Firm News

Fifth Circuit Order Reverts HSR Filings to Old Form

On March 19, 2026, the U.S. Court of Appeals for the Fifth Circuit denied the Federal Trade Commission’s (“FTC”) motion for a stay pending appeal in the ongoing litigation challenging the recent February 2025 expansion of pre-merger reporting requirements under the Hart-Scott-Rodino (“HSR”) Antitrust Improvements Act of 1976. Previously, in a February 12, 2026 Order, a Texas federal court ruled that the expanded requirements “exceed[] the FTC’s statutory authority because the agency has not shown that the rule’s claimed benefits will ‘reasonably outweigh’ its significant and widespread costs.” Shortly thereafter, the FTC filed an appeal with the Fifth Circuit and sought an emergency stay of the District Court’s Order pending the outcome of their appeal. On February 19, 2026, the Fifth Circuit granted an administrative stay “until further order of [the] court” while it reviewed but ultimately decided in its most recent Order that the stay should not be maintained pending a final outcome of the appeal. As a consequence of this decision, the expanded requirements that were imposed by the updated HSR form have been vacated, although there is a chance that they could be reinstated if the FTC is successful on appeal. In accordance with the Order, the FTC has announced that it will begin accepting HSR filings on the prior, pre-February 2025 HSR Form although it will continue to accept filings submitted on the new HSR form on a voluntary basis. Parties preparing to submit HSR filings should consult with counsel to assess the best approach in light of this new HSR filing framework. The Lewis Rice HSR team is available to advise and will continue to monitor developments as the FTC’s appeal proceeds.

Katherine Utz Hunter Joins Lewis Rice as Member

Lewis Rice is pleased to announce that Katherine Utz Hunter has joined the firm as a member of the Corporate Department. She brings significant experience advising clients on employee benefits, ERISA compliance and related regulatory matters. Katherine focuses her practice on compliance with the Employee Retirement Income Security Act of 1974 (ERISA) and the design and administration of employee benefit programs, including retirement and health and welfare plans. She advises plan sponsors on navigating complex regulatory requirements, drafts and amends plan documents and participant communications, and counsels clients on governance, fiduciary responsibilities and operational matters. She represents a wide range of clients on sophisticated employee benefits issues and guides organizations through the regulatory, structural and transactional considerations shaping their benefit programs. “Katherine’s thoughtful, detail-oriented approach and ability to translate complex legal requirements into clear, practical guidance for clients make her an exceptional addition to our firm,” said Lewis Rice Chairman Richard B. Walsh, Jr. “We are pleased to welcome her to Lewis Rice.” Katherine earned her J.D. from Chicago-Kent College of Law in 2009, where she was named to the Dean’s List and received CALI Awards in Employment Relationship and Civil Procedure II.

Lewis Rice Featured in Media Coverage on Proposed Central Iowa Trail Project

AI Transcription Tools Give Rise to BIPA Claims

Litigation under the Illinois Biometric Information Privacy Act (“BIPA”) is increasingly and very recently focused on one category of biometric data that many organizations may overlook: voiceprints. Recent lawsuits have focused on AI-powered transcription, speaker recognition, and voice analytics tools as an unlawful use of participants’ voiceprints without proper consent. Voiceprints Are Expressly Covered by BIPA BIPA defines “biometric identifiers” to include voiceprints. Unlike general audio recordings, a voiceprint involves the analysis of unique vocal characteristics to identify or distinguish a speaker. Plaintiffs are alleging that software creates biometric identifiers subject to the statute when it attributes speech to specific individuals using speaker recognition technology. To comply with BIPA, a company collecting voiceprints must: Provide written notice that biometric data is being collected or stored; Inform the individual in writing of the purpose and duration of collection; and Obtain a written release before collection. The collecting company must also publish a publicly available written retention and destruction policy. As discussed in our recent client alert, statutory damages are significant: $1,000 per negligent violation and $5,000 per reckless or intentional violation with potential accrual on a per-scan basis under Cothron v. White Castle System, Inc. AI Meeting Assistants and Speaker Recognition: Ambient Listening a part of the allegations in recent lawsuits. In Cruz v. Fireflies.AI Corp., filed on December 18, 2025 in Illinois District Court, the plaintiff alleges that an AI meeting assistant violated BIPA by recording virtual meetings and using speaker recognition technology to distinguish between participants. According to the complaint, the software automatically joins meetings when enabled by a host, records and transcribes conversations, identifies and labels individual speakers, and stores the resulting data. The plaintiff alleges that these functions necessarily involve creating voice-derived identifiers and that meeting participants, who never created accounts and never signed any written release, were not provided BIPA-compliant notice or consent. The case, which has just began litigation, reflects a growing theory of liability: even where a company does not market its product as “biometric,” functionality that distinguishes speakers based on vocal characteristics may qualify as voiceprint collection under Illinois law. Voiceprint-related risk is not limited just to AI transcription vendors. Employers and organizations may face exposure where they deploy tools such as voice authentication systems, call center voice analytics tools, meeting transcription software, productivity monitoring software, or security systems using vocal identification. Out-of-state technology providers may also face jurisdictional exposure if their tools are used by Illinois entities or affect Illinois residents. Similar to the allegations in Fireflis.AI Corp, in Basich et al. v. Microsoft Corp., plaintiffs allege that consent from one user (such as a meeting host) is insufficient for other participants whose voiceprints are captured during an AI live transcription feature in Microsoft’s Teams product while the participants are physically located in Illinois. The complaint focuses on a specific background process known as “diarization” which creates real-time meeting transcripts by distinguishing who is speaking using unique vocal characteristics, which plaintiffs contend is a collection of a “voiceprint”. Key Takeaways Recent filings confirm that voice-enabled AI tools are a developing frontier of BIPA litigation. Organizations operating in Illinois, or interacting with Illinois residents, should carefully evaluate whether any technology they deploy analyzes or distinguishes speakers based on vocal characteristics (i.e., create “voiceprints”). If voiceprints are implicated, strict compliance with BIPA’s notice, written release, and retention policy requirements is essential to avoid potentially significant statutory exposure. For questions regarding voiceprint-related compliance, AI deployment, or BIPA risk assessment, please contact one of our Data Privacy & Cybersecurity attorneys.

Supreme Court Clarifies Contributory Liability Standard in Copyright Infringement

In a decision with broad implications for internet service providers and generative AI, on March 25, 2026, the United States Supreme Court unanimously held in the Cox Communications, Inc. v. Sony Music Entertainment that an internet service provider is not contributorily liable for copyright infringement solely on a provider’s knowledge of infringement and failure to take sufficient action to prevent infringement. Rather, liability arises only where the provider intended that its service be used to facilitate infringement. What Happened? Cox Communications is an internet service provider serving six million subscribers. Sony Music is a major music copyright owner. Sony sent Cox over 163,000 notices identifying IP addresses of Cox subscribers associated with infringing activity. Sony then sued Cox in federal district court, advancing claims of secondary copyright liability. The jury originally found in favor of Sony Music on both theories and awarded $1 billion in statutory damages. The Fourth Circuit affirmed, reasoning that knowledge that the recipient of the service will use the service to infringe copyrights is sufficient for contributory infringement. The Supreme Court reversed that decision. The Supreme Court’s Decision The Court held Cox was not contributorily liable for the individual users’ infringement because Cox did not intend that its internet service be used for infringement. Such intent can be shown only if the service provider induced the infringement or provided a service that is tailored to infringement. The Court further held that inducement can only be shown through specific acts, such as promoting or marketing the service as a tool to infringe, and that a service is tailored to infringement only if it is not capable of a substantial or commercially significant non-infringing use. Importantly, the Court held that a service provider’s failure to take affirmative steps to prevent infringement by users, even though it was aware of and profiting from that activity, is not sufficient for secondary liability. The opinion emphasized that it may be difficult for a service provider to determine that its services were used for infringement. For example, many internet service subscribers provide connections to multiple different people (e.g., a household, coffee shop, or college dormitory), and network traffic from all such users will ordinarily originate from a single internet address. The Court reasoned that it would be extremely difficult, in many cases impossible, for a service provider to determine which individual was infringing. The Court also noted that a service provider cannot directly control how subscribers use their services. Thus, without evidence of express promotion, marketing, or intent to promote infringement, a service provider’s mere knowledge that infringement was occurring through its services was insufficient to hold the service provider contributorily liable for it. Justice Sotomayor, joined by Justice Jackson, concurred in judgment only, holding the majority unnecessarily limited secondary liability even though common-law theories, such as aiding and abetting, could be applicable to copyright cases, and that the majority dismantled the statutory incentive structure created in the Digital Millennium Copyright Act (“DMCA”). Why it Matters This decision limits the scope of contributory copyright liability for internet service providers in key respects. By requiring evidence of express promotion, marketing, or intent to promote infringement, rather mere knowledge of it and the failure to stop infringing activity, the decision shifts much of the burden of policing the internet for copyright infringement from service providers to copyright holders. Major commercial service providers are unlikely to meet the newly articulated standard for liability. Copyright owners have noted for some time that the DMCA’s balance is tilted too far in favor of service providers. This decision will tilt the scales further. Copyright owners thus will be increasingly dependent on their own policing efforts in pursuing individual infringers directly, which is logistically difficult for similar reasons to those noted by the Court. Once infringing content is removed, on-line infringers can simply re-post it with the push of a button, requiring copyright owners to send repeated takedowns, and the service providers have little legal incentive to disable such accounts. This may result in greater emphasis on enforcement strategies that leverage technical limitations, rather than legal remedies, which could make copyrighted material more difficult to obtain and use electronically.  It should be recognized that the DMCA safe harbor framework, including notice and takedown obligations, remains in place. Thus, service providers still must comply with the DMCA’s notice-and-takedown procedures to enjoy the benefits of the so-called “safe harbor” provisions, which immunize service providers from contribution infringement claims in certain circumstances. Further, the quantity of takedown requests may increase due to this ruling.  If you have questions about copyright infringement or secondary liability in light of this decision, please contact a member of our Intellectual Property team to discuss how these developments may affect your business, compliance obligations, and enforcement strategies going forward.

Oklahoma and Alabama Get the Ball Rolling Again, Enact Comprehensive Privacy Laws

Thus far in 2026, two states, Oklahoma and Alabama, have enacted state comprehensive data privacy laws, continuing the national trend of State-by-State privacy regulation in the absence of federal law. The Oklahoma Consumer Data Privacy Act (“OCDPA”) goes into effect on January 1, 2027. The Alabama Personal Data Protection Act (“APDPA”) goes into effect on May 1, 2027. While these laws largely follow other state comprehensive privacy laws, businesses that operate in or target products or services to residents in these states must comply with distinct features of these laws. Applicability OCDPA: The OCDPA applies to persons conducting business in Oklahoma or producing products or services targeted to Oklahoma residents and that during a calendar year either:  control or process personal data of at least 100,000 Oklahoma residents; or  control or process data of at least 25,000 Oklahoma residents and derive more than 50% of gross revenue from the sale of personal data. APDPA: The APDPA applies to persons conducting business in Alabama or producing products or services targeted to Alabama residents and either:  control or process the personal data of more than 25,000 Alabama residents (excluding personal data processed solely for completing a payment transaction); or  derive over 25% of gross revenue from the sale of personal data, regardless of the number of residents. Exemptions Both the OCDPA and APDPA exempt financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities and business associates, institutions of higher education, and nonprofits (though the APDPA limits this exclusion to nonprofits with less than 100 employees that do not sell personal data). Notably, the APDPA also includes a small-business exemption for businesses with fewer than 500 employees that do not sell personal data. The OCDPA does not include a small business exemption. Both laws also include data-level exemptions for protected health information under HIPAA, personal data processed by consumer reporting agencies under the Fair Credit Reporting Act, data regulated by the Family Educational Rights and Privacy Act, and data regulated by the Farm Credit Act. Key Definitions Consumer: Both laws narrowly define “consumer” to mean an individual resident of the respective state acting only in an individual or household context. Both laws exclude individuals acting in a commercial or employment context, meaning employee personal data and business-to-business personal data are outside the scope of both the OCDPA and APDPA. Sensitive Data: In line with other state comprehensive data privacy laws, both laws provide for a special category of personal data known as “sensitive data,” which both laws define similarly to include: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data. Both laws require controllers to obtain consent prior to processing sensitive data. Additionally, if the controller has actual knowledge a consumer is between ages 13 and 16, the APDPA requires affirmative consent in order to sell the consumer’s personal data or using it for targeted advertising purposes. Personal Data: This is a key area of divergence between the two laws. The OCDPA defines “sale” of personal data narrowly to mean only the exchange of personal data for monetary consideration by the controller to a third party. In contrast, the APDPA defines “sale” of personal data more broadly to cover exchanges for monetary consideration or for “other valuable consideration,” and adds a novel requirement that the “controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.” Businesses that engage in data sharing arrangements involving non-monetary benefits should carefully assess whether those arrangements trigger the APDPA’s requirements even if they would not under the OCDPA. Both laws include similar broad exceptions to the definition of “sale” for ordinary business disclosures, including transfers to processors, affiliates, and disclosures made to fulfill a consumer’s product or service request. Compliance Both the OCDPA and APDPA contain compliance obligations substantially similar to those found in other state comprehensive data privacy laws, including the requirement for controllers to provide a compliant privacy notice to consumers and to enter into data processing contracts with processors. However, the two laws differ with respect to data protection assessments. The OCDPA requires controllers to conduct and document data protection assessments for processing activities involving targeted advertising, the sale of personal data, the processing of sensitive data, profiling in certain instances, or processing that presents a “heightened risk of harm” to consumers. The APDPA does not require data protection assessments at all. Additionally, under the APDPA if a consumer sends an opt-out preference signal (such as browser-based global opt-out signals), controllers may notify consumers of conflicting signals and provide the consumer an opportunity to confirm controller-specific privacy settings or participation in loyalty programs. Consumer Rights and Requests Both the OCDPA and the APDPA grant residents substantially the same set of consumer rights, which are consistent with the rights found in other state comprehensive data privacy laws. Those consumer rights include the following: Right to Access: Consumers may confirm whether a controller is processing their personal data and access that data. Right to Correction: Consumers may request correction of inaccuracies in their personal data. Right to Deletion: Consumers may request deletion of personal data provided by or obtained about them. Right to Data Portability: Consumers may obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format. Right to Opt Out of Sale: Consumers may opt out of the sale of their personal data. Right to Opt Out of Targeted Advertising: Consumers may opt out of the processing of their personal data for purposes of targeted advertising. Right to Opt Out of Profiling: Consumers may opt out of profiling in furtherance of a decision that produces a legal or similarly significant effect, such as decisions affecting financial and lending services, housing, insurance, health care, education, employment opportunities, criminal justice, or access to basic necessities such as food and water. Both the OCDPA and APDPA require controllers to respond to consumer requests within 45 days, with the ability to extend by an additional 45 days when reasonably necessary. While the OCDPA provides consumers the right to appeal, the APDPA does not. The OCDPA allows a consumer to appeal if a controller declines to act on a consumer’s request. Controllers must respond to appeals within 60 days and, if the appeal is denied, must direct the consumer to the Oklahoma Attorney General’s online complaint mechanism. Enforcement and Rulemaking Authority Like most other state comprehensive privacy laws, neither the OCDPA nor the APDPA include a private right of action. The Oklahoma Attorney General has the exclusive authority to enforce the OCDPA, and the Alabama Attorney General has the exclusive authority to enforce the APDPA. The OCDPA provides for a 30-day cure period prior to initiating an enforcement action, while the APDPA provides for a 45-day cure period. Unlike some other state comprehensive data privacy laws, neither of these cure periods sunset, meaning that they will always be available, as opposed to having a limited duration. Each violation of the OCDPA can result in a civil penalty up to $7,500, while each violation of the APDPA can result in a civil penalty up to $15,000. Conclusion The enactment of the OCDPA and the APDPA represents the continued trend of states enacting comprehensive data privacy laws across the United States in the absence of federal legislation. While neither law is novel, there are meaningful differences that businesses operating in, or targeting residents of, these states must consider and comply with. Businesses should act promptly to assess their obligations under both laws and ensure compliance programs are updated accordingly before the effective dates. Entities already compliant with other state privacy laws will find much of the required groundwork already in place, but the unique features of each law warrant careful review. If you would like assistance with, or have any questions about, complying with the OCDPA, the APDPA, or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Data Protection attorneys. Check out our U.S. State Privacy Laws page for more information.

Securing a Legislative Victory for the American Car Rental Association

Lewis Rice member David W. Sweeney represented the American Car Rental Association (ACRA) in its effort to shape legislation governing the operations of Turo, an online car-sharing platform, at St. Louis Lambert International Airport. The initial bill would have permitted Turo to operate in airport garages within walking distance of passenger terminals, a proposal opposed by members of the St. Louis Airport Commission due to competitive concerns. David engaged with stakeholders to negotiate a revised agreement that addressed these objections while protecting the interests of ACRA. The final legislation limits Turo’s operations to three designated parking areas west of Terminal 1. The measure was opposed by the St Louis Airport Director but  approved unanimously by the St. Louis Board of Aldermen, marking a significant milestone in the legislative process. This outcome preserved competitive balance in the airport rental market and aligned with ACRA’s policy objectives. The case demonstrates how strategic advocacy and effective negotiation can deliver tangible results for industry associations facing complex regulatory challenges.

Louisiana Joins the Club: What Businesses Need to Know About the Louisiana Data Privacy Act

On May 29, 2026, Louisiana’s Governor signed the Louisiana Data Privacy Act (“LDPA”) into law, making Louisiana the 22nd state, and the third in 2026, to enact a comprehensive state privacy law. The LDPA goes into effect on January 1, 2027. While businesses familiar with the Texas Data Privacy and Security Act (“TDPSA,” discussed in our prior alert here) will recognize much of the LDPA’s structure, several distinctive features warrant careful attention for businesses subject to the LDPA. Applicability The LDPA applies to any person or entity that does business in Louisiana and satisfies at least one of the following thresholds:  Has annual gross revenues in excess of $25 million;  Annually buys, receives, sells, or shares for commercial purposes the personal information of 75,000 or more Louisiana residents, households, or devices; or  Derives 50% or more of annual revenues from selling Louisiana residents’ personal information. This structure is similar to the California Consumer Privacy Act (“CCPA”) and represents a significant departure from the thresholds used in most other comprehensive state privacy laws. Most notably, the revenue-based threshold may capture businesses, including those with few business-to-consumer sales, that would not be covered based on the processing of personal data or the volume thereof. Exemptions The LDPA exempts several types of entities, including financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities and business associates, nonprofits, institutions of higher education, and electric public utilities. Data-level exemptions under the LDPA are broader than those found in most other comprehensive state privacy laws and encompass seventeen categories. Beyond the standard exemptions for protected health information under HIPAA, Fair Credit Reporting Act data, Family Educational Rights and Privacy Act and Driver’s Privacy Protection Act data, Farm Credit Act data, and employee and contractor data processed in the context of that relationship, the LDPA also exempts the following, among others: health records; certain patient identifying information; identifiable private information used in human subjects research under certain federal frameworks; Health Care Quality Improvement Act information; patient safety work product; and information collected solely for public health activities authorized under HIPAA. Key Definitions Consumer: The LDPA defines “consumer” to mean an individual who is a Louisiana resident acting only in an individual or household context. Individuals acting in a commercial or employment context are excluded, meaning employee personal data and business-to-business personal data fall outside the LDPA’s scope. Sensitive Data: Controllers must obtain affirmative consent before processing a consumer’s sensitive data. Consistent with other comprehensive state privacy laws, the LDPA defines “sensitive data” to include: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child (under 13); and precise geolocation data. Sale of Personal Data: The LDPA defines “sale of personal data” as the exchange of personal data for monetary or other valuable consideration by the controller to a third party. Businesses engaged in data-sharing arrangements that involve non-monetary benefits should assess whether those arrangements constitute a “sale” under the LDPA. Standard exemptions from the definition of “sale” apply for disclosures to processors or affiliates, consumer-directed disclosures, and transfers in connection with mergers and acquisitions. Compliance Controllers subject to the LDPA must provide consumers with a reasonably accessible and clear privacy notice disclosing the categories of personal data processed, the purposes of processing, and the process by which consumers may exercise their rights. The LDPA imposes two prescriptive notice requirements found in the TDPSA, but not in most other comprehensive state privacy laws: (1) if a controller sells sensitive personal data, it must post the notice “NOTICE: We may sell your sensitive personal data.” in the same manner as its general privacy notice; and (2) if a controller sells biometric personal data, it must similarly post “NOTICE: We may sell your biometric personal data.” The LDPA requires controllers to conduct and document data protection assessments for higher-risk processing activities, including targeted advertising, the sale of personal data, processing sensitive data, profiling that presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of or unlawful disparate impact on consumers; (ii) financial, physical, or reputational injury to consumers; (iii) an intrusion on the solitude or seclusion, or the private affairs, of consumers that would be offensive to a reasonable person; or (iv) other substantial injury to consumers; and any other processing presenting a “heightened risk of harm.” Assessments are confidential but the Attorney General may request them through a civil investigative demand. Controllers must also recognize universal opt-out preference signals, such as browser or device-level signals, through which consumers may opt out of targeted advertising and the sale of personal data. Importantly, the LDPA specifies that qualifying opt-out signals may not rely on a default setting; they must reflect an affirmative, freely given, and unambiguous choice by the consumer to opt out. Consumer Rights and Requests The LDPA grants Louisiana residents the following rights, consistent with the rights established under other comprehensive state privacy laws: Right to Access: Consumers may confirm whether a controller is processing their personal data and access that data. Right to Correction: Consumers may request correction of inaccuracies in their personal data. Right to Deletion: Consumers may request deletion of personal data provided by or obtained about them. Right to Data Portability: If available in a digital format, consumers may obtain a copy of personal data they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format. Right to Opt Out of Sale: Consumers may opt out of the sale of their personal data, including through a designated authorized agent or a qualifying opt-out signal. Right to Opt Out of Targeted Advertising: Consumers may opt out of the processing of their personal data for targeted advertising purposes. Right to Opt Out of Profiling: Consumers may opt out of profiling in furtherance of a decision that produces a legal or similarly significant effect, such as decisions affecting financial and lending services, housing, insurance, healthcare, education enrollment, employment opportunities, criminal justice, or access to basic necessities such as food and water. Controllers must respond to requests within 45 days of receipt, with the ability to extend by an additional 45 days when reasonably necessary. Controllers must establish a conspicuously available appeal mechanism and respond to appeals within 60 days. If an appeal is denied, the controller must provide the consumer with access to the Attorney General’s online complaint mechanism. Enforcement The LDPA does not include a private right of action. The Louisiana Attorney General has exclusive enforcement authority and may pursue violations as unfair and deceptive trade practices under Louisiana’s Unfair Trade Practices and Consumer Protection Law (“UTPCL”). The LDPA expressly excludes private rights of action otherwise available under the UTPCL. From January 1, 2027 through July 31, 2027, the Attorney General must provide written notice at least 30 days before initiating an investigation, identifying the specific provisions alleged to be violated. The Attorney General may not proceed with the investigation if the business cures the alleged violation within the 30-day period. This cure period sunsets, meaning it will no longer be available, after July 31, 2027. This stands in contrast to the permanent cure periods available under some of the other comprehensive state privacy laws, such as those recently enacted in Oklahoma and Alabama. Conclusion The enactment of the LDPA represents the continued expansion of state-level data privacy regulation across the United States. While much of the LDPA will be familiar to businesses already operating under other comprehensive state privacy laws, its applicability thresholds, broad definition of “sale,” prescriptive sensitive and biometric data notices, and sunsetting cure period are features that require specific attention. Businesses should assess their compliance programs promptly and ensure they are updated before January 1, 2027 and fully mature before the cure period sunsets on July 31, 2027. If you would like assistance with, or have any questions about, complying with the LDPA or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Data Protection attorneys. Check out our U.S. State Privacy Laws page for more information.

Lewis Rice Receives Two International Digital Awards