The current political environment may be an exceptional chance to see our system of government in action, and understand “separation of powers” and the role of the federal judiciary.

Many are dismayed by the actions of the current administration. However, the outcries and outrage—the statements by those who say our democracy and government are being destroyed—may be causing their own kind of harm.

Mainstream broadcast media and social media messaging that questions the independence and integrity of the federal judiciary, including the U.S. Supreme Court, may be contributing to the erosion of confidence in the federal judiciary and Supreme Court reflected in public opinion surveys. And with an erosion of trust, it is more likely that members of the public will say it is okay to ignore the courts’ rulings. To uphold the rule of law, however, we must understand and respect all three branches of government and ask them to do their jobs.

Our forebears set up our government to address situations like we see today.

The founders of the United States foresaw, and experienced, disagreements and advocacy that were chaotic, disrespectful, and viewed as undemocratic. Thus they established a system of government, reflected in the Constitution, that provides for an independent judiciary to adjudicate disputes regarding the actions of the executive and legislative branches of our government. This third branch of government—the independent judiciary—would determine the legality of the actions of the executive and legislative branches under the laws and Constitution of the United States. Ultimately, the U.S. Supreme Court decides the law of the land, whether actions are permissible—that is, consistent with the Constitution—or not.

The executive and legislative branches need not agree, nor must they fail to aggressively pursue their desired policies through executive or legislative actions. But the members of these branches are required to recognize and honor the decisions of the federal judiciary regarding the legality of actions and the law of the land.

Positions and actions of the executive branch or the legislative branch—the president or Congress—may be viewed as unlawful by the other branch; however, the executive or legislative branch may take actions and pursue them aggressively until the action is found to be unconstitutional or otherwise unlawful by the independent judiciary. That is the way our system is structured and the way it works.

Thus, the president and his cabinet members—and even those with roles we may not understand—may take even outrageous positions and actions until the action is found to be unlawful under the Constitution or other applicable law.

Our judiciary—the third branch of government—must be allowed to do its job and respected for doing so. We may not like a judicial decision, but we must follow and respect it. When a decision is made that a party does not agree with, the appropriate action is to appeal the decision—not ignore the decision, or attack the judge(s) who made it and seek their removal or impeachment.

Remember that advocacy and disagreement led to the creation of this great nation, led to many of the changes and advancements over the years since, and will continue to do so as we move forward. Our system is not perfect, but “E pluribus unum” (“Out of many, one”) and “United we stand, divided we fall” must be principles we live by as we move forward. We are united as one under the Constitution to pursue life, liberty, and the pursuit of happiness for all citizens—collectively as a nation and a people, not as one individual, group, or party as opposed to another.

We will always have groups and leaders who will try to divide us in order to control us and destroy us, to destroy the collective “one” that we are as a unified nation. However, we are free not to fall into this trap, free to put the collective, unified one, our nation, above the many. If we are united in support of the one, we succeed, and those who seek to divide, control, and destroy us as individuals will fail.

We, humans, created our system of government, with our free will, our prejudices, frailties, and failings. We must thus take responsibility for ensuring the system is understood and operates for all of us. Each of us as citizens must accept the responsibility to participate and protect the collective—our government and way of life.

How do we do this? As a start, we can ensure that we, and our friends and neighbors,

1. understand the way our government works—the three branches of government and how they interact to govern and ensure the success of our country;
2. understand our role as citizens (and attorneys) with respect to each branch, and how we can stay engaged and take action to ensure we fulfill our responsibilities;
3. understand the issues that are important to us, where those issues are within the government, and how we can get involved and participate; and
4. do something about those issues and responsibilities.

It can feel difficult to “do something,” but it can help to take a step back and focus your energy.

Decide what you want: What is important to you? What is the issue, and what do you want to happen? Try not to simply get upset, check out, or give up.

Slow down and think about the issue or problem and what you would like to see happen. Learn more, or discuss productively with others rather than making angry posts.

Simplify the problems, solutions, and actions: Work to break things down to where there is something that can be done. Don’t let the complexity of an issue overwhelm you and make you feel helpless; there is always a place to start.

Take action: Execute your plan. Start with small actions and steps to get the ball rolling.

We can each be a part of supporting the independent judiciary and the rule of law, and of working for change in a way that maintains respect for our system of government.

This article is part of a series on the rule of law and its importance for business lawyers created by the American Bar Association Business Law Section’s Rule of Law Working Group. Read more articles in the series.

The views expressed herein are solely those of the author and are not necessarily those of the author’s employer, the American Bar Association, or the Business Law Section.

This is the fifth installment in the Year in Governance Series from the In-House Subcommittee of the ABA Business Law Section’s Corporate Governance Committee. Each month, the series will share key tips on a different corporate governance topic. To get involved in the Corporate Governance Committee, please visit the committee’s webpage.

A message from Kathy Jaffari: “As Chair of the Corporate Governance Committee, I would like to extend my sincere appreciation to the authors for this publication. The Corporate Governance Committee has ongoing opportunities for writing and volunteering with various projects, whether it’s an article you want to publish or a CLE that you want to present. Our Committee is dedicated to helping you promote informative resources for corporate governance practitioners. You may contact me at [email protected] to get involved.”

Conflicts of interest undermine a director’s duty of loyalty, erode trust and effective decision-making, and create litigation and enforcement risk. Directors should identify, disclose, and manage any conflicts of interest to maintain the integrity and effectiveness of a board. It is essential to meticulously document conflicts of interest and efforts to overcome these conflicts in order to protect both the company and its directors.

1. Draft a conflicts of interest policy. Directors need to know the types of conflicts that could arise, such as direct and indirect financial conflicts, dual representation, corporate opportunity, confidentiality, and personal interest. Draft and circulate a comprehensive policy that describes what constitutes a conflict, establishes a disclosure protocol, and lays out procedures for managing conflicts. The policy should also explain what is considered a material conflict.
2. Ask about conflicts, to facilitate disclosure. The director onboarding process will initially identify conflicts, but that is just the beginning. Directors should complete disclosure forms (typically D&O questionnaires) at least annually, and consider requiring directors to update their disclosures whenever their circumstances change.
3. Talk about conflicts, to cultivate culture. If you talk regularly about the importance of early and fulsome disclosures, then you will help create a culture where directors identify potential conflicts before they become a problem. You can place a brief disclosure statement at the top of every meeting agenda, or just remind directors before each meeting of how important it is to disclose any material conflicts.
4. Recuse conflicted directors. When there is a conflict—when a director’s interest could reasonably be expected to influence judgment—recuse that director, immediately. Exclude the director from deliberations (the meeting), decisions (the voting), and information (the minutes, although you can provide a redacted version). The minutes should reflect these efforts in order to record your compliance.
5. Manage board communications to restrict access when necessary. After asking the director with a conflict of interest to leave the room, use the available technology to restrict the information shared with that director by monitoring what is placed on the director’s portal or revising access controls. If it is necessary to maintain confidentiality, consider using separate counsel and advisors. Make sure to consider the timing of disclosures to the full board after committee deliberations.
6. When board independence is in doubt, consider forming a special committee. A special committee (made up of independent, disinterested directors) might be appropriate when, for example: multiple (or even a majority of) directors have conflicts; the transaction under consideration will be reviewed under the entire fairness doctrine; the board anticipates litigation related to the decision; or the proposed transaction involves a controlling shareholder. The special committee needs the authority to do its job properly, so it should be formed early, truly independent, and authorized to make decisions (including saying “no”). Keep in mind that the special committee may need separate counsel and advisors.
7. Consider whether a special committee is worth the trouble. A special committee likely brings inherent challenges that require careful consideration. It is costly. It creates delay. And it may generate the perception that there is more concern than exists or is warranted. Unfortunately, that perception alone could lead to litigation rather than help avoid it. Consider whether recusal of the interested directors would adequately address the conflict.
8. Address conflicts in related-party transactions. Related-party transactions bring higher scrutiny, as the standard of review examines both the process (i.e., “fair dealing”) and the economic terms (i.e., “fair price”). Using additional safeguards, such as approval from a special committee and a majority-of-the-minority vote, may help shift the burden of proof. You should also disclose all material facts, consider engaging third-party valuations or fairness opinions, and document the business rationale, among other things. Required disclosure of these transactions in Securities and Exchange Commission filings leaves them open to enhanced scrutiny.
9. Guard corporate opportunities closely. A strong conflict of interest arises when a director diverts a corporate opportunity. To avoid this, draft and adopt a policy that defines the company’s “line of business,” establish a formal process to determine if an opportunity belongs to the corporation, and document when the company declines to pursue an opportunity.
10. Leverage independent advisors. Use disinterested advisors to help a special committee, or the full board, to craft a rigorous process and establish fair-price credibility. Such advisors can be bankers, valuation experts, or outside counsel. Get them involved early in the process. It may be helpful to vet candidates beforehand so that you have a bench to draw from when the expected (or unexpected) time comes.

The views expressed in this article are solely those of the authors and not their respective employers, firms, or clients.

India’s first standalone data protection legislation, the Digital Personal Data Protection Act, 2023 (“DPDPA”),^[1] is poised to soon come into force. To facilitate its implementation, the Ministry of Electronics and Information Technology recently issued draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”)^[2], which provide guidance on implementation of several key provisions of the DPDPA. The Draft Rules were issued for public consultation till March 5, 2025. After consideration of industry feedback, it is expected that the government may notify the Draft Rules in the coming months, bringing the DPDPA formally into force.

Because of the DPDPA’s extraterritorial reach, businesses around the world need to prepare for its significant impact. Among the critical aspects of the new data protection law are provisions on cross-border data transfers and data localization, requirements for processing of children’s data, personal data breach notification obligations, and heightened obligations for “significant” data fiduciaries. At a macro level, global businesses will need to assess the DPDPA’s applicability to them and update their technological infrastructure and documentation to comply with the new requirements. “Consent managers,” a new category of entity introduced by the law, may need to be onboarded and integrated to manage data subjects’ consents, and data privacy notices will need to be revisited to ensure they provide the DPDPA’s requisite disclosures. At a business level, data sharing arrangements with vendors and group companies will also need to be reconsidered in light of the DPDPA.

Overview and Extraterritorial Application

The DPDPA introduces several compliance requirements for collection and processing of personal data, whether collected in digital form or collected and subsequently digitized.^[3] “Personal data” broadly includes “any data about an individual who is identifiable by or in relation to such data.”^[4] The provisions of the DPDPA do not apply to personal data processed by an individual for “any personal or domestic purpose,” or to personal data that is made or caused to be made publicly available by (a) the “Data Principal” (akin to “data subjects” under other jurisdictional frameworks) to whom such personal data relates, or (b) any other person who is under a legal obligation to make personal data publicly available.^[5]

The DPDPA applies not only to entities processing personal data within India but also to those outside India if such processing is in connection with any activity related to offering of goods or services to individuals (i.e., Data Principals) within India.^[6] This provision is comparable to global frameworks like the European Union’s General Data Protection Regulation (“EU GDPR”), which applies extraterritorially to non-EU businesses that offer goods or services to, or monitor the behavior of, individuals located in the EU.^[7] International businesses that do not have a physical presence in India but target and serve Indian consumers, such as e-commerce websites and digital platforms, will need to comply with the DPDPA.

Consent and Notice Requirements

One of the core principles of the DPDPA is obtaining consent from Data Principals for processing their personal data. “Data Fiduciaries” (akin to “data controllers” under other jurisdictional frameworks) must provide clear, standalone notices in English or any official Indian language,^[8] detailing the purpose of data collection, the types of data processed, and the rights of Data Principals.^[9] The Draft Rules do not prescribe a rigid template or format for the notice, allowing flexibility for Data Fiduciaries to design their notices so long as other requirements are satisfied. However, the notice cannot be combined with other documentation such as an end-user license agreement, general terms of service, or other website policies.^[10]

Under the DPDPA, Data Fiduciaries are required to provide similar notice to Data Principals, as soon as “reasonably practicable,” regarding data for which consent for processing was obtained prior to the enforcement of the Act.^[11] However, the Draft Rules do not specifically prescribe separate notice requirements for these existing datasets. In the absence of detailed guidance, it may be sufficient, in certain cases, for a public notice to be issued on the Data Fiduciary’s websites or apps.

An operational aspect of concern for these notices is the language requirement. It would simplify implementation if the government were to allow notices to be accessible in the language in which the platform is supported or made available to the Data Principals, to prevent unnecessarily onerous translation requirements.

Consent Managers

Unlike the EU GDPR, which permits data processing on some relatively broad bases such as legitimate interest, the DPDPA relies primarily on consent-based processing, with limited instances of legitimate uses such as for employment.^[12] This approach imposes a greater burden on organizations to ensure user-friendly and transparent consent mechanisms. Against this background, it is relevant to note that the DPDPA introduces the novel concept of “Consent Managers.”^[13] These are entities registered with the Data Protection Board of India^[14] that provide Data Principals a platform to manage, review, and withdraw their consent.^[15] These Consent Managers must maintain robust technical and organizational safeguards to ensure transparency and data security.^[16]

While the introduction of Consent Managers may alleviate compliance burdens for Data Fiduciaries, it also creates a potential bottleneck if the regulatory framework for their operation is not adequately developed. Furthermore, it would be useful to clarify whether Consent Managers, which operate as independent entities and businesses from Data Fiduciaries, should themselves be considered Data Fiduciaries, or even Significant Data Fiduciaries.

Significant Data Fiduciaries

The DPDPA introduces the concept of “Significant Data Fiduciaries,” a subset of Data Fiduciaries that will be designated by the central government based on an assessment of “such relevant factors as it may determine,” such as the volume and sensitivity of the data they process.^[17] SDFs are subject to enhanced compliance obligations, including mandatory data protection impact assessments, audits, and appointment of a dedicated Data Protection Officer^[18] to oversee compliance. SDFs may also be required to implement additional security measures, maintain detailed processing records, and observe strict data governance protocols. Furthermore, they may be restricted from transferring certain categories of personal data outside India (discussed below).^[19] Businesses operating as SDFs must proactively assess their data processing activities and prepare to meet these heightened regulatory requirements. It is likely that big tech and large, consumer-facing health care, finance, and IT companies could potentially be notified as SDFs, though the exact criteria that the government may use to notify Data Fiduciaries as SDFs is not clear.

Cross-Border Data Transfers

One of the major concerns under the DPDPA and the Draft Rules for multinational businesses is the regulation of cross-border data flows. The DPDPA permits the transfer of personal data outside India unless the government specifically restricts certain jurisdictions.^[20] Unlike some stringent data localization laws, the DPDPA does not impose blanket prohibitions but retains the authority to designate restricted territories.

This regulatory approach offers some flexibility for businesses engaged in global data processing while ensuring that transfers remain subject to oversight. However, the government may prescribe additional compliance measures for transfers to certain jurisdictions,^[21] such as requiring contractual clauses, data protection impact assessments, or approvals from regulatory authorities. The government may also impose additional compliance requirements on notified SDFs depending on the nature of personal data processed by the SDF and the recipient jurisdiction.^[22] Organizations transferring data outside India should be prepared for these potential requirements and must stay updated on government notifications regarding restricted countries and additional conditions applicable to data transfers.

A key question is whether these restrictions will align with existing global frameworks and compliance with foreign law obligations. Companies operating across multiple jurisdictions may face conflicting compliance obligations depending on specific restrictions that may be introduced under the DPDPA. This could create operational challenges for global data-sharing frameworks, necessitating the adoption of a modular approach to data governance, which enables jurisdiction-specific adjustments while maintaining overall regulatory consistency.

Data Localization Requirements

While the DPDPA generally allows data transfers, the Draft Rules introduce provisions for potential data localization requirements, particularly for SDFs. These entities may be subject to specific data storage and localization mandates.^[23] A government-appointed committee will determine categories of personal data processed by SDFs that must be stored within India.^[24] This could impact global enterprises, particularly those in sectors like finance, health care, and technology, where handling sensitive personal data (often across borders) is integral to operations. Apart from personal data, localization requirements may extend to traffic data pertaining to the flow of personal data,^[25] which can include logs and transactional records, meaning businesses must implement robust infrastructure to ensure compliance. Companies must assess whether they are likely to fall within the SDF category and prepare for potential localization obligations by revising their data storage strategies.

These regulations could impact multinational companies that rely on global data centers and cloud services for their business operations. For companies that use global analytics and services driven by artificial intelligence, data localization can introduce significant inefficiencies. Localization mandates may result in increased costs for infrastructure deployment and operational inefficiencies due to the inability to process data across borders. Additionally, concerns have been raised regarding whether localization measures genuinely enhance data security or merely create operational and economic hurdles.

Personal Data Breach Reporting Obligations

Under the DPDPA, organizations must promptly report personal data breaches.^[26] The law requires that both affected individuals and the Data Protection Board of India be informed without delay upon discovering a breach.^[27] Additionally, within seventy-two hours of an organization’s becoming aware of the breach, a detailed report of the breach must be submitted to the Data Protection Board.^[28]

This requirement aligns with international best practices, such as the EU GDPR, but lacks a materiality threshold. Every breach, regardless of its impact, must be reported. This could lead to an increased compliance burden for businesses, necessitating highly robust cybersecurity frameworks and breach detection mechanisms. The lack of a materiality threshold also raises concerns about regulatory fatigue. If organizations are required to report even minor breaches, regulators may be overwhelmed with notifications, reducing their ability to focus on critical threats. Businesses may also face reputational risks from excessive breach disclosures to multiple stakeholders, even in cases where no harm occurs.

In any case, organizations must establish internal protocols for incident detection, assessment, and reporting. Given that breach notifications may also be required under other laws, such as general^[29] and sector-specific cybersecurity regulations (such as in the banking or the insurance sector), companies should harmonize their reporting obligations to avoid duplication and ensure efficiency.

Additional Considerations

Data Security: Subject to a few minimal restrictions, Data Fiduciaries are allowed to implement the security standards and procedures of their choice to protect the personal data they process.^[30] These safeguards are required to include making sure that the right data security measures (such as encryption, obfuscation, or mapping personal data to tokens) are implemented; access control mechanisms are in place; logs are maintained and routine monitoring is conducted to identify instances of unauthorized access; and more.^[31]

Children and Persons with Disabilities: In relation to processing of personal data of children and persons with disabilities, there are additional requirements for obtaining verifiable consent from the parent or legal guardian if applicable, respectively.^[32] The mode of seeking verifiable consent is left to the discretion of the Data Fiduciary.^[33] Neither the DPDPA nor the Draft Rules require the Data Fiduciary to investigate the ages of its users to ascertain if they are in fact not children, or to investigate the relationship between child and purported parent. The DPDPA and Draft Rules appear to rely upon self-identification by a user as a child, or by a parent, for compliances to trigger.

Retention: According to the DPDPA, personal data must be deleted as soon as it is reasonable to believe that the specified purpose for processing the personal data is no longer being fulfilled.^[34] The Draft Rules specify time frames for the processing of personal data for particular purposes by e-commerce entities, online gaming intermediaries, and social media intermediaries (that meet the prescribed user thresholds).^[35] It lays out a three-year term from the enforcement of the Digital Personal Data Protection Rules, 2025, or the last time the Data Principal approached the Data Fiduciary to execute the specified purpose or exercise their rights, whichever is later.^[36] There is no guidance on the manner of ascertaining when the specified purpose is no longer being served for other Data Fiduciaries. In the absence of a specific timeline, Data Fiduciaries will have varying standards to determine erasure of personal data. Further, it is unclear why a timeline has only been prescribed for the said three classes, as opposed to other Data Fiduciaries, such as those in possession of large volumes of personal data.

Conclusion

Feedback and comments from the industry submitted during the public consultation period are presumably under consideration by the Indian government. Based on recent media reports, it was expected that the DPDPA and the Draft Rules would be finalized for implementation by April 2025.^[37] However, as of mid-May 2025, neither the DPDPA nor the Draft Rules have been brought into effect. As the rules are finalized, businesses must assess their current data protection practices based on their industry and the type of personal data they handle. Principles of purpose limitation, collection limitation, and storage limitation are enforced through the DPDPA and Draft Rules and should be enforced by businesses. Compliance will require updating technological systems, internal processes, and documentation. SDFs engaged in cross-border data sharing may face localization challenges, necessitating adjustments to their data transfer arrangements. A critical consideration for businesses is the significant penalties prescribed under the DPDPA, which start at approximately USD 6 million and go up to approximately USD 30 million, depending on the nature of violation.While the Draft Rules offer flexibility by avoiding rigid standards, several critical aspects, such as SDF designations, data transfer restrictions, and details for obtaining verifiable consent for children’s personal data, remain undefined. These details are likely to be addressed once the final rules are released or subsequently through government-issued FAQs.

1. Digital Personal Data Protection Act, 2023 [hereinafter DPDPA]. ↑

2. Ministry of Electronics and Information Technology, Draft Digital Personal Data Protection Rules, 2025, G.S.R. 02(E) (Issued on January 3, 2025) [hereinafter Draft Rules]. ↑

3. DPDPA § 3(a). ↑

4. DPDPA § 2(t). ↑

5. DPDPA § 3(c). ↑

6. DPDPA § 3(a)–(b). ↑

7. Article 3(2), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 [hereinafter EU GDPR]. ↑

8. DPDPA §§ 5(3), 6(3). Please note that there are twenty-two languages recognized as official under the Eighth Schedule to the Constitution of India: Assamese, Bengali, Bodo, Dogri, Gujarati, Hindi, Kannada, Kashmiri, Konkani, Maithili, Malayalam, Manipuri, Marathi, Nepali, Oriya, Punjabi, Sanskrit, Santhali, Sindhi, Tamil, Telugu, and Urdu. ↑

9. DPDPA § 5(1); Draft Rules, Rule 3; see also Explanatory Note to Digital Personal Data Protection Rules, 2025, ¶ 3 (last visited Apr. 26, 2025). ↑

10. Draft Rules, Rule 3(a). ↑

11. DPDPA § 5(2). ↑

12. DPDPA § 7. ↑

13. DPDPA § 2(g) (“‘Consent Manager’ means a person registered with the [Data Protection] Board [of India], who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.”). ↑

14. DPDPA § 6(9). ↑

15. DPDPA § 6(7)–(8). ↑

16. The Draft Rules prescribe the conditions for registration of a Consent Manager under Part A of the First Schedule and enumerate the obligations applicable to the Consent Manager under Part B of the same Schedule. ↑

17. DPDPA § 10(1) (“The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant factors as it may determine, including—(a) the volume and sensitivity of personal data processed; (b) risk to the rights of Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order.”). ↑

18. DPDPA § 10(2). ↑

19. Rule 12(4), Draft Rules. ↑

20. DPDPA § 16(1). ↑

21. Rule 14, Draft Rules. ↑

22. Rule 12(4), Draft Rules. ↑

23. DPDPA § 10(2)(c)(iii); Rule 12(4), Draft Rules. ↑

24. Rule 12(4), Draft Rules. ↑

25. Rule 12(4), Draft Rules. ↑

26. DPDPA § 2(u) (“‘[P]ersonal data breach’ means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data”). ↑

27. DPDPA § 8(6); Rule 7, Draft Rules. ↑

28. Rule 7(2)(b), Draft Rules. ↑

29. In particular, this refers to the obligation to report cyber-security incidents to the Indian Computer Emergency Response Team in accordance with the provisions of the Information Technology Act, 2000. ↑

30. DPDPA § 8(5). ↑

31. Rule 6, Draft Rules. ↑

32. DPDPA § 9(1). ↑

33. Rule 10, Draft Rules. ↑

34. DPDPA § 8(7)– 8(8). ↑

35. DPDPA § 8(8); Rule 8 and Third Schedule, Draft Rules. ↑

36. Third Schedule, Draft Rules. ↑

37. Surabhi Agarwal & Suraksha P, Centre Sets April Date for DPDP Rules as MeitY Studies Feedback, Econ. Times (Mar. 25, 2025). ↑

This article is Part IX of the Musings on Contracts series by Glenn D. West, which explores the unique contract law issues the author has been contemplating, some focused on the specifics of M&A practice, and some just random.

A recent decision by the Delaware Supreme Court, Thompson Street Capital Partners IV, L.P. v. Sonova U.S. Hearing Instruments LLC,^[1] reveals a potentially worrisome crack in Delaware’s solid and reliable contractarianism. This crack appears in one of the more important bargains made between a buyer and a seller in a private company acquisition agreement—the survival period and the timing and content of the notice of claims required to be delivered by the buyer to the seller to entitle the buyer to the limited indemnification provided by the seller.

Thompson Street Capital involved a seemingly routine dispute concerning the sufficiency and timeliness of a claims notice sent to the seller before the end of the survival period. The seller alleged that this notice (a) failed to include the “specificity” regarding the claim as required by the merger agreement and (b) was untimely because it was not sent within thirty days after the buyer became aware of the issue as required by the merger agreement. While the nature of the dispute was unremarkable, the court’s holding was anything but unremarkable.

The Dispute and the Court of Chancery Decision

The plaintiff, a sell-side private equity firm acting as the “Members’ Representative,” filed a declaratory judgment action in the Delaware Court of Chancery seeking “an order declaring that the Purported Claim Notice did not meet the contractual requirements with which [the buyer] had to comply and, as such, could not serve as a basis to withhold the escrowed funds.”^[2] Additionally, the plaintiff’s complaint “sought a mandatory injunction requiring [the buyer] to execute a Joint Instruction letter directing the Escrow Agent to release the contents of the Indemnity Escrow Fund to Plaintiff.”^[3] Anyone involved in private company M&A is well familiar with this scenario—i.e., a limited survival period coupled with an escrow fund that serves as the sole recourse for any rights to indemnification that may arise during that survival period, followed by a dispute over the timeliness or sufficiency of the notice of claim.

In response to the plaintiff’s complaint, the buyer made a motion to dismiss, which the Delaware Court of Chancery granted “after concluding that ‘[t]he notice provisions at issue here are unambiguous and [the plaintiff’s] prayers for relief are fatally lacking.’”^[4] However, in reaching that holding, the Delaware Court of Chancery focused almost exclusively on the notice provisions of the escrow agreement and failed to recognize that compliance with the notice provisions of the merger agreement was a condition precedent to the buyer’s right to obtain indemnification. 

Because there was both a merger agreement and a separate escrow agreement, which do not always mesh, it was understandable that some confusion might arise over which notice requirements were applicable. The Delaware Court of Chancery focused on the escrow agreement rather than the merger agreement, concluding that the notice was valid under the escrow agreement.

The Delaware Supreme Court’s Decision

On appeal, the Delaware Supreme Court determined that the requirements of the merger agreement were unequivocal and should have been the focus of the Court of Chancery’s decision. Section 9.3.2 of the merger agreement provided:

Any claim by a Purchaser Indemnified Party on account of Damages under this Article IX (a “Claim”), including those resulting from the assertion of a claim by any Person who is not a Party to this Agreement (a “Third-Party Claim”), will be asserted by giving the Members’ Representative reasonably prompt written notice thereof, but in any event not later than 30 days after the Purchaser Indemnified Party becomes actually aware of such Claim, provided that no delay on the part of the Purchaser Indemnified Party in notifying the Members Representative will relieve the Merger Parties from any obligation under this Article IX, except to the extent such delay actually and materially prejudices the Merger Party. Such notice by the Purchaser Indemnified Party will describe the Claim in reasonable detail, will include the justification for the demand under this Agreement with reasonable specificity, will include copies of all available material written evidence thereof, and will indicate the estimated amount, if reasonably practicable, of Damages that has been or may be sustained by the Purchaser Indemnified Party. The Purchaser Indemnified Parties shall have no right to recover any amounts pursuant to Section 9.2 unless the Purchaser notifies the Members’ Representative in writing of such Claim pursuant to Section 9.3 on or before the Survival Date.^[5]

The court focused almost exclusively on the last sentence of section 9.3.2 (defined in the decision as the “Final Sentence”). Importantly, the Delaware Supreme Court held unequivocally that “the Final Sentence clearly embodies a condition precedent and potential for forfeiture because it states plainly that there is no right to indemnification unless the claim notice is provided.”^[6] The court further held that the Final Sentence contained specific language creating the condition precedent of timely and compliant notice, which specific language controlled over the more general language contained in a boilerplate “no waiver” provision.^[7] Moreover, the court held that it was “reasonably conceivable that [the buyer] failed to comply with the Specificity Requirement that [the buyer] ‘include copies of all available material written evidence’ of its claim.”^[8] Indeed, the buyer had apparently admitted that “it did not provide any written evidence with the Claim Notice beyond its own assertions in the Claim Notice itself.”^[9] Finally, the court held that the plaintiff had also sufficiently “alleged that [the buyer] did not comply with the Timing Requirement of Section 9.3.2.”^[10] As a result, the Delaware Court of Chancery should not have granted the buyer’s motion to dismiss. 

So far, so good; this all sounds very contractarian. But then came the bombshell. According to the Delaware Supreme Court, the Final Sentence provides only the “potential” for forfeiture, not a definitive forfeiture of the indemnification right, because, notwithstanding the clear language of the contract, “our law abhors a forfeiture.”^[11] As a result of that abhorrence, the buyer’s “noncompliance may be excused if the timing and specificity requirements were not material to the agreement and the noncompliance would result in a disproportionate forfeiture.”^[12] 

So, the good news for the private-equity-seller plaintiff is that it will now have its day in the Delaware Court of Chancery to (a) prove (or fail to prove) that the buyer’s claim notice was deficient under the merger agreement and (b) if successful, thereby establish that the condition precedent to the indemnification obligation had not occurred, which would then seem to entitle the seller to the release of the escrowed funds as a matter of the bargained-for terms of the merger agreement. 

But, the bad news is that, even if successful in proving the noncompliant notice, the private-equity-seller plaintiff must now also provide evidence in the Delaware Court of Chancery that the timing and specificity requirements that it proved were not met were in fact “material to the agreement” and, if not material to the agreement, that the buyer’s noncompliance would not result in a disproportionate forfeiture of the indemnity rights that were legally conditioned upon that compliance. Failing to meet these additional noncontractual requirements could result in the seller’s inability to enforce the bargained-for condition precedent to the buyer’s indemnification right.

It remains unclear (at least to me) how a buyer, whose right to indemnification is expressly conditioned upon a compliant notice being timely given, could be deemed to have forfeited anything if the buyer failed to comply with the express condition that gives rise to that right. Nevertheless, the Delaware Supreme Court held that a forfeiture would occur and that, in such circumstances, the common law’s abhorrence of that forfeiture would apply.^[13]

The Materiality of Survival and Notice of Claims Provisions

But even if a forfeiture of a conditional indemnification right occurred because of noncompliance with the condition precedent giving rise to that right, such a forfeiture is permissible if the required terms of compliance were “material to the agreement.” And it is truly hard to fathom how any private equity seller could not have considered the bargained-for length of the survival period and the bargained-for requirements for a notice of claim as material in any negotiation of a private company acquisition agreement. Limiting recourse and establishing a limited time to pursue remedies, based on real, not presumed or anticipated, claims, is private equity dealmaking 101.

Indeed, the Delaware Supreme Court in Thompson Street Capital noted cases that have drawn materiality conclusions as a matter of law. The court cited a non-Delaware decision holding that the notice requirements of a claims-made insurance policy were material as a matter of law, as well as a Delaware Court of Chancery decision involving a claim of forfeiture arising from an earnout provision.^[14] While the claims-made insurance policy example closely resembles a survival clause that conditions any indemnification rights on a compliant notice being given before the survival period’s end, the Delaware Supreme Court referenced that example without comment. However, the court did discuss the earnout example of Obsidian Finance Grp., LLC v. Identity Theft Guard Solutions, Inc.^[15] 

In Obsidian, the Delaware Court of Chancery considered an argument by a disappointed seller who failed to meet the exact requirements for an earnout. Instead of the company obtaining an extension of a government contract for six years as required by the earnout terms, it only received an extension for five years and six months. Certainly close, but no cigar, said the Delaware Court of Chancery:

Obsidian’s argument that the Court may declare immaterial the six-month difference between the 5.5-year contract and the six-year earnout condition is misplaced. Obsidian cites no authority that would support a holding that a party to a merger agreement may be excused from satisfying a condition to an earnout on grounds of forfeiture. This comes as no surprise, as an earnout provision contemplates the payout of additional, often substantial, consideration when the entity sold achieves specific, bargained-for milestones. The value of the contingent consideration is inextricably linked to the estimated probability of the contingent event’s occurrence. To change the benchmark of the earnout would be to change its risk profile and, by extension, the amount that should be paid in the event of its achievement. Under Delaware law, however, “a party may not come to court to enforce a contractual right that it did not obtain for itself at the negotiating table.” Unlike horseshoes or hand grenades, there is no “close enough” when it comes to earnouts negotiated by sophisticated parties based on the estimated probability that the precise measure would be hit. Any adjustment to the earnout condition, then, would be “material” as a matter of law.^[16]

The rationale for why this example from the realm of earnouts is not applicable in the context of bargained-for time periods for submitting compliant claims notices as a condition to a buyer’s entitlement to indemnification was not explained. The Delaware Supreme Court simply noted:

We are unable on this record to resolve the materiality and disproportionate forfeiture questions. We address materiality first because excusal of the condition, according to Section 229 of the Restatement, “applies only where occurrence of the condition was not a material part of the agreed exchange.” Although, [the plaintiff] alleges that the timing and particularity requirements were material, the record has not been developed on these points, including whether the parties, in negotiating these agreements, considered these requirements to be material.

Even if we were to determine that the Notice Requirements are not material, we are still unable to determine the disproportionate forfeiture issue on this record. Accordingly, we remand to the Court of Chancery for further consideration on these points.^[17]

The court then provided guidance to the Delaware Court of Chancery on remand. That guidance was derived from section 229 of the Restatement (Second) of Contracts, which consists of a list of factors to consider that are somewhat ambiguous. But the court then quoted from a Pennsylvania Superior Court case to summarize what is essentially required for the materiality analysis under section 229 of the restatement: “materiality in the context of Section 229 ‘rests to a large extent on the analysis of the requirement’s purpose, [but] it also involves a consideration of the negotiations of the parties along with all other circumstances relevant to the formation of the contract or to the requirement itself.’”^[18] 

In private equity deals, sellers desire certainty over the limits of recourse for, and the timing of, indemnification claims. Limiting recourse to the escrowed funds, and returning the remaining sales proceeds held in escrow to the private equity fund’s limited partners after the end of the survival period, is a material part of any private company acquisition agreement. The limited additional record that the Delaware Supreme Court is requiring should be straightforward, therefore. But the fact that it is necessary, in addition to the proof that the notice was in fact noncompliant, is troubling.

Contractarianism Versus Equitable Principles from the Middle Ages 

Professors Jody S. Kraus and Robert E. Scott are among the leading theorists in contract law.^[19] They have expressed their dismay over the importation into contract law of equitable principles developed by the English Chancery Courts in the Middle Ages, which were intended to mitigate some of the harshness of the common-law courts, where no means were available for enforcing executory contracts and commercial parties instead relied upon penal bonds.^[20] The enforcement of the penal bond could sometimes work an injustice because the bond may have been issued for a contract that had in fact been performed, so the Chancery Courts intervened to grant relief from these unjust enforcements.^[21] But we no longer live in that world. The common law now provides remedies for breach of executory contracts, and penal bonds have been relegated to the history books. 

In addressing the interplay between the law of conditions and the equitable concepts related to forfeitures, Professors Kraus and Scott noted the following:

The law of conditions explicitly endorses the principle of freedom of contract by committing to the strict enforcement of all express conditions. Yet, it is also home to the hoary equitable maxim that “the law abhors forfeitures.” The antiforfeiture norm suffuses the law of conditions, which therefore reads like a schizophrenic text, in one sentence insisting on the sanctity of strict construction and enforcement of conditions in spite of forfeiture, while in the next admonishing courts, whenever interpretation allows, to avoid the conclusion that the promisor’s obligation is subject to an enforceable condition if enforcement of the condition would raise the specter of forfeiture.^[22]

The professors further opined:

Even if the parties succeed in writing an express term that unequivocally creates a condition, the ex post form of the antiforfeiture norm strongly encourages courts to exercise their discretion to excuse the condition whenever its enforcement would create a forfeiture and the court deems the condition not to have been a material part of the agreement at the time of formation. In addition, even if a court agrees that a contract contains a material, express condition, the ex post norm encourages the court to find that the promisor has implicitly waived the condition, either retrospectively or prospectively, whenever enforcement of the condition would create a forfeiture.^[23]

Accordingly, they encourage a contractarian approach that Delaware is known for generally. Specifically, in their view:

[C]onditions are always material from the ex ante perspective because they allocate risks between the parties, the contract compensates each party for bearing those risks, and the parties inevitably rely on that allocation of risks. Since materiality is determined by the parties’ intent at the time of formation, conditions will always be material.^[24]

In other words, the professors are apparently suggesting that the “law abhors a forfeiture” maxim should be consigned to the same historical vault that currently houses penal bonds.

Academics similarly suggest that historically inherited and now-encrusted boilerplate is often used impulsively by practitioners without considering the original purpose behind such provisions.^[25] As a result, these inherited provisions may no longer accomplish their intended objective and instead undermine more bespoke provisions in a contract. Could it be that courts are effectively doing the same thing—i.e., applying legal maxims that are effectively “historical artifacts”^[26] to the modern law of contracts?

Perhaps, but the professors’ and other academics’ theories remain just that. And Thompson Street Capital embodies the current law in Delaware. Nevertheless, can Delaware’s contractarianism offer a potential means of avoiding an evidentiary hearing to assess the materiality of bargained-for indemnification regimes in the future? I believe the answer is yes.

Delaware’s Contractarianism Remains Strong

Delaware justifiably “prides itself on the contractarian nature of its law.”^[27] Sophisticated dealmakers and their counsel rely on Delaware courts to enforce the terms of their freely made contracts and to respect the decisions they make about the “risk they should bear.”^[28] As a result, “Delaware courts are ‘especially chary about relieving sophisticated business entities of the burden of freely negotiated contracts.’”^[29]

This contractarianism is so strong that Delaware courts will generally only override the parties’ binding contract “upon a strong showing that dishonoring the contract is required to vindicate a public policy interest even stronger than freedom of contract.”^[30] And these stronger public policy “interests ‘are not to be lightly found, as the wealth-creating and peace-inducing effects of civil contracts are undercut if citizens cannot rely on the law to enforce their voluntarily-undertaken mutual obligations.’”^[31] Thus, “Delaware courts will ‘not rewrite the contract to appease a party who later wishes to rewrite a contract he now believes to have been a bad deal.’”^[32] This is so because “[p]arties have a right to enter into good and bad contracts, the law enforces both.”^[33]

The law’s abhorrence of forfeiture does not appear to be one of the strong public policy interests sufficient to override the parties’ material bargained-for exchange.^[34] Indeed, Thompson Street Capital makes that clear by instructing the Court of Chancery to further develop the record regarding the materiality of the timing and specificity requirements of the merger agreement’s indemnification regime. Assuming that the additional record indicates that the timing and specificity conditions related to the right of indemnification were material to the parties’ agreement, which experience suggests they should be, the Delaware Supreme Court indicated that the antiforfeiture concern will be overcome.

Some Possible Additions to the Survival Clause

But to avoid the requirement that a trial record be established in the future, couldn’t the parties agree on the fact of that materiality in the contract and rely on Delaware’s contractarianism to uphold that agreement? I suggest that they should.^[35]

My current view is that there should be a statement in the survival clause reflecting the parties’ agreement that compliance with the terms of the notice provisions is not only a condition precedent to the indemnifying party’s obligation to indemnify but also a material part of the parties’ bargained-for exchange. I also believe that adding “time is of the essence” language to the survival clause might be helpful, as those words seem to have an almost talismanic effect in other contexts.^[36]

What might these additions to a survival clause look like? Well, I am still musing, but here is a quick effort at such additions:

Notwithstanding anything herein to the contrary, the obligations to indemnify, pay, reimburse, compensate, and hold harmless a Person pursuant to this ARTICLE IX in respect of a breach of representation or warranty, covenant, or agreement shall terminate on the applicable survival termination date (as set forth in Section  9.1(a)), unless an Indemnified Party shall have made a claim for indemnification pursuant to Section 9.2 or Section 9.3, prior to such survival termination date, as applicable, including by delivering an Indemnification Claim Notice or Third-Party Indemnification Claim, as applicable, to the Indemnifying Party. The Parties specifically and unambiguously intend and agree that (a) the survival periods that are set forth in this Section 9.1(a) shall replace any statute of limitations that would otherwise be applicable; (b) the timely delivery of an Indemnification Claim Notice or Third-Party Indemnification Claim, as applicable, to the Indemnifying Party pursuant to Section 9.2 or Section 9.3 shall be an express condition precedent to the obligations to indemnify, pay, reimburse, compensate, and hold harmless a Person pursuant to the ARTICLE IX; (c) time shall be of the essence in the delivery of an Indemnification Claim Notice or Third-Party Indemnification Claim, as applicable, to the Indemnifying Party pursuant to Section 9.2 or Section 9.3; and (d) the survival periods, and the timing and content of an Indemnification Claim Notice or Third-Party Indemnification Claim, as required by this ARTICLE IX, were a material part of the agreed exchange made by the Parties in entering into this Agreement.^[37]

Will this effectively eliminate the need for an evidentiary hearing to establish the materiality of the bargained-for conditions for indemnification, given the law’s abhorrence of forfeitures? Who knows? But it might help. And I welcome improvements and corrections.

1. 2025 WL 1213667 (Del. Apr. 28, 2025). ↑

2. Id. at *5. ↑

3. Id. ↑

4. Id. at *6. ↑

5. Id. at *2 (emphasis in original). ↑

6. Id. at *1 (emphasis added). ↑

7. Id. at *21. The “no waiver” provision stated: “No failure or delay by any Party in exercising any right, power, or privilege under this Agreement will operate as a waiver thereof nor will any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any other right, power, or privilege.” Id. at *2. The potential that this type of standard boilerplate may do violence to the specific notice of claims procedures made part of your indemnification regime was previously discussed in Glenn D. West, The Perils and Delights of Contractual Boilerplate, Bus. L. Today (Apr. 15, 2025). ↑

8. Thompson St. Cap., 2025 WL 1213667, at *16. ↑

9. Id. ↑

10. Id. at *17. ↑

11. Id. at *1. ↑

12. Id. ↑

13. But see Vague v. Bank One Corp., 2006 WL 290299, at *11 (Del. Ch. Feb. 1, 2006) (failure to timely exercise options in accordance with the strict terms of an unambiguous agreement resulted in loss of options notwithstanding efforts at “formulating (or piecing together) a theory of equitable relief that would overcome the terms of the parties’ express agreement”). ↑

14. Thompson St. Cap., 2025 WL 1213667, at *20 n.148. The non-Delaware case cited with respect to a claims-made insurance policy’s notice requirements was Citizens Insurance Co. of America v. Assessment Systems Corp., 2019 WL 4014955, at *5–7 (D. Minn. Aug. 26, 2019). But it is interesting to note that in the context of consumer-based life insurance policies, “[i]t has long been established that forfeiture of life insurance coverage for late payment of premiums is ‘not favored in the law; and that courts are always prompt to seize hold of any circumstances that indicate an election to waive a forfeiture, or an agreement to do so on which the party has relied and acted.’” Speziale v. Nat’l Life Ins. Co., 159 F. App’x 253, 255 (2d Cir. 2005). ↑

15. 2021 WL 1578201 (Del. Ch. Apr. 22, 2021). ↑

16. Id. at *8 (emphasis added). ↑

17. Thompson St. Cap., 2025 WL 1213667, at *20. ↑

18. Id. at *21 (citing Acme Mkts., Inc. v. Fed. Armored Express, Inc., 648 A.2d 1218, 1222 (Pa. Super. Ct. 1994)). ↑

19. See Robert E. Scott & Jody S. Kraus, Contract Law and Theory (Carolina Academic Press, 6th ed. 2023). ↑

20. Jody S. Kraus & Robert E. Scott, The Case Against Equity in American Contract Law, 93 S. Cal. L. Rev. 1323 (2020); Jody S. Kraus & Robert E. Scott, Contract Design and the Structure of Contractual Intent, 84 N.Y.U. L. Rev. 1023 (2009). ↑

21. Kraus & Scott, The Case Against Equity in American Contract Law, supra note 20, at 1334–38. ↑

22. Kraus & Scott, Contract Design and the Structure of Contractual Intent, supra note 20, at 1081–82; see also Kraus & Scott, The Case Against Equity in American Contract Law, supra note 20, at 1375. ↑

23. Kraus & Scott, Contract Design and the Structure of Contractual Intent, supra note 20, at 1084; see also Kraus & Scott, The Case Against Equity in American Contract Law, supra note 20, at 1376. ↑

24. Kraus & Scott, Contract Design and the Structure of Contractual Intent, supra note 20, at 1084; see also Kraus & Scott, The Case Against Equity in American Contract Law, supra note 20, at 1377. ↑

25. See, e.g., Stephen J. Choi, Mitu Gulati & Robert E. Scott, Comparing Agency Costs in Contract Production: Private Equity M&A Versus Corporate and Sovereign Bonds, 74 Case W. Rsrv. L. Rev. 47 (2023); Stephen J. Choi, Mitu Gulati, Matthew Jennejohn & Robert E. Scott, Contract Production in M&A Markets, 171 U. Pa. L. Rev. 1881 (2023); Robert E. Scott, Stephen J. Choi & Mitu Gulati, Revising Boilerplate: A Comparison of Private and Public Company Transactions, 2020 Wis. L. Rev. 629 (2020). ↑

26. See Tara Chowdhury, Faith Chudkowski & Mitu Gulati, The Form Knows Best, 79 U. Mia. L. Rev. 607, 625 (2025). But see Glenn D. West, The Form Doesn’t Know Anything: A Response to Chowdhury, Chudkowski & Gulati, 79 U. Mia. L. Rev. 628 (2025). ↑

27. New Enter. Assocs. 14, L.P. v. Rich, 295 A.3d 520, 565 (Del. Ch. 2023). ↑

28. Id. at 566 (quoting Abry Partners V, L.P. v. F&W Acquisitions, LLC, 891 A.2d 1032, 1061 (Del. Ch. 2006)).  ↑

29. Id. (quoting Abry Partners, 981 A.2d at 1062). ↑

30. Id. (quoting Libeau v. Fox, 880 A.2d 1049, 1056 (Del. Ch. 2005), aff’d in part, rev’d in part on other grounds, 892 A.2d 1068 (Del. 2006)). ↑

31. Id. (quoting Libeau, 880 A.2d at 1056–57). ↑

32. Id. (quoting Nemec v. Shrader, 991 A.2d 1120, 1126 (Del. 2010)). ↑

33. Id. (quoting Nemec, 991 A.2d at 1126); see also HC Cos., Inc. v. Meyers Indus., Inc., 2017 WL 6016573, at *9 (Del. Ch. Dec. 5, 2017) (“Delaware courts enforce bad deals the same as good deals. The Court cannot rewrite the contracts, and it cannot ignore the plain terms of the contracts.”). ↑

34. This would appear to contrast with the common law’s abhorrence of “penalties” for breach of contract. See Glenn D. West, When “Liquidated Damages” Are Not—The Common Law’s Abhorrence of Penalties and What You May or May Not Be Able to Do About It, Weil’s Glob. Priv. Equity Watch (Dec. 22, 2020). The law’s problem with penalties was part of the decision in Crispo v. Musk, 304 A.3d 567 (Del. Ch. 2023) (“A party cannot recover damages for consideration that it would not expect to receive had the contract been performed. Such provisions are considered penalties. If a contractual provision defines damages to include penalties, then it is unenforceable.”). But as part of the legislative response to the Crispo decision invalidating provisions providing for lost shareholder premium damages in a busted merger, Delaware General Corporation Law section 261(a) now specifically permits penalties as a remedy against a party who breaches a merger agreement. 8 Del. Code § 261(a). For background on the Crispo decision, see Glenn D. West, Surprise: Target Company May Not Be Entitled to Expectancy Damages Based upon the Lost Premium for an Acquirer’s Wrongful Failure to Close a Merger, Weil’s Glob. Priv. Equity Watch (Nov. 14, 2023). ↑

35. While perhaps not directly in point, Delaware courts have honored contractual stipulations of irreparable harm for the purposes of awarding injunctive relief and specific performance. See, e.g., Gildor v. Optical Sols., Inc., 2006 WL 4782348, at *11 (Del. Ch. June 5, 2006). ↑

36. See HIFN, Inc. v. Intel Corp., 2007 WL 1309376, at *9 (Del. Ch. May 2, 2007) (“When time is of the essence in a contract, a failure to perform by the time stated is a material breach of the contract that will discharge the non-breaching party’s obligation to perform its side of the bargain. Whether time is of the essence in a contract turns in the first instance on whether the contract explicitly states so. When the contract fails to contain a time of the essence clause, time will only be of the essence if the circumstances surrounding the contract or the parties’ course of dealing clearly indicate that strict compliance with a specified timeframe was intended.”). ↑

37. While much of this language is a response to Thompson Street Capital, clause (a) is in response to another concern that was highlighted in a Business Law Today article. See Glenn D. West, Making Sure Your Survival Clause Works as Intended, Bus. L. Today (Mar. 7, 2025). ↑

On April 15, and again on May 2, President Donald Trump called for the revocation of Harvard University’s 501(c)(3) tax-exempt status.^[1] The news came as environmental groups were grappling with rampant rumors that the Trump administration was moving—reportedly through an executive order that was to be issued on Earth Day (April 22)—to redefine the Internal Revenue Service (“IRS”) qualifications for 501(c)(3) tax-exempt status in a way that would exclude conservation and climate nonprofits. That did not happen, and the White House disavowed the rumors. However, on April 24, the interim U.S. attorney for the District of Columbia wrote to the Wikimedia Foundation, the nonprofit that runs Wikipedia, questioning its 501(c)(3) tax-exemption eligibility.

All of this follows President Trump’s March 7 executive order on the federal Public Service Loan Forgiveness program, which ordered the U.S. secretary of education to propose regulations that exclude from the program nonprofit organizations that the administration believes do not qualify for 501(c)(3) tax-exempt status due to having a “substantial illegal purpose.” The executive order defines activities with a “substantial illegal purpose” to include those that aid or abet violations of federal immigration laws, support terrorism, aid or abet illegal discrimination, or violate state tort laws (including those against trespassing, disorderly conduct, or public nuisance), among others. In April, Ed Blum’s American Alliance for Equal Rights filed complaints with the IRS asking the Service to audit and revoke the tax-exempt status of the Gates Foundation and two other 501(c)(3) foundations due to their race-restricted scholarship programs—and the Gates Foundation changed its program just days later. Finally, a March 24 editorial by a Wall Street Journal editor called for the IRS to audit and revoke the exempt status of 501(c)(3) organizations that engage in “illegal” diversity, equity, and inclusion (“DEI”) activities as one of their principal purposes.

While these announcements have sent a wave of fear, apprehension, and alarm through wide swaths of the nonprofit sector, it is important to note that the president, the Justice Department, the Treasury Department, the U.S. attorney for the District of Columbia, and even the IRS do not have the ability to revoke the federal tax-exempt status of any entity through executive order or with the mere stroke of a pen.^[2] There are well-established procedures for revoking federal tax exemption, and they all involve the IRS. As described below, with a few exceptions (such as automatic revocation for failure to file an IRS Form 990 for three years in a row), those procedures require individual, case-by-case IRS audits of each organization, with ample opportunity for the entity to defend itself and multiple routes of appeal. There simply is no lawful mechanism for the president, other members of the Trump administration, or the IRS to revoke the tax-exempt status of multiple nonprofits—or even a single nonprofit—without following this longstanding process.

Note that nonprofit organizations are generally organized and operated as both nonprofit and tax-exempt entities. “Nonprofit” status refers to incorporation status under state corporate law; “tax-exempt” status refers to federal income tax exemption under the Internal Revenue Code (“IRC”). Even if, following the IRS audit and appeal process (and any ensuing litigation), an organization’s tax-exempt status is revoked, it still remains a nonprofit corporation (albeit a taxable one). Even post-revocation, the IRS has no authority to shut down a nonprofit, seize its assets, or otherwise take control of the organization.

If the IRS questions the federal tax-exempt status of a nonprofit organization, it can initiate an audit (technically called an “examination”) of the organization, auditing one or more IRS Forms 990 that were filed by the entity. For the tax years under examination, the IRS is effectively determining whether the Forms 990 at issue were accurate and reflected full compliance with the applicable tax laws. For 501(c)(3) tax-exempt organizations (which comprise the vast majority of tax-exempt entities), there can be many bases for threats to their exempt status, including not meeting the “organizational” or “operational” tests, being found to engage in private inurement or impermissible private benefit, having a substantial nonexempt purpose, engaging in too much lobbying, engaging in prohibited political campaign activity, or having too much unrelated business income, among others.

The IRS conducts several types of audits of tax-exempt organizations. The two most common are correspondence examinations and field examinations, the latter of which is much more invasive, involving one or more auditors on site reviewing information and documents and conducting interviews. Field exams generally take several months to conduct, at a minimum, and often much longer.

There are four potential outcomes of an IRS examination of an exempt organization: a no-change letter, a no-change letter with written advisories, a negotiated closing agreement, or a proposed revocation of exempt status. The first three outcomes enable the organization to retain its tax-exempt status, but in the second or third options, with certain conditions or required changes.

If the IRS concludes an audit with a proposed revocation, the organization has thirty days (or longer if an extension is negotiated) to “protest” the proposed ruling and avail itself of the IRS appeals process.^[3] During the pendency of the IRS appeal, the organization remains tax-exempt, and during the pendency of the audit and appeal process, the IRS is barred by law from disclosing anything publicly about the matter. Once the protest is filed, it will be assigned to an IRS appeals officer, and the organization (and/or its representatives) will have the opportunity to have an appeals conference to make its case for denying the proposed revocation or otherwise proposing a settlement. The appeals conference is an informal meeting between the organization’s representatives and the appeals officer; the IRS agent who conducted the underlying examination does not participate in the conference. The appeals officer (with the approval of their manager) has broad authority to order the IRS division conducting the examination to issue a no-change letter or no-change letter with written advisories, to negotiate a settlement with the organization, or to finalize the revocation.

If the IRS appeals officer decides to uphold the proposed revocation, the organization will be issued a final adverse determination letter, at which point the entity will have lost its federal tax exemption. The revocation will be published in the Federal Register. Following receipt of the letter, the organization will have ninety days to petition the U.S. Tax Court, the U.S. Court of Federal Claims, or the U.S. District Court for the District of Columbia for a declaratory judgment as to its qualification for tax-exempt status. Like other federal litigation, if unsuccessful at the lower court level, the nonprofit organization or the IRS are permitted to appeal to higher courts. Note that if the court petition is filed prior to the issuance of the final adverse determination letter, the IRS is not permitted to revoke the organization’s tax-exempt status during the pendency of the litigation. However, the IRC provides that a court may not issue a declaratory judgment unless the court determines that the organization has exhausted its administrative remedies. If a protest is not filed with the IRS Appeals Office with respect to an adverse determination, the court may determine that the organization has not exhausted its administrative remedies.

If, at the end of the process, the nonprofit loses its federal tax-exempt status, as stated above, it still remains a private nonprofit corporation, just a taxable one, required to file IRS Form 1120 (the federal corporate tax return) annually and pay federal (and state, if applicable) corporate income tax on its net annual income. Of course, if the nonprofit makes the necessary conforming changes to its organization or operations, it always has the option to prospectively reapply to the IRS for recognition of its 501(c)(3) tax-exempt status. It also has the option to transfer its assets to an existing 501(c)(3) entity or to a newly created 501(c)(3) organization, following which it can then dissolve (once all outstanding liabilities have been satisfied).

For more information, contact the author at [email protected].

The views expressed herein are solely those of the author and are not necessarily those of the author’s firm, the American Bar Association, or the Business Law Section.

1. Note that federal law (26 U.S.C. § 7217) prohibits senior officials of the executive branch, including the president, from requesting that the Internal Revenue Service (“IRS”) conduct or cease an audit or other investigation of any taxpayer (including tax-exempt entities). There is an exception for written requests by the secretary of the treasury to the IRS as a consequence of the implementation of a change in tax policy. ↑

2. Congress would seemingly have such authority, but, to date, such legislative action has not been publicly contemplated. ↑

3. See Internal Revenue Serv., IRS Publication 892, How to Appeal an IRS Determination on Tax-Exempt Status (Feb. 2017). ↑

As more state legislatures introduce legislation expanding the reach of their antitrust laws and state attorneys general ramp up their use of antitrust investigations and litigation, the legal landscape continues to become more complex for companies and the courts. Recently, the California enforcers filed an appeal in Association for Accessible Medicines v. Becerra,^[1] of a federal judge’s limiting the extraterritorial reach of California’s Assembly Bill 824^[2] (“A.B. 824”).

A.B. 824, signed by Governor Gavin Newsom in 2019, attempts to ban settlements between generic and brand pharmaceutical manufacturers colloquially known as “reverse payment” settlements. These sorts of settlements arise when a generic manufacturer takes steps to launch a drug product despite the branded manufacturer’s claim to market exclusivity by virtue of its patent protections over that drug. A reverse payment settlement commonly involves a brand pharmaceutical manufacturer offering something of value to a generic manufacturer in exchange for the generic manufacturer’s agreement to delay its market entry until a certain date in the future.

In Federal Trade Commission v. Actavis, Inc.,^[3] the U.S. Supreme Court examined the legal standard that applies to reverse payment settlements, holding that the agreements should be evaluated under the rule of reason. California’s A.B. 824 was enacted in response, and it categorically deemed these agreements anticompetitive as a matter of law and provided for fines of up to $20 million or three times the amount received by the violator in striking the deal—whichever is larger.

In August 2020, the Association for Accessible Medicines (“AAM”), a trade group representing generic pharmaceutical manufacturers, sued the State of California, arguing the law was unconstitutional. In December 2021, the court entered a preliminary injunction, prohibiting enforcement of A.B. 824 pending resolution of the instant lawsuit. In February 2022, the injunction was modified to permit the state to enforce the law only as to “settlement agreements negotiated, completed, or entered into within California’s borders.”

In February 2025, the court entered an order resolving cross-motions for summary judgment, effectively permanently memorializing the state of affairs created by the February 2022 injunction. The court held that A.B. 824 did indeed violate the dormant Commerce Clause insofar as it purported to regulate settlement agreements that had absolutely no connection to California. Accordingly, the court held that the state may enforce the law only as to “settlement agreements negotiated, completed, or entered into within California’s borders.” The order permanently enjoined the state from enforcing A.B. 824 with respect to any settlement agreement that lacked such a connection to California.

At first blush, the order appears to be a victory for the AAM and its member manufacturers. It would seem that so long as generic manufacturers steer clear of negotiating, completing, or executing reverse payment agreements within California borders, they will remain out of the reach of the fines and penalties codified in A.B. 824.

It is unclear whether the pending appeal will resolve two key issues raised by the order. First, the court expressed its concern that A.B. 824, on its face, permitted California to regulate conduct that had no connection to the state whatsoever. In response, the state attempted to argue that this was not the case, asserting A.B. 824 applied only to settlements that cover drug sales in California. With this limitation, the state suggested that A.B. 824 targeted only settlements with some demonstrable connection to California. The court ultimately rejected this argument—not because the sales connection was too tenuous, but solely because the text of A.B. 824, on its face, did not include a limitation to only settlements involving California sales of pharmaceuticals. Thus, the court has left open the proverbial door for California—and other states—to amend A.B. 824 and similar laws to include a sales limitation. In the absence of a full-throated analysis of this defense, it is unclear whether such a limitation would allow for a broader application of A.B. 824 than that permitted by the instant order, one which would undoubtedly trouble the AAM and its members.

Second, the state argued that it should be permitted to enforce A.B. 824 because many states across the country maintain antitrust statutes that already prohibit conduct akin to that regulated by this particular law. The court quickly dispensed with this argument, noting that no state may enforce antitrust legislation ultimately found to violate the dormant Commerce Clause. To the extent challenges are brought, the question of the constitutionality of these state antitrust laws may well boil down to whether the law contains sufficient limiting language so as to target only that unlawful conduct that bears some connection to the subject state.

It unlikely that California’s appeal will resolve the risk for market participants. For example the district court’s order may act as a catalyst for suits challenging the breadth of similar state antitrust laws across the country. In particular, the order leaves ambiguous the potential for California—or other states—to expand the breadth of these antitrust laws by including language that would tie their enforcement to activity that involves sales in the subject state. The growing number of state-level premerger notification requirements and new and amended statutes aimed at expanding the scope of the antitrust laws to conduct not deemed per se illegal under the federal law, or at making it easier for private plaintiffs or enforcement agencies to challenge business activities successfully, will likely complicate antitrust compliance, compliance training, and risk management for companies engaged in interstate commerce.

Before engaging in activity aimed at resolving disputes over generic entry and brand patent protection, it is important to engage competent counsel to prevent any unnecessary cost and expense that may result from an unwitting violation of state law.

1. No. 2:20-cv-1708 (E.D. Cal. Feb. 13, 2025), ECF No. 92. ↑

2. Cal. Health & Safety Code § 134000–134002. ↑

3. 570 U.S. 136 (2013). ↑

“Terms of Service.” Probably all of us have been asked at some point or another to agree to a company’s TOS in order to access its services. Most often, this happens when we download an app to our phone, though it can happen on a regular website as well. It’s not like we have much choice: if we want to use the app, we must agree to the TOS. If we don’t want to agree, we can’t use the app. In practice, that almost always means we agree to the TOS.

TOS commonly contain an arbitration clause. Depending on the clause, arbitration may be subject to—for example—restrictions on remedies, prohibitions against class actions, or limits on recoverable damages. And under typical arbitration rules, there will almost certainly be less and narrower discovery than in court. So it should come as no surprise that some lawyers and litigants cast about for ways to get around arbitration clauses, including in cases where the clause is in TOS.

Last month, in Davitashvili v. Grubhub, No. 23-521 (2d Cir. Mar. 13, 2025), the Second Circuit addressed almost every conceivable threshold question about whether a dispute is arbitrable. In that case, the court looked at three different companies’ TOS to assess (1) whether the parties had agreed to arbitrate at all; (2) if they had agreed to arbitrate, whether it was a court or arbitrators who should decide whether the dispute was within the arbitration clause; (3) if it was for the court to decide, whether the dispute was within the arbitration clause; and (4) if the dispute was covered by the clause, whether the clause was enforceable. In other words, this case presented pretty much every arbitrability-related threshold question imaginable.

Here are the facts. Grubhub, Postmates, and Uber all provide online platforms where customers can order meals from restaurants for pickup and delivery. The restaurants agreed with the platforms not to sell their meals at prices lower than they charge on the platform. That agreement was the basis for an antitrust class action. Three purported classes of restaurant customers sued: those who bought food for delivery or takeout at the restaurants but not on the platforms; those who dined in the restaurants; and those who bought from these restaurants on some other platform. The idea was that, because the platforms required the restaurants not to sell at prices lower than on the platforms, each of these classes had to pay higher prices for their meals than they would have otherwise. In other words, the class action alleged a form of price-fixing.

Note that these classes aren’t defined by reference to any of the platforms’ apps—obviously in order to get around the arbitration clauses in each app’s TOS. But some of the class members (maybe many, or even most) had actually downloaded one or more of the platforms’ apps and accepted their TOS. So does that mean they have to arbitrate their claims?

The first issue was whether there was an agreement to arbitrate at all. There was no issue when it came to Uber and Postmates—those platforms’ custo­mers had agreed to arbitrate. For Grubhub it was less clear. The issue was whether the screen on Grubhub’s interface was designed so that users had inquiry notice of the TOS they were being asked to accept. Typically, for “click-wrap” agreements, in which users are asked to agree to TOS, the users are bound only if they had at least “inquiry” notice of the TOS. Whether there was inquiry notice turns, broadly speaking, on whether the interface makes clear to a user that the “agree” (or “confirm”) button links to the TOS, without excessive distraction on the page, and whether the TOS are reasonably accessible.

In this case the Second Circuit held that the Grubhub web interface was clean and clear enough to place a reasonably prudent user on inquiry notice—though Judge Pérez in her concurring opinion thought Grubhub made the cut just barely, commenting that if the “interface were even marginally more cluttered, the outcome of this appeal would likely be different.” So companies asking users to agree to their TOS would be well-advised to make sure that the screen presenting the TOS to users for agreement should be clean, uncluttered and clear.

Because Grubhub users were on inquiry notice there was an agreement to arbitrate. That led to the next issue: who should decide whether that agreement to arbitrate covers the price-fixing dispute—should it be a court or an arbitrator? This question turns on the language of the arbitration clause. Under Grubhub’s TOS, “issues related to the scope, validity, and enforceability of this Arbitration Agreement are for a court to decide.” So that was pretty clear. But the outcome was different for Uber and Postmates—the Second Circuit held that arbitrators rather than a court decide whether the arbitration clauses in their TOS cover the dispute.

The main remaining issue as to Grubhub was this: were the antitrust class action claims co­vered by the arbitration clause? The Second Circuit’s answer was no. The key issue was whether the language of the arbitration clause covered the antitrust class actions. Here is the relevant part of Grubhub’s TOS:

You and Grubhub agree that all claims, disputes, or disagreements that may arise out of the interpretation or performance of this Agreement or payments by or to Grubhub, or that in any way relate to your use of the Platform, the Materials, the Services, and/or other content on the Platform, your relationship with Grubhub, or any other dispute with Grubhub, (whether based in contract, tort, statute, fraud, misrepresentation, or any other legal theory) (each, a ‘Dispute’) shall be submitted exclusively to binding arbitration.

Recall the basis of the antitrust claims: the plaintiffs alleged that Grubhub essentially fixed prices by requiring restaurants that sold through Grubhub to agree not to charge lower prices else­where than they charge on Grubhub. Grubhub argued that the antitrust claims “relate to [the plain­tiffs’] use of the Platform” because their use of Grubhub’s services helped give Grubhub the econo­mic clout to engage in the claimed anticompetitive activity. But the Second Circuit viewed that as too speculative and tenuous a connection to the claims. In the court’s view, the antitrust claims arose from the plaintiffs’ use of other platforms or direct dealings with the restaurants, where they had to pay allegedly artificially high prices, and not from their use of Grubhub’s app. In fact, some class members had never even accessed the Grubhub app—which underscored the court’s point that it was just a coincidence that some members of the plaintiff classes had used Grubhub’s platform.^[1]

The bottom line is that the antitrust class actions against Grubhub remained in court. But that is not the end of matters. There are two additional opinions: one concurrence and one partial dissent. They are worth noting because they may presage issues that might come up in the future.

First, Judge Pérez’s concurrence. Judge Pérez stressed that the under the Federal Arbitration Act (“FAA”), a court can compel arbitration only if the dispute arises out of the particular contract that contains the arbitration clause—in her words, if there is a “nexus” between the claim and the contract. In other words, it doesn’t matter how broadly drafted the clause may be; Judge Pérez would say that a court does not have power to direct the parties to arbitration if a particular dispute doesn’t clearly enough “aris[e] out of” the contract (in the words of the FAA). Depending on how narrowly a future court may view any proposed “nexus,” this approach may materially alter the scope of courts’ perceived authority to send disputes to arbitration.

Judge Sullivan dissented in part. He agreed there must be some kind of connection (or nexus) between the dispute and the contract containing the arbitration clause, so a dispute that is completely unrelated to the contract cannot be sent to arbitration. But his view of an adequate connection was different from the other judges on the panel. He thought the class action claims did arise from the apps. The plaintiffs’ theory of liability was that Grubhub through its app had amassed so much market power that restaurants had no choice but to agree to Grubhub’s “no price competition” terms. Thus, reasoned Judge Sullivan, if pervasive use of Grubhub is the basis for the antitrust claims, the claims “arise out of” use of Grubhub for purposes of compelling arbitration under the FAA.

Where does this leave us? It isn’t every day that we get three opinions from a three-person appellate panel. Is this case a harbinger of a possibly less broad policy in favor of arbitration at the federal level? Might it indicate ongoing ferment about how tight the connection has to be between claims and clause before a dispute can be referable to arbitration? It remains to be seen. Ultimately, of course, the final say on the matter will be with the Supreme Court.

1. The plaintiffs had also argued that it would be unconscionable to require their claims to be arbitrated, but the Second Circuit was unimpressed. The plaintiffs had not even sufficiently advanced the argument in their papers, and certainly not in enough detail to be considered properly. ↑

Over the past few years, companies have been hit by a wave of hundreds of putative class actions—and untold numbers of threatened mass arbitrations—alleging that use of pixel tracking tools violates the Video Privacy Protection Act (“VPPA”). In the first few months of 2025, that trend continued due to (among other things) the ever-growing use of pixels and similar technology and the Second Circuit’s recent decision in Salazar v. National Basketball Ass’n,^[1] which gives an expansive reading to the statute. In fact, as of March 1, 2025, at least twenty-eight VPPA cases have already been filed. This trend parallels the filing rates in recent years, during which around two hundred cases were filed annually.

The Sixth Circuit, however, just rejected the Second Circuit’s reading in Salazar v. Paramount Global,^[2] a highly similar case involving the same plaintiff. The second Salazar case (which we refer to as Paramount for clarity) creates a circuit split on who is a “consumer” of “goods and services” under the statute—which is notable because a petition for certiorari has already been filed seeking review of the Second Circuit’s decision.

In light of these recent and significant developments, companies with an online presence should be aware of the contours of the VPPA, trends in VPPA litigation, and various defenses and arguments available to them.

The VPPA

Congress enacted the VPPA in 1988 in response to a newspaper’s disclosure of VHS tapes that then–Supreme Court nominee Judge Robert Bork rented from a local video rental store. The statute forbids disclosing certain data about consumers’ video viewing habits, along with identifying information, without their consent.

Specifically, the VPPA prohibits “video tape service provider[s]” from “knowingly disclos[ing]” consumers’ “personally identifiable information” (“PII”) to third parties.^[3] Under the Act, PII is “information which identifies a person as having requested or obtained specific video materials or services.”^[4] The statute defines a “video tape service provider” as any entity “engaged in the business . . . of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.”^[5] Significantly, the VPPA contains a private right of action and authorizes recovery of “actual damages but not less than liquidated damages in an amount of $2,500” per violation, punitive damages, attorneys’ fees and costs, and other equitable relief.^[6]

Pixel Litigation and the Salazar Decisions involving the NBA and Paramount

The recent influx of VPPA lawsuits and mass arbitrations can be attributed to the coalescence of two phenomena: (1) the ever-increasing use of pixel technology and (2) the growing number of courts, such as the Second Circuit in Salazar, giving key terms in the VPPA a broad reading. But time—and perhaps the U.S. Supreme Court—will tell whether the Sixth Circuit’s April 2025 decision in Paramount represents a turning of the tide in which courts begin to rein in VPPA claims.

A. The Prevalence of Pixels

VPPA lawsuits initially focused on companies’ use of Meta’s Pixel tool, a piece of code embedded in a website’s HTML. The code sends Meta information about what visitors do on the website, which enables the website operator to understand the effectiveness of its ad campaigns on Meta and other website user behaviors. What information it sends depends on how the website configures the Pixel. The use of Meta’s Pixel tool is widespread and spans a number of industries: according to a March 2024 report, about 47 percent of websites use Meta Pixel, including 55 percent of those in the S&P 500, 58 percent in the retail industry, 42 percent in finance, and 33 percent in health care.^[7] Other social media companies, including X (formerly Twitter), now offer tracking pixels, too.^[8]

Plaintiffs contend that VPPA liability can arise when a pixel is set up to share with a third party (1) information about a prerecorded video that a user watches on a company’s website (such as the title of the video); and (2) information that could be used to identify that user. This use of pixels has drawn plaintiffs’ lawyers like a moth to the flame, in large part because of the VPPA’s private right of action and potential for massive statutory damages if a class is certified.

B. The Salazar Decisions

The Second Circuit’s decision in Salazar has further accelerated this trend. Plaintiff Michael Salazar brought a lawsuit against an entity one wouldn’t naturally think of as a “video tape service provider”: the National Basketball Association.^[9] Salazar had signed up for the NBA’s newsletter by providing the company his email address.^[10] He then visited the NBA’s website and watched basketball videos.^[11] Based on these unexceptional facts, Salazar alleged that the NBA violated the VPPA.^[12] Why? Because the NBA’s website used the Meta Pixel, he alleged, some of his personal information—his Facebook ID and information about the videos he watched—was sent to Meta without his consent.^[13]

Salazar’s complaint was initially dismissed.^[14] The district court held that the VPPA required him to offer plausible allegations that (1) the NBA newsletter was a “good or service” within the meaning of the VPPA and that (2) he was a “consumer” of that good or service. He also needed to allege facts demonstrating that he has standing under Article III of the U.S. Constitution, which, among other things, requires that he allege suffering a “concrete” injury. The district court agreed that Salazar had standing to sue, but it dismissed the claim on the merits because it determined that Salazar was not a “consumer” within the meaning of the VPPA.

The Second Circuit reversed, holding that Salazar was a “consumer” under the statute.^[15] The VPPA defines “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.”^[16] The NBA asserted that the online newsletter Salazar signed up for was not a “good or service” within the meaning of the Act, because it was not an audiovisual good or service—a qualifier that the NBA argued was consistent with the statute’s requirement that the “goods or services” must come “from a video tape service provider.”^[17] But the Second Circuit rejected this limitation of the statutory language, holding that any consumers—even those who receive non-audiovisual goods from the video tape service provider—are covered by the statute.^[18] Plaintiffs are already relying on this aspect of Salazar in bringing lawsuits involving “goods and services” provided by a whole host of industries, ranging from education to sports betting.^[19]

The Second Circuit also rejected the NBA’s challenge to Salazar’s standing. The NBA pointed out that any information about Salazar was not disclosed to the public but instead directed to one private company (Meta), and accordingly the nature of the disclosure was insufficient to count as the kind of “harm ‘traditionally recognized as providing a basis for lawsuits in American courts’”—the test under Supreme Court precedent for whether an alleged harm constitutes a “concrete injury” for Article III purposes.^[20] The court of appeals rejected this argument, holding that Salazar had standing because his “alleged injury stems from the unauthorized disclosure of his personal viewing information, which is closely related to at least one common-law analog . . . [the] public disclosure of private facts.”^[21] In holding that disclosure to one company alone is enough, the court found it significant that Meta is a major company that uses the information for advertising, and that (according to the complaint) did not have any restrictions on its selling, disclosing, or otherwise using the data.^[22]

Despite describing its holding as “narrow,” the Second Circuit’s decision in Salazar has already had a significant impact in this area.^[23] In the Ninth Circuit, where the court of appeals has not yet reached the issues presented in Salazar, a district court in the Southern District of California has already denied a motion to dismiss a claim by a plaintiff suing Zillow for its use of pixels, relying on Salazar’s reasoning.^[24] In the Second Circuit, courts have quickly made rulings following Salazar’s lead.^[25] In the Eighth and D.C. Circuits—where appeals concerning interpretation of the VPPA are pending—litigants have cited to Salazar in an effort to persuade those courts.^[26]

On March 14, 2025, the NBA filed a petition for certiorari seeking Supreme Court review of the Second Circuit’s decision.^[27] In its petition, the NBA argues that the Second Circuit’s decision created not one but two circuit splits. First, it asserts that the Second Circuit split from the Third, Seventh, Tenth, and Eleventh in holding that a consumer suffers concrete harm when one business discloses the consumer’s personal information to another, even if that information is never disclosed to the public. Second, it argues that the Second Circuit’s ruling on the VPPA definition of “consumer” creates a circuit split because the Sixth, Seventh, and D.C. Circuits are considering the same issue on appeal and are “likely to reject” the Second Circuit’s broad interpretation.^[28]

The NBA’s prediction was correct as to the Sixth Circuit: on April 3, 2025, that court issued a ruling in Paramount (its own case involving Salazar), opting for a narrower reading of the statute. In that case, the same plaintiff sued Paramount Global under the VPPA, asserting that a website owned by the defendant disclosed his video viewing history and Facebook ID without his consent.^[29] As in his case against the NBA, Salazar asserted that he was a “consumer” because he became a “subscriber” to the website when he signed up for its online newsletter.^[30] A federal court in Tennessee disagreed, holding that the definition of “subscriber” is “cabined by the definition of ‘video tape service provider.’”^[31] Thus, the district court concluded, “to qualify as a ‘consumer,’ a ‘plaintiff must be a subscriber of goods and services in the nature of audio-video content.”^[32] Salazar’s allegations failed, the court explained, because Salazar did not plausibly allege that a newsletter subscription “was a condition to accessing the site’s videos, or that it enhanced or in any way affected [his] viewing experience.”^[33]

The Sixth Circuit affirmed, holding that “the most natural reading” of the statute limits the definition of “consumer” to apply only to someone who “subscribes to ‘goods or services’ in the nature of ‘video cassette tapes or similar audio visual materials.’”^[34] The court’s holding pointed to a line of Supreme Court decisions emphasizing that particular words in a statute must be interpreted in the context of the statute as a whole.^[35]

It remains to be seen whether the Sixth Circuit’s decision in Paramount will stanch the flow of VPPA complaints, at least outside the Second Circuit. In the immediate term, Paramount—which acknowledges creating a circuit split on the question of how to define the term “consumer” under the statute—increases the likelihood that the Supreme Court will grant the NBA’s petition and take up the issue itself.

Defenses and Arguments

In light of these developments and the continued flood of VPPA lawsuits, companies should be aware of potential arguments and defenses. We discuss some of these defenses and arguments below.

A. Procedural Defenses

i. Moving to Compel Arbitration

As a threshold matter, in many instances, defendants will have strong grounds to compel arbitration if their customer terms of service include an arbitration provision. That is because the VPPA’s definition of “consumer” is limited to a “renter, purchaser, or subscriber of” a defendant’s services,^[36] and many companies require website visitors to assent to an arbitration provision prior to subscribing or making a purchase.

But companies that have strong arbitration arguments to avoid class action lawsuits in court may nonetheless be targeted by mass arbitrations. Several plaintiffs’ firms specialize in threatening mass arbitrations independent of or as follow-ons to privacy class actions, and VPPA cases are no exception to this trend. Indeed, there are several websites actively recruiting claimants to assert VPPA claims in mass arbitrations. Accordingly, potential VPPA defendants should also take steps to ensure that their arbitration agreements contain provisions to ameliorate the possibility of mass arbitration.^[37] One point to consider; the 2024 AAA rules regarding mass arbitrations alleviate some of the burdens on defendant companies by introducing a “process arbitrator” to manage administrative issues in some circumstances and implementing a fee structure for better predictability and reduced initial burdens on all parties.^[38]

ii. Challenging Class Certification

Even if a VPPA claim is not dismissed at the pleading stage, defendants should have arguments to raise in opposing class certification. For example, defendants can oppose certification of classes under Rule 23(b)(3)’s predominance prong. Because website users configure their browsers differently—some don’t accept cookies, others install software designed to block data sharing, and others still aren’t logged into their Facebook account on the same browser from which they access a defendant’s website—the data disclosed to Meta will not be uniform across visitors. As a result, defendants could argue that the individualized inquiry that would be required to determine whether a class member’s PII was actually disclosed would overwhelm any common issues. In addition, to the extent class litigation waivers are permissible in a particular jurisdiction, defendants should raise that issue. The Salazar court mentioned the NBA’s class-litigation waiver argument in a footnote but did not reach it on its merits.^[39]

B. Statutory Arguments

i. Safe Harbor for Consent

The VPPA contains a safe harbor that permits companies to disclose consumers’ PII as long as they first obtain consent in the manner prescribed by the statute.^[40] The VPPA also authorizes disclosure of PII to third parties if it “is incident to” the company’s “ordinary course of business”—a term defined to “mean[] only debt collection activities, order fulfillment, request processing, and the transfer of ownership.”^[41]

Some VPPA defendants may have a viable consent-based defense, depending on their privacy and cookie policies or other terms of service. To be effective under the VPPA, “informed, written consent” must meet certain statutory requirements: It must (1) be “in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer,” (2) be given at the time disclosure is sought or given in advance for a set period of time not to exceed two years, and (3) provide the consumer with the ability to opt out from disclosures “in a clear and conspicuous manner.”^[42] Courts have suggested that, because of these requirements, the disclosure cannot be part of a website’s general privacy policy or terms of service and must instead consist of its own page or pop-up notice.^[43] The Salazar court reserved the question of whether Salazar had consented to disclosure of his PII by assenting to the NBA’s privacy policy, which stated that it collects certain “Personal Information” from site visitors.^[44] But defendants are more likely to be able to invoke consent if the presentation and wording of the consent language is clear to the reasonable user.^[45]

ii. Interpretive Arguments

Personally Identifiable Information

Generally speaking, plaintiffs in Pixel-related VPPA actions allege that the information that a website sends to Meta (or other Pixel provider) typically includes some combination of (1) the user’s unique Facebook ID, (2) the name of the video the user watched, (3) the times when the user started and stopped viewing the video, and (4) the video’s URL. Plaintiffs then argue that this information constitutes PII under VPPA, because it is “information which identifies a person as having requested or obtained specific video materials.”^[46]

Circuit courts (including the Second Circuit) have not addressed whether the above information would constitute PII.^[47] Instead, what exists is a patchwork of cases attempting to interpret what could constitute PII on a case-by-case basis. The First Circuit, for example, decided that a plaintiff’s GPS coordinates at the time he viewed a video was PII, because another “unrelated third party” was able to “[u]s[e] this information . . . to identify [the plaintiff] and link the videos he had viewed to his individualized profile maintained by [the third party].”^[48] By contrast, the Ninth Circuit determined that a plaintiff’s Roku device serial number and the names of the videos he watched were not PII, because “that information cannot identify an individual unless it is combined with other data in [a third party’s] possession.”^[49] The Third Circuit recognized the complexity of discerning what PII means, noting that its interpretation “has not resulted in a single-sentence holding capable of mechanistically deciding future cases.” As it stated, “We have not endeavored to craft such a rule, nor do we think, given the rapid pace of technological change in our digital era, such a rule would even be advisable.”^[50]

In light of the complexities inherent in the term “personally identifiable information,” companies should consider whether the data collected by the pixel on their website is PII. To the extent defendants operate a version of Meta Pixel that only sends some, but not all, of the information listed above, they should consider contesting whether it is PII, as some courts have dismissed VPPA claims on this ground.^[51]

Subscriber

As mentioned above, the VPPA applies only if the plaintiff is a “renter, purchaser, or subscriber.”^[52] The Salazar court and the First Circuit have interpreted the term “subscriber” broadly to encompass those who have provided any personal information to a company in exchange for a good or service.^[53]

Other circuits have been skeptical of adopting this broad definition. The Eleventh Circuit, for example, has twice declined to confer “subscriber” status to a plaintiff under the VPPA.^[54] That court has held that merely downloading a free application is insufficient to confer “subscriber” status and held that a subscription “involves some type of commitment, relationship, or association (financial or otherwise) between a person and an entity.”^[55]

Goods and Services and “Video Tape Service Provider”

Most courts have interpreted the term “similar audio visual materials” fairly broadly to include essentially all prerecorded video content on a website, even if such content does not bear a close resemblance to the feature-length films that inspired Congress to pass the VPPA. However, several courts have concluded that live-streamed video content is not covered by the statute, because it is not “prerecorded,” and a couple of defendants have achieved dismissal of VPPA claims on that basis.^[56] Similarly, the U.S. District Court for the Northern District of Illinois recently confirmed that a video-editing application is not a “video tape service provider” under the statute because it provides users the ability to edit their own videos—even if that service provides filters, templates, visual effects, or other tools.^[57] Relatedly, the Ninth Circuit recently held that movie theaters are not “video tape service providers” within the meaning of the statute because the “provision of shared access to film screenings” is not encompassed by the statute’s definition limiting video tape service providers to those engaged in the “rental, sale, or delivery” of prerecorded videos.^[58]

C. Constitutional Defenses

i. Standing

First, VPPA claims may be vulnerable on standing grounds. Because such claims are generally based purely on a statutory violation, there are good arguments that they fail the “concrete injury” standard set forth in TransUnion LLC v. Ramirez. That said, standing challenges in Pixel VPPA cases have failed to gain much traction, as several courts have concluded that, at their core, VPPA claims are premised on the disclosure of private information, a type of harm that these courts deem sufficient to confer standing.^[59] The Ninth Circuit has joined the Eleventh and Third Circuits in holding, prior to TransUnion, that alleged violations of the VPPA are sufficient in themselves to satisfy the concrete-injury requirement.^[60] But an appeal currently pending in the Ninth Circuit is worth watching to get that court’s latest word on how to approach standing in privacy cases in light of TransUnion.^[61]

ii. First Amendment

Next, defendants could mount a viable First Amendment challenge to the VPPA on grounds that the statute impermissibly restricts and chills protected noncommercial speech. Patreon asserted such a challenge to the VPPA.^[62] Though the court ultimately found that the merits of the challenge were too fact-intensive to be decided at the pleading stage, it appeared receptive to some of Patreon’s arguments (including that the VPPA’s regulations are content-based) and urged Patreon to reassert its challenge on a more developed record. (Patreon ultimately settled its case.^[63]) Other district courts have reached similar conclusions on the First Amendment question.^[64]

iii. Due Process

Finally, because the VPPA authorizes $2,500 in statutory damages per violation, a defendant could contend that an aggregated award would be excessive and thus violate due process. Though this argument might not be viable until the class certification stage, it has recently proven successful in similar statutory contexts. In one case, the Ninth Circuit vacated a statutory damages award of over $900 million in a Telephone Consumer Protection Act (“TCPA”) case on grounds that the district court failed to properly consider the due process implications of such an award.^[65] The Eighth Circuit similarly affirmed a district court’s decision to reduce a $1.6 billion TCPA verdict to $32 million, because the original award was “so severe and oppressive as to be wholly disproportioned to the offense and obviously unreasonable.”^[66] And, while the Seventh Circuit ultimately affirmed a $280 million verdict in a TCPA case, it noted that the district court had charged the defendant only about $4 per violation and that imposing the statutory maximum of $10,000 per violation “would be impossible to justify.”^[67]

Conclusion

The trends make clear that companies that offer videos on their websites will continue to face VPPA lawsuits, and courts will need to grapple with the text of a statute written when the corner video rental store was ubiquitous. Few of these cases have proceeded far—and no federal VPPA class action has gone to trial yet. What we can confidently predict is that VPPA litigation will continue to evolve as a greater body of case law emerges over the next several years, and businesses should remain attuned to developments in the law.

1. 118 F.4th 533 (2d Cir. 2024). ↑

2. No. 23-5748, 2025 WL 1000139 (6th Cir. Apr. 3, 2025). ↑

3. 18 U.S.C. § 2710(b)(1). ↑

4. Id. § 2710(a)(3). ↑

5. Id. § 2710(a)(4). ↑

6. Id. § 2710(c)(1)–(2). ↑

7. Online Data Privacy Report: Website Privacy and Compliance Challenges, Lokker 3 (Mar. 2024). ↑

8. Ian Cohen, Are Web-Tracking Tools Putting Your Company at Risk?, Forbes (Oct. 19, 2022, 7:15 AM) (listing various pixels). ↑

9. Salazar v. Nat’l Basketball Ass’n, 118 F.4th 533, 536 (2d Cir. 2024). ↑

10. Id. at 538. ↑

11. Id. ↑

12. Id. at 539. ↑

13. Id. at 537–38. ↑

14. Salazar v. Nat’l Basketball Ass’n., 685 F. Supp. 3d 232, 244–45 (S.D.N.Y. 2023). ↑

15. Salazar, 118 F.4th at 537, 553. ↑

16. 18 U.S.C. § 2710(a)(1). ↑

17. Salazar, 118 F.4th at 536, 539. ↑

18. Id. at 548. ↑

19. See, e.g., Kelcey Caulder, Legal Ed. Cos. Shared Customers’ Data, Suit Claims, Law360 (Dec. 11, 2024, 6:38 PM); Elaine Briseño, DraftKings Sued in NY for Secret Use of Meta Tracking Pixel, Law360 (Dec. 16, 2024, 5:43 PM). ↑

20. Id. at 542 (quoting Bohnak v. Marsh & McLennan Cos., 79 F.4^th 276, 286 (2d. Cir. 2023) (quoting TransUnion LLC v. Ramirez, 594 U.S. 413, 425 (2021))). ↑

21. Id. at 540. ↑

22. Id. at 543–544. ↑

23. Id. at 553. ↑

24. Mata v. Zillow Grp., Inc., No. 24-CV-01095-DMS-VET, 2024 WL 5161955, at *4 (S.D. Cal. Dec. 18, 2024). ↑

25. See, e.g., Golden v. NBCUniversal Media, LLC, No. 22 CIV. 9858 (PAE), 2024 WL 4904676, at *1 (S.D.N.Y. Nov. 27, 2024). ↑

26. See, e.g., Reply Brief of Plaintiff-Appellant at *1, Pileggi v. Wash. Newspaper Publ’g Co., No. 24-7022, 2025 WL 252705 (D.C. Cir. Jan. 20, 2025); Brief of Plaintiff-Appellant at *21, 25, Christopherson v. Cinema Ent. Corp., No. 24-3042, 2024 WL 5159565 (8th Cir. Dec. 6, 2024). ↑

27. Petition for Writ of Certiorari, Nat’l Basketball Ass’n v. Salazar, No. 24-994 (U.S. Mar. 14, 2025). ↑

28. Id. at 30. ↑

29. Salazar v. Paramount Glob., No. 23-5748, 2025 WL 1000139, at *1 (6th Cir. Apr. 3, 2025). ↑

30. Id. at *2. ↑

31. Id. (quoting Salazar v. Paramount Glob., 683 F. Supp. 3d 727, 743 (M.D. Tenn. 2023)). ↑

32. Id. (quoting Salazar v. Paramount Glob., 683 F. Supp. 3d at 743 n.23). ↑

33. Salazar v. Paramount Glob., 683 F. Supp. 3d at 743 (citing Carter v. Scripps Networks, LLC, 670 F. Supp. 3d 90, 98–99 (S.D.N.Y. 2023)). ↑

34. Paramount, 2025 WL 1000139, at *5. ↑

35. Id. ↑

36. 18 U.S.C. § 2710(a)(1). ↑

37. See Andrew J. Pincus, Archis A. Parasharami, Kevin Ranlett, and Carmen Longoria-Green, Mass Arbitration Shakedown: Coercing Unjust Settlements, U.S. Chamber of Com. Inst. for Legal Reform (Feb. 28, 2023). ↑

38. See Andrew J. Pincus, Archis A. Parasharami, Andrew J. Demko, Megan S. Webster, Tony Weibell, Kevin S. Ranlett, and Daniel E. Jones, American Arbitration Association Adopts New Mass Arbitration Rules and Fee Schedules, Mayer Brown (Feb. 5, 2024). ↑

39. Salazar v. Nat’l Basketball Ass’n, 118 F.4th 533, 539 (2d Cir. 2024). ↑

40. 18 U.S.C. § 2710(b)(2)(B). ↑

41. Id. §§ 2710(a)(2), (b)(2)(E). ↑

42. 18 U.S.C. § 2710(b)(2)(B). ↑

43. See Cappello v. Walmart Inc., No. 18-cv-06678-RS, 2019 WL 11687705, at *2 (N.D. Cal. Apr. 5, 2019). ↑

44. Salazar, 118 F.4th at 538–39. ↑

45. See, e.g., Calhoun v. Google, LLC, 113 F.4th 1141, 1151 (9th Cir. 2024) (“[A] determination of what a ‘reasonable’ user would have understood must take into account the level of sophistication attributable to the general public, which uses Google’s services.”). ↑

46. 18 U.S.C. § 2710(a)(3). ↑

47. Some district courts have generally concluded that, because disclosure of the Pixel allegedly shares both the user’s unique Facebook ID—which can be used to ascertain the user’s Facebook profile—and the name of the video watched, an ordinary person could use that information to glean a specific individual’s video-watching behavior. See, e.g., Stark v. Patreon, Inc., 635 F. Supp. 3d 841, 853 (N.D. Cal. 2022); Feldman v. Star Trib. Media Co., 659 F. Supp. 3d 1006, 1014–15, (D. Minn. 2023); Czarnionka v. Epoch Times Ass’n, Inc., No. 22 Civ 6348 (AKH), 2022 WL 17069810, at *4 (S.D.N.Y. Nov. 17, 2022). ↑

48. Yershov v. Gannett Satellite Info. Network, Inc., 820 F.3d 482, 484–85 (1st Cir. 2016). ↑

49. Eichenberger v. ESPN, Inc., 876 F.3d 979, 986 (9th Cir. 2017). ↑

50. In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 290 (3d Cir. 2016). ↑

51. See, e.g., Martin v. Meredith Corp., 657 F. Supp. 3d 277 (S.D.N.Y. 2023), appeal withdrawn, No. 23-412, 2023 WL 4013900 (2d Cir. May 24, 2023) (dismissing VPPA claims when the defendant ran a version of the Meta Pixel that sent only the user’s Facebook ID and the name of the webpage accessed); see also, e.g., Ghanaat v. Numerade Labs, Inc., 689 F. Supp. 3d 714, 721 (N.D. Cal. 2023). ↑

52. 18 U.S.C. § 2710(a)(1). ↑

53. Yershov, 820 F.3d at 487; see also, e.g., Harris v. Pub. Broad. Serv., 662 F. Supp. 3d 1327, 1334–35 (N.D. Ga. 2023); Lebakken v. WebMD, LLC, 640 F. Supp. 3d 1335, 1339–40 (N.D. Ga. 2022) (concluding that plaintiffs are plausibly covered as “subscriber[s]” as long as they register for an account and provide personal information in the process). ↑

54. Perry v. Cable News Network, Inc., 854 F.3d 1336, 1342 (11th Cir. 2017). ↑

55. Ellis v. Cartoon Network, Inc., 803 F.3d 1251, 1254, 1256 (11th Cir. 2015); see also Perry, 854 F.3d at 1342–43. ↑

56. See, e.g., Stark v. Patreon, Inc., 635 F. Supp. 3d 841, 853–54 (N.D. Cal. 2022); Louth v. NFL Enters. LLC, 2022 WL 4130866, at *4 (D.R.I. Sept. 12, 2022). ↑

57. See Rodriguez v. ByteDance, Inc., No. 23-cv-4953, slip op. at 15–16 (N.D. Ill. Mar. 3, 2025). ↑

58. Osheske v. Silver Cinemas Acquisition Co., No. 23-3882, slip op. at 7 (9th Cir. Mar. 27, 2025). ↑

59. See, e.g., Martin v. Meredith Corp., 657 F. Supp. 3d 277 (S.D.N.Y. 2023); Feldman v. Star Trib. Media Co., 659 F. Supp. 3d 1006, 1015 (D. Minn. 2023). ↑

60. Eichenberger v. ESPN, Inc., 876 F.3d 979, 984 (9th Cir. 2017) (citing Perry, 854 F.3d at 1341; In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 274 (3d. Cir. 2016)). ↑

61. See Greg Lamm, 9th Cir. Skeptical of Undoing Microsoft Win in Wiretap Case, Law360 (Jan. 16, 2025, 7:20 PM). ↑

62. See, e.g., Stark v. Patreon, Inc., 656 F. Supp. 3d 1018, 1027–28 (N.D. Cal. 2023). ↑

63. Plaintiffs’ Notice of Motion and Motion for Preliminary Approval of Class Action Settlement at 5, Aug. 2, 2024, Stark v. Patreon, Inc., 656 F. Supp. 3d 1018 (N.D. Cal. 2023) (No. 22-cv-03131-JCS), ECF No. 176. ↑

64. See, e.g., Saunders v. Hearst Television, Inc., 711 F. Supp. 3d 24, 32–33 (D. Mass. 2024); Christopherson v. Cinema Ent. Corp., No. 23-cv-3614, 2024 U.S. Dist. LEXIS 47847, at *13 (D. Minn. Mar. 6, 2024). ↑

65. However, the panel also noted that reducing statutory damages awards should not be done lightly and “must be reserved for circumstances” in which the award is “gravely disproportionate to and unreasonably related to the legal violation committed.” Wakefield v. ViSalus, Inc., 51 F.4th 1109, 1124 (9th Cir. 2022), cert. denied, 143 S. Ct. 1756 (2023); see also Montera v. Premier Nutrition Corp., 111 F.4th 1018, 1043 (9th Cir. 2024) (Ninth Circuit remands district court decision to determine whether the statutory damages award violates due process under Wakefield.). ↑

66. Golan v. FreeEats.com, Inc., 930 F.3d 950, 963 (8th Cir. 2019) (quoting St. Louis, I.M. & S. Ry. Co. v. Williams, 251 U.S. 63, 67 (1919)). ↑

67. United States v. DISH Network L.L.C., 954 F.3d 970, 980 (7th Cir. 2020). ↑

This article discusses a Showcase CLE program titled “All the President’s Men: A Look at Attorneys’ Ethical Duties in View of Recent Disbarments and Criminal Convictions” that took place at the American Bar Association Business Law Section’s 2025 Spring Meeting. All Showcase CLE programs were recorded live and will be available for on-demand credit, free for Business Law Section members.

The legal profession has long upheld a duty to maintain ethical integrity, ensuring that attorneys act within the boundaries of professional responsibility while zealously representing their clients. Yet, recent years have tested the limits of these ethical standards, particularly in the political and corporate arenas. High-profile cases involving attorneys working in presidential administrations and as in-house counsel for entities and educational institutions—as well as the legal profession at large—have resulted in an unprecedented wave of disciplinary actions, disbarments, and even criminal convictions. These cases provide striking examples of what may happen when attorneys prioritize personal loyalty, political influence, or financial gain over their fundamental ethical obligations or, in some cases, failures to properly identify their client.

This presentation will examine the evolving landscape of legal ethics through the lens of recent attorney misconduct cases, exploring how and why these ethical lapses occurred, what lessons can be drawn from them, and how attorneys can ensure they remain within the bounds of professional conduct. The discussion will emphasize the core duties that attorneys owe to their clients, the judicial system, and the public, as well as how ethical boundaries shape legal advocacy, decision-making, and professional accountability.

At the heart of this discussion are the ABA’s Model Rules of Professional Conduct, which serve as the foundation for ethical legal practice. The presentation will analyze critical provisions such as Rule 1.2 (Scope of Representation and Allocation of Authority Between Client and Lawyer); Rule 1.13 (Organization as Client); Rule 1.16 (Declining or Terminating Representation); Rule 1.6 (Confidentiality of Information); Rule 3.3 (Candor Toward the Tribunal); Rule 5.1 (Responsibilities of Partners, Managers, and Supervisory Lawyers); and Rule 8.4 (Misconduct). Through case studies of attorneys who have faced disciplinary actions or criminal prosecution, the panel will illustrate how these ethical guidelines were violated and the consequences that followed. It will also address the recent ABA Formal Ethics Opinion 513 (Aug. 23, 2024) regarding an attorney’s “duty to inquire into and assess the facts and circumstances of each representation” and possibly the obligation to withdraw from such representation under the now amended ABA Model Rule 1.16, as well as ABA Formal Opinion 514 (Jan. 8, 2025) regarding an attorney’s “obligations when advising an organization about conduct that may create legal risks for the organization’s constituents.”

One of the key themes of this discussion is the tension between zealous advocacy and other ethical responsibilities. Attorneys have a duty to vigorously represent their clients within the bounds of the law, but where do the boundaries lie, and when do attorneys cross them? Recent cases involving election-related litigation, obstruction of justice, and business fraud have underscored the difficulty attorneys face when they navigate high-stakes political and corporate environments. Lawyers who crossed ethical lines—whether by submitting false claims, misleading courts, suppressing evidence, or engaging in other forms of misconduct—have faced disbarment, financial penalties, and, in some cases, imprisonment.

Beyond the direct consequences for individual attorneys, these high-profile cases have significant implications for the broader legal profession. Public confidence in the legal system is heavily influenced by attorneys’ conduct, particularly when attorneys are involved in matters of national significance. When attorneys violate ethical rules, they not only damage their own reputations but also erode trust in the integrity of the legal profession as a whole. This session will explore the public perception of attorney misconduct and discuss whether existing professional rules and enforcement mechanisms are adequate to deter unethical behavior.

Another crucial aspect of the discussion is the role of attorneys as gatekeepers of the justice system. Lawyers are not mere advocates for their clients; they are also officers of the court with a duty to uphold the rule of law. This responsibility requires attorneys to balance their obligations to clients with broader ethical duties to the legal system and the public. The presentation will address how attorneys can identify ethical red flags, navigate challenging situations, and seek ethical guidance before engaging in conduct that could lead to professional or legal consequences.

Additionally, the discussion will explore corporate legal ethics and business law applications, focusing on attorneys working in advisory roles within corporate entities. Attorneys serving in executive or in-house counsel positions may face immense pressure from corporate leadership to take legally questionable actions. The Enron scandal, the mortgage meltdown of the late 2000s, and more recent corporate legal battles highlight the risks attorneys face when they fail to exercise independent legal judgment. These examples will be used to illustrate the dangers of enabling unethical or illegal corporate behavior and the importance of attorneys maintaining professional independence.

This presentation offers a critical examination of the ethical challenges attorneys face in today’s legal and political climate. By analyzing recent cases of attorney misconduct, panelists will provide insights into the risks and responsibilities of legal practice. Through an exploration of professional conduct rules, real-world case studies, and ethical best practices, attendees will gain a clearer understanding of their obligations as attorneys and the importance of maintaining ethical integrity in all aspects of their work. The lessons drawn from these cases serve as a powerful reminder of the legal profession’s role in safeguarding justice and the rule of law.

This is the fourth installment in the Year in Governance Series from the In-House Subcommittee of the ABA Business Law Section’s Corporate Governance Committee. Each month, the series will share key tips on a different corporate governance topic. To get involved in the Corporate Governance Committee, please visit the committee’s webpage.

A message from Kathy Jaffari: “As Chair of the Corporate Governance Committee, I would like to extend my sincere appreciation to the authors for this publication. The Corporate Governance Committee has ongoing opportunities for writing and volunteering with various projects, whether it’s an article you want to publish or a CLE that you want to present. Our Committee is dedicated to helping you promote informative resources for corporate governance practitioners. You may contact me at [email protected] to get involved.”

There is an expanding array of technology platforms that facilitate board-related communications and administration of board functions, including some that leverage artificial intelligence (“AI”). Some companies are adopting new technologies, while others are staying with methods that have existed for many years. Regular reviews of the technology used for board-related functions will ensure that companies are weighing the benefits and drawbacks of their current approach while appropriately identifying innovative solutions that could provide enhanced efficiency and flexibility, or reduce risk.

1. Board Management and Communication Platforms: Numerous vendors offer platforms that provide an efficient medium for distribution of board materials, communications, and administration of board functions. Many of these platforms incorporate cybersecurity protections, thus reducing risk, and integrate with internal company systems such as those used for cloud storage and virtual collaboration. They can also help reduce risk by aiding with the administration of company record retention policies. Appropriate training should be provided to ensure consistency in adoption across the board and company stakeholders.
2. Audio and Video Recording: Recording board or committee meetings in audio or video format could present significant litigation risk. It is also inconsistent with the core governance principle that the minutes stand as the only record of such meetings. Even if deleted, recordings may later be recovered via backups. When using collaboration platforms for virtual board or committee meetings, deactivate the recording functionality.
3. Use of AI by Boards: For companies that are considering implementing AI solutions to record and summarize board and committee meetings, see the above tip on Audio and Video Recording. Separately, AI platforms may be able to summarize large amounts of written data, such as board books, which directors and others might find helpful. If considering such a technology solution, ensure that any third-party vendor leveraging AI will treat company information confidentially, has best-in-class cybersecurity controls, regularly tests its models for accuracy, and will not use the company’s data for its own business purposes.
4. Email Communications: Companies should use a secure board management and communication platform/portal for company-related communications. The use of personal email accounts for company business poses heightened cybersecurity concerns and can potentially jeopardize confidentiality. Use of personal or day-job email accounts could also expose those accounts to discovery in litigation. Companies should consider providing directors with company email accounts, on the company’s system and protected by its cybersecurity controls, for purposes of communicating on company business. If it is not possible to avoid directors’ using their everyday email accounts, they should avoid substantive messages and only exchange short, actionable messages like “Call me” or “Check the board portal for new material.”
5. Text Messaging: Companies should caution directors to avoid exchanging substantive text messages regarding company business using personal cell phones or devices. Like use of personal email accounts, use of text messaging via personal devices can give rise to security risks. Text messaging is also often informal, which can lead to the exchange of damaging, embarrassing, or unclear communications that could later become discoverable and misconstrued. If it is impossible to eliminate all text messaging, companies should advise directors that texts related to the company should only be sent for scheduling or administrative reasons (e.g., “I am running 10 minutes late”).
6. Business Continuity and Disaster Recovery: Boards, like companies, should confirm that their business continuity and disaster recovery plans are up to date, tested regularly, and stored in a place where they would be accessible in the event of a significant technology disruption caused by a cybersecurity or ransomware event or a weather disaster. As part of this planning process, boards should confirm that any company technology systems required for the board to communicate or access important information are appropriately backed up and prioritized from a systems resiliency standpoint so that they would be accessible in the event of a significant disruption.
7. Access to Records: Companies should regularly review their access controls, including who has access to electronic board and committee materials and communications. Access should only be granted to those with a “need to know.” Certain employees might only have a “need to know” as it relates to certain committees or matters, and access should be limited accordingly.
8. Destruction of Records: Failure to promptly destroy documents and communications in accordance with the company’s records retention policy, including those relating to the board, raises a company’s risk profile. Documents that could have been properly destroyed can become discoverable in litigation. Overbroad litigation hold orders can also result in companies retaining documents that they could and should have destroyed pursuant to their retention policies. If a company uses a board communications portal, it is advisable to confirm that the portal’s storage settings align with the company’s record retention policy.
9. Technology While Traveling: To address confidentiality and cybersecurity risks, precautions should be taken if the board meets outside of the United States, if directors reside or regularly travel abroad, and if board meetings occur at offsite locations. Companies should consider whether travel or meeting locations abroad present heightened risk of intrusion by state and nonstate actors. They should consider issuing directors with “vanilla” devices for company-related communications (including only software necessary for company business) and/or Faraday bags, which can potentially block signals and provide enhanced security. For offsite board meetings, companies should consider conducting digital sweeps for recording devices.
10. Website Bios and Social Media: Companies, in consideration of their respective risk profiles, should consider whether there is a need to include board (and management) biographies and photographs on company websites and social media sites given that this information could be exploited by bad actors seeking to do harm. It is a good practice to conduct a digital risk assessment periodically to identify what digital information on directors is publicly available so that guidance can be provided to minimize risk.

The views expressed in this article are solely those of the authors and not their respective employers, firms, or clients.