Video Game Developer’s Website Privacy Policy Disclosure and Cookie Banner Consent Defeat Wiretap Class Action

Video game developer Ubisoft, Inc. came out on top earlier this month in the Northern District of California when a judge dismissed, with prejudice, a class action claiming that the company’s use of third-party website pixels violated privacy laws. The judge concluded that the “issue of consent defeat[ed] all of Plaintiffs’ claims.” Lakes v. Ubisoft, Inc., No. 24-cv-06943, 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025).
The plaintiffs alleged that Ubisoft collected and disclosed plaintiffs’ personal information and website usage without their consent through website pixels. Ubisoft moved to dismiss, arguing that the plaintiffs’ claims relied on the lack of consent but that plaintiffs had “consented to the use of cookies and pixels . . . at least three times during the purchase process” when plaintiffs (1) “interacted with the Cookies Banner” when visiting the website; (2) created accounts on the website, which required the plaintiffs to “accept Ubisoft’s Terms of Use, Terms of Sale, and Privacy Policy”; and (3) “made purchases,” at which point Ubisoft’s terms and Privacy Policy were displayed again.
The court took judicial notice of Ubisoft’s Privacy Policy, cookie pop-up, and cookie settings and held that the plaintiffs’ consent defeated their claims:

Federal Wiretap Act: The federal Wiretap Act allows for the interception of communications where “one of the parties to the communication has given prior consent to such interception,” and the interception is not “for the purpose of committing any criminal or tortious act.” The court determined that the plaintiffs provided consent and that the crime-tort exception to consent did not apply.
California Invasion of Privacy Act, California Constitution, and Common-Law Invasion of Privacy: The court held that the plaintiffs’ consent was a “defense to all three claims” under CIPA, the California Constitution, and California common law invasion of privacy.
Video Privacy Protection Act: The court determined that Ubisoft’s disclosures in its Privacy Policy, terms, and on its website through banners and pop-ups satisfied each element of the VPPA’s consent provision. 

The plaintiffs requested leave to amend, but the court denied the request, concluding that any amendment would be “futile” because plaintiffs could not “amend their complaint to overcome the issue of consent.”
A key takeaway for companies: revamp your website Privacy Policy disclosures, confirm that your website’s cookie preferences and banner are visible and user-friendly, and clearly articulate to your website users the use of third-party trackers and the data disclosed.

Antitrust & Tech At The 2025 Antitrust Spring Meeting

Technology was a key focus of this year’s ABA Antitrust Spring Meeting, one of the largest gatherings of antitrust professionals in the world. Over a dozen panels focused on cutting-edge technology issues as they pertain to antitrust, consumer protection, and privacy. Below are 5 key technology-related takeaways.
1.  2024 was a busy year for Big Tech cases, and 2025 looks to be on the same path.
One topic of conversation was the Big Tech antitrust cases that had seen developments in 2024 and 2025. For example, Apple filed a motion to dismiss in the U.S. v. Apple case, which is currently pending. In the FTC v. Amazon case, the FTC’s Sherman Act Section 2 and FTC Act Section 5 claims survived Amazon’s motion for dismissal. Panelists opined that there is a trend towards more high-litigation-risk cases from the government.
For tech-related updates coming down the pike, the panelists noted that Judge Mehta is expected to issue the remedies order in the U.S. v. Google search monopolization case, and the U.S. v. Google adsearch trial will begin later this year. Panelists also noted that Chair Ferguson of the FTC has publicly expressed interest in ensuring innovation in “Little Tech.”
2.  Increasing interest in regulating big data across the globe.
Big data was also on the mind as both a driver of innovation and a potential tool of market dominance. Panelists emphasized that data is not inherently valuable—it must be analyzed effectively; stale or contaminated data can impose real costs; and more data isn’t always better since errors can be introduced.
For antitrust specifically, the panel noted big data issues come up in two contexts: 1) anticompetitive conduct like self-preferencing and refusal to deal and 2) as an important input in markets where no data means no competing. Additionally, big data often comes up in the context of barriers to entry, especially for smaller firms, considering how incumbents benefit from network effects and lower marginal costs.  Panelists noted that some businesses are making essential facilities arguments about data.  As such, companies may run into problems if they block access to big data through artificial impediments.
Panelists also touched on increasing scrutiny from regulators around the globe. In the EU, deals like Google/Fitbit have required data separation. The EU’s Digital Markets Act (DMA) and the UK’s Digital Markets, Competition and Consumers Act (DMCC) introduce obligations around data interoperability and access. While these interventions aim to prevent foreclosures and level the playing field, some panelists cautioned that preemptive regulation could stifle innovation. In the U.S., the panelists discussed DOJ’s search monopolization case against Google, noting that one of the proposed remedies is that Google share certain data with competitors for a decade.
3.  Uncertainty about the benefits and harms of algorithmic pricing software.
Algorithmic pricing and machine learning tools continue to gain traction in all sorts of industries. These tools promise efficiency and competitive pricing, but also present potential risks of collusion allegations.  One widely-attended panel moderated by Maureen Ohlhausen, who originally analogized algorithmic pricing software to a guy named “Bob,” focused on these issues.
A central discussion point was the standard that courts are using to analyze algorithm-related price fixing claims. The prevailing view on the panel seemed to be that the rule of reason should apply, with analysis depending on factors like whether the data is public, forward-looking, or shared among competitors. On the flip side, other panelists suggested that use of an algorithmic pricing software could be likened to a hub and spoke conspiracy.  As far as using the algorithms goes, the panel opined that using public data to feed the algorithm is probably safe territory although not an absolute safe harbor.  Some panelists also suggested that courts look at how the software is being used, such as whether the user is blindly accepting the pricing recommendations, how much of the strategy is put up front in the prompts and programming, etc.
The panel also discussed how some jurisdictions are already experimenting with regulation of algorithmic pricing software. For example, Germany has introduced AI-assisted gasoline pricing. Some evidence suggests that, in oligopoly situations, use of the algorithm seemed to lead to higher prices. However, many of the panelists cautioned against imposing blanket remedies before more research is done to understand any potential economic harms that use of algorithmic pricing software may have.
Algorithmic pricing software also came up at the close of the Meeting during the Enforcers Roundtable.  Elizabeth Odette, current chair of the NAAG Multistate Antitrust Task Force, noted that there was interest in regulating algorithmic software at the state and local level. For example, she stated that there were 4 cities in the U.S. that had banned algorithmic price software used in the housing context. However, she also noted that there was a concern with imposing wide bills banning use that ignores benefits to some competitors.
4.  Tech cases are leading the charge in reviving refusal to deal claims.
Refusals to deal remain a hotly contested area in antitrust law, particularly as platforms and data gatekeepers exert growing control over digital ecosystems. One of the Spring Meeting’s panels discussed the potential revival of the doctrine, particularly in technology cases. Due to limitations in the doctrine, the panelists noted that plaintiffs increasingly frame alleged anticompetitive conduct under alternative theories, such as exclusive dealing or foreclosure, to varying degrees of success. Some panelists cautioned that plaintiffs cannot elevate form over economic realities to avoid refusal to deal doctrine.
5.  Document preservation issues related to technology are keeping some attorneys up at night.
As digital communications and technology use diversify, so do the risks of spoliation and other discovery failures. Regulators are increasingly focused on how companies preserve (or fail to preserve) electronic records, especially when tools like Slack, ephemeral messaging, and generative AI complicate compliance. One of the panels, including an attorney from the FTC, focused on these issues.
Recent enforcement actions underscore the stakes. The panel flagged major gaps in recordkeeping in cases like the U.S. v. Google search monopolization case and the failed Kroger/Albertsons merger, where use of personal devices and auto-deletion policies hindered document production. The panel also noted that on April 1, 2025, a DOJ Antitrust Division press release revealed that an individual had pleaded guilty for deleting text messages after receiving a litigation hold notice in connection with an antitrust investigation.
The panel also noted the inevitability of discovery requests for AI-generated content or prompts. One panelist gave the example of potentially relevant evidence being a business person asking AI to generate an email to a competitor without the use of the word “competition” to show the person’s state of mind. Interrogatories may soon probe usage of large language models and related tools, especially in high-stakes investigations.

ANOTHER ARBITRATION LOSS: Lead Buyers Just Can’t Catch a Break As Litigators Deny Visiting Websites

Pretty common theme right now in TCPAWorld.
Lead buyer buys a lead and makes an outbound call. Lead buyer sued by a litigator who claims “wasn’t me.” Lead buyer tries to enforce the arbitration provision–to kill the class action component of the case–and the court refuses to enforce because the Plaintiff denied visiting the website to begin with.
That fact scenario played itself out anew in Gilliam v. Prince Health, 2025 WL 1126545 (M.D. Tenn. Apr. 16, 2025).
There Prince Health bought a lead from JLN CORP d/b/a P1 Solutions who bought it from Techforcemedia LLC d/b/a Top American Insurance pertaining to website topamericaninsurance.com. (None of these companies are R.E.A.C.H. members!) The website contained an arbitration provision in its terms of use.
A visual rendering of the web session was provided to the court by either ActiveProspect or Jornaya, and it showed Plaintiff’s name and information being entered on the form. On that basis Prince Health tried to compel arbitration, arguing plaintiff had accepted the terms and conditions and agreed to arbitrate claims arising out of the lead form submission.
Plaintiff, however, testified at deposition that he had not visited the website and it was not him who had filled out the form.
Just that simply the court denied the motion to compel arbitration. Although the court determined Prince had met its initial burden, the fact that Plaintiff denied visiting the website under oath was enough for the court to deny the arbitration motion and set further proceedings.
The court’s order is unclear in terms of next steps, but under the Federal Arbitration Act a jury or bench trial is needed to determine whether a contract was formed and whether the case may proceed to arbitration. Of course such a proceeding is high stakes: if the plaintiff didn’t fill out the form then not only will he defeat arbitration, he will also defeat any claim of consent!
And if the court finds one person didn’t fill out the form perhaps the court will question the credibility of the lead source and certify a class down the line…
So yeah, high stakes poker.
We’ll keep an eye on this and see where it goes.

The CFPB Shuts Down Controversial “Regulation Through Guidance” Practices

The acting head of the Consumer Financial Protection Bureau (CFPB) continues to winnow out regulatory tools used by agency staff under the prior administration. Just a month after revoking certain interpretative rules and announcing the deprioritized enforcement of others, the CFPB has now reportedly discontinued the Bureau’s longstanding practice of “regulation through guidance.” 
An internal agency memorandum circulated last week by Acting Director Russell Vought apparently did not mince words in criticizing the Bureau’s prior use of “guidance” to effectuate backdoor rulemaking: “For too long this agency has engaged in weaponized practices that treat legal restrictions on its authorities [to engage in rulemaking] as barriers to be overcome rather than laws that we are oath-bound to respect. This weaponization occurs with particular force in the context of the Bureau’s use of sub-regulatory ‘guidance.’” Vought’s concern: “[G]uidance materials [have been used] improper[ly] where they impose rights or obligations on private parties outside of the notice-and-comment process prescribed by the Administrative Procedure Act [APA].” That is, to create new regulatory rules, the APA—5 U.S.C. § 553—requires federal agencies like the CFPB to first publish a Notice of Proposed Rulemaking in the Federal Register and to allow the public an opportunity to comment “through submission of written data, views, or arguments.” The prior CFPB regime’s practice of publishing informal “guidance” to impose de facto rules and obligations on covered parties, without prior notice, did not comply with these statutory requirements. Much of the CFPB’s prior guidance left ambiguous its non-binding nature and whether non-compliance would trigger enforcement action by the CFPB. Vought seeks to remedy that concern.
Importantly, the CFPB directive last week seeks more than just a prohibition of future guidance that “purport[s] to create rights or obligations binding on persons or entities outside the Bureau.” The CFPB is also reportedly committed to “rescind[ing] all ‘guidance’ that has unlawfully regulated private parties in the past.” As the agency’s comprehensive internal review concludes in the coming weeks, the CFPB is expected to ultimately renounce significant existing guidance—from advisory opinions to blog posts—that contravenes the APA and the Bureau’s constitutional authority for regulatory rulemaking.
Vought’s internal messaging at the CFPB notably occurred on the same day last week that the White House published its own “Memorandum for the Heads of Executive Departments and Agencies.” See Directing the Repeal of Unlawful Regulations, Presidential Memoranda (Apr. 9, 2025). In that Memorandum, the administration instructed agency heads to review and repeal all “facially unlawful regulations” within the next 60 days that do not conform with the recent Loper Bright decision and nine other Supreme Court opinions. With the assistance of its agency heads, including at the CFPB, the executive branch thus continues its path forward to deregulate.

The Missing Piece to Your Business’ Litigation Team: Using A National Coordinating Counsel to Manage Your Mass Tort Litigation

Businesses, large and small, can find themselves overwhelmed by litigation quickly, if and when they find themselves in the crosshairs of a developing litigation. For years, the best example of these crosshairs was those focused mainly on asbestos and those entities that either supplied or manufactured with asbestos. However, over recent years we have seen that focus shift to other types of litigation, including cosmetic and pharmaceutical talc, industrial talc, crystalline silica, benzene, PFAS, pharmaceuticals, and many others. With most of these developing litigations, there are plaintiff firms that specialize in investigating entities involved with the products or activities at issue, and then bringing an onslaught of suits against those entities. Once an alleged tie is found between any mass litigation and an entity, the entity can find itself named in almost every suit filed across the nation by national plaintiff firms. This often happens before an entity can truly appreciate the magnitude of the impact of these lawsuits.
Many entities attempt to manage this litigation in-house, not knowing that they have options on how best to manage their entity’s litigation issues. However, many times a better alternative is to hire a National Coordinating Counsel (“NCC”) to assist in managing the litigation for the entity. The NCC’s job is to manage every aspect of an entity’s litigation across jurisdictions relating to a specific topic or topics. The use of an NCC allows for streamlined work, implementation of national litigation strategies, and better and more predictable litigation outcomes.
In particular, there are advantages to hiring an NCC at every level of litigation. Below we will outline the basics of why hiring an NCC can benefit your entity at different levels of litigation. We will be publishing a series of follow-up articles on each specific aspect of litigation mentioned below and how hiring an NCC can assist in bringing more value to your entity as compared to attempting to manage the litigation in-house.

Case Management

The NCC’s main role is to manage your entity’s litigation across jurisdictions. This will include tracking all of the relevant deadlines in your cases, including trial dates, expert discovery deadlines, written discovery deadlines, depositions, and motion practice. The NCC tracks this information in real time by having open lines of communication with local counsel in each jurisdiction and creating reports based on that communication so that the information can be presented in a quick and easily digestible manner to your entity. However, this role goes well beyond just tracking relevant events in cases. The NCC is able to report trends involving different plaintiff firms, experts, product identification, and strategies for defenses. The NCC will use these trends and information from across jurisdictions to help develop and implement defense strategies.
For example, Personal Jurisdiction and Forum Non-Conveniens defenses can be suggested based on not only the facts of a case, but also the knowledge of different jurisdictions’ case-specific laws regarding causation, available defenses, damages, as well as others. The NCC is also able to track litigation in each jurisdiction to determine which jurisdictions are more likely to go to trial, jurisdictions with higher settlement values, and jurisdictions in which plaintiffs are likely to refile cases against your entity as the sole defendant after a successful Personal Jurisdiction or Forum Non-Conveniens motion. The NCC is able to communicate with local counsels to determine all the facts so your entity can be confronted with only issues and possible solutions rather than having to find those solutions yourselves. This case management also branches out to many other aspects of the case, including discovery, corporate representatives, experts, and trials, as mentioned below.

Discovery

Perhaps one of the biggest roles an NCC can play to ease the burden of litigation on an entity is to manage written discovery. When responding to discovery across cases and across jurisdictions, a national strategy is required. This strategy will ensure that responses are uniform across cases and that your entity is not committing discovery fraud. An NCC can draft all discovery responses across jurisdictions to ensure that all objections and responses are phrased the same way nationwide. However, it is also possible to have local counsel draft your responses and to have the NCC review these responses to ensure similar objections and responses.  Either way, the NCC ensures that each inquiry made to your entity is responded to in a uniform way. It avoids contradictions that, when discovered by plaintiff firms, can lead to motion practice and accusations of discovery fraud, which can lead to hefty and punitive penalties.
An NCC ensures that document productions are consistent nationwide to similar requests. When a plaintiff firm is filing cases against your entity in multiple jurisdictions, they are expecting to receive the same documents in response to their requests regardless of the jurisdiction. Without an NCC providing oversight, it is possible that documents can be omitted from disclosure or that documents can be accidentally produced. Either way, this can lead to discovery motions and/or sanctions for discovery fraud. Discovery fraud is a serious risk if your discovery responses and document productions are not managed at a national level, the consequences of which can plague your entity for the rest of its life in the litigation.
Furthermore, an NCC can assist in the drafting and use of confidentiality orders to protect your documents. This needs to be done on a national level, as disclosure in one jurisdiction would require disclosure in all jurisdictions. Tracking your documents and protecting your interests on a national level requires a national strategy that would need to be micromanaged by your entity’s legal department if your entity is not using an NCC.
Beyond written discovery, having an NCC can help ensure that a national strategy is undertaken for gathering discovery in cases. This includes the use of subpoenas for records, the use of private investigators, and the use of other resources. Additionally, having an NCC can assist in gathering discovery across states, as they can link local counsel across jurisdictions for more efficient use of interstate discovery subpoenas or Freedom of Information/Open Public Records Act requests. Overall, they implement a strategy across jurisdictions with the local counsels so that your entity can leave no stone unturned while not having to dedicate resources within your entity to do so.

Corporate Representative Depositions and Trial Testimony

Corporate Representative depositions and trial testimony are another opportunity for an NCC to provide your entity value. First, if your entity is new to the litigation, an NCC can assist in determining the best person or persons to serve as a corporate representative. They can assist in the search by interviewing possible candidates and providing your entity with the pros and cons of each candidate. Once a corporate representative is established, the use of an NCC allows for consistent preparation of your corporate representative for all depositions and trial testimony to ensure that the testimony given on behalf of your entity is consistent. Part of this preparation is the development of a corporate story, for which your corporate representative will be the mouthpiece. This is of the utmost importance, as this will be how your entity is represented to a jury at trial. A compelling corporate story can be the difference between a large plaintiff verdict and a defense verdict.
The preparation of your entity’s corporate story, as well as your corporate representative, can include mock depositions, document reviews, and review of written discovery. This implementation of a consistent strategy across cases and jurisdictions avoids the issues presented when each local counsel is responsible for preparing a corporate representative. This also saves time and resources that would be required if each local counsel had to prepare for each corporate representative deposition by reviewing transcripts and discovery from other jurisdictions. An NCC can constantly be up-to-date without constant review of what has previously happened with a corporate representative. This makes your corporate representative testimony consistent for the witness, the client, and for plaintiff counsel. This leads to positive and predictable outcomes.

Experts

An NCC team allows for efficient management of experts and expert discovery across cases and jurisdictions. An NCC team allows for each expert to have a specific point of contact. This creates a consistent relationship and avoids issues with ensuring the experts are provided with materials and payments consistently. It allows for consistent reports and more involved strategy development across cases. It also allows for a better relationship to develop, which often allows for experts to be more forgiving if issues do arise and reports are needed on an expedited basis. In-house management or management by local counsels of these issues may not result in as favorable outcomes.
Further, as a part of an overall expert strategy, having an NCC allows for a more tactical approach to retaining experts. This includes using multiple experts from the same field across different cases so that your entity is not reliant on one expert in case there are conflicting trial dates, a conflict with a co-defendant, or an issue with retention in any particular case. Further, this allows for more in-depth management of costs. This also allows for experts to better manage their time while your entity’s entire case load is getting the full attention it deserves. This level of management is possible with an NCC because they are able to dedicate the time and their expertise in a way that local counsel and in-house attorneys cannot.
Further, an NCC team allows for consistent expert depositions, Daubert hearings, and trial testimony from your experts. This is similar to corporate representatives, discussed above. The consistent time spent in preparation for depositions and reviewing reports allows for a direct relationship on behalf of your entity with the expert, as well as a consistent strategy that builds and adapts over time. Further, this facilitates inclusion of cutting-edge science and publications within your experts’ opinions, which substantially supplements your entity’s defenses. This is just another way an NCC team adds value to your entity.

Trial Teams

While no entity wants to find itself at trial, the fact of the matter is that every entity named in a lawsuit must prepare as if a trial is inevitable. This ensures that the entity is prepared in the unlikely event that a matter goes to trial. An NCC team is your entity’s insurance policy that a trial team will be prepared under those circumstances. An NCC team helps create consistent work product for both pre-trial filings and trial itself. This stems from having developed a trial strategy that can be used as a basis for every case. Different elements of this strategy would include development of a corporate story, development of defenses such as expert defenses or state-of-the-art defenses, development of cross-examinations of plaintiff’s experts, and more. An NCC team will constantly be developing and perfecting motions in limine, openings and closings, and cross-examinations that will come together to form a trial handbook. This will allow trial counsel to have a step-by-step plan of how your entity should be defended at trial.
Moreover, this NCC work helps lead to a more consistent and predictable defense, which helps manage outcomes. The NCC team manages trial dates across jurisdictions so that an entity can ensure it is prepared for any trial issues that may come up in any of their cases. This also allows for the entity to have better forecasting of what cases will go to trial, which cases will resolve, and what issues may arise at any time. Due to this, an entity can be better prepared for outcomes and can prepare for what can be expected during any particular time period.

Case Resolution

Resolving cases outside of trial is also the job of your NCC. An NCC can more effectively resolve cases than individual local counsel because they can do so on a larger scale. Further, an NCC can devote more resources and time to forming the relationships with plaintiff firms that allow for these resolutions. Your NCC team can create value when negotiating by creating group settlements across jurisdictions, but your NCC can also create value by producing creative solutions when negotiating with plaintiff firms. They can take advantage of early settlement opportunities or could develop different frameworks depending on your entity’s circumstances.
It is easier for your NCC team to develop creative deals as compared to local counsels or in-house counsel because they will be dedicating more time and resources to building a relationship with the different plaintiffs’ firms on behalf of your entity. Further, they will spend more time developing relationships with co-defendants on behalf of your entity. This can help develop your defenses, which will impact the overall outcomes of your cases.
Your NCC team will also be tracking different points of data regarding the outcomes in your cases to allow for better projections for future matters. This includes the past history of cases with each plaintiff firm, past history of cases with each product, past history of cases with product use during different time periods, past history in each jurisdiction, as well as many other data points. All of this combines for more information so that your entity can be better prepared to handle the litigation it faces and can navigate a future given its involvement in the litigation.
Overall, an NCC team is the missing piece to your business’ litigation team. An NCC team manages your litigation, but more importantly, they add value to produce better and more predictable outcomes. For your organization to continue to succeed, it should be proactive regarding the possibility of mass litigation. This includes involving an NCC as soon as possible, as it allows your NCC to provide as much value as possible by preparing as much as they can before the cases start rolling in.

We Get Privacy for Work: Why You Need a Cybersecurity Incident Response Plan Now [Podcast]

Transcript
INTRO
As states increasingly introduce legislative requirements for how companies respond to cybersecurity threats, it is more important now than ever for organizations to have a plan in place to address data breaches if and when they occur.  
On this inaugural episode of We Get Privacy for Work, we guide organizations through the process of creating an incident response plan, including who should be involved and how to effectively notify stakeholders.
Today’s hosts are Damon Silver and Joe Lazzarotti, co-leaders of the firm’s Privacy, Data and Cybersecurity Group and principals, respectively, in the firm’s New York City and Tampa offices.
Damon and Joe, the question on everyone’s mind today is: Why should organizations have a cybersecurity incident response plan, what should be included in the plan, and how does that impact my business?  
CONTENT
Joseph J. Lazzarotti, Principal, Tampa
Welcome to the We get Privacy podcast. I’m Joe Lazzarotti, and I’m joined by my co-host, Damon Silver. Damon and I co-lead the Privacy Data and Cybersecurity Group here at Jackson Lewis. In that role, our colleagues in the group and we receive a variety of questions every day from our clients, all of which boil down to the core question of how do we handle our data safely?  
In other words, how do we leverage all the great things that data can do for our organizations without running headfirst into a wall of legal and other risks? How can we manage that risk without unreasonably hindering our business operations?
Damon W. Silver, Principal, New York City
On each episode of the podcast, Joe and I are going to talk through a common question that we’re getting from our clients. We’re going to talk through it in the same way that we would with our clients, meaning with a focus on the practical. What are the legal risks? What options are available to manage those risks? What should we be mindful of from an execution perspective?  
Joe, our question for today is, what is an incident response plan, and what should it include? To set the table for everyone, do you want to just talk a little bit about what an incident response plan is and what purpose it serves?
Lazzarotti  
That is a great place to start. For a lot of organizations, when we talk about an incident response plan, there are a lot of different incidents that a company may face or crises that they may encounter. I’m here in Florida now, and hurricanes may be incidents that people might have a plan for, but we’re talking specifically about security incidents. Data breaches and things that may impact the organization’s systems and ultimately result in some access or acquisition of personal or confidential company information that may create legal obligations to provide notification in certain cases—whether that be to federal or state governmental entities, individuals who are affected, customers or whatnot. These plans can sometimes become pretty complex, depending on the organization, particularly if you’re in a highly regulated industry, but we’re going to try to talk about it at a high level.
For me, one thing that is pretty critical in the event of an incident is understanding how to communicate with the people who need to carry out that plan. That can be difficult. Bad guys have gotten into the system, and maybe they’re still in or can be monitoring email, or maybe the company’s email is not able to function at the moment. How do you communicate with people? So, having that alternate communication strategy can be pretty important, and having a plan for it is critical.
Silver  
Related to that, we see all the time, especially with clients who haven’t been through one of these incidents previously, that they’re not really sure who the people who should be involved are, both internally and externally. If they haven’t been through this situation before, for example, if someone just happens to be the manager who finds out from an employee about a link they clicked on, a suspicious email they got or about the fact that they lost their company laptop. An important first step is for them to know who they are supposed to go to report this. Then, the person who receives that report needs to know whom they need to assemble. Who are the right people internally to be tasked with managing this?  
There’s sometimes a misconception that it’s just going to be an IT function, and the IT department is going to handle it. Really, in a lot of these instances, the incident has a much broader impact, and IT alone is not going to be in a very good position to respond. You’re going to need people with a legal perspective. You might need people with an HR perspective if employee data is impacted. You might need people from the finance team if accounting data is impacted. You’re definitely going to need somebody or multiple people from leadership who are able to make decisions at the highest level for how the organization is going to respond.  
Then, there’s also your external team. Your legal counsel can, under the cloak of privilege, help you do an investigation of the incident and assess your legal obligations. You might have a cyber insurance carrier or broker whom you want to put on notice quickly. You might have a digital forensics firm that you want to have on standby who understands your systems and can jump in quickly.  
Knowing who those key players are helps make the process much smoother when something like this happens. Depending on the nature of the incident, it could be pretty chaotic in those early days. That’s not the time you want to try and figure out who’s supposed to be involved and, to Joe’s point, try and figure out how those people are going to communicate.
Lazzarotti  
Absolutely, the roles and responsibilities of the individuals are important. One other thing, and this is not specific to the content of the plan per se, but you said something that made me think about it, Damon.  What if you needed to get a copy of the plan and your systems are encrypted? So, where do you keep this plan and the contact information of the individuals who are on it? How do they know that they’re on this plan? So, these other things that come with what should be in an incident response plan. It’s also about socializing with those people, maybe doing a tabletop exercise, and keeping the contact information in a place that can be accessed.  
Certainly, you mentioned your cyber insurance carrier; that’s really a critical piece of helping to respond to these incidents. Not only from the standpoint of providing resources in terms of having the policy pay for certain expenses that are incurred but also having gone through and helped to identify those external parts of the team that Damon referred to that will help in responding to the incident. Suppose you go out for renewal on a new cyber carrier the following year because you feel like you need to make a change, but they have a different set of people on their external team. Does that mean you have to update that in your incident response plan?  
Some of the things that we’re talking about are things that you have to keep up to date. It is not something you just prepare, leave on the shelf and don’t actively use. A lot of this is about preparedness, and these plans can really help improve that position of being prepared, in addition to keeping the system secure. It’s really both of those. That’s what I’m seeing.
Silver
I totally agree, Joe. Honestly, there is value in the plan itself. It is, in many instances, a legal requirement to have the plan. Even more important than the document itself, in most instances, is building that muscle memory and going through the process of thinking through incidents. You do want to be specific about what type of incidents you think you’re most likely to face. You mentioned the example of a hurricane that knocks out your power, or there could be a ransomware attack or a business email compromise. If you have employees that work remotely or travel, you do want to think about those lost laptops, lost phones and other devices. If you have a website that potentially, let’s say, has customer accounts that store sensitive information, there could be some type of misconfiguration of your website. There’s a lot of value in thinking through the scenarios we are most likely to face or that would have the biggest impact if they happened. 
Then, what are the steps we’d want to go through if those specific types of incidents happened? How do we make sure that our team is not trying to fumble around and find this plan, read through it and go step by step? In reality, that’s not how it’s going to play out, particularly if it’s a ransomware attack or some other type of event where you’re trying to respond quickly and things are feeling chaotic. You want people to have practiced this enough that they’re just acting on the plan and remembering at least key components of the plan. They’re likely not going to be in a position to go through it, so first, start reading up and trying to understand what the plan contains when there’s an actual incident. That piece of practicing on a regular basis and having key stakeholders involved in developing the plan is more important than the plan itself at the end of the day in terms of the value it can provide to you when responding to an incident.  
Lazzarotti  
That’s exactly right. Related to that, we are seeing clients who want to have all of the state laws available and exact drafts of notifications. To some degree, that really is a good idea because if you have a sample notice for an individual or a sample website notice, in the event you needed to put something out there, you would be in a better position. If you had some talking points for key people in the organization, some FAQs for a call center if you have a need for that. Those are all good things to have as a starting point.  
However, to Damon’s point, when you’re in the situation, the circumstances are going to dictate things that you just might not have anticipated, or you’re going to need to tailor those sample tools that you’ve made a part of your plan to the actual circumstances. You don’t have to worry so much about everything being perfect because the situation is going to take you in a direction you just may not have anticipated, but at least you’ll have really good starting points that will speed the process along so that the plan can be useful for you when it’s needed. 
Silver
Well said. We’ve laid the groundwork pretty well conceptually for what purpose these plans serve and how, from the standpoint of using them, a lot of the work is done at the front end before you actually have an incident.  
When you’re working on preparing a plan or reviewing an existing draft of a plan, Joe, what are the most important types of things that you’re looking for?
Lazzarotti  
For me, it’s clarity, usability and functionality in the sense that if there’s an incident response plan that is 40 or 50 pages, I’m looking at that saying, that seems like a lot to work through. You always want to be careful, and people may have put a lot of thought into it. What I’d recommend in that case is saying, why don’t we do a high-level summary, a checklist or something that is coupled with that large, well-thought-out plan that can be more action-oriented in a situation.  
The other thing is to make sure that it covers all of the aspects of the business. One of the things that you said at the beginning is that, sometimes, this function gets pushed to the IT department. However, the IT department may focus on an incident response plan more from an IT perspective. How do we deal with the information system that’s down? What gets left out of that is how we communicate about it. How are our clients affected? Do we have contractual obligations and all that other stuff that may be relevant to the overall response? So, I’d want to be sure that the incident response plan really covers the whole organization, which may include HR, other business units or even wholly owned subsidiaries that may be the parent or even maybe a franchisor. It’s not directly their business, but they want to understand, and we have to protect the brand because there could be those kinds of issues. So, really give some thought to whether the plan is really going to help us. Is the plan as broad as we want so that we’re able to act on it in a situation?
Silver
I agree with that. Thinking about the high-level summary or the checklist that you mentioned, I’ve had similar discussions with clients about how to leverage the work that was done to create a really detailed plan. Also, it’s good to have some more accessible, actionable documents to work off of and keep you organized as you’re responding to an incident.  What are some of the key items on that checklist for you?
Lazzarotti  
How do you communicate with folks? Who do you need to reach out to? If you are a professional service firm, you need to notify your clients. Where do you go for that information? How do you assess what obligations you have? A lot of focus is on data breach notification laws, which we’re involved in a lot at the federal and state levels. However, there are increasing contractual obligations. Sometimes, it can be difficult, like where are those contracts or what obligations do we have? Having that available, or at least a path to them that you can easily access, can be helpful. Obviously, your broker and carrier—know how to contact them and how to get to the sample forms that you need. Those are some of the things that I’d like, but there are other things.
I’d be interested, Damon, in knowing how you might augment that list.
Silver  
I agree with all of those. In some ways, it all starts with a triage list of what your objectives are early. You learn that some type of incident has happened; now, what are the first several steps that you need to take? Those are going to be the most pivotal from the standpoint of the incident response plan having value because those are the things you’re going to have to do potentially very quickly and without much opportunity to deliberate or to reach out to your attorney and run it by them. These are things that need to be done quickly, and it is going to vary depending on the organization. It’s also going to vary depending on the type of incident, but sometimes, if we’re dealing with something like ransomware, a big initial question is how do we get our business back up and running? We’re going to want to look at whether we have backups that we can restore from or if those backups were impacted by the incident. If we don’t have the backups, what other options do we have? Is there any type of publicly available decryption tool, and who do we go to try to explore that? That’s one early question, at least for certain types of incidents: How are we going to get our business back up and running?
Another key early question is how do we make sure that we’re going to be able to do the investigation that we want to do with this incident? Because I know both of us and other members of our team have seen many instances where the client’s internal IT or a managed service provider took some steps really early on in the process that resulted in the wiping of logs that otherwise might have been useful in showing that the scope of an incident was narrowed to certain systems or certain files, but those are wiped. So, the client is left in the position where they may have to make assumptions about what could have been impacted, which results in a much broader notification than might otherwise have been the case. Of course, another consideration is whether this incident is over or if it is a live incident. Is there still a continuing ongoing threat to the systems? What needs to be done from a containment perspective? Having those pieces spelled out clearly and in a practical way with actionable steps that people can take are going to be really important so that in those early moments, you don’t have issues that set you back weeks in terms of getting back up and running or set you back indefinitely in terms of losing evidence. All of those can be really valuable to spell out and also, again, looping back to the point of practicing to have people think through plans in connection with specific types of incidents that might come up.
Lazzarotti  
I think we could probably talk forever about writing an incident response plan.  One last question, Damon. Once you do have a plan and are practicing that plan, how often do you think a company should revisit and amend it if needed? How often should you review it and consider updates?  
Silver
It’s a great question. It’s going to vary depending on the client’s circumstances. A really valuable exercise is to have a standing time on the calendar to look at it. If it’s every 6 months or even every 12 months, have that meeting scheduled.  
Then, if something happens, like you experience an incident or you’re integrating some new technology that’s going to process a lot of data, that might be a good reason to either have that meeting sooner than was planned or to have an additional meeting because this really does need to be a living document. It’s not going to serve you very well if it just remains static over time. Putting that time on the calendar ensures that, at minimum, every 6 months or every 12 months, you’re giving it a look to see whether it still makes sense in light of the way that you’re handling data, and you have that opportunity to make corrective actions if that’s necessary.
Lazzarotti  
That sounds great. I definitely hope all of our clients are thinking about this, and if they don’t have an incident response plan and are developing one, this session will give them some thoughts about that. We hope everybody enjoyed listening to our We get Privacy podcast, and thank you, Damon.

To AI or Not to AI? The Use of AI in Employment Decisions

Even just a few years ago, the concept of using artificial intelligence (AI) in everyday life was a novel, if somewhat intimidating, concept. But from Google’s AI overview to Microsoft’s Copilot, many of us use AI daily to help increase efficiency and streamline certain processes. If you are an employer using AI to sort through job applications and resumes, to make decisions based on background check information, or to sort through criteria for promotion or termination decisions, you need to consider the legal ramifications, which increasingly involve federal and state laws.
The State and Local Legal Landscape
Some state legislatures and local governments, in attempting to get ahead of any issues, have started considering or issuing guidance or legislation aimed at preventing employment discrimination resulting from the use of AI tools. For example, New Jersey has issued guidance indicating that the use of AI in employment decisions will be subject to the same antidiscrimination laws as non-AI decisions and that employers will be liable for discrimination caused by AI tools they did not design. Both Colorado and Illinois have passed laws, effective in 2026, prohibiting employers from using AI in a discriminatory manner and requiring certain disclosures when using AI in certain employment decisions. New York City passed a local law, effective July 2023, that regulates the use of AI in employment decisions. Maryland and California have proposed but have not yet passed AI legislation, and even more states are in the early stages of considering laws regulating employer use of AI in employment decisions.
Where Is the Federal Government on This Issue?
It is currently unlikely that federal legislation is forthcoming, although that could change in the years to come. In 2023 and 2024, the Equal Employment Opportunity Commission and the Department of Labor issued guidance on the use of AI in employment decisions. That guidance was rescinded following President Trump’s January 2025 executive order revoking policies and directives acting as “barriers” to “AI innovation.”
Now What?
While this is an evolving area, employers, especially those with remote employees across the United States, must keep up to date on state or local laws on the use of AI in employment decisions. As a general rule, make sure that any AI you are using complies with federal anti-discrimination laws. Other best practices include:

Have a policy on if and how you are going to use AI;
Vet your AI vendors and make sure they have considered the potential adverse impact of their products;
Notify employees or prospective employees that you are using AI in employment decision-making;
Regularly audit AI results to see if protected groups are being disproportionately impacted;
Ensure employees responsible for implementing AI tools have the proper training and are using such tools appropriately; and
Consult with subject matter experts and legal counsel as necessary.


Ethylene Oxide Case Starts Trial In Georgia

Ethylene Oxide (EtO) is an industrial solvent widely used as a sterilizing agent for medical and other equipment that cannot otherwise be sterilized by heat/steam. EtO may also be used as a component for producing other chemicals, including glycol and polyglycol ethers, emulsifiers, detergents, and solvents. Allegations that exposure to EtO increases the risk of certain cancers have led to governmental regulation as well as private tort actions against companies that operate sterilization facilities that utilize EtO. The most recent example of the latter is a trial that started this week in Georgia.
Ethylene Oxide Trial History
The first ethylene oxide case to go to trial was the Kamuda matter, in which an Illinois jury awarded $263 million in September of 2022 against Sterigenics for ethylene oxide exposure from that company’s Willowbrook facility.  A subsequent trial in the same jurisdiction against the same defendant resulted in a defense verdict.  Ultimately, Sterigenics resolved its pending claims involving the Willowbrook plant in the amount of $408 million.   In December of 2024, a Philadelphia Court of Common Pleas jury found the defendant B. Braun Manufacturing Inc. not liable on all counts.  The plaintiff had alleged that her husband developed leukemia as a result of working at the defendant’s sterilization plant in Allentown, Pennsylvania for seven years.  Notably, unlike the Illinois trials, the Philadelphia trial involved an employee at the sterilization facility as opposed to the Illinois plaintiffs who did not work at the Willowbrook plant but resided nearby.
Last month, a Colorado jury rendered a verdict in favor of defendant Terumo BCT Inc. (Isaacks et al. v. Terumo BCT Sterilization Services Inc. et al. in the First Judicial District of Colorado (docket number 2022CV031124)). This was a bellwether trial that lasted six weeks and involved four female plaintiffs. The jury determined that the defendant was not negligent in its handling of emissions from its Lakewood plant. The plaintiffs had sought $217 million in damages for their alleged physical impairment and also $7.5 million for past and future medical expenses as well as punitive damages. In light of the fact that the six-person jury found the defendant Terumo not negligent, it did not need to consider damages or causation. Notably, there remain hundreds more pending claims against Terumo in Colorado. In fact, plaintiffs’ counsel filed almost 25 more cases while the trial was in progress. All of the plaintiffs alleged that they had developed cancer as a result of ethylene oxide emissions from the Terumo facility. One plaintiff alleged breast cancer as a result of 23 years of exposure from the plant, while another alleged breast cancer after almost 35 years of exposure (these two plaintiffs were neighbors). Another plaintiff alleged multiple myeloma while the fourth plaintiff alleged Hodgkin’s lymphoma.
Georgia Trial Starts
Earlier this week, an EtO trial commenced against C.R. Bard in Georgia. At issue is the company’s medical equipment sterilization plant in Covington, Georgia. The plaintiff, who had been a truck driver, alleges that he would make pickups at the plant on a regular basis, and, coupled with the fact that he resided one and a half miles from the plant, was exposed to EtO and developed non-Hodgkin lymphoma. The plaintiff alleges that the company failed to take appropriate steps to protect him and the community from EtO. According to plaintiff’s allegations, the Covington facility emitted 9.8 million pounds of EtO from 1970 to 2017, there were no controls until 1990, and there were multiple instances of unintended EtO releases. Further, there are claims that Union Carbide, which had supplied EtO to the plant, had warned the company. Until 1990 there was nothing at all interfering with the release of the gas outside the plant, he said, claiming to the jury that any controls the plant put in place were done because the company was “forced” to, and that there were numerous “unintended” release incidents over the years. Even Bard’s EtO supplier, Union Carbide, had warned Bard, Daniel said.
For their part, Bard and Becton Dickinson (Bard’s parent company) maintain that the plant has always been a good corporate citizen and that the plaintiff’s cancer was not caused by EtO but rather by a random DNA mutation. Plaintiff counsel told the jury that the Food and Drug Administration has noted the critical role that EtO plays in the country’s healthcare system and that over 50% of medical products are sterilized with EtO.
Analysis
Recently, we’ve seen increased trial activity with respect to EtO trials.  As set out above, there have now been cases taken to verdict in Illinois, Pennsylvania, and Colorado.  And now a case has started trial in Georgia.  There is also EtO litigation activity in California, though those cases are still in the discovery phase.  As noted in previous postings, we expect that plaintiff firms will recruit new clients who allege some type of cancer as a result of residing in the vicinity of an ethylene oxide plant, particularly if the Georgia trial results in a plaintiff verdict.  How long will it be until we see television advertisements run by plaintiff firms seeking new plaintiffs?  We’ve seen this in asbestos, talc, contaminated water, firefighting foam, defective earplugs, and other types of litigation. It is not out of the realm of possibility to think that we will see this with ethylene oxide litigation at some point in the near future.

Ubisoft Defeats Privacy Lawsuit Over Meta Tracking Pixel: These Are the Key Compliance Takeaways You Need to Know

As privacy litigation over tracking pixels continues to surge, a recent decision out of California offers a clear win for companies that implement strong consent mechanisms.
In Lakes v. Ubisoft, Inc., 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025), Plaintiffs Trevor Lakes and Alex Rajjoub filed a class action against Defendant Ubisoft, Inc., a video game company, alleging violations of the Video Privacy Protection Act (VPPA), California’s Invasion of Privacy Act (CIPA), and the Electronic Communications Privacy Act (ECPA).
According to Plaintiffs, their claims arose when they visited Ubisoft’s website (the “Website”) to download games while logged into their respective Facebook accounts. Plaintiffs alleged that Ubisoft installed a Meta/Facebook tracking pixel on the Website, which disclosed their personally identifiable information to Meta. The allegedly disclosed information included the consumers’ unique and unencrypted Facebook ID, a cookie containing an encrypted Facebook ID, and their Video Request Data.
Plaintiffs sought to represent the following classes:

All PII Users on the Website that had their PII, search terms, and detailed webpage information improperly intercepted by and disclosed to Facebook through the use of the Pixel (the “Class”).
All PII Users, who reside and used the Website in California, that had their PII, search terms, and detailed webpage information improperly intercepted by and disclosed to Facebook through the use of the Pixel (the “California Subclass”).

Ubisoft filed a motion to dismiss and requested judicial notice of its Website and the policies publicly available on the Website, including its Privacy Policy, Cookies Settings, and Website Cookies Banner. Ubisoft contended that these were necessary for the Court to have a complete picture of a user’s journey, what the user consents to, and the policies they are provided and agree to. The request for judicial notice was granted for specific portions of the Ubisoft Website.
On the Website’s landing page, a first-time user is presented with a Cookie Banner notifying them that by clicking “OK” and “continuing to navigate on the site” they “accept the use of cookies by Ubisoft and its partners to offer advertising adapted to [their] interests.” If a user clicks on the “set your cookies” hyperlink in the banner, a pop-up appears with more detailed options to change cookie preferences.
To make any purchases on the Website, a user must first create a Ubisoft account and affirmatively accept Ubisoft’s Terms of Use, Terms of Sale, and Privacy Policy, which are all hyperlinked on the Website. Ubisoft’s Privacy Policy informs users that their information will be shared with third parties and outlines how users can withdraw their consent. After agreeing to the Privacy Policy and consenting to the sharing of data during account creation, a user is once again presented with the Privacy Policy every time they make a purchase on the Website.
In light of the above processes, Ubisoft argued that all of Plaintiffs’ claims fail because Plaintiffs were repeatedly informed of, and consented to, the use of cookies and pixels on the Website. The Court agreed, finding that Ubisoft’s disclosures clearly state that it allows partners to use cookies on the Website, that specific analytics and personalization cookies would be used, and that cookie identifiers and other similar data connected to the use of the site could be collected and shared.
In doing so, the Court rejected Plaintiffs’ assertion that a granular disclosure stating that Meta will collect Plaintiffs’ “video game titles combined with unique Facebook identifiers” was required to obtain actual consent. Here, the Privacy Policy explicitly disclosed that Ubisoft uses technologies such as cookies to collect game, login, and browsing data, and that Ubisoft allows its partners to set and access user cookies. This was found to be sufficient, because “a reasonable user would understand from the Privacy Policy that he or she is consenting to the use of cookies including by third parties.”

Therefore, the Court granted Ubisoft’s motion to dismiss the complaint in its entirety, with prejudice. The Court concluded that granting Plaintiffs leave to amend would be futile because they cannot overcome the issue of consent.
The most important takeaway here is the need for businesses to maintain proper consent and disclosure mechanisms – include a cookie disclosure on the website landing page, clearly inform users what data you collect and who you share it with, and allow users to customize non-essential cookies. Although a Pennsylvania court held that a privacy policy contained in a browsewrap agreement gave users constructive notice of a website’s use of tracking software, affirmative consent obtained via a clickwrap agreement worked in Ubisoft’s favor here. Finally, make sure your privacy policy is accurate and up to date.
Ultimately, this ruling underscores how detailed, user-facing consent flows and transparent data-sharing policies remain critical defenses in privacy litigation.

CONSORTIUM OF PRIVACY REGULATORS: Eight States Announce Bipartisan Consumer Privacy Initiative

Eight state regulators have announced a bipartisan initiative to coordinate the implementation and enforcement of their privacy laws. The Consortium of Privacy Regulators includes the California Privacy Protection Agency (“CPPA”) and state Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.
According to an announcement on the CPPA’s website, the Consortium’s goals include facilitating discussions on privacy law and protecting consumer privacy across jurisdictions. The CPPA notes that although each state has its own consumer privacy law, they share certain fundamental features such as rights to access, delete, and stop the sale of personal information, and similar obligations on businesses to protect consumer data.
“We’re proud to collaborate with states across the country to advance consistent, streamlined enforcement of privacy protections to address real-world privacy harms. The Consortium reflects this shared commitment—now and for the future.” – Michael Macko, CPPA’s head of enforcement

The CPPA has been one of the most active state agencies in the privacy arena. While this new initiative certainly signals more enforcement actions on the horizon, an inter-state coordinated effort may lead to some amount of uniformity and predictability amidst a patchwork regulatory framework.
You can read the CPPA’s announcement here: State Regulators Form Bipartisan Consortium to Collaborate on Privacy Issues

March 2025 Bounty Hunter Plaintiff Claims

California’s Proposition 65 (“Prop. 65”), the Safe Drinking Water and Toxic Enforcement Act of 1986, requires, among other things, sellers of products to provide a “clear and reasonable warning” if use of the product results in a knowing and intentional exposure to one of more than 900 different chemicals “known to the State of California” to cause cancer or reproductive toxicity, which are included on The Proposition 65 List. For additional background information, see the Special Focus article, California’s Proposition 65: A Regulatory Conundrum.
Because Prop. 65 permits enforcement of the law by private individuals (the so-called bounty hunter provision), this section of the statute has long been a source of significant claims and litigation in California. It has also gone a long way in helping to create a plaintiff’s bar that specializes in such lawsuits. This is because the statute allows recovery of attorney’s fees, in addition to the imposition of civil penalties as high as $2,500 per day per violation. Thus, the costs of litigation and settlement can be substantial.
In March of 2025, product manufacturers, distributors, and retailers were the targets of 283 new Notices of Violation (“Notices”), as well as 75 amended Notices, alleging a violation of Prop. 65 for failure to provide a warning for their products. This was based on the alleged presence of the following chemicals in these products. Noteworthy trends and categories from new Notices sent in March 2025 are excerpted and discussed below. A complete list of all new and amended Notices sent in March 2025 can be found on the California Attorney General’s website, located here: 60-Day Notice Search.

Food and Drug

 
 

| Product Category | Notice(s) | Alleged Chemicals |
| --- | --- | --- |
| Assorted Prepared Food and Snacks: Notices include sunflower seeds, granola, instant soup, chips, crackers, and energy bars | 50 Notices | Cadmium, Lead and Lead Compounds, Mercury and Mercury Compounds |
| Dietary Supplements: Notices include pea protein powder, protein shake blends, dietary fiber supplements, and cinnamon supplements | 33 Notices | Cadmium, Mercury and Mercury Compounds, Lead and Lead Compounds, Bisphenol A, Perfluorooctanoic Acid (PFOA), and Perfluorooctane Sulfonate (PFOS) |
| Fruits and Vegetables: Notices include pickled ginger, kale chips, and dried mango slices | 12 Notices | Lead and Lead Compounds |
| Seafood: Notices include shrimp, crab cakes, mussels, and anchovies | 9 Notices | Cadmium and Lead and Lead Compounds |
| Assorted Prepared Food and Snacks: Notices include coconut water, black beans, and plant-based chicken | 5 Notices | Bisphenol A (BPA) |
| Cannabinoid Products: Notices include gummies and coffee | 5 Notices | Delta-9-tetrahydrocannabinol |
| Seafood: Notices include anchovies, smoked clams, and sardines | 5 Notices | Perfluorononanoic acid (PFNA) and its salts, Perfluorooctanoic Acid (PFOA), and Perfluorooctane Sulfonate (PFOS) |
| Noodles, Pasta, and Grains: Notices include penne and gluten-free fusilli | 4 Notices | Lead and Cadmium |
| Spices and Sauces: Notices include mole, curry, and vegan Bolognese | 4 Notices | Lead and Lead Compound |
| Fruits and Vegetables: Notices include mushrooms and pineapple slices | 2 Notices | Bisphenol A (BPA) |
| Seafood: Notices include chunk light tuna | 1 Notice | Bisphenol A |

Cosmetics and Personal Care

 
 

| Product Category | Notice(s) | Alleged Chemicals |
| --- | --- | --- |
| Personal Care Items: Notices include shower caps and body tape | 6 Notices | Perfluorooctanoic Acid (PFOA) |
| Personal Care Products: Notices include lotion, hair oil, and shave gel | 6 Notices | Diethanolamine |
| Personal Care Products: Notices include hair growth jelly | 1 Notice | Lead |

Consumer Products

 
 

| Product Category | Notice(s) | Alleged Chemicals |
| --- | --- | --- |
| Glassware and Ceramics: Notices include serving dishes, mugs, bowls, and vases | 34 Notices | Lead |
| Plastic Pouches, Bags, and Accessories: Notices include clutches, toy baskets, travel cases, and cross-body bags | 33 Notices | Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), and Di-n-butyl phthalate (DBP) |
| Clothing: Notices include jackets, hoodies, shoes, and shorts | 15 Notices | Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), and Di-n-butyl phthalate (DBP) |
| Housewares: Notices include umbrellas, shower curtain liners, and washcloths | 15 Notices | Perfluorooctane Sulfonate (PFOS) and Perfluorooctanoic Acid (PFOA) |
| Housewares: Notices include tablecloths, corkscrews, and rope lights | 11 Notices | Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP) and Di-n-butyl phthalate (DBP) |
| Tools: Notices include first aid kits, clamps, valves, safety vests, and natural gas conversion kits | 11 Notices | Di(2-ethylhexyl)phthalate (DEHP), Diisononyl phthalate (DINP), and Lead |
| Gloves | 4 Notices | Chromium (hexavalent compounds) |
| Housewares: Notices include lunch bags, generator covers, and athletic tape | 4 Notices | Perfluorooctanoic Acid (PFOA) |
| Moth Balls | 4 Notices | Naphthalene and p-Dichlorobenzene |
| Housewares: Notices include canes, brass bells, and air fresheners | 3 Notices | Lead |
| Jackets | 3 Notices | Perfluorooctanoic Acid (PFOA) |
| Sports Equipment: Notices include jump ropes and hockey sticks | 2 Notices | Di(2-ethylhexyl)phthalate (DEHP) |
| Furniture Wax | 1 Notice | Toluene |

There are numerous defenses to Prop. 65 claims and proactive measures that industry can take prior to receiving a Prop. 65 Notice in the first place. Keller and Heckman attorneys have extensive experience in defense of Prop. 65 claims and in all aspects of Prop. 65 compliance and risk management. We provide tailored Prop. 65 services to a wide range of industries, including food and beverage, cosmetics and personal care, consumer products, chemical products, e-vapor and tobacco products, household products, plastics and rubber, and retail distribution.

Illinois Amends ‘One Day Rest In Seven Act’ to Prohibit Employer Retaliation

Takeaways

The state’s “One Day Rest In Seven Act” now includes anti-retaliation provisions and an enforcement mechanism.
Employers should review their policies and practices and ensure they are compliant with the new law.

Related link

Illinois General Assembly – Full Text of Public Act 103-1082

Article
Recent amendments to the Illinois One Day Rest In Seven Act (ODRISA) prohibit employers from retaliating against employees and create an enforcement mechanism. The amendments went into effect March 21, 2025.
ODRISA requires employers to provide employees with at least 24 hours of rest in every “consecutive seven-day period.” It also requires meal periods of at least 20 minutes every 7.5 hours worked (and an additional 20-minute meal period for employees who work shifts of 12 hours or longer). Employers must also provide employees with reasonable restroom breaks.
Under the recent amendments, retaliation is prohibited against employees who have:

Exercised their rights under ODRISA;
Made ODRISA complaints to their employer or the Illinois Department of Labor (IDOL);
Instituted or are about to institute a proceeding under ODRISA; or
Testified or are about to testify in any investigation or proceeding under the Act.

820 ILCS 140/5.5.
An employee who believes their employer has violated ODRISA’s anti-retaliation provisions may file a claim with the IDOL and recover “all legal and equitable relief as may be appropriate.” 820 ILCS 140/7(b)(4).
The amendments also create an enforcement mechanism. The IDOL (represented by the Illinois attorney general) could assess penalties and fees and, ultimately, seek to enforce such penalties and fees by bringing a civil action “in any circuit court or in any administrative adjudicative proceeding under [the] Act.” 820 ILCS 140/7(d).
Employers should review their policies and practices and ensure they are compliant with the new ODRISA provisions.