Freedom Laser Therapy, Inc.

Legal Hardening Brief

Internal document — not legal advice

Freedom Laser Therapy, Inc. — iRESTORE Laser

Litigation Mill Defense
Gap Analysis & Hardening Plan

An assessment of our Terms of Service and Privacy Policy against a litigation-mill deterrent framework — identifying what we have, what we're missing, and what counsel needs to do before we can strengthen our documents.

1. The Threat: Litigation Mill Operations

How the racket works

  1. Pick a statute that pays statutory damages with low proof requirements — no need to prove actual harm. CIPA, TCPA, BIPA, session-replay, pixel-tracking.
  2. Find a technical artifact common across many websites — a pixel, a chat widget, session recording, a missing cookie disclosure. Build the theory once, apply it to hundreds.
  3. Source claimants in bulk through paid plaintiff networks, repeat filers, advocacy mailing lists.
  4. Mass-produce demand letters from a template. Set the settlement low enough that paying is cheaper than fighting — typically $5K–$25K.
  5. Settle most on first contact. Drop the ones who push back. Move to the next batch. Your case is one row in their spreadsheet.

Why iRESTORE is a target

Consumer-facing e-commerce with these characteristics is the primary target profile. We check every box:

  • Advertising & analytics pixels (Meta, Google, etc.)
  • SMS/MMS marketing program (TCPA exposure)
  • Third-party AI chat tools recording conversations
  • California-based company with CA customer base
  • Generic cookie disclosure — no tools named by name
  • Likely browsewrap (not clickwrap) TOS acceptance

Mill economics per case

Cost to bring a case: $650 – $3,700
Soft settlement target: $3,000 – $8,000
Standard settlement: $8,000 – $25,000

The core insight: This analysis does not stop a real claim from a real customer with a real grievance. It changes the economics of bringing a high-volume, templated claim. A serial-filer firm weighing our TOS against ten other potential targets will reliably pick a softer one. The goal is to be the harder target.

2. The Defense Tool: Mill-Deterrent Pack

mindheadllc/mill-deterrent-pack

Open-source drop-in contract clauses for TOS and Privacy Policy

Eight contract clauses, ready-to-merge TOS and Privacy Policy templates, and response playbooks for when a demand arrives. Clauses are designed as anti-fraud screening — procedural steps any honest claimant can clear, and that a high-volume filing operation cannot clear at scale. Provisions are tiered by enforceability risk.

Tier 1 — Solid

High-confidence enforceability across U.S. jurisdictions. Notice gate, named tracking tech, class waiver, choice of law.

Tier 2 — Probably OK

Likely enforceable, jurisdiction-sensitive. 60-day cooling-off, principal meetings, fee/prior-claims disclosure.

Tier 3 — Aggressive

Maximum deterrent, meaningful severance risk. Pre-merits review, claimant-pays fees, bad-faith reimbursement.

We selected Tier 1 only for this analysis — the highest-confidence, most durable provisions available. Right starting point given California's aggressive consumer-protection regime and the need for counsel review before anything is published.

3. Current State of Our Documents

Terms of Service

Arbitration provider: AAA ✓
Class-action waiver: Needs Verification
Governing law: CA / FAA ✓
Venue for non-arbitration disputes: Asymmetric
Liability cap: $500 ✓
Notice gate: Missing
Pre-arbitration informal resolution: Missing
Fee / prior-claims disclosure: Missing
McGill v. Citibank carve-out (CA): Not Confirmed

Privacy Policy

Last updated Aug 7, 2025

Cookie categories disclosed: Present ✓
Specific tools named by name: Missing — Critical
"Continued use = consent" language: Missing
Dispute resolution cross-reference: Missing
Claim-substantiation requirement: Missing
CCPA/CPRA opt-out rights: Present ✓
Data sharing / "sale" disclosure: Present ✓
AI/chatbot recording disclosure: Present ✓

4. Gap Analysis — All Eight Provisions

Each entry lists: # / Provision, Tier, Status, Gap / Note.

01. Notice Gate
Claimant-specific facts required before claim proceeds
Tier: Tier 1
Status: Missing
Gap / Note: No requirement for full identity, dates, URLs, timestamps, IP address, device info, or proof of standing. A template demand can file without any per-claimant investigation.

02. Pre-Arbitration Informal Resolution
60-day cooling-off + principal meetings
Tier: Tier 2
Status: Missing
Gap / Note: Not in scope for Tier 1. Highest marginal deterrent value after Tier 1 — worth adding in a future revision.

03. Fee & Prior-Claims Disclosure
Contingency arrangement + history of similar claims
Tier: Tier 2
Status: Missing
Gap / Note: Not in scope for Tier 1. Single most disruptive provision against volume filers — a serial plaintiff who has filed 12 identical claims in 2 years looks very different to an arbitrator.

04. Pre-Merits Frivolousness Review
Arbitrator screens for good faith before merits
Tier: Tier 3
Status: Missing
Gap / Note: Intentionally skipped. Elevated severance risk in California. Can be added later if exposure increases.

05. Forum & Cost Allocation
Named provider, specified venue, cost rules
Tier: Tier 1
Status: Partial
Gap / Note: AAA correctly named ✓. Venue for non-arbitration disputes not specified. Cost allocation not addressed beyond AAA defaults. Both need to be added.

06. Class-Action Waiver
Individual claims only; non-severable from arbitration
Tier: Tier 1
Status: Partial
Gap / Note: Class waiver present in Section 16. However: (a) non-severable drafting not confirmed — without it a court can convert individual arbitration into class arbitration; (b) McGill v. Citibank carve-out not confirmed.

07. Tracking-Technology Consent
Named tools in PP + explicit consent-through-use
Tier: Tier 1
Status: Partial
Gap / Note: PP discloses cookie categories but does not name specific tools — no Google Analytics, Meta Pixel, TikTok Pixel, Klaviyo, etc. Generic disclosure does not defeat the "no consent" element in pixel-tracking claims.

08. Choice of Law & Venue
Governing law and forum for non-arbitration disputes
Tier: Tier 1
Status: Partial
Gap / Note: Governing law specified (FAA + CA) ✓. Venue clause is currently asymmetric — only gives Freedom Laser Therapy the right to sue in CA courts. Needs to be symmetric.

PP. PP Dispute Cross-Reference
PP directing data-handling claims to TOS arbitration
Tier: Tier 1
Status: Missing
Gap / Note: No language directing data-handling claims to TOS arbitration and notice provisions. A claimant could argue their privacy claim isn't bound by TOS arbitration since the PP doesn't say so.

PP. PP Claim-Substantiation Requirement
Full data + explanation before data-handling claim
Tier: Tier 1
Status: Missing
Gap / Note: No requirement for a data-handling claimant to produce the alleged data, specific dates/URLs/IP, the legal theory, or description of harm. Front-loading this burden mirrors what a claimant must prove anyway.

5. Recommended Changes — Tier 1

High-confidence, durable across U.S. jurisdictions. None should be published until (a) the current demand resolves and (b) counsel has reviewed.

1. Add a Notice Gate to the TOS Dispute Resolution Section

Modifies: Section 16 — Dispute Resolution

Status: Currently Missing

Before any dispute clock starts, a claimant must send detailed written notice including: full legal name, all email addresses used, specific dates/times and URLs of access, device/OS/browser, IP address if known, proof of standing, a specific factual description of the conduct and harm, and the legal theory asserted.

Why this works: Mass-produced demand letters are templates. They cannot include claimant-specific timestamps, IP addresses, or URLs without per-claimant investigation that destroys the volume model. A good-faith claimant has this information; a mill cannot produce it at scale.

2. Fix the Class Waiver — Add Non-Severable Drafting

Modifies: Section 16 — Class Action Waiver

Status: Needs Fix

The class-action waiver must state explicitly that if the waiver is found unenforceable, the entire arbitration clause is void as to that dispute. Without this, a court can strike the waiver while keeping us in arbitration with a class proceeding.

Why this matters: Post-AT&T Mobility v. Concepcion, class waivers are broadly enforced. But without non-severable drafting, a hostile court can surgically remove the waiver and leave the arbitration clause intact — converting individual arbitration into class arbitration.

3. Add McGill v. Citibank Carve-Out (California)

Modifies: Section 16 — Arbitration / Class Action

Status: Not Confirmed

California's McGill v. Citibank ruling prohibits waiving the right to seek public injunctive relief in court. If our class waiver doesn't carve out McGill-type claims, a California court could find the entire arbitration clause unenforceable. This is a structural fix, not an aggressive move.

California-specific: Critical given that we're a California company with a significant California customer base. Counsel must confirm whether this carve-out is already in Section 16.

4. Make the Venue Clause Symmetric

Modifies: Section 16 — Governing Law / Venue

Status: Asymmetric

The current language only gives Freedom Laser Therapy the right to sue in California courts. It should require both parties to use California courts for any dispute that escapes arbitration — not just give us that option while leaving claimants free to file elsewhere.

5. Name Every Tracking Tool in the Privacy Policy

Modifies: Privacy Policy Section 4 — Tracking Technologies

Status: Critical Gap

The current PP discloses cookie categories but names no specific tools. We need to audit our actual tag-management configuration and list every tool by name — Google Analytics, Meta Pixel, TikTok Pixel, Klaviyo, any session replay or heat-mapping tool, any email tracking pixel, etc.

Audit required before publishing: We cannot write this section until someone runs a tag inspector against the live site. Naming tools we don't use, or omitting tools we do use, undermines the consent record we're building and is itself a litigation target.

6. Add "Continued Use = Consent" to the Privacy Policy

Modifies: Privacy Policy Section 4 — Tracking Technologies

Status: Missing

After listing specific tools, add explicit language: "By accessing and continuing to use our website, you acknowledge and consent to the use of the tracking technologies listed above." This creates the factual consent record that defeats the "no consent" element in CIPA and similar pixel-tracking theories.

Limitation: Works for U.S. users. EU/UK users under GDPR require opt-in consent — our jurisdiction-specific section should override this for those users.

7. Add Dispute Cross-Reference to the Privacy Policy

Adds: New section to Privacy Policy

Status: Missing

Add a section stating that any dispute arising from or relating to data collection, use, sharing, or retention under this Privacy Policy is governed by the dispute-resolution provisions of the Terms of Service — including the notice requirements, arbitration agreement, class-action waiver, and governing law. This closes the argument that a privacy claim isn't subject to TOS arbitration.

8. Add Claim-Substantiation Requirement to the Privacy Policy

Adds: New section to Privacy Policy

Status: Missing

Any claimant alleging a data-handling violation must provide: (a) a complete, unedited copy of the data forming the basis of the claim; (b) specific dates, URLs, device, browser, and IP address; (c) the legal theory; and (d) a description of the harm. Framed as enabling meaningful investigation, not an impossible burden.

Why this works: The claimant ultimately bears the burden of proof on these facts anyway. This provision front-loads it. A mill running a template demand cannot produce this at scale; a good-faith claimant with a real grievance can.

6. What We're Not Adding Yet — and Why

Tier 2 and Tier 3 provisions were intentionally excluded from this phase. They have meaningful additional deterrent value but face higher severance risk — especially in California. Revisit after the current matter resolves and counsel confirms Tier 1 is in place.

Tier 2: Pre-Arbitration 60-Day Cooling-Off Period
Requires a 60-day informal resolution period before any arbitration filing. Most U.S. jurisdictions enforce this as a reasonable condition precedent. It is jurisdiction-sensitive, and California courts have mixed records on overly long cooling-off periods. Highest-priority item for the Tier 1+2 upgrade.

Tier 2: Mandatory Principal-Level Meetings
Requires both parties' principals to attend two pre-arbitration meetings via video. Mills can't afford to put senior attorneys on a $10K case — this burns their most expensive labor on cases structured as paper shuffles. Skipped because California scrutinizes provisions that look burdensome to consumers.

Tier 2: Fee Arrangement & Prior Claims Disclosure
Requires any claimant to disclose their contingency/fee-sharing arrangement and a history of similar prior claims. A serial plaintiff who has filed 12 identical claims in the past 2 years looks very different to an arbitrator. Must be framed as anti-fraud screening, not fee-shifting.

Tier 3: Pre-Merits Frivolousness Review
Authorizes the arbitrator to conduct a threshold good-faith review before reaching the merits. High severance risk in California — AAA and JAMS consumer rules don't contemplate this kind of pre-merits screen.

Tier 3: Claimant-Pays Fees & Bad-Faith Cost Reimbursement
Requiring consumers to pay all arbitration fees is widely treated as unconscionable in California. AAA consumer rules cap consumer filing fees regardless of contract language. High severance risk — not appropriate for Tier 1.

7. Important Flags & Risks

! Active Demand — Do Not Modify the TOS Until Resolved

Do not publish any changes while this matter is active. Modifying legal documents during a live claim can be characterized as consciousness of liability and used against us. All changes proposed in this brief should be queued for after the matter resolves.

2. TOS Acceptance UX — Likely Browsewrap, Not Clickwrap

No explicit "I agree to Terms of Service" checkbox visible on product pages — likely Shopify's default checkout notice (browsewrap). Browsewrap is significantly weaker. Courts differ on whether continued use constitutes acceptance of arbitration and class-waiver provisions.

Counsel action needed: Assess whether current UX creates enforceable agreement to the dispute resolution provisions. Recommend implementing clickwrap confirmation at checkout with a logged timestamp and TOS version number.

3. Tracking Technology Audit Required Before Publishing

The PP cannot be updated with specific tool names until someone runs a tag inspector against the live site. Naming tools we don't use, or omitting tools we do use, undermines the consent record and is itself a litigation target. Someone needs to: (a) run a tag inspector on irestorelaser.com, (b) check our tag management platform, (c) reconcile against our ads/analytics accounts. This is an internal operations task, not a legal task.
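
A sketch of the reconciliation step described above, as an added example that is not part of the original brief or of the mill-deterrent-pack repository: it pulls third-party script, image and iframe hosts from a page's HTML and compares the tools they imply against the tools a Privacy Policy names. The host-to-tool map, the sample page, the `shop.example` domain and the disclosed list are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative host-suffix -> tool map (assumption: confirm each vendor's
# current hostnames and extend the map before using it on a real audit).
KNOWN_TAG_HOSTS = {
    "googletagmanager.com": "Google Tag Manager",
    "google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
    "analytics.tiktok.com": "TikTok Pixel",
    "klaviyo.com": "Klaviyo",
}

# Constructed sample page and constructed Privacy Policy tool list.
SAMPLE_HTML = """
<html><head>
<script src="/assets/theme.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://static.klaviyo.com/onsite/js/klaviyo.js"></script>
<script src="https://cdn.replay-vendor.example/recorder.js"></script>
</head><body><img src="https://cdn.shop.example/hero.jpg"></body></html>
"""
SAMPLE_DISCLOSED = ["Google Tag Manager", "Meta Pixel", "TikTok Pixel"]


class TagCollector(HTMLParser):
    """Collect hostnames of externally loaded scripts, images and iframes."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            # Relative URLs have no hostname and are first-party by definition.
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:
                self.hosts.add(host.lower())


def tool_for(host):
    """Map a hostname to a tool name by exact or dot-boundary suffix match."""
    for suffix, tool in KNOWN_TAG_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return tool
    return None


def audit(html, first_party, disclosed):
    """Compare tools seen in the static HTML with the tools the policy names."""
    collector = TagCollector()
    collector.feed(html)
    observed, unmapped = set(), set()
    for host in collector.hosts:
        if host == first_party or host.endswith("." + first_party):
            continue  # our own CDN or subdomain
        tool = tool_for(host)
        if tool:
            observed.add(tool)
        else:
            unmapped.add(host)  # third party nobody has identified yet
    disclosed = set(disclosed)
    return {
        "undisclosed": sorted(observed - disclosed),   # on site, not in PP
        "not_observed": sorted(disclosed - observed),  # in PP, not seen
        "unmapped_hosts": sorted(unmapped),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_HTML, "shop.example", SAMPLE_DISCLOSED))
```

Static HTML shows only tags present at load time; anything a tag manager container injects at runtime appears only in steps (b) and (c), so a "not_observed" entry is a prompt to check those sources, not proof the tool is unused.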

4. McGill v. Citibank — California Class Waiver Risk

McGill v. Citibank, N.A. (Cal. 2017) prohibits waiving the right to seek public injunctive relief. If our class waiver doesn't carve out McGill claims, a California court may find the entire arbitration clause unenforceable — not just the waiver. This is a structural problem with the existing document, independent of the mill-deterrent changes.

5. CCP §§ 1281.97-1281.99 — Arbitration Fee Payment Deadlines

California imposes strict deadlines on us (as the drafter) to pay our share of AAA fees after a demand is filed. Missing these deadlines — even by one day — can result in waiver of our own arbitration clause, being moved to court, and sanctions. Counsel and legal ops need to confirm there is a documented internal process for handling these payments on time.

6. Cookie Banner Consistency Check

If the site uses a cookie consent banner, the categories and tools disclosed there must match the Privacy Policy. Inconsistencies between the cookie banner and PP are a common and easy mill target — treated as evidence of deceptive consent practices. Once the tracking audit is done and PP updated, the cookie banner must be reviewed in parallel.

8. Questions for Counsel

Specific items that require legal review before any proposed changes can be safely published.

Q1

Active matter — safe to queue changes?

Given the potentially active demand, is there a recommended timeline for when we can safely begin drafting and publishing TOS/PP changes? Are there any communications about the active matter that would affect what we can say in a revised document?

Q2

Does Section 16 include non-severable class waiver drafting?

Please confirm whether the current Section 16 states that if the class-action waiver is found unenforceable, the entire arbitration agreement is void as to that dispute. If not, please add this language. Without it, a court can convert our individual arbitration clause into class arbitration.

Q3

Does Section 16 include a McGill v. Citibank carve-out?

Please confirm whether Section 16 carves out claims for public injunctive relief under California law, as required by McGill v. Citibank, N.A. (Cal. 2017). If not, please add a carve-out. Without it, the entire arbitration clause may be unenforceable in California.

Q4

Is our TOS acceptance UX sufficient to bind users to the arbitration clause?

Product pages appear to use browsewrap (no clickwrap checkbox visible). Please advise whether this creates enforceable agreement to the dispute resolution provisions, including arbitration and class waiver. If browsewrap is insufficient, please advise on implementing clickwrap at checkout with a logged timestamp and TOS version number.

Q5

What is our internal process for paying AAA arbitration fees under CCP §§ 1281.97-1281.99?

California imposes strict deadlines on the drafter of an arbitration clause to pay its share of fees after a demand is filed. Late payment — even by one day — can result in waiver of the arbitration clause. Please confirm whether we have a documented internal process for meeting these deadlines, and advise on what that process should look like.

Q6

Review the proposed Tier 1 additions in this brief for California compliance.

Please review the eight proposed Tier 1 changes in Section 5 and advise on: (a) any that conflict with California consumer law; (b) any additional California-specific provisions we should include; (c) recommended framing adjustments to maximize enforceability in California.

Q7

Privacy Policy — does the generic cookie disclosure create CPRA exposure?

Our current PP discloses cookie categories but does not name specific tracking tools. Please advise whether this generic disclosure creates exposure under the CPRA or other applicable California law — and whether naming specific tools (as proposed) is sufficient, or whether additional steps are required.

Q8

Should we escalate to Tier 1+2 after the current matter resolves?

Tier 2 provisions — particularly the 60-day cooling-off period, mandatory principal meetings, and fee/prior-claims disclosure — have significantly higher deterrent value than Tier 1 alone. Please advise on California-specific enforceability for each, and whether you would recommend adding them in a second revision after the current matter resolves.

9. Next Steps

Each entry lists: # / Action, Owner, When.

01. Send this brief to outside counsel. Focus their attention on Q2–Q5 first — structural issues with existing Section 16 and acceptance UX.
Owner: Legal / Chief of Staff
When: Now

02. Run a tag inspector on irestorelaser.com. Produce a complete, accurate list of every active tracking tool. Reconcile against ads/analytics accounts and tag manager config.
Owner: Marketing / E-Commerce Ops
When: Now — Unblocked

03. Resolve the active demand / litigation matter.
Owner: Legal / CEO
When: Prerequisite for 04–07

04. Once matter resolves, draft redlined TOS and PP changes implementing all Tier 1 provisions (including tracking tool names from Step 02). Submit to counsel for review.
Owner: Legal + AI-assisted drafting
When: After Step 03

05. Implement clickwrap TOS acceptance at checkout (checkbox + logged timestamp + TOS version number) if counsel confirms browsewrap is insufficient.
Owner: E-Commerce / Engineering
When: After Step 03

06. Align the cookie consent banner with the updated Privacy Policy. Inconsistencies between banner and PP are themselves a litigation target.
Owner: E-Commerce / Marketing
When: After Step 04

07. Establish internal process for tracking and paying AAA arbitration fees on time under CCP §§ 1281.97-1281.99. Brief whoever handles legal mail and AP.
Owner: Legal Ops / Finance
When: After Step 03

08. Optional / Future: Revisit Tier 2 provisions — 60-day cooling-off, principal meetings, fee/prior-claims disclosure. Assess after Tier 1 is in place and matter resolves.
Owner: Legal
When: Future

Source Materials

mindheadllc/mill-deterrent-pack — source framework for all provisions and threat model
irestorelaser.com/pages/terms-of-service — reviewed May 25, 2026
irestorelaser.com/pages/privacy-policy — last updated Aug 7, 2025; reviewed May 25, 2026
AT&T Mobility v. Concepcion, 563 U.S. 333 (2011); McGill v. Citibank, N.A., 2 Cal. 5th 945 (2017); Cal. CCP §§ 1281.97-1281.99

Disclaimer: This document is not legal advice. It is an internal analysis prepared as a starting point for review by qualified legal counsel. No provision described herein should be added to any legal document without counsel review. Statutes and case law cited may have been updated; verify with counsel.

Prepared: May 25, 2026
Tier Selected: 1 (Conservative)
Changes on hold — active demand