enforcement authority in the state’s division of consumer protection;
contains requirements for creating and maintaining chatbot policies; and
contains provisions relating to suppliers who comply with policy requirements.

We summarize the key highlights below.
H.B. 452: Regulation of Mental Health Chatbots Using AI Technology
Definitions. Section 13-72a-101 defines a “mental health chatbot” as AI technology that:

Uses generative AI to engage in interactive conversations with a user, similar to the confidential communications that an individual would have with a licensed mental health therapist; and
A supplier represents, or a reasonable person would believe, can or will provide mental health therapy or help a user manage or treat mental health conditions.

“Mental health chatbot” does not include AI technology that only

Provides scripted output (guided meditations, mindfulness exercises); or
Analyzes an individual’s input for the purpose of connecting the individual with a human mental health therapist.

Protection of Personal Information. Section 13-72a-201 provides that a supplier of a mental health chatbot may not sell to or share with any third party: 1) individually identifiable health information of a Utah user; or 2) the input of a Utah user. The law exempts individually identifiable health information—defined as any information relating to the physical or mental health of an individual—that is requested by a health care provider, with user consent, or provided to a health plan of a Utah user upon request.
A supplier may share individually identifiable health information necessary to ensure functionality of the chatbot if the supplier has a contract related to such functionality with another party, but both the supplier and the third party must comply with all applicable privacy and security provisions of 45 C.F.R. Part 160 and Part 164, Subparts A and E (see the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)).
Advertising Restrictions. Section 13-72a-202 states that a supplier may not use a mental health chatbot to advertise a specific product or service absent clear and conspicuous identification of the advertisement as an advertisement, as well as any sponsorship, business affiliation, or third-party agreement regarding promotion of the product or service. The chatbot is not prohibited from recommending that the user seek assistance from a licensed professional.
Disclosure Requirements. Section 13-72a-203 provides that a supplier shall cause the mental health chatbot to clearly and conspicuously disclose to a user that the chatbot is AI and not human—before the chatbot features are accessed; before any interaction if the user has gone seven days without access; and any time a user asks or prompts the chatbot about whether AI is being used.
Affirmative Defense. Section 58-60-118 allows for an affirmative defense to liability in an administrative or civil action alleging a violation if the supplier demonstrates that it:

created, maintained, and implemented a written policy, filed with the state’s Division of Consumer Protection, which it complied with at the time of the violation; and
maintained documentation regarding the development and implementation of the chatbot that describes foundation models; training data; compliance with federal health privacy regulations; user data collection and sharing practices.

The law also contains specific requirements regarding the policy and the filing.
Takeaways
A violation of the Utah statute carries an administrative fine of up to $2500 per violation, and the state’s Division of Consumer Protection may bring an action in court to enforce the statute. The attorney general may also bring a civil action on behalf of the Division. As chatbots become more sophisticated, and more harms are realized in the context of mental health, other states are sure to follow Utah’s lead.

New York Enacts Amendment to Limit Frequency of Pay Damages for Manual Workers

On May 9, 2025, Governor Hochul signed a budget bill into law that includes an amendment (“the Amendment”) to the New York Labor Law (NYLL).
This Amendment took immediate effect, applies to pending and future actions, and dramatically changes the relief employees can seek for first-time violations of the pay frequency provisions for “manual workers” found in NYLL Section 191.
The Amendment substantially reduces potential damages from 100% liquidated damages to lost interest on delayed payments for first-time violations of the NYLL’s frequency of pay requirements where employers otherwise paid manual workers’ wages on regular pay days, no less frequently than semi-monthly. For future violations, liquidated damages will only be available for a second or subsequent violation if there is a finding and order by the New York State Department of Labor (“NYS DOL”) or court of competent jurisdiction of a prior violation for employees performing the same work.
What is a “Manual Worker”?
NYLL Section 191(1)(a) requires that employers pay “manual workers” on a weekly basis, with limited exceptions. The Labor Law defines a manual worker as a “mechanic, workingman or laborer.” The NYS DOL takes a long-standing position that “individuals who spend more than 25% of working time engaged in ‘physical labor’ fit within the definition of ‘manual worker.’” The term “physical labor” has likewise been interpreted broadly to include “countless physical tasks performed by employees.”
The New York Industrial Board of Appeals, the independent body within the NYS DOL that reviews petitions concerning orders, determinations, rules, and regulations issued by the Commissioner of Labor, looks at not only the time spent performing the physical labor, but also the type of labor performed (i.e., whether it is the type of interchangeable physical labor that can be done by multiple individuals with little to no skill or practice). In short, the determination of whether an employee is considered a “manual worker” is a fact-intensive inquiry that must be made on a case-by-case basis, making it difficult for employers to ensure compliance with the law’s requirements.
If a business’ workforce is large enough[1], it can seek an authorization from the NYS DOL to pay manual workers less frequently than weekly. To obtain the authorization for this variance, employers must submit an application to the NYS DOL with specific documentation. The NYS DOL considers a number of factors, including documents related to the financial stability of the employer and a history of compliance under the Labor Law. Where the manual workers are represented by a labor organization, a variance will not be granted without consent from that organization.
Background on Frequency of Pay Claims
As we have reported previously, New York’s appellate courts have been divided as to whether NYLL § 191 was intended to provide litigants with a private right of action for pay frequency claims. On September 10, 2019, the Appellate Division of the New York Supreme Court for the First Department held in Vega v. CM & Associates Construction Management, LLC that a private right of action does exist for NYLL’s frequency of pay provisions and that employees could seek to recover liquidated damages equal to all late-paid wages for violations of the law. The decision in Vega prompted the filing of hundreds of private court actions claiming companies failed to pay “manual workers” on time pursuant to Section 191.
On January 17, 2024, the Appellate Division of the New York Supreme Court for the Second Department held in Grant v. Global Aircraft Dispatch, Inc. that no private right of action exists, thereby creating a split between New York State Appellate Divisions. A request for review of the Grant decision by the New York Court of Appeals (New York’s highest court) is pending.
The confusion created by these conflicting decisions and the potential for employers’ significant exposure to damages set the backdrop for the legislative action.
What the Amendment Does
The budget bill (SB 3006C)[2] adds language to NYLL Section 198(1-a), which provides for the costs, remedies, and recoverable damages an employee or the New York Commissioner of Labor can seek for wage claims. The new language substantially reduces the amount of potential damages from 100% liquidated damages to lost interest (currently at an interest rate of 16% per annum) on delayed payments for first-time violations where employers otherwise paid manual workers’ wages on regular pay days, no less frequently than semi-monthly.
For future violations, liquidated damages equal to 100% of late-paid wages will only be available for a second or subsequent violation if there is a finding and order by the NYS DOL or a court of competent jurisdiction of a prior violation for manual workers performing the same work.
Although the Amendment is not the panacea employers wished for,[3] it is welcome news for the hundreds of employers subject to litigation or threatened litigation that have otherwise paid their manual workers’ wages on a regular basis, albeit not weekly.
What Employers Should Do Now
The Amendment is by no means the end of pay frequency litigation, and significant exposure is still possible, particularly if an employer has a finding and order issued against it and is found to have subsequently violated the frequency of pay requirements for the same group of workers again. As such, there are steps employers can take immediately to ensure compliance with the Labor Law’s frequency of pay requirements.
In addition, because of the fact-intensive nature of determining whether an employee is a “manual worker,” it is important that employers ensure they are complying with the frequency of pay requirements in the first instance by auditing their pay practices, ideally with the assistance of counsel, to analyze whether certain categories of employees fall within the broad definition of “manual worker,” and, if so, to ensure that all manual workers are paid properly. Employers should also take this opportunity to consult with counsel to determine whether they meet the requirements to obtain a variance from the NYS DOL in order to pay manual workers less frequently than weekly.

ENDNOTES
[1] i.e., has an average of 1,000 employees in New York for the three years preceding the application, or an average of 3,000 out of state employees for the three years preceding, and an average of 1,000 employees in New York for the year preceding the application.
[2] The relevant text of the amendment to the NYLL can be found in Part U of the NYS Budget Bill, S3006-C. 
[3] Governor Hochul’s Executive Budget Proposal for fiscal year 2025 (see “Part K”) had included proposed language that would have eliminated liquidated damages as a remedy altogether for manual worker frequency of pay claims.

Pay Up or Lawsuit Up: The 30-Day Countdown That’s Fueling Arbitration Disputes

Online businesses are increasingly facing a wave of arbitration demands under the California Invasion of Privacy Act (“CIPA”) and similar laws. Enterprising law firms have been at the forefront of this trend, filing claims on behalf of individuals who are often not genuine customers, but rather “litigation testers” or professional plaintiffs. Some law firms recruit claimants from advertisements on social media or elsewhere, often recruiting individuals to bring claims against multiple companies simultaneously. These claimants typically allege technical privacy violations, such as the use of website cookies, chatbots, or session replay tools, and then initiate arbitration demands, often en masse. The underlying strategy is not to resolve the merits of each claim, but to exploit the high cost of initiating and defending one or more arbitrations, thereby pressuring businesses into settlements regardless of the actual validity of the claims. Because the major arbitration providers charge businesses a fee for each case filed, businesses can often face tens or hundreds of thousands of dollars in fees simply to have their cases heard, even if the claims against them ultimately fail.
This development has placed a significant burden on well-intentioned businesses. Many of the arbitration demands are based on dubious or manufactured claims, yet the cost of responding to each individual arbitration—including substantial administrative and arbitrator fees—can quickly become overwhelming. As a result, the threat of arbitration is increasingly being used as a tool for extracting settlements, rather than for resolving legitimate disputes.
In this article, we will examine the legal framework that has enabled this trend, focusing on California’s 30-day arbitration fee payment rule and its potential consequences for businesses. We will then explore the arguments raised by major retail industry groups challenging the rule, review the appellate decisions in the Hohenshelt and Hernandez cases, and preview the upcoming California Supreme Court review that could reshape the landscape for consumer arbitrations in California.
California’s 30-Day Arbitration Fee Rule: Strict Deadlines and Harsh Consequences
California law, specifically Code of Civil Procedure sections 1281.97 and 1281.98, requires that businesses pay arbitration fees within 30 days of the invoice being issued by the arbitration provider, such as JAMS or AAA. In consumer and employment arbitrations, the business is typically responsible for a large part of these fees. In the mass arbitration context, the required payment can be a substantial sum—tens or even hundreds of thousands of dollars—that not all businesses have readily available. If the business fails to pay within the 30-day window, the business may be in material breach of the arbitration agreement. The consequences can be severe: the claimant may withdraw from arbitration and proceed in court, and the business may be required to pay the claimant’s attorneys’ fees and costs. The statute does not permit extensions unless all parties agree, and there is no exception for inadvertent delay, substantial compliance, or lack of prejudice to the claimant.
Sections 1281.97 and 1281.98 single out arbitration agreements for uniquely harsh treatment, as no other type of contract is voided on such a hair-trigger basis for a minor delay in payment. Outside of the arbitration context, courts consider the facts and circumstances, including whether the delay was excusable or whether the other party was prejudiced. The law’s lack of flexibility in the arbitration context is also problematic, as it does not allow for any discretion or relief for excusable neglect, inadvertent error, or even situations where the payment is only a few days late due to circumstances beyond the business’s control, such as a payment lost or delayed in the mail or an invoice sent to a spam folder. Courts have held that even disagreement as to whether the amount of the fee is correct does not alter the strict interpretation of the 30-day deadline.
Appellate Decisions To-Date
The legal landscape surrounding California’s 30-day arbitration fee rule is sharply illustrated by the appellate decisions in Hohenshelt v. Superior Court and Hernandez v. Sohnen Enterprises, Inc. These cases not only highlight the practical consequences of the rule for businesses but also frame the core legal debate over federal preemption and the enforceability of arbitration agreements in California.
Hohenshelt v. Superior Court
In Hohenshelt, the dispute arose when an employer, Golden State Foods Corp., failed to pay arbitration fees within 30 days of receiving invoices from JAMS, the arbitration provider. The employee, Dana Hohenshelt, invoked Code of Civil Procedure section 1281.98, which deems such a failure a “material breach” of the arbitration agreement. Hohenshelt elected to withdraw from arbitration and return to court, seeking to lift the stay on litigation.
The Court of Appeal sided with the employee, holding that the statutory language was clear and left no room for discretion: if the drafting party (typically the employer or business) does not pay the required fees within 30 days, it is in material breach, and the claimant may proceed in court. The court rejected the argument that an extension granted by the arbitration provider could cure the breach, emphasizing that the statute only allows extensions if all parties agree. The court also found that the Federal Arbitration Act (“FAA”) did not preempt California’s rule, reasoning that the statute furthered the FAA’s objectives by preventing businesses from stalling arbitrations through nonpayment and ensuring a speedy resolution of disputes.
A notable aspect of the Hohenshelt decision is its strict, almost mechanical application of the 30-day rule, regardless of the reasons for late payment or the absence of prejudice to the claimant. The court’s approach was to treat the statutory deadline as absolute, with no exceptions for inadvertent delay, good faith participation, or even payment made shortly after the deadline. This rigid interpretation has significant consequences for businesses, as even minor administrative errors can result in the loss of the right to arbitrate and exposure to additional sanctions.
Hernandez v. Sohnen Enterprises
In contrast, Hernandez presented a different scenario. The employer, Sohnen Enterprises, paid the arbitration fees after the 30-day deadline, and the employee sought to withdraw from arbitration under section 1281.97. The trial court granted the motion, but the employer appealed.
The Court of Appeal reversed, holding that the FAA preempted California’s 30-day rule in this context. The court’s analysis focused on the “equal-treatment principle” established by the U.S. Supreme Court, which prohibits states from imposing special burdens on arbitration agreements that do not apply to other contracts. The court found that section 1281.97’s mandatory finding of material breach and waiver for late payment was an arbitration-specific rule that conflicted with the FAA. Under general contract law, whether a breach is “material” is a fact-specific inquiry, and courts typically consider the circumstances, including whether the delay was excusable or whether the other party was prejudiced. By contrast, California’s statute imposed a strict, automatic penalty for late payment, singling out arbitration agreements for disfavored treatment. The court held that the state law did not override the federal policy favoring arbitration.
What’s Next: California Supreme Court Review
These two cases encapsulate the current legal uncertainty facing businesses in California. Hohenshelt suggests that the 30-day rule is absolute and not preempted by federal law, while Hernandez holds that the FAA preempts the rule. The split in authority has led to confusion and inconsistent outcomes and ultimately creates pressure for businesses to settle non-meritorious claims or risk having to pay the claimant’s attorneys’ fees and costs as a sanction.
The California Supreme Court has granted review in Hohenshelt, with oral argument scheduled for May 21, 2025. The Court’s upcoming review of Hohenshelt could provide much-needed clarity for businesses and claimants alike. The decision may determine whether California can continue to enforce its strict 30-day rule in all consumer and employment arbitrations, or whether the FAA’s equal-treatment mandate will require a more flexible approach.
The outcome could have significant implications for businesses facing arbitration demands, especially in the consumer privacy context, where claimants may attempt to leverage the current statutory regime to pressure businesses into settlements.
We will continue to monitor this case closely and provide updates as the Supreme Court’s decision approaches. Virtually any business with a website faces potential CIPA or similar privacy claims, so those businesses with consumer arbitration agreements should review their arbitration provisions and consult with counsel regarding best practices for managing arbitration fee payments and mitigating the risk of arbitration exposure.

New York’s Warehouse Worker Protection Act Goes Into Effect June 1, 2025: What Employers Need to Know

In 2024, the state of New York passed the Warehouse Worker Protection Act (WWPA) in response to increasing concerns over warehouse worker safety and injuries. The law aims to create safe conditions for employees working in fast-paced distribution environments, with a focus on minimizing the risk of musculoskeletal injuries and disorders.
Starting June 1, 2025, employers operating large warehouses in New York must comply with the WWPA’s new requirements.
Covered Employers
The WWPA applies to employers who directly or indirectly employ or have control over the wages, hours, or working conditions of either:

100 or more employees at a single warehouse location; or
1,000 or more warehouse employees across all New York warehouses.

Warehouses covered by the law include those that fall under the North American Industry Classification System codes for warehousing and storage. This includes facilities such as general warehouses, e-commerce fulfillment centers, wholesale distribution hubs, and courier operations, where employees perform tasks like receiving, stocking, packaging, sorting, labeling, or shipping merchandise.
What Is Required
The WWPA aims to improve safety for warehouse employees by addressing the risks associated with fast-paced working environments and repetitive motion injuries. To that end, employers must implement a comprehensive injury reduction program at each covered warehouse facility. This program must include the following five components:

Worksite Evaluations – Employers must ensure that each job, process, or operation involving manual materials handling undergoes a written worksite evaluation by a qualified ergonomist. These evaluations should identify risk factors such as rapid pace, forceful exertions, repetitive motions, twisting, bending, and awkward postures that could lead to musculoskeletal injuries and disorders. Evaluations must be conducted initially by June 19, 2025, and reviewed and updated annually.
Control of Exposures – Upon identifying risk factors, employers are required to correct them in a timely manner. If corrections necessitate more than thirty days, a schedule for the proposed corrections must be provided.
Employee Training – Employers must provide annual injury reduction training to all employees involved in manual materials handling tasks. This training should cover early symptoms of musculoskeletal injuries, risk factors, methods to reduce risks, and the employer’s injury reduction program. Training must be conducted during normal work hours, without loss of pay, in a language and vocabulary that workers understand.
Onsite Medical & First Aid Practices – For warehouses with on-site medical offices or first aid stations, employers must ensure these are staffed with medical professionals operating within their legal scope of practice. Employers are also required to consult with a licensed medical consultant to evaluate and oversee protocols for the identification and treatment of musculoskeletal injuries and disorders. The medical consultant must review and update these protocols annually.
Employee Involvement – Employers must involve employees and their designated representatives in the development and implementation of all aspects of the injury reduction program. This includes consulting with workplace safety committees, where established, and providing access to worksite evaluations and related records. All documents should be provided in writing, both in English and in the primary language identified by each employee.

In addition to implementing the injury reduction program, employers must also maintain accessible copies of worksite risk evaluations at the warehouse and make them readily available to workers. Upon request, these documents must be provided to employees in writing, free of charge, and within one business day of the request. 
What Employers Should Do Now to Prepare
As we approach the WWPA’s effective date, employers should take proactive steps to ensure compliance with the WWPA’s requirements. Key actions include: 

Determine if You’re Covered: Review your warehouse headcount and facility types. If you operate high-volume distribution, fulfillment, or shipping centers and meet the employee thresholds, then the law likely applies.
Establish or Update Your Injury Reduction Program: Ensure your warehouse has a written injury reduction program that meets the requirements of the WWPA as outlined above.
Set Up Employee Training: Develop an annual training program for warehouse employees that covers safe work practices and details of the injury reduction plan.
Establish a Request Process: Be ready to respond to employee requests for worksite evaluations and quota records.

EPA Delays PFAS Reporting Deadlines, Again: Implications for Manufacturers and Importers

On May 12, 2025, the U.S. Environmental Protection Agency (EPA) announced an amendment delaying the data submission period for the Toxic Substances Control Act (TSCA) PFAS reporting rule, which will now begin on April 13, 2026, and end on October 13, 2026. Small manufacturers who report solely as article importers will have until April 13, 2027, to complete their submissions. The EPA stated that this delay is necessary to allow additional time for the development of the reporting software. While no other changes are currently planned, the agency is considering reopening certain aspects of the rule for public comment to accommodate potential modifications before the new deadlines.
The interim final rule, published in the Federal Register on May 13, 2025, became effective immediately but remains open for public comment for 30 days. This is the second delay in the reporting timeline. The original requirement was established in September 2023, mandating manufacturers and importers of PFAS from 2011 to 2022 to submit reports. Initially, the reporting period was scheduled to begin on July 11, 2025, but was postponed to accommodate ongoing preparations.
The initial rule aimed to impose reporting and recordkeeping requirements on entities involved in the manufacture or import of PFAS, including those in “articles,” as that term is defined by TSCA, for the years between 2011 and 2022. The EPA explained that delays are primarily due to the need for more time to develop necessary data collection tools and that the agency is considering future rule modifications influenced by efforts to deregulate, such as Executive Order 14219. The agency is also responding to petitions from chemical companies seeking to narrow the scope of the current rule and obtain exemptions consistent with standard TSCA 8(a) reporting provisions.

TRAPPED IN DETROIT: Dobronski has TCPA Defendant on the Hook Personally for Allegedly Illegal Faxes That Defendant May Not Have Even Sent

Quick one for you today on the difference between standing and jurisdiction.
The two concepts are similar– and in some cases overlap– but they are distinct.
Standing refers to the Plaintiff’s ability to bring a certain claim.
Jurisdiction refers to the Court’s ability to hear a specific matter. And there are two kinds of jurisdiction– subject matter and personal. Subject matter jurisdiction refers to the court’s ability to hear cases of a certain type. Personal jurisdiction refers to the court’s ability to hear cases against particular parties.
The overlap between standing and jurisdiction is most complete when considering “subject matter jurisdiction” over a party who may not have been directly harmed by the defendant.
For instance, in Dobronski v. Training Force, 2025 WL 1427042 (E.D. Mich. May 16, 2025), Dobronski sued a company and its two owners for allegedly sending illegal faxes to him.
Rather than challenge standing of Dobronski to sue them personally, Defendants moved to dismiss the individual defendants arguing the court lacked standing over them. However, since Dobronski had alleged the faxes at issue were directed to his Michigan fax number and as the individual defendants “personally directed, participated in, and authorized the unsolicited advertisements” they were stuck in the case in Michigan even though they resided far far away in Florida.
It’s as simple as that, folks.
Interestingly, the defendants denied ever having sent the faxes at issue but the Court correctly focused on the allegations– which the court viewed as sufficient to determine jurisdiction.
Interestingly, had standing been challenged there is an argument the case should have been dismissed since Dobronski cannot allege his way around the fact that the defendants did not send the faxes. And since it is Dobronski’s burden to show the injury is “fairly traceable” to the defendant, arguably the case should have been tossed.
Standing vs. Jurisdiction. The difference matters folks.
Regardless, Dobronski’s hot streak continues. And this is yet ANOTHER reminder of the PERSONAL LIABILITY risks presented by the TCPA!

Rising Temperatures Bring New Obligations for Maryland Employers

Maryland employers are facing the first summer under a heat-related illness prevention standard issued by Maryland Occupational Safety and Health (MOSH). MOSH joins several other Democratic-led Occupational Safety and Health Administration (OSHA) state-plan states, such as California, Nevada, Oregon, and Washington, that have promulgated similar standards in recent years.

Quick Hits

Maryland employers must comply with Maryland Occupational Safety and Health’s (MOSH) new heat-related illness prevention standard.
The MOSH standard has been criticized for its vagueness and the burden it places on employers, leading to potential confusion and inconsistent enforcement.
The Supreme Court’s decision in Loper Bright Enterprises v. Raimondo may limit MOSH’s ability to enforce its interpretation of the new standard, potentially leading to legal challenges.

The MOSH standard applies to all employers whose employees are exposed to an indoor or outdoor heat index of 80°F for more than fifteen minutes in an hour. At a heat index of 90°F or more, high-heat procedures apply. Maryland employers must:

monitor the heat index throughout the work shift;
develop and maintain a written heat-related illness prevention and management plan, made available to their employees and MOSH, that includes an extensive list of required elements, including the importance and availability of rest and drinking water, alternative cooling and control measures, symptoms of heat-related illness and how to respond, acclimatization, high-heat procedures, emergency response, and training;
acclimatize newly hired employees and those returning to the workplace after an absence of seven or more days;
provide adequate and accessible shade, or alternative cooling and control measures;
provide cool and potable drinking water throughout the workday (at least thirty-two ounces per hour per employee); and
provide training regarding heat-related illness prevention at least annually and “[i]mmediately following any incident at the worksite involving a suspected or confirmed case of heat-related illness.” The training must cover a list of specific topics, including environmental and personal factors affecting heat-related illness, acclimatization, the importance of water and rest breaks, signs and symptoms of heat-related illness, responding to heat-related illness, and how the employer will comply. Employers must retain training records for one year following the training date.

The MOSH standard is among the most onerous for employers and has been criticized for the vagueness of its acclimatization, monitoring, and training requirements. While MOSH claims the standard is intended to provide the flexibility to implement a program that considers the unique conditions present at each worksite, the standard’s breadth and ambiguity have caused confusion among employers and set the stage for inconsistent enforcement and litigation.
MOSH promised to provide guidance. It initially issued “Key Requirements” and a “Summary of Key Maryland Requirements fact sheet,” both of which simply reiterate the vague language in the standard. More recently, however, MOSH published an optional model program, itemizing specific and detailed actions that the agency stated employers should consider in developing their plan. Additionally, MOSH conducted a webinar to discuss compliance with the standard, and has now made the recording available on its website. In the webinar, MOSH offered some practical tips beyond the written guidance, including:

Employers may use the wet bulb globe temperature (WBGT) method to monitor the heat index, even though it is not specifically listed as an option in the standard.
The acclimatization schedule is specific to the individual employee—it can be less or more than the general timelines set forth in the standard.
Employers that use their own health care professional (HCP) for pre-employment physicals can direct the HCP to ask the new employee about chronic conditions or medications that pose additional risks for heat-related illness. Although the HCP should not share that specific information with the employer, the HCP can alert the employer that the employee may be more prone to heat-related illness.
Employers may not ask employees directly about their medical conditions or medications in advance of heat-related illness incidents. Employees should be trained that if they have such conditions, they must be more mindful of heat stress.
The definition of “alternative cooling and control measures” includes a variety of protective measures, such as misting equipment and cooling devices, that can alter the employer’s obligation to develop acclimatization procedures and mandatory breaks in accordance with the language in the standard.
The mandatory break periods do not necessarily require cessation of all work but instead can include light duty, paperwork, and similar activities.
Nonworking rest periods of under twenty minutes must be paid in compliance with the Fair Labor Standards Act. Longer nonworking breaks can be unpaid.
Employers must assume that day laborers and temporary employees are not acclimatized.

While the information MOSH provided in the webinar is helpful, additional written compliance guidance would be more helpful to employers developing plans. Given the ambiguous provisions in the MOSH standard, “Monday-morning quarterbacking” may be inevitable, with MOSH taking the position that the employer must be out of compliance if an employee suffers a significant heat-related illness. That position ignores the fact that heat-related illnesses often involve conditions outside of the employer’s control, such as illness, physical fitness, personal medical conditions, and age.
From a legal standpoint, MOSH’s ability to enforce its ad hoc interpretation of the standard’s provisions may be limited. In Loper Bright Enterprises v. Raimondo, the Supreme Court of the United States eliminated deference to an agency’s interpretation of its own statute. The holding will limit the ability of federal agencies to argue successfully that a court must defer to their interpretation of a standard or regulation. The effect of the Loper Bright holding on state regulatory provisions remains to be seen, but it could limit MOSH’s ability to impose its own interpretation of vague provisions on employers, particularly in the absence of written compliance guidance.

Reese’s Law: The Evolving Regulatory and Enforcement Landscape for Consumer Products Containing Button Cell or Coin Batteries

Over the past year, manufacturers, importers, distributors, and retailers of consumer products containing button cell and coin batteries (or products intended to contain them) have continued to adapt to the requirements of Reese’s Law and the Consumer Product Safety Commission’s (CPSC) corresponding enforcement efforts.[1] 
Passed by Congress in August 2022, Reese’s Law is intended to protect children and other consumers against the hazard of ingesting button cell or coin batteries.[2] Reese’s Law applies to “consumer products,” as defined by the Consumer Product Safety Act (CPSA),[3] manufactured or imported on or after March 19, 2024, that contain, or are designed to use, a button cell or coin battery.[4] The requirements of Reese’s Law largely fall into two categories: (1) labeling requirements for the products themselves and packaging; as well as (2) “performance requirements” related to how the product itself secures its battery.[5] A discussion of Reese’s Law can be found here with some common FAQs found here.
As detailed below, a few recurrent themes have emerged over the past year with respect to Reese’s Law. Businesses that manufacture, import, distribute, or sell consumer products utilizing button cell and coin batteries should take immediate action to ensure those products are compliant.
Reese’s Law Noncompliance Has Already Been the Source of CPSC Reports and Recalls
Compliance with Reese’s Law is a top priority for the CPSC. Instead of pulling back on enforcement (as seen in other areas of the federal government in recent months), the CPSC has shown that it remains committed to ensuring compliance with Reese’s Law.[6] 
To date, noncompliance with Reese’s Law has resulted in several recalls, affecting a wide variety of products, including infant swings, firearm accessories, “smart” patio doors, and submersible RGB LED lights. The violations prompting these recalls run the gamut, including for example, failing to adequately contain the batteries making them accessible to children, and/or failing to include the required labels on the products themselves or their packaging. Many such recalls address both performance and labeling violations.
Businesses should immediately report to the CPSC when they become aware of a potential violation or instance of noncompliance with Reese’s Law. Reporting any potential violations is consistent with the duty that all manufacturers, distributors, importers, and retailers have under Section 15(b) of the CPSA—i.e., the duty to report when a consumer product fails to comply with an applicable consumer product safety requirement, such as Reese’s Law.[7]
Compliance May Be Difficult in Certain Circumstances
Reese’s Law provides stringent labeling and performance requirements for consumer products that contain button cell or coin batteries (regardless of whether the batteries are included or sold separately).[8] These requirements can necessitate significant investments of time, money, and other resources to ensure proper compliance.
1. Labeling Requirements
As to labeling, Reese’s Law requires precise labeling on both a covered product’s packaging and the product itself (with some limited exceptions).[9] Compliance may require significant revamping of a covered product’s packaging to include required warning labels and even retooling the manufacture of a covered product itself to include on-product warnings. Even stricter requirements apply to a covered product sold with button cell or coin batteries themselves (i.e., batteries included), rather than by itself, without batteries included.[10]
The CPSC’s recent activity with respect to Apple’s AirTags for noncompliance with the labeling requirements of Reese’s Law is a prime example of labeling enforcement.[11] In its press release announcing an agreement with Apple, the CPSC wrote that Apple had modified both the product itself and the product’s packaging to display the required warnings, and that Apple had taken further action to remediate noncompliant units already sold to consumers.[12] The CPSC concluded its press release with a reminder that manufacturers, importers, distributors, and retailers must report noncompliant products to the CPSC immediately.[13]
2. Performance Requirements
Reese’s Law also includes several “performance requirements” including that consumer products containing button cell or coin batteries must secure the battery inside the battery compartment in such a way that the battery is not exposed or released during reasonably foreseeable use or misuse to minimize the risk of ingestion.[14] For example, a covered product must be able to endure a certain amount of force or tension applied directly to the product, and also be able to withstand drops from certain heights, all without the battery breaking free of the battery compartment.[15] Best compliance practices often include working with a third party testing laboratory to confirm product compliance. Should such testing reveal noncompliance with Reese’s Law for a covered product already in the stream of commerce, it could trigger an obligation under the CPSA to report to the CPSC.[16]
What Does This Mean for My Business?
Complying with Reese’s Law should be top-of-mind for all manufacturers, importers, distributors, and retailers of consumer products containing button cell or coin batteries. Businesses that manufacture, import, distribute, or sell covered products should take immediate action to ensure their products comply with the requirements, including consulting with experienced counsel as appropriate and acting on their duty to report any noncompliant products to the CPSC. Additionally, ensuring compliance will require such businesses to coordinate with their suppliers and incorporate these requirements into their annual compliance reviews or audits to identify and correct any compliance gaps.

[1] Safety Standard for Button Cell or Coin Batteries and Consumer Products Containing Such Batteries, 16 C.F.R. § 1263 (2023).
[2] Reese’s Law, 15 U.S.C. § 2056e.
[3] See Consumer Product Safety Act, 15 U.S.C. § 2052(a)(5), which defines a “consumer product” as “any article, or component part thereof, produced or distributed (i) for sale to a consumer for use in or around a permanent or temporary household or residence, a school, in recreation, or otherwise, or (ii) for the personal use, consumption or enjoyment of a consumer in or around a permanent or temporary household or residence, a school, in recreation, or otherwise” with limited exemptions.
[4] See Notes to Reese’s Law, 15 U.S.C. § 2056e (A product is covered by Reese’s Law if it is “[1] a consumer product [2] containing or designed to use one or more button cell or coin batteries, regardless of whether such batteries are intended to be replaced by the consumer or are included with the product or sold separately.”); see also 16 C.F.R. 1263.2.
[5] See Button Cell and Coin Battery Business Guidance, Consumer Product Safety Commission, https://www.cpsc.gov/Business--Manufacturing/Business-Education/Business-Guidance/Button-Cell-and-Coin-Battery.
[6] See Recalls & Product Safety Warnings, Consumer Product Safety Commission, https://www.cpsc.gov/Recalls.
[7] Consumer Product Safety Act, 15 U.S.C. § 2064(b)(2).
[8] Notes to Reese’s Law, 15 U.S.C. § 2056e; see also 16 C.F.R. 1263.2.
[9] See 16 C.F.R. §§ 1263.3, 1263.4 (2023).
[10] Section 3 of Reese’s Law imposes further requirements on the sale of button cell or coin batteries themselves—specifically that the packaging in which such batteries are sold must comply with the Poison Prevention Packaging Act (PPPA). See Button Cell and Coin Battery Business Guidance, Consumer Product Safety Commission, https://www.cpsc.gov/Business--Manufacturing/Business-Education/Business-Guidance/Button-Cell-and-Coin-Battery; see also 16 C.F.R. 1700.15 (regulation implementing the Poison Prevention Packaging Act).
[11] CPSC Secures Agreement with Apple for Enhanced Warnings to Protect Children from Hazards of Battery Ingestion; Apple Takes Action to Address Labeling Violations on AirTags, Consumer Product Safety Commission, https://www.cpsc.gov/Newsroom/News-Releases/2025/CPSC-Secures-Agreement-with-Apple-for-Enhanced-Warnings-to-Protect-Children-from-Hazards-of-Battery-Ingestion-Apple-Takes-Action-to-Address-Labeling-Violations-on-AirTags.
[12] Id.
[13] Id.
[14] 16 C.F.R. §§ 1263.1(a), 1263.3 (2023).
[15] See id.
[16] Consumer Product Safety Act, 15 U.S.C. § 2064(b)(2).

279 CLASS MEMBERS- $479,000 SETTLEMENT: The Pisa Group to Pay Over $1,600.00 Per Class Member In TCPA Settlement– But This One Is Interesting

Usually I would gripe about a TCPA settlement resulting in a payment of over $1,600.00 a class member. But in this case I kind of get it.
The Pisa Group has been trapped in a TCPA case since 2018.
That’s seven years of litigation in one case.
According to the amended complaint the defendant called Plaintiff repeatedly for marketing purposes without consent and kept calling after stop requests.
Well Pisa Group did not roll over in the case and fought it for years.
But all good things must come to an end *cough* so it elected to settle the claims of 279 people for nearly half a million dollars.
To be clear– they paid way too much for the class they settled. Then again holding plaintiffs counsel to a recovery of just ~$150k in fees for 7 years of work is pretty savage. Those guys have to be in a six figure hole on this. So nicely done!
Still you have to feel for Pisa Group who undoubtedly spent a half million in fees litigating only to pay another half million on top of that. This is not a large company that is out over a million bucks–and seven years of wasted time–on one TCPA case.
This did end up being a remarkable settlement for the class members– they will recover about $800.00 each! Not a bad recovery for someone who didn’t do anything but walk to the mailbox.
Case is Williams v. Pisa Group, 2025 WL 1410665 (E.D. Pa May 12, 2025).
Chat soon.

SHOW CAUSE: Verizon’s Choice to Blow Off TCPA Subpoena May Cost It

Quick one for you this AM.
So a guy named Jason Crews brought a TCPA suit in Arizona.
He issued a subpoena to Verizon back in December to obtain records of allegedly illegal calls made to this number.
According to Crews Verizon received the subpoena and simply refused to respond to it– its employees told him “Verizon would not comply because the subpoena was not a court order.”
Hmmmm.
Crews asked the Court to hold Verizon in contempt for failure to respond to the subpoena and also asked the Court to require Verizon to better train its employees.
Well in Crews v. Bermudez, 2025 WL 1411900 (D. AZ May 15, 2025) the Court granted the Plaintiff’s request in part– it ordered Verizon to show up and explain why it had not responded to the subpoena and why it should not be held in contempt.
Eesh.
On the other hand the Court did refuse to issue an order requiring further training of Verizon employees.
Generally speaking it is not a good idea to fail to respond to a subpoena in TCPA cases– or any case really. Federal judges have tremendous power to make your life miserable!

Part 2: Children and Location: Ferguson’s FTC Privacy Enforcement Priorities

While Andrew Ferguson advocates for a restrained regulatory approach at the FTC, his statements and voting record reveal clear priority areas where businesses can expect continued vigorous enforcement. Two areas stand out in particular: children’s privacy and location data. This is the second post in our series on what to expect from the FTC under Ferguson as chair.
Our previous post examined Ferguson’s broad regulatory philosophy centered on “Staying in Our Lane.” This post focuses specifically on the two areas where Ferguson has shown the strongest commitment to vigorous enforcement, explaining how these areas are exceptions to his generally cautious approach to extending FTC authority.
Prioritizing Children’s Privacy
Ferguson has demonstrated strong support for protecting children’s online privacy. In his January 2025 concurrence on COPPA Rule amendments, he supported the amendments as “the culmination of a bipartisan effort initiated when President Trump was last in office.” However, he also identified specific problems with the final rule, including:

Provisions that might inadvertently lock companies into existing third-party vendors, potentially harming competition;
A new requirement prohibiting indefinite data retention that could have unintended consequences, such as deleting childhood digital records that adults might value; and
Missed opportunities to clarify that the rule doesn’t obstruct the use of children’s personal information solely for age verification.

Ferguson’s enforcement record as commissioner reveals his belief that children’s privacy represents a “settled consensus” area where the commission should exercise its full enforcement authority. In the Cognosphere (Genshin Impact) settlement from January 2025, Ferguson made clear that COPPA violations alone were sufficient to justify his support for the case, writing that “these alleged violations of COPPA are severe enough to justify my voting to file the complaint and settlement even though I dissent from three of the remaining four counts.”
In his statement on the Social Media and Video Streaming Services Report from September 2024, Ferguson argued for empowering parents:
“Congress should empower parents to assert direct control over their children’s online activities and the personal data those activities generate… Parents should have the right to see what their children are sending and receiving on a service, as well as to prohibit their children from using it altogether.”
The FTC’s long history of COPPA enforcement across multiple administrations means businesses should expect continued aggressive action in this area under Ferguson. His statements suggest he sees children’s privacy as uniquely important, perhaps because children cannot meaningfully consent to data collection and because Congress has provided explicit statutory authority through COPPA, aligning with his preference for clear legislative mandates.
Location Data: A Clear Focus Area
Ferguson has shown particular concern about precise location data, which he views as inherently revealing of private details about people’s lives. In his December 2024 concurrence on the Mobilewalla case, he supported holding companies accountable for:
“The sale of precise location data linked to individuals without adequate consent or anonymization,” noting that “this type of data—records of a person’s precise physical locations—is inherently intrusive and revealing of people’s most private affairs.”
The FTC’s actions against location data companies signal that this will remain a priority enforcement area. Although Ferguson concurred in the complaints in the Mobilewalla case, he took a nuanced position. He supported charges related to selling precise location data without sufficient anonymization and without verifying consumer consent. However, he dissented from counts alleging unfair practices in categorizing consumers based on sensitive characteristics, arguing that “the FTC Act imposes consent requirements in certain circumstances. It does not limit how someone who lawfully acquired those data might choose to analyze those data.”
What This Means for Businesses
Companies should pay special attention to these two priority areas in their compliance efforts:
For Children’s Privacy:

Revisit COPPA compliance if your service may attract children
Review age verification mechanisms and parental consent processes
Implement data minimization practices for child users
Consider broader parental control features

For Location Data:

Implement clear consent mechanisms specifically for location tracking
Consider anonymization techniques for location information
Document processes for verifying consumer consent for location data
Be cautious about tying location data to individual identifiers
Implement and document reasonable retention periods for location data

While Ferguson may be more cautious about expanding the FTC’s regulatory reach in new directions, these established priority areas will likely see continued robust enforcement under his leadership. Companies should ensure their practices in these sensitive domains align with existing legal requirements.