Video game developer Ubisoft, Inc. came out on top earlier this month in the Northern District of California when a judge dismissed, with prejudice, a class action claiming that the company’s use of third-party website pixels violated privacy laws. The judge concluded that the “issue of consent defeat[ed] all of Plaintiffs’ claims.” Lakes v. Ubisoft, Inc., No. 24-cv-06943, 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025).

The plaintiffs alleged that Ubisoft collected and disclosed their personal information and website usage through website pixels without their consent. Ubisoft moved to dismiss on the ground that every claim depended on a lack of consent, while the plaintiffs had in fact “consented to the use of cookies and pixels . . . at least three times during the purchase process”: (1) when they “interacted with the Cookies Banner” on visiting the website; (2) when they created accounts, which required them to “accept Ubisoft’s Terms of Use, Terms of Sale, and Privacy Policy”; and (3) when they “made purchases,” at which point Ubisoft’s terms and Privacy Policy were displayed again.

The court took judicial notice of Ubisoft’s Privacy Policy, cookie pop-up, and cookie settings and held that the plaintiffs’ consent defeated their claims:

  • Federal Wiretap Act: The federal Wiretap Act allows for the interception of communications where “one of the parties to the communication has given prior consent to such interception,” and the interception is not “for the purpose of committing any criminal or tortious act.” The court determined that the plaintiffs provided consent and that the crime-tort exception to consent did not apply.
  • California Invasion of Privacy Act, California Constitution, and Common-Law Invasion of Privacy: The court held that the plaintiffs’ consent was a “defense to all three claims” under CIPA, the California Constitution, and California common law invasion of privacy.
  • Video Privacy Protection Act: The court determined that Ubisoft’s disclosures in its Privacy Policy, terms, and on its website through banners and pop-ups satisfied each element of the VPPA’s consent provision. 

The plaintiffs sought a request for leave to amend, but the court denied the request, concluding that any amendment would be “futile” because plaintiffs could not “amend their complaint to overcome the issue of consent.” 

The takeaways for companies: revisit your website Privacy Policy disclosures, confirm that the cookie banner and cookie preference controls are visible and usable, and state clearly which third-party trackers the site uses and what data is disclosed to them.

In a big win for businesses, a California federal court just held that a “tester” plaintiff—someone who visits websites to initiate litigation—cannot bring a claim under the California Invasion of Privacy Act (CIPA). Rodriguez v. Autotrader.com, Inc., No. 2:24-cv-08735, 2025 WL 65409 (C.D. Cal. Jan. 8, 2025). Tester plaintiffs have started to focus on consumer protection statutes in the hope of broadening CIPA’s application to internet communications, which would hand them a treasure trove of potential targets. The Rodriguez decision gives businesses facing tester-plaintiff suits a defense, and it bolsters a separate one: setting privacy expectations with consumers.

I previously wrote about CIPA claims and the uptick in litigation claiming wiretap violations based on a website’s use of trackers.

Here, the plaintiff alleged violations of CIPA by Autotrader.com for its:

  • Operation of a pen register on its website using tracking technology that could collect a user’s IP address
  • Disclosure of website search terms to third parties (akin to illegal wiretapping)

The court dismissed these claims, stating that a tester plaintiff who “actively seeks out privacy violations” does not expect privacy. Because a tester plaintiff in a CIPA case visits the website and intentionally enters information into the website expecting their information to be “accessed, recorded, and disclosed,” the individual cannot claim an injury. The tester essentially expects the injury to occur.

What should your business do as a result of this decision? Be prepared and consider:

  • Review your website and its Privacy Policy and Terms of Use.
    • Evaluate the tracking tools the site uses (pixels, web beacons, cookies, and so on) and whether each is still necessary or valuable. Businesses often find that cookies and pixels are left over from past initiatives, or were installed but never used.
    • Consider running a scanning tool and reviewing the results to learn which tracking technologies the site actually loads.
  • Determine what third parties do with the data collected through your website tracking tools.
  • Include appropriate disclosures in your Privacy Policy and cookie banner/preferences (to whom the data is disclosed, how it is used, and a hyperlink to the Privacy Policy from the cookie banner).
    • For example, if data is disclosed to third parties for targeted advertising, the cookie banner should say so, rather than stating only that the site uses cookies to improve the user experience.
  • Provide an opt-out option (with symmetry of choice, so that declining tracking is as easy as accepting it).
  • Opt-in consent is not required by the applicable consumer privacy laws (such as the California Consumer Privacy Act as amended by the California Privacy Rights Act), but letting users make an informed choice about website tracking could head off CIPA claims against your business.
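The inventory step above is easier to act on with a concrete starting point. The following is an added example, not code from the post or from any scanning vendor: it takes a page's HTML, lists every script, image, iframe and stylesheet it loads, separates first-party from third-party hosts, and flags 1x1 images as likely tracking pixels. The first-party domain, the sample HTML and the resulting host list are all constructed for the example.

```javascript
// Added example (not from the post): a first-pass inventory of the tracking
// resources a page's HTML loads, split into first-party and third-party hosts.
// Regex-based so it runs in Node without a DOM. A real audit must also capture
// resources injected at runtime, since tag managers load further tags.

// Assumption: your site's registrable domain; its subdomains count as first-party.
const FIRST_PARTY = "shop.example";

// Constructed sample HTML, not copied from any real site.
const SAMPLE_HTML = `
<html><head>
<script src="https://shop.example/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<img src="https://www.facebook.com/tr?id=123&ev=PageView&noscript=1" height="1" width="1">
<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXX"></iframe>
<img src="/img/logo.png" alt="logo">
</body></html>`;

// Match each tag that can pull in a remote resource, then its src/href value.
const TAG_RE = /<(script|img|iframe|link)\b([^>]*)>/gi;
const URL_RE = /\b(?:src|href)\s*=\s*["']([^"']+)["']/i;

function isFirstParty(hostname) {
  return hostname === FIRST_PARTY || hostname.endsWith("." + FIRST_PARTY);
}

// A 1x1 image is the classic tracking-pixel signature.
function isPixel(attrs) {
  const one = (name) => new RegExp(`\\b${name}\\s*=\\s*["']?1["']?(?!\\d)`, "i").test(attrs);
  return one("width") && one("height");
}

function collectResources(html) {
  const out = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const u = attrs.match(URL_RE);
    if (!u) continue;
    let url;
    try {
      url = new URL(u[1], `https://${FIRST_PARTY}/`); // resolves relative paths
    } catch {
      continue; // values that do not parse as URLs are skipped
    }
    if (url.protocol !== "https:" && url.protocol !== "http:") continue;
    out.push({
      tag,
      host: url.hostname,
      url: url.href,
      firstParty: isFirstParty(url.hostname),
      pixel: tag === "img" && isPixel(attrs),
    });
  }
  return out;
}

// Group third-party resources by host: each host is a vendor to check against
// the privacy policy and the cookie banner wording.
function thirdPartyHosts(html) {
  const byHost = new Map();
  for (const r of collectResources(html)) {
    if (r.firstParty) continue;
    const e = byHost.get(r.host) || { tags: new Set(), pixels: 0, urls: [] };
    e.tags.add(r.tag);
    if (r.pixel) e.pixels += 1;
    e.urls.push(r.url);
    byHost.set(r.host, e);
  }
  return byHost;
}

function printInventory(html) {
  for (const [host, e] of thirdPartyHosts(html)) {
    console.log(`${host}: tags=${[...e.tags].join(",")} pixels=${e.pixels}`);
    for (const u of e.urls) console.log(`  ${u}`);
  }
}

printInventory(SAMPLE_HTML);
```

Run it against a saved copy of your page's HTML and compare the host list with what the cookie banner and Privacy Policy actually disclose; any host on the list that the disclosures do not mention is the gap the cases above turn on. Because this looks only at static HTML, pair it with a browser-based scan to catch tags that a tag manager injects after load.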

SentinelOne researchers have identified AkiraBot, a spam framework that targets small- and medium-sized business websites and uses generative AI to draft the outreach messages it posts through website chat widgets, comment sections, and contact forms. SentinelOne estimates that more than 400,000 websites have been targeted and that the bot has successfully spammed “at least 80,000 websites since September 2024.”

The bot generated a custom outreach message for each target with OpenAI’s large language models (LLMs), tailored to the purpose of the target website, and worked around spam filters and CAPTCHA challenges to post it. OpenAI has since disabled the API key and other assets used in the campaign.

The SentinelOne researchers posited that “AkiraBot’s use of LLM-generated spam message content demonstrates the emerging challenges that AI poses to defending websites against spam attacks.”

As threat actors fold generative AI into their tooling to evade detection, protecting websites from spam, and filtering spam out of email, will only get harder.

I have been getting a lot of texts that are clearly scams, and those around me have confirmed an increase in spammy texts.

According to an FTC Consumer Protection Data Spotlight, consumers reported losing more than $470 million in 2024 to scams that started with a text message. The five most common text scams accounted for about half of that total:

  1. Fake package delivery problems;
  2. Phony job opportunities;
  3. Fake fraud alerts;
  4. Bogus notices about unpaid tolls; and
  5. “Wrong number” texts that aren’t.

According to the FTC, actionable ways to help stop text scams include:

  • Forwarding messages to 7726 (SPAM). This helps your wireless provider spot and block similar messages.
  • Reporting it through the Messages app on iPhone or the Google Messages app on Android.
  • Reporting it to the FTC at ReportFraud.ftc.gov.

How can you avoid text scams?

Never click on links or respond to unexpected texts. If you think it might be legit, contact the company using a phone number or website you know is legitimate. Don’t use the information in the text message. Filter unwanted texts before they reach you.

Remember that texts are just like emails: they are used for smishing the way emails are used for phishing. Treat them the same, with a healthy dose of caution and vigilance, to avoid being victimized.

WhatsApp users on Windows should update the application to address CVE-2025-30401, which Meta patched in WhatsApp for Windows version 2.2450.6; earlier versions are affected.

Meta cautions Windows users to update to the latest version because of the vulnerability, which it calls a “spoofing” issue: the Windows client displayed attachments according to their MIME type but chose the program used to open them based on the filename extension. An attacker exploits it by sending a crafted file whose declared type does not match its extension, which can “cause the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp.”

If you haven’t updated your WhatsApp application, now’s the time.
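The failure mode in this advisory, one attribute of a file driving how it is displayed and a different attribute driving how it is opened, is easy to reproduce in any client that handles attachments. The following is an added example, not WhatsApp’s code or Meta’s fix: it compares the filename extension, the declared MIME type and the actual content (by magic bytes) and refuses to open the attachment when they disagree or when any of them indicates executable code. The type table, the executable-extension list and the sample attachments are the example’s own.

```javascript
// Added example (not WhatsApp's code): decide how to open an attachment when the
// filename extension, the declared MIME type and the actual content disagree.
// The bug class is display driven by one attribute while the opening handler is
// chosen by another. Tables, names and sample files are this example's own.

// Content type each extension implies. Assumption: a small illustrative table.
const EXT_TO_MIME = {
  jpg: "image/jpeg", jpeg: "image/jpeg", png: "image/png", gif: "image/gif",
  pdf: "application/pdf", txt: "text/plain",
};

// Extensions the Windows shell hands to a code-executing handler (illustrative).
const EXECUTABLE_EXTS = new Set([
  "exe", "bat", "cmd", "com", "scr", "pif", "js", "jse", "vbs", "vbe",
  "wsf", "wsh", "ps1", "msi", "hta", "lnk",
]);

const PE_MIME = "application/x-msdownload";

function extensionOf(filename) {
  const base = filename.split(/[\\/]/).pop(); // drop any path component
  const dot = base.lastIndexOf(".");
  return dot <= 0 ? "" : base.slice(dot + 1).toLowerCase();
}

function normalizeMime(mimeType) {
  return (mimeType || "").split(";")[0].trim().toLowerCase() || null;
}

// Content sniffing by magic bytes for the handful of types this example knows.
function sniffContentType(bytes) {
  const starts = (...sig) => sig.every((v, i) => bytes[i] === v);
  if (bytes.length >= 2 && starts(0x4d, 0x5a)) return PE_MIME;                    // "MZ"
  if (bytes.length >= 3 && starts(0xff, 0xd8, 0xff)) return "image/jpeg";
  if (bytes.length >= 4 && starts(0x89, 0x50, 0x4e, 0x47)) return "image/png";
  if (bytes.length >= 4 && starts(0x25, 0x50, 0x44, 0x46)) return "application/pdf"; // "%PDF"
  if (bytes.length >= 4 && starts(0x47, 0x49, 0x46, 0x38)) return "image/gif";      // "GIF8"
  return null;
}

function classifyAttachment({ filename, mimeType, bytes }) {
  const ext = extensionOf(filename);
  const declared = normalizeMime(mimeType);
  const sniffed = sniffContentType(bytes);
  const byExt = EXT_TO_MIME[ext] || null;
  const reasons = [];
  if (EXECUTABLE_EXTS.has(ext)) reasons.push(`.${ext} maps to a code-executing handler`);
  if (sniffed === PE_MIME) reasons.push("content starts with an MZ (PE executable) header");
  if (sniffed && declared && sniffed !== declared) reasons.push(`declared ${declared}, content looks like ${sniffed}`);
  if (sniffed && byExt && sniffed !== byExt) reasons.push(`.${ext} implies ${byExt}, content looks like ${sniffed}`);
  if (declared && byExt && declared !== byExt) reasons.push(`.${ext} implies ${byExt}, declared ${declared}`);
  const action = reasons.length ? "block" : "open";
  return {
    ext, declared, sniffed, action, reasons,
    // Handler is chosen from the verified content type, never from the extension.
    handler: action === "open" ? sniffed || declared : null,
  };
}

// Constructed sample attachments (only the leading bytes matter to the sniffer).
const enc = (s) => new TextEncoder().encode(s);
const SAMPLES = {
  goodPdf: { filename: "invoice.pdf", mimeType: "application/pdf", bytes: enc("%PDF-1.7\n...") },
  goodJpeg: { filename: "cat.jpg", mimeType: "image/jpeg", bytes: Uint8Array.from([0xff, 0xd8, 0xff, 0xe0]) },
  // Shown as an image by its MIME type, but opened by its .exe extension.
  spoofedExe: { filename: "photo.exe", mimeType: "image/jpeg", bytes: Uint8Array.from([0x4d, 0x5a, 0x90, 0x00]) },
  // Executable renamed to .png with a matching declared type; only sniffing catches it.
  renamedPe: { filename: "holiday.png", mimeType: "image/png", bytes: Uint8Array.from([0x4d, 0x5a, 0x90, 0x00]) },
};

for (const [name, att] of Object.entries(SAMPLES)) {
  const r = classifyAttachment(att);
  console.log(`${name}: ${r.action}${r.handler ? " with " + r.handler : ""} ${r.reasons.join("; ")}`);
}
```

The point of checking three sources rather than two is that extension and declared MIME type are both sender-controlled; the bytes are the only attribute the client can verify itself, so the handler is picked from the sniffed type and a conflict with either sender-supplied attribute blocks the open.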

On March 31, 2025, President Trump signed an executive order (EO 14254) titled “Combating Unfair Practices in the Live Entertainment Market.” EO 14254 directs the Federal Trade Commission (FTC) to, amongst other provisions, rigorously enforce the Better Online Ticket Sales Act (BOTS Act or the Act) and address unfair ticket scalping practices.

Overview of the BOTS Act

Enacted in 2016, the BOTS Act aims to prevent ticket brokers from buying large numbers of event tickets and reselling them at inflated prices. The Act applies to tickets for public concerts, theater performances, sporting events, and similar activities at venues that seat over 200 and prohibits an entity from circumventing access controls or security measures used by online ticket sellers (such as Ticketmaster) to enforce ticket-purchasing limits. It also prevents the resale of tickets obtained by knowingly circumventing access controls. Violations of the Act are considered violations of Section 5 of the FTC Act, which prohibits unfair or deceptive practices. Violators are subject to fines of up to $53,088 per violation.

Under the Act, the circumvention of access controls or security measures is construed broadly and applies to automated ticket bots and certain human actions. A ticket bot is a software program designed to rapidly purchase large quantities of tickets the moment they become available. Scalper bots specifically automate tasks like filling out forms, refreshing web pages, and completing the checkout process. Since scalper bots can complete the checkout process much faster than human users, they can buy thousands of limited-edition tickets as soon as they go on sale. Scalped tickets are then resold for higher profit because they are no longer available from the original ticket seller – this practice is known as ticket scalping.

Sellers often cap the number of tickets each buyer can purchase. Bots bypass the cap by buying rapidly across multiple accounts, fake online profiles, and IP addresses, by defeating CAPTCHA and other security measures, or by driving many browser sessions at once to buy large volumes of tickets. These tactics may run afoul of the BOTS Act if the seller has access controls or security measures in place to prevent such activity. The Act is not limited to bot activity, though: a person who buys tickets by creating multiple accounts or by using proxies and VPNs to disguise their IP address may also be circumventing a seller’s security measures, and may also violate the Act.

Enforcement Action Under the BOTS Act

In January 2021, the FTC filed complaints against three ticket brokers for allegedly using bots to buy tens of thousands of event tickets and then resell them at inflated prices. The FTC alleged that the defendants violated the Act in multiple ways, including using bots to search for and automatically reserve tickets, using software to conceal their IP addresses, and using bots to bypass CAPTCHA security measures. The complaint also alleged that the defendants had created hundreds of Ticketmaster accounts in the names of friends, family, and fictitious individuals and used hundreds of credit cards to bypass ticket limits. In total, the brokers were subject to a judgment of over $31 million, but due to their inability to pay, they were ultimately liable for $3.7 million in civil penalties.

The BOTS Act also empowers state attorneys general to enforce the Act if they determine that their states’ residents have been threatened or adversely affected by violations. State enforcement has been sparse to date, and senators from both political parties have introduced bills to strengthen enforcement. States have acted as well: in May 2024, Arizona Governor Katie Hobbs signed a state law, often referred to as the “Taylor Swift bill,” that authorizes the state’s attorney general to investigate unlawful uses of bots to purchase multiple event tickets or to circumvent waiting periods and presale codes.

Looking Forward

The executive order instructs the FTC to “rigorously enforce” the BOTS Act and to provide state attorneys general and consumer protection officers with information and evidence to further this directive. The EO also directs the FTC to take additional actions, such as proposing regulations and enforcing against unfair methods of competition and unfair or deceptive acts and practices.

EO 14254 follows on the heels of a December 2024 FTC Rule – the Junk Fees Rule – banning junk ticket and hotel fees, which goes into effect on May 10, 2025. Under the Junk Fees Rule, businesses must clearly and conspicuously disclose the total price, including all mandatory fees, whenever they offer, display, or advertise any price of live-event tickets or short-term lodging. According to the FTC, the Junk Fees Rule enables the agency to “rigorously pursue” bait-and-switch pricing tactics, such as drip pricing and misleading fees.

On April 8, 2025, following the release of EO 14254, Representatives Diana Harshbarger (R-TN) and Troy Carter (D-LA) introduced a House bill titled the “Mitigating Automated Internet Networks for [MAIN] Event Ticketing Act,” a companion to the bill introduced in the Senate by Marsha Blackburn (R-TN) and Ben Ray Luján (D-NM). The bill would require online ticket sellers to report successful bot attacks to the FTC. It would also create a complaint database for consumers to share their experiences with the FTC, which would in turn be required to share the information with state attorneys general. According to Congresswoman Harshbarger’s press release, the legislation aims to build on the BOTS Act and codify EO 14254. There is strong bipartisan support for live-event industry regulation. In light of EO 14254, the FTC’s Junk Fees Rule, and the introduction of the MAIN Event Ticketing Act, it is safe to say that both state and federal authorities are focused on regulating the live entertainment industry, particularly ticket sales. BOTS Act enforcement may increase in the coming years, and ticket scalpers should beware.

Yahoo’s ConnectID is a cookieless identity solution that allows advertisers and publishers to personalize, measure, and run ad campaigns by leveraging first-party data and 1-to-1 consumer relationships. ConnectID uses consumer email addresses (instead of third-party tracking cookies) to produce and monetize consumer data. A lawsuit filed in the U.S. District Court for the Southern District of New York alleges that this use and monetization occurs without consumer consent. The complaint alleges that ConnectID enables user-level tracking across websites keyed on the individual’s email address, i.e., that ConnectID tracks users by email address without consent. It further alleges that this tracking allows Yahoo to build consumer profiles with its “existing analytics, advertising, and AI products” and to collect information even about users who do not subscribe to any Yahoo product.

The complaint states, “Yahoo openly tells publishers that they need not concern themselves with obtaining user consent because it already provides ‘multiple mechanisms’ for users to manage their privacy choices. This is misleading at best.” Further, the complaint alleges that Yahoo’s Privacy Policy “makes no mention of sharing directly identifiable email addresses and, in fact, represents that email addresses will not be shared.”

The named plaintiff seeks to certify a nationwide class of all individuals with a ConnectID whose web communications have been intercepted by Yahoo, a class the plaintiff asserts will be “well over a million individuals.” The complaint seeks relief under New York’s unfair and deceptive business practices law, the California Invasion of Privacy Act, and the California Comprehensive Computer Data Access and Fraud Act.

These “wiretap” lawsuits are popping up all across the country. They allege violations of state and federal wiretap statutes, typically focusing on website technologies like session replay, chatbots, and pixel tracking (and here, tracking by email address), and argue that these trackers allow unauthorized interception of communications. For more on these predatory lawsuits, see our recent blog post on the topic.

The lawsuit seeks statutory, actual, compensatory, punitive, nominal, and other damages, as well as restitution, disgorgement, injunctive relief, and attorneys’ fees. Now is the time to assess your website and the tracking technologies it uses to avoid these types of claims.

This week, the California Privacy Protection Agency (CPPA) board held its April meeting to discuss the latest set of proposed regulations, including automated decision-making technology (ADMT) regulations. Instead of finalizing these rules, the board continued its debate and considered further amendments to the draft regulations. Notably, some members proposed changing the definition of ADMT and removing behavioral advertising from ADMT and risk assessment requirements. The board also directed the CPPA to remove a selection of categories in scope for provisions covering significant decisions. The board conditionally approved these changes, but the final (we think) vote will occur at the next meeting.

These continued discussions likely mean that the final rules related to ADMT, risk assessments, and cybersecurity audits are still a long way away. The CPPA raised six topics that they want additional feedback on before presenting the final set of amendments next month:

  1. The definition of “ADMT”;
  2. The definition of “significant decision”;
  3. The “behavioral advertising” threshold;
  4. The “work or educational profiling” and “public profiling” thresholds;
  5. The “training” threshold; and
  6. Risk assessment submissions to the CPPA.

If the changes are substantial enough, the CPPA would open up another 45-day comment period. During the last comment period, CPPA staff reported that over 1,600 pages of comments were received, and hours of testimony were given during the public hearing. The board has until November 2025 to submit the final regulatory package to the California Office of Administrative Law.

Board member Alastair Mactaggart argues that the draft regulations go beyond the scope of the CPPA’s authority to regulate privacy by also attempting to regulate artificial intelligence. He said, “We are now on notice that if we pass these regulations, we will be sued repeatedly and by many parties.” We will continue to monitor these discussions and proposed regulations.

Wired has reported that several government officials involved in the Signal chat exposing sensitive national security plans have also exposed their Venmo accounts by not adjusting their account privacy settings to prohibit the information from being publicly accessible. This means that they “left not only their contact lists publicly visible but also their transactions, which are as recent as last autumn. These records reveal specific information” about who they paid, how much they paid, the date of the payment, and the reason for the payment.

According to Tara Lemieux, a veteran of the U.S. intelligence community, “When you post anything in those third-party applications, and you don’t understand how that information can be shared or exploited, you are taking a risk for our nation—and that’s not acceptable.”

A public official’s public Venmo account reveals their contacts and the services they pay for. That gives threat actors a map of the people around the official and a starting point for attacks on both the official and those contacts.

Mike Yeagley, a specialist in commercial data and its security risks, outlines the risk: “What’s the risk of someone at the Cabinet level using Venmo to pay their personal trainer? On the surface, it doesn’t look like much. But now I know who that trainer is—or the gardener, or whoever—and suddenly I’ve expanded my ability to target by identifying the people around that official.” Threat actors use this intimate insight to gather more information to target both the official and the official’s contacts.

Not only have Trump administration officials allowed their Venmo accounts to be public, but so have members of Congress.

According to NOTUS, which first reported the ability to access government officials’ Venmo details, it “easily identified Venmo accounts tied to more than three dozen Trump administration officials and more than 50 current members of Congress. Their transactions are revealing — as are their friends lists.” All of this is quite concerning for national security. It is also a reminder to check the privacy settings in every application, Venmo included. You may not want the world to see whom you are paying and why. If so, open the Venmo app, make your privacy choices, and confirm them in the settings. To hide your connections, go to Settings > Privacy > Friends List and select Private. You will be protecting your friends and family as well as yourself.

On March 28, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a Malware Analysis Report (MAR) on RESURGE malware, which CISA associates with the exploitation of Ivanti Connect Secure appliances (CVE-2025-0282).

According to the MAR, “RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands:

  • Create a web shell, manipulate integrity checks, and modify files.
  • Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions.
  • Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.”

To address a compromised appliance, CISA recommends that users and administrators:

  • Consider a factory reset.
  • Follow Ivanti’s recommended recovery steps.
  • Reset credentials of all accounts.
  • Reset passwords for all domain users and local accounts.
  • Review access policies to temporarily revoke access for affected devices.
  • Reset account credentials or access keys.
  • Monitor related accounts, especially administrative accounts.
  • Report incidents and anomalous activity to CISA.

The MAR is an important read for any businesses using Ivanti Connect Secure, Policy Secure, and ZTA Gateways.