From the Derivatives Practice Group: The SEC’s Division of Corporation Finance released a statement on certain proof-of-work mining activities, on which Commissioner Crenshaw issued a cautionary statement.

New Developments

  • CFTC Staff Issues Interpretation Regarding Financial Reporting Requirements for Japanese Nonbank Swap Dealers. On March 20, the CFTC’s Market Participants Division issued an interpretation concerning financial reporting obligations for nonbank swap dealers subject to regulation by the Financial Services Agency of Japan (“Japanese nonbank SDs”). On July 18, 2024, the CFTC issued a comparability determination and related comparability order granting substituted compliance in connection with the CFTC’s capital and financial reporting requirements to Japanese nonbank SDs, subject to certain conditions in the order (“Japanese Comparability Order”). One of the conditions in the Japanese Comparability Order, condition 9, requires each Japanese nonbank SD to file a copy of its home regulator Annual Business Report with the CFTC and the National Futures Association (NFA). The staff interpretation clarifies that Japanese nonbank SDs may satisfy condition 9 of the Japanese Comparability Order by filing with the CFTC and the NFA certain enumerated schedules of the Annual Business Report (In Scope Schedules), subject to the translation, U.S. dollar conversion, and deadline requirements of condition 9. The interpretation was issued in response to a request from the Securities Industry and Financial Markets Association on behalf of its Japanese nonbank SD members that rely on the Japanese Comparability Order. [NEW]
  • SEC’s Division of Corporation Finance Releases Statement on Certain Proof-of-Work Mining Activities. On March 20, the SEC’s Division of Corporation Finance (“Corp Fin”) released a statement providing its views on certain activities on proof-of-work networks known as “mining.” Specifically, the statement addressed the mining of crypto assets that are intrinsically linked to the programmatic functioning of a public, permissionless network, and are used to participate in and/or earned for participating in such network’s consensus mechanism or otherwise used to maintain and/or earned for maintaining the technological operation and security of such network. Corp Fin said that participants in “Mining Activities” (as defined in the statement) do not need to register transactions with the SEC under the Securities Act or fall within one of the Securities Act’s exemptions from registration in connection with these Mining Activities. Commissioner Crenshaw released a related statement, noting that Corp Fin’s statement delivers “neither progress nor clarity” and suffers from issues of flawed logic and limited and imprecise application. Commissioner Crenshaw said that Corp Fin’s statement “leaves us exactly where we started,” because it does not obviate the need for a facts and circumstances application under the investment contract test set forth in SEC v. W.J. Howey Co., 328 U.S. 293 (1946). [NEW]
  • CFTC’s Office of Customer Education and Outreach Releases New Advisory on Fraud Using Generative AI. On March 19, the CFTC’s Office of Customer Education and Outreach (the “OCEO”) released a customer advisory that says generative artificial intelligence is making it increasingly easier for fraudsters to create convincing scams. The OCEO advisory describes how fraudsters use AI to create fraudulent identifications with phony photos and videos that can appear very real if one is not familiar with the advances of AI technology. The fraudsters also are using AI to forge government or financial documents. An FBI public service announcement also warns the public about how criminals are using AI to commit fraud and how the technology is being used in relationship investment scams. [NEW]
  • CFTC Staff Withdraws Advisory on Swap Execution Facility Registration Requirement. On March 13, the CFTC Division of Market Oversight (“DMO”) announced it is withdrawing CFTC Letter No. 21-19, Staff Advisory Swap Execution Facility (“SEF”) Registration Requirement, effective immediately. As stated in the withdrawal letter, DMO determined to withdraw the advisory since it has created uncertainty regarding whether certain entities are required to register as SEFs.
  • Acting Chairman Caroline D. Pham Delivers Keynote Address at FIA BOCA50. On March 11, Acting Chairman Caroline D. Pham announced a new 30-day compliance and remediation initiative or enforcement sprint. This initiative involves review of the CFTC’s currently open investigations and enforcement matters regarding compliance violations, such as recordkeeping, reporting or other compliance violations without customer harm or market abuse. The CFTC will seek to expeditiously resolve these matters in the next 30 days to conserve the CFTC’s resources and free up Division of Enforcement staff to pursue fraudsters and scammers and seek recoveries for victims, whether through disgorgement, restitution, or other measures.
  • SEC Crypto Task Force to Host Roundtable on Security Status. On March 3, the SEC announced that its Crypto Task Force will host a series of roundtables to discuss key areas of interest in the regulation of crypto assets. The “Spring Sprint Toward Crypto Clarity” series will begin on March 21 with its inaugural roundtable, “How We Got Here and How We Get Out – Defining Security Status.” The SEC indicated that the initial roundtable on March 21 is open to the public, will be held from 1 p.m. to 5 p.m. at the SEC’s headquarters at 100 F Street, N.E., Washington, D.C., and that the primary discussion will be streamed live on SEC.gov, with a recording to be posted at a later date. The SEC also noted that information regarding the agenda and roundtable speakers will be posted on the Crypto Task Force webpage.

New Developments Outside the U.S.

  • ESMA Extends the Tiering and Recognition of the Three UK-Based CCPs. On March 17, ESMA announced its decision to temporarily extend the application of the recognition decisions under Article 25 of the European Market Infrastructure Regulation (“EMIR”) for three central counterparties (“CCPs”) established in the United Kingdom (“UK”). On January 30, 2025, the European Commission adopted a new equivalence decision in respect of the regulatory framework applicable to CCPs in the UK. Subsequently, ESMA has prolonged the tiering determination decisions and recognition decisions for the three recognized UK CCPs – ICE Clear Europe Ltd, LCH Ltd (as Tier 2) and LME Clear Ltd (as Tier 1) – that were adopted by ESMA on September 25, 2020, to align with the expiry date of the new equivalence decision. The application of the tiering determination decisions and recognition decisions is temporarily extended until 30 June 2028. [NEW]
  • ESMA and Bank of England Conclude a Revised MoU in Respect of UK-Based CCPs Under EMIR. On March 17, ESMA and the Bank of England (“BoE”) signed a revised Memorandum of Understanding (“MoU”) on cooperation and information exchange concerning the three CCPs established in the UK (ICE Clear Europe Ltd, LCH Ltd and LME Clear Ltd) which have been recognized by ESMA under EMIR. ESMA said that, according to EMIR, one of the conditions for recognition of a third-country CCP (TC-CCP) by ESMA is the establishment of cooperation arrangements between ESMA and the relevant third-country authority. ESMA noted that the revised MoU follows the amendments introduced by EMIR 3 on the requirements concerning the content of such cooperation arrangements, in particular, cooperation in respect of systemically important TC-CCPs (Tier 2 TC-CCPs), and replaces the earlier version that ESMA and the BoE concluded in 2020. [NEW]
  • UK Drops Proposals to Publicize Enforcement Investigations if Public Interest Test is Met. On March 11, the UK Financial Conduct Authority (“FCA”) wrote to the Treasury Select Committee and House of Lords Financial Services Regulation Committee about its proposals to increase the transparency of enforcement investigations. The FCA indicated that, given continued industry concern over its proposals to publicize an investigation into a regulated firm carrying out authorized activity, where a public interest test is met, the FCA will not proceed with this. Instead, it will stick to its existing exceptional circumstances test to determine if it should publicize investigations into regulated firms. The FCA noted that it will take forward the following proposals and aim to publish a policy statement in the first half of this year: (i) Reactively confirming investigations announced by others; (ii) Public notifications that focus on the potentially unlawful activities of unregulated firms and regulated firms operating outside the regulatory perimeter; and (iii) Publishing greater detail of issues under investigation on an anonymous basis. ISDA said that the FCA’s proposal, which would have given it the ability to publicly name firms at the start of an investigation, caused concern across the industry. In their February 17 response to the proposal, ISDA and the Association for Financial Markets in Europe (“AFME”) highlighted concerns that the proposals would be harmful to UK competitiveness and growth and suggested a broader interpretation of the existing exceptional circumstances test could be used to meet the FCA’s objectives. This was the second consultation ISDA and AFME responded to on this subject. The first response, submitted on April 30, 2024, is available here. [NEW]
  • ESMA Clarifies the Treatment of Settlement Fails with Respect to the CSDR Penalty Mechanism. On March 14, ESMA published a statement on the treatment of settlement fails with respect to the Central Securities Depositories Regulation (“CSDR”) penalty mechanism, following the major incident that affected TARGET Services (T2S and T2) last month. ESMA clarifies in the statement that National Competent Authorities (“NCAs”) do not expect Central Securities Depositories to apply cash penalties in relation to settlement failures for the days of February 27 and 28, 2025. As specified in an existing CSDR Q&A, cash penalties should not be applied in situations where settlement cannot be performed for reasons that are independent from the involved participants. [NEW]
  • The ESAs Acknowledge the European Commission’s Amendments to the Technical Standard on Subcontracting Under the Digital Operational Resilience Act. On March 7, the European Supervisory Authorities (EBA, EIOPA and ESMA – the “ESAs”) issued an opinion on the European Commission’s (“EC”) rejection of the draft Regulatory Technical Standard (“RTS”) on subcontracting. The EC indicated that it rejected the original draft RTS on subcontracting, which specified further elements that financial entities must determine and assess when subcontracting ICT services that support critical or important functions under the Digital Operational Resilience Act (“DORA”), on the grounds that certain elements exceeded the powers given to the ESAs by DORA. The opinion acknowledges the assessment performed by the EC and opines that the amendments proposed ensure that the draft RTS is in line with the mandate set out under DORA. The ESAs said that, for this reason, they do not recommend further amendments to the RTS in addition to the ones proposed by the EC. The ESAs encouraged the EC to finalize the adoption of the RTS without further delay as submitted to the ESAs.

New Industry-Led Developments

  • IOSCO Launches New Alerts Portal to Help Combat Retail Investment Fraud. On March 20, IOSCO announced the launch of the International Securities & Commodities Alerts Network (“I-SCAN”). IOSCO said that I-SCAN is a unique global warning system where any investor, online platform provider, bank or institution can check if a suspicious activity has been flagged for a particular company by financial regulators, which will submit alerts directly to I-SCAN, worldwide. According to IOSCO, I-SCAN forms part of IOSCO’s Roadmap for Retail Investor Online Safety, an initiative which was launched in November last year. [NEW]
  • ISDA Expands SwapsInfo to Include European CDS Trading Activity. On March 13, ISDA announced that it has expanded its SwapsInfo derivatives database and website to include European credit default swaps (“CDS”) trading activity, creating a more comprehensive picture of derivatives trading in the EU, UK and US. The new data includes EU and UK index and single-name CDS traded notional and trade count, based on transactions publicly reported by 18 European approved publication arrangements and trading venues.
  • ISDA Submits Paper to ESMA on OTC Derivatives Identifier for MIFIR Transparency. On March 11, ISDA submitted a paper to ESMA setting out its view on how the delegated act specifying the identifying reference data to be used for over-the-counter (“OTC”) derivatives transparency under the Markets in Financial Instruments Regulation (“MIFIR”) should be implemented. The delegated act leaves room for interpretation by ESMA on which unique identifier should be used, creating a risk that the International Securities Identification Number may be retained in some form. The ISDA paper makes the case for the use of the unique product identifier (“UPI”), maintaining its position that this will create more effective transparency and a more attractive consolidated tape, as well as reducing cost and complexity, and aligning with the increasing international consensus on using the UPI as the basis for OTC derivatives identification.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])

Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])

Darius Mehraban, New York (212.351.2428, [email protected])

Jason J. Cabral, New York (212.351.6267, [email protected])

Adam Lapidus, New York (212.351.3869, [email protected])

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

William R. Hallatt, Hong Kong (+852 2214 3836, [email protected])

David P. Burns, Washington, D.C. (202.887.3786, [email protected])

Marc Aaron Takagaki, New York (212.351.4028, [email protected])

Hayden K. McGovern, Dallas (214.698.3142, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Gibson Dunn’s Immigration Task Force is available to help clients understand what these and other expected policy changes will mean for them and how to comply with new requirements.

In recent weeks, several federal agencies responsible for overseeing different aspects of the immigration system have issued or proposed new rules and guidance impacting noncitizens, as well as their families, communities, and employers.  This update outlines four of those developments: a new Department of Homeland Security (DHS) rule requiring registration of certain noncitizens and criminal penalties for willful failure to comply; a new proposed DHS rule around the use of social media to vet noncitizens in a variety of common immigration postures; a new proposed Department of Health and Human Services (HHS) rule around access to the Affordable Care Act marketplace for DACA holders; and a potential new “Gold Card” path to permanent residence.

1. New DHS Rules

DHS recently announced two new rules that seek to expand its ability to monitor noncitizens present in, or seeking admission to, the United States.  These include (1) the implementation of a decades-old, little-used registration requirement for noncitizens; and (2) the implementation of new social media information collection and review for certain noncitizens.

Registration Requirements for Certain Noncitizens

On March 12, 2025, DHS announced an interim final rule, effective April 11, 2025, that would—for the first time in decades—enforce the registration requirements of the Immigration and Nationality Act (INA) against certain noncitizens.  These requirements include submitting a recently updated registration form online and being fingerprinted.[1]  Noncitizens who follow such registration requirements will be issued a certificate or receipt card that they must carry with them at all times.[2]

The interim final rule implements a portion of Executive Order 14159 (titled “Protecting the American People Against Invasion”).[3]  In the Executive Order, President Trump directed the Secretary of Homeland Security to enforce the INA’s registration requirements, which date back to the Alien Registration Act of 1940.[4]  Notably, these requirements are applicable only for certain noncitizens, namely those who have not applied for a visa, submitted one of several specific forms for immigration relief, or been issued one of several types of identity, visa, entry, or lawful status documents.[5]

Noncitizens who are required to register but willfully fail to do so (or to provide proof of registration when requested by law enforcement) could face civil and criminal penalties.[6]

History

The Alien Registration Act of 1940, also known as the Smith Act,[7] mandated in Title III that all noncitizens (i) aged 14 or older (ii) who had not previously been registered or fingerprinted and (iii) who remained in the United States for thirty or more days were required to apply for registration and be fingerprinted before the end of the thirty-day period.[8]  The registration requirements of the Smith Act were announced during a series of radio public service announcements, the first of which included Attorney General Robert Jackson announcing it as an “inventory” of immigrants, which was described as “essential to our national defense.”[9]

In 1952, Congress enacted the INA, incorporating the requirements of the Alien Registration Act into the statute.[10]  Further, the INA included a provision that required all registrants to carry the “certificate of alien registration or an alien registration receipt card” “at all times” or risk criminal liability.[11]

While the law has been on the books for decades, its enforcement historically has been inconsistent, and the requirement had generally fallen out of use.[12]  Today, noncitizens who enter the United States via a lawful entry method would have already been “registered” in the sense that they have undergone pre-entry vetting and identification confirmation—in other words, the relevant federal agencies already have the “registration” information they need.[13]  And for noncitizens who enter the country without inspection, until now, there was no mechanism by which they could comply with the Act’s requirements.[14]

Current Enforcement

DHS’s interim final rule established Form G-325R (“Biometric Information (Registration)”) as a general registration form which can be submitted online.[15]  This new general registration form is “available to all aliens regardless of their status”[16] in order to “[e]nsure that all previously unregistered aliens in the United States”[17] follow the registration requirements.

These requirements do not apply to several categories of noncitizens, namely those who have (i) applied to the Department of State for a visa, (ii) submitted one of the documents listed under 8 C.F.R. § 264.1(a),[18] or (iii) been issued one of the documents listed under 8 C.F.R. § 264.1(b).[19]  Noncitizens who do not currently appear to need to register under the registration requirements include, among others:

  • Lawful permanent residents;
  • Noncitizens who were issued a Form I-94 or I-94W, even if the period of admission has expired;
  • Noncitizens issued an employment authorization document;
  • Noncitizens who have applied for lawful permanent residence and been fingerprinted, even if the applications were denied; and
  • All noncitizens in the U.S. who were issued immigrant or nonimmigrant visas before their last date of arrival.

The requirements for certain categories of noncitizens remain unclear.  For example, individuals who have applied for asylum and are awaiting adjudication do not fall within the specific list of exempted individuals identified here but are generally already subject to biometrics collection and otherwise seem to meet the exemption criteria.

Additionally, the interim final rule provides that “every registered alien 18 years of age and over must at all times carry and have in their personal possession any certificate of alien registration or alien registration receipt card” and “[n]oncompliance is a misdemeanor punishable by a fine of up to $5,000 or imprisonment for not more than thirty days, or both.”[20]  This means that immigrants who are registered—including those with lawful immigration status—could be criminally prosecuted for failing to carry proof of that registration with them at all times.

Social Media Screening

On March 5, 2025, DHS issued a Notice of Proposed Rulemaking (NPRM) (“Generic Clearance for the Collection of Social Media Identifier(s) on Immigration Forms”) that would require applicants for several forms of immigration relief and benefits to provide identifier information (“handles”) for social media platforms on which they have had a presence in the last five years.[21]

This requirement is applicable to noncitizens in a wide variety of legal postures, from those seeking entry to the United States for the first time to those who have been here for decades and are applying to obtain their citizenship: N-400 (Application for Naturalization), I-131 (Application for Travel Documents, Parole Documents, and Arrival/Departure Records), I-192 (Application for Advance Permission to Enter as Nonimmigrant), I-485 (Application to Register Permanent Residence or Adjust Status), I-589 (Application for Asylum and for Withholding of Removal), I-590, I-730 (Refugee/Asylee Relative Petition), I-751 (Petition to Remove Conditions on Residence), and I-829 (Petition by Investor to Remove Conditions on Permanent Residence Status).

The stated purpose of this NPRM is to collect all necessary screening information for immigration benefit decisions and to ensure “uniform vetting standards” for national security and public safety risks,[22] as called for by Executive Order 14161 (“Protecting the United States from Foreign Terrorists and Other National Security and Public Safety Threats”).[23]

2. HHS Proposed Final Rule on Affordable Care Act Access for DACA Recipients

On March 19, 2025, HHS announced an NPRM to rescind a recent Biden Administration regulation that, since November 2024, has permitted recipients of relief under the Deferred Action for Childhood Arrivals (DACA) policy to purchase health insurance through the marketplaces established by the Affordable Care Act (ACA).[24]  Estimates vary regarding the number of affected individuals, but reflect that approximately 11,000 DACA recipients would lose their current enrollment in the ACA marketplaces.[25]

Enacted in 2010, the ACA established “Marketplaces” in each state where citizens and “lawfully present” noncitizens may purchase health insurance, made accessible through tax subsidies.[26]  States may choose to run their own exchange or participate in the Federal Exchange.[27]  Upon passage, HHS issued regulations that defined the term “lawfully present” broadly to include, among other groups, all recipients of “deferred action”—an exercise of prosecutorial discretion by DHS to defer taking removal action against an individual.[28]

Two years later, in June 2012, DHS announced the DACA policy, which allows noncitizens who came to the U.S. as children to apply for deferred action, providing temporary protection from deportation and work authorization.[29]  As of September 30, 2024, there are over 530,000 active DACA recipients in the United States.[30]  Because of court orders in pending litigation, no new DACA applications have been processed since July 2021, though current DACA recipients can still renew their status and work authorization.[31]

When DACA was first implemented, HHS amended the definition of “lawfully present” to exclude DACA recipients for the purpose of the ACA, thus excluding them from the ACA Marketplaces.[32]  On May 8, 2024, however, a Biden Administration final rule amended the definition of “lawfully present”—effective November 1, 2024—to include DACA recipients, on the ground that there was no reason to treat DACA recipients differently than other persons with “deferred action” status.[33]  That final rule is currently subject to litigation in the District of North Dakota and has been enjoined and stayed in nineteen states.[34]  Gibson Dunn, together with the National Immigration Law Center, is currently representing DACA recipients and CASA, a membership-based immigrant rights organization, as intervenors in that litigation in defending the May 2024 final rule.  Due to the limited nature of the injunction and stay, the final rule remains in effect in other states, and around 11,000 DACA recipients have purchased Marketplace plans.[35]

This recent NPRM would revise the ACA Marketplace regulations to again bar DACA recipients from the ACA Marketplaces.[36]  Comments on the regulation are due on April 11, 2025.

3. Announcement of the Potential Revocation of EB-5 Visa in favor of a “Gold Card”

The Executive Branch has also announced plans to offer a Gold Card, which, after application and payment of a fee of $5,000,000, would offer privileges granted by existing Permanent Resident Cards (Green Cards) and a path to U.S. citizenship.[37]  President Trump and U.S. Secretary of Commerce Howard Lutnick described the proposed visa program in remarks to reporters in the Oval Office on February 25, 2025.[38]  The Gold Card, according to President Trump, could be paid for directly by vetted individuals or on behalf of individuals by companies seeking to hire top job candidates.[39]

“Golden visas” offering legal status and a path to citizenship have grown in popularity in recent decades, with European countries such as Spain, Portugal, and Greece all offering a form of a golden visa to individuals who invest a minimum amount of money in the country.[40]

The United States currently offers a visa under the EB-5 Immigrant Investor Program authorized under Section 203(b)(5) of the Immigration and Nationality Act (the INA),[41] that functions somewhat similarly to a golden visa in that it offers individuals who make certain investments in the country a path to lawful permanent residence.

Specifically, under the INA, EB-5 Visas are available to qualified immigrants seeking to enter the United States for the purpose of engaging in a for-profit organization formed in the United States (1) in which the visa applicant invested (after November 29, 1990), or is actively in the process of investing, $1,050,000 (subject to adjustment) and (2) that will create full-time employment for at least 10 individuals lawfully authorized to be employed in the United States (other than the applicant’s spouse and children).[42]  Of the visas made available under the EB-5 Program each year, 20 percent are reserved for investors in rural areas, 10 percent for investors in designated high unemployment areas, and 2 percent for investors in infrastructure projects, each with a reduced investment requirement of $800,000.[43]  Under the INA, investments may be made in an organization managed directly by the investor or in qualified regional center programs in which qualified immigrants pool their investments.[44]  Notably, the INA expressly authorizes visas under the regional center program through September 30, 2027.[45]  Secretary Lutnick, however, stated that the EB-5 Program “was full of nonsense make believe and fraud” and would be replaced by the Gold Card program.[46]

Compared to EB-5 Visas, the proposed Gold Card would shift visa requirements away from the above investment criteria focused on job creation, especially in rural and high unemployment areas, in favor of a simplified flat fee paid to the U.S. Government.  At a cost of $5,000,000, the proposed Gold Card would also come at a significantly higher price to visa applicants, and unlike investments made under the EB-5 Program, fees paid for the proposed Gold Card would not offer visa applicants the opportunity to generate returns directly on the cost of the visa.

President Trump and Secretary Lutnick have not detailed plans for terminating the existing EB-5 Program, nor have plans for implementing a Gold Card program been provided.  Although the EB-5 program was created by statute,[47] President Trump has stated his belief that Congressional action will not be required to create the Gold Card program.[48]  A new visa program adopted without legislation likely would face legal challenges.

[1]      See Alien Registration Form and Evidence of Registration, 90 Fed. Reg. 11793 (Mar. 12, 2025).

[2]      See Alien Registration Form and Evidence of Registration, 90 Fed. Reg. 11793, 11794 (Mar. 12, 2025).

[3]      See Alien Registration Requirement, U.S. Citizenship and Immigration Services, available at https://www.uscis.gov/alienregistration (last visited Mar. 18, 2025); Exec. Order No. 14159, 90 Fed. Reg. 8443 (Jan. 29, 2025), § 7.

[4]      See Exec. Order No. 14159, 90 Fed. Reg. 8443 (Jan. 29, 2025), § 7; Alien Registration Form and Evidence of Registration, 90 Fed. Reg. 11793, 11793 (Mar. 12, 2025).

[5]      See Alien Registration Requirement, U.S. Citizenship and Immigration Services, available at https://www.uscis.gov/alienregistration (last visited Mar. 18, 2025).

[6]      See Alien Registration Requirement, U.S. Citizenship and Immigration Services, available at https://www.uscis.gov/alienregistration (last visited Mar. 18, 2025) (“It is the legal obligation of all unregistered aliens (or previously registered aliens who turn 14 years old) who are in the United States for 30 days or longer to comply with these requirements. Failure to comply may result in criminal and civil penalties, up to and including misdemeanor prosecution, the imposition of fines, and incarceration.”); Alien Registration Form and Evidence of Registration, 90 Fed. Reg. 11793, 11794 (Mar. 12, 2025) (“An alien’s willful failure or refusal to apply to register or to be fingerprinted is punishable by a fine of up to $5,000 or imprisonment for up to six months, or both.”).

[7]      See Public Law 76-670, 54 Stat. 670.

[8]      See Public Law 76-670, 54 Stat. 670, tit. III.

[9]      See Elizabeth Burnes & Marisa Louie, The A-Files: Finding Your Immigrant Ancestors, 45 Prologue Mag. 1 (Spring 2013), in National Archives, https://www.archives.gov/publications/prologue/2013/spring/a-files.

[10]    See 8 U.S.C. §§ 1301 et seq.

[11]    See 8 U.S.C. § 1304(e) (noting that anyone who failed to carry such a certificate or receipt card “shall be guilty of a misdemeanor and shall upon conviction for each offense be fined not to exceed $100 or be imprisoned not more than thirty days, or both”).

[12]    See Tim Sullivan, Immigration Officials Say Everyone Living in the US Illegally Must Register. What Does That Mean?, Eyewitness News ABC 7 (Mar. 3, 2025), https://abc7ny.com/post/immigration-officials-say-everyone-living-us-illegally-register-what-does-mean/15957638/ (noting that “[a]cross the decades, . . . scholars say the registration requirement has rarely been enforced”).

[13]    See Alien Registration Form and Evidence of Registration, 90 Fed. Reg. 11793, 11794 (Mar. 12, 2025) (listing the forms “that satisfy registration requirements”).

[14]    See Alien Registration Form and Evidence of Registration, 90 Fed. Reg. 11793, 11795 (Mar. 12, 2025) (noting that under current regulations, “[a]liens who entered without inspection and have not otherwise been encountered by DHS lack a designated registration form”).

[15]    See Alien Registration Form and Evidence of Registration, 90 Fed. Reg. 11793, 11795 (Mar. 12, 2025).

[16]    See Alien Registration Form and Evidence of Registration, 90 Fed. Reg. 11793, 11795–96 (Mar. 12, 2025).

[17]    See Exec. Order No. 14159, 90 Fed. Reg. 8443 (Jan. 29, 2025), § 7.

[18]    DHS regulations identify the following forms as applicable registration forms:  I-67, I-94, I-95, I-181, I-485, I-590, I-687, I-691, I-698, I-700, and I-817.  See Alien Registration Form and Evidence of Registration, 90 Fed. Reg. 11793, 11794–95 (Mar. 12, 2025).

[19]    DHS regulations identify the following forms as constituting evidence of registration:  I-94, I-95, I-184, I-185, I-186, I-221, I-221S, I-551, I-766, I-862, and I-863.  See Alien Registration Form and Evidence of Registration, 90 Fed. Reg. 11793, 11795 (Mar. 12, 2025).

[20]    See Alien Registration Form and Evidence of Registration, 90 Fed. Reg. 11793, 11795–96 n.7 (Mar. 12, 2025).

[21]    See Agency Information Collection Activities; New Collection: Generic Clearance for the Collection of Social Media Identifier(s) on Immigration Forms, 90 Fed. Reg. 11324 (Mar. 5, 2025).

[22]    See Agency Information Collection Activities; New Collection: Generic Clearance for the Collection of Social Media Identifier(s) on Immigration Forms, 90 Fed. Reg. 11324 (Mar. 5, 2025).

[23]    See Exec. Order No. 14161, 90 Fed. Reg. 8451 (Jan. 30, 2025), § 2.

[24]    Patient Protection and Affordable Care Act; Marketplace Integrity and Affordability, 90 Fed. Reg. 12942 (Mar. 19, 2025).

[25]    Id. at 13000.

[26]    Patient Protection and Affordable Care Act, P.L. 111-148, as amended.

[27]    Affordable Choices of Health Benefit Plans, 42 U.S.C. §§ 18031 et seq.

[28]    Pre-Existing Condition Insurance Plan Program, 75 Fed. Reg. 45014 (July 30, 2010); Patient Protection and Affordable Care Act; Establishment of Exchanges and Qualified Health Plans, 77 Fed. Reg. 18310 (March 27, 2012); Consideration of Deferred Action for Childhood Arrivals (DACA), U.S. Citizenship and Immigration Services, https://www.uscis.gov/DACA.

[29]    Consideration of Deferred Action for Childhood Arrivals (DACA), U.S. Citizenship and Immigration Services, https://www.uscis.gov/DACA.

[30]    Count of Active DACA Recipients, U.S. Citizenship and Immigration Services, https://www.uscis.gov/tools/reports-and-studies/immigration-and-citizenship-data.

[31]    Consideration of Deferred Action for Childhood Arrivals (DACA), U.S. Citizenship and Immigration Services, https://www.uscis.gov/DACA.

[32]    Pre-Existing Condition Insurance Plan Program, 77 Fed. Reg. 52614 (Aug. 30, 2012).

[33]    Clarifying the Eligibility of Deferred Action for Childhood Arrivals (DACA) Recipients and Certain Other Noncitizens for a Qualified Health Plan through an Exchange, Advance Payments of the Premium Tax Credit, Cost-Sharing Reduction, and a Basic Health Program, 89 Fed. Reg. 39392 (May 8, 2024).

[34]    Kansas v. United States, 2024 WL 5220178, at *10 (D.N.D. Dec. 9, 2024).

[35]    Patient Protection and Affordable Care Act; Marketplace Integrity and Affordability, 90 Fed. Reg. 12942, 13000 (Mar. 19, 2025).

[36]    Id.

[37]    Remarks: Donald Trump Signs Executive Orders in the Oval Office, Roll Call (Feb. 25, 2025), available at https://rollcall.com/factbase/trump/transcript/donald-trump-remarks-executive-orders-white-house-february-25-2025/.

[38]    Id.

[39]    Id.

[40]    Jonathan Wolfe, How Trump’s ‘Gold Card’ Plan Echoes the Golden Visas Programs in Europe, The New York Times (Feb. 26, 2025), available at https://www.nytimes.com/2025/02/26/nyregion/trump-gold-card-visa-europe.html.

[41]    8 U.S.C. § 1153(b)(5), https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title8-section1153&num=0&edition=prelim.

[42]    Id.

[43]    Id.

[44]    Id.

[45]    Id.

[46]    Remarks: Donald Trump Signs Executive Orders in the Oval Office, Roll Call (Feb. 25, 2025), available at https://rollcall.com/factbase/trump/transcript/donald-trump-remarks-executive-orders-white-house-february-25-2025/.

[47]    See, e.g., Dep’t of State v. Munoz, 602 U.S. 899 (2024) (“over no conceivable subject [visa decisions] is the legislative power of Congress more complete.”) (quoting Oceanic Navigation Co. v. Stranahan, 214 U.S. 320 (1909)); Fiallo v. Bell, 430 U.S. 787 (1977).

[48]    Remarks: Donald Trump Signs Executive Orders in the Oval Office, Roll Call (Feb. 25, 2025), available at https://rollcall.com/factbase/trump/transcript/donald-trump-remarks-executive-orders-white-house-february-25-2025/.


The following Gibson Dunn lawyers prepared this update: Stuart Delery, Nancy Hart, Matt Rozen, Laura Raposo, Ariana Sañudo, Carolyn Ye, Alex Prezioso, Heather Skrabak, and Matt Weiner.


© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.


Gibson Dunn’s Workplace DEI Task Force aims to help our clients navigate the evolving legal and policy landscape following recent Executive Branch actions and the Supreme Court’s decision in SFFA v. Harvard. Prior issues of our DEI Task Force Update can be found in our DEI Resource Center. Should you have questions about developments in this space or about your own DEI programs, please do not hesitate to reach out to any member of our DEI Task Force or the authors of this Update (listed below).

Key Developments:

On March 19, the Equal Employment Opportunity Commission (EEOC) issued guidance entitled “What You Should Know About DEI-Related Discrimination at Work,” which includes eleven questions and corresponding answers addressing the process for asserting a discrimination claim and the scope of protections under Title VII of the Civil Rights Act of 1964 (Title VII) as they relate to DEI programs. The EEOC and the Department of Justice (DOJ) also released a joint one-page technical assistance document entitled “What To Do If You Experience Discrimination Related to DEI at Work,” which provides examples of “DEI-related discrimination” under Title VII and directs employees who “suspect [they] have experienced DEI-related discrimination” to “contact the EEOC promptly.” As described in an EEOC press release, these documents are designed “[t]o help educate the public about how well-established civil rights rules apply to employment policies, programs, and practices—including those labeled or framed as ‘DEI.’”

The guidance broadly defines potentially unlawful DEI initiatives as, among other things, programs that involve “[a]ccess to or exclusion from training (including training characterized as leadership development programs)”; “[a]ccess to mentoring, sponsorship, or workplace networking / networks”; “[i]nternships (including internships labeled as ‘fellowships’ or ‘summer associate’ programs)”; and “[s]election for interviews, including placement or exclusion from a candidate ‘slate’ or pool.” The guidance also addresses the unlawful “segregation” of employees, noting that employers may not “separate workers into groups based on” protected characteristics “when administering DEI or any trainings [or] workplace programming,” even if the separate groups “receive the same programming content or amount of employer resources.” The guidance further notes that “unlawful segregation can include limiting membership in workplace groups, such as Employee Resource Groups (ERG), Business Resource Groups (BRGs), or other employee affinity groups, to certain protected groups.” The guidance also provides that employers may not “justify taking an employment action based on race, sex, or another protected characteristic because the employer has a business necessity or interest in ‘diversity,’ including preferences or requests by the employer’s clients or customers.” Finally, the guidance suggests that DEI-related trainings “may” create a hostile work environment if there is evidence that the “training was discriminatory in content, application, or context.”

For more information about this guidance, please see our March 20 client alert, available here.

On March 19, the Trump Administration announced that it would suspend approximately $175 million in federal funding for the University of Pennsylvania. It made the announcement via a post on social media site X in which it embedded a Fox Business clip that was sourced to an unnamed White House official. In the post on X, the White House stated that the decision was based on Penn’s “policies forcing women to compete with men in sports.” The announcement came after the Education Department’s Office for Civil Rights opened an investigation into the University’s swimming program following President Trump’s executive order (EO) banning transgender athletes from women’s sports. A spokesperson from the University said the school had not received notification of this action.

On March 17, Acting EEOC Chair Andrea Lucas sent letters to 20 law firms requesting information about their DEI practices and programs. In the letters, Lucas cites publicly available information about the firms’ hiring practices and diversity initiatives and states that she is “concerned” that those “programs, policies, and practices” may be unlawful under Title VII of the Civil Rights Act. The letters make the same 37 requests for information from each target firm from 2019 to the present, including requests for information about their hiring and promotion processes, diversity goals, application and selection criteria for fellowship programs, and participation in diversity internship programs. Among other information, the requests also seek the name, sex, race, GPA, and contact information for all applicants for legal positions at the firm at any level, any lawyers selected for particular programs, and all lawyers considered for elevation to partner. The requests also ask firms to list the clients that have “diversity requirements,” and instances in which the firms provided demographic information to clients. In a press release issued the same day as the letters, Acting Chair Lucas states: “The EEOC is prepared to root out discrimination anywhere it may rear its head, including in our nation’s elite law firms.”

On March 14, a panel of the U.S. Court of Appeals for the Fourth Circuit issued a unanimous ruling temporarily staying the preliminary injunction in Nat’l Ass’n of Diversity Officers in Higher Educ., et al., v. Donald J. Trump, et al., No. 1:25-cv-00333-ABA (D. Md. 2025). The stay decision permits the implementation and enforcement of key aspects of two recent Executive Orders signed by President Trump: EO 14151 (“Ending Radical and Wasteful Government DEI Programs and Preferencing”) and EO 14173 (“Ending Illegal Discrimination and Restoring Merit-Based Opportunity”). The preliminary injunction stayed by this decision had blocked enforcement of EO 14173’s requirement that federal contractors and grant recipients certify they do not “operate any programs promoting DEI that violate any applicable Federal anti-discrimination laws” and “agree that [their] compliance in all respects with all applicable federal anti-discrimination laws is material” for purposes of the False Claims Act. It had also enjoined the federal government from freezing or terminating existing “equity-related” contracts and grants under EO 14151.

While the Fourth Circuit stay order itself is relatively short, all three judges on the panel—Chief Judge Diaz, Judge Harris, and Judge Rushing—wrote concurring opinions elaborating on their reasoning. Chief Judge Diaz wrote that “despite the vitriol being heaped on DEI,” those working on such efforts “deserve praise, not opprobrium,” for “when this country embraces true diversity, it acknowledges and respects the social identity of its people. When it fosters true equity, it opens opportunities and ensures a level playing field for all.” Judge Harris explained that she understood the EOs to be “distinctly limited in scope” to address only “conduct that violates existing federal anti-discrimination laws,” and that any agency action beyond that scope may be unconstitutional. Her reasoning leaves open room for as-applied constitutional challenges to the EOs, which plaintiffs may seize on once enforcement of the EOs resumes. Judge Rushing wrote that the other judges’ “view on whether certain Executive action is good policy” is an “impermissible consideration” in fulfilling the court’s “duty to adjudicate cases and controversies according to the law.” Judge Rushing also raised questions about the plaintiffs’ standing and ripeness, noting that the plaintiffs have not challenged any specific agency action or decision.

On March 14, the U.S. Department of Education’s Office for Civil Rights (OCR) announced an investigation into 45 universities for potential violations of Title VI of the Civil Rights Act of 1964 over their partnership with “The Ph.D. Project,” a nonprofit organization that helps students with insight and networking opportunities related to pursuing a Ph.D. OCR is also investigating six universities “for allegedly awarding impermissible race-based scholarships” and one university “for allegedly administering a program that segregates students on the basis of race.” The investigations followed a February 14 Dear Colleague Letter OCR sent nationwide reminding schools of their “obligations to end the use of racial preferences and stereotypes in education programs and activities.” The full list of universities under investigation is available here.

On March 14, Texas Attorney General Ken Paxton sent a letter in response to an inquiry from Colonel Freeman Martin, Director of the Texas Department of Public Safety, regarding the “[v]alidity of district court orders directing state agencies to amend a person’s biological ‘sex’ designation on state identification documents.” In the letter, Paxton writes that district courts in Texas lack jurisdiction to issue these orders, reasoning that the “‘judicial power’ endowed to district courts” does not justify “ex parte orders directing state agencies to amend a person’s biological sex” on birth certificates and driver’s licenses. On this basis, Paxton concludes that these district court orders are void and instructs that “prior ‘corrections’ should be reversed” immediately.

On March 6, President Trump issued an executive order titled “Addressing Risks from Perkins Coie LLP,” which, among other things, requires the Chair of the EEOC to “review the policies of representative large, influential, or industry leading law firms for consistency with Title VII of the Civil Rights Act of 1964, including whether large law firms: reserve certain positions, such as summer associate spots, for individuals of preferred races; promote individuals on a discriminatory basis; permit client access on a discriminatory basis; or provide access to events, trainings, or travel on a discriminatory basis.” Additionally, the EO directs the Attorney General to work with the EEOC Chair and with State Attorneys General as appropriate to investigate practices of “large law firms . . . who do business with federal entities for compliance with race-based and sex-based non-discrimination laws and take any additional actions the Attorney General deems appropriate in light of the evidence uncovered.” The letters from the Acting Chair of the EEOC to 20 law firms appear to be in response to these directives. The first section of the EO stated that Perkins Coie “racially discriminates against its own attorneys and staff, and against applicants.” The EO mandates the suspension of security clearances for the firm’s employees, a review of government contracts involving the firm and government contractors that work with the firm, and restrictions on access to government buildings and communications with government officials by the firm.

In response, on March 11, Perkins Coie filed a lawsuit and a motion for a temporary restraining order (TRO) challenging certain provisions of the EO, arguing that the order was an unconstitutional attempt to punish the firm for its legal representation and support of diversity and inclusion initiatives. The case is Perkins Coie LLP v. U.S. Department of Justice et al., No. 1:25-cv-00716 (D.D.C. 2025). On March 12, 2025, the United States District Court for the District of Columbia granted the TRO halting the enforcement of certain provisions of the EO. The court described the EO as “viewpoint discrimination” and warned that it would have a “chilling harm of blizzard proportions” on the legal profession if allowed to stand. The motion for a TRO filed by Perkins Coie did not seek to block section 4 of the EO, which directs the EEOC to review the DEI practices of large law firms. Accordingly, the court’s ruling did not address that provision.

On March 14, the White House issued a similar executive order aimed at the law firm Paul, Weiss, Rifkind, Wharton & Garrison LLP, which among other things said that the firm had “discriminate[d] against its own employees on the basis of race and other categories prohibited by civil rights law.” It noted that “Paul Weiss, along with nearly every other large, influential, or industry leading law firm, makes decisions around ‘targets’ based on race and sex.” On March 20, President Trump announced that he is withdrawing the EO after Paul Weiss “agree[d] that the bedrock principle of American Justice is that it must be fair and nonpartisan,” “affirm[ed] its commitment to merit-based hiring, promotion, and retention” and stated it “will not adopt, use, or pursue any DEI policies,” agreed to “conduct a comprehensive audit of all its employment practices,” and promised to “dedicate the equivalent of $40 million in pro bono legal services . . . to support the [Trump] Administration’s initiatives.”

On March 6, the Dean of the Georgetown University Law Center, William Treanor, wrote in response to a March 3 letter from Interim U.S. Attorney for the District of Columbia, Edward Martin. In his letter, Interim U.S. Attorney Martin asks Dean Treanor whether he has “eliminated all DEI from [the] school and its curriculum” and whether he would “move swiftly to remove it” if “DEI is found in your courses or teaching in [any way].” The letter additionally informs the law school that the United States Attorney’s Office for the District of Columbia will not consider any applicant from a school teaching and utilizing DEI for any employment, fellowship program, or internship.

Dean Treanor’s response asserts that Martin’s letter “challenges Georgetown’s ability to define its mission as an educational institution” in violation of the First Amendment, which “guarantees that the government cannot direct what Georgetown and its faculty teach and how to teach it.” Dean Treanor notes the current Administration has itself affirmed this “bedrock principle of constitutional law,” asserting that the Department of Education has confirmed “that it cannot restrict First Amendment rights and that it is statutorily prohibited from ‘exercising control over the content of school curricula.’” In closing, Dean Treanor asked the U.S. Attorney’s office to confirm that any Georgetown-affiliated candidates for employment with the office will receive full and fair consideration.

Media Coverage and Commentary:

Below is a selection of recent media coverage and commentary on these issues:

  • Reuters, “Exclusive: Proxy Adviser Glass Lewis Sticks with Diversity Guidance, Will Flag Risk” (March 4): Ross Kerber of Reuters reports that proxy adviser Glass Lewis will continue to consider boardroom diversity when making voting recommendations. Kerber reports, however, that now when recommending against a board candidate for a reason related to diversity, Glass Lewis will also note “information that could support an alternative vote by the client.” This change follows last month’s announcement by Institutional Shareholder Services that it would no longer consider diversity when making boardroom voting recommendations. Kerber writes that, in an email to clients seen by Reuters, Glass Lewis reaffirmed its 2025 benchmark guidelines for U.S. companies, which recommend that shareholders vote against certain directors at large U.S. companies when their boards lack gender, racial, or LGBTQ diversity.
  • New York Times, “Trans Workers Describe a ‘Betrayal’ by an Agency Meant to Protect Them” (March 5): The New York Times’ Jessica Silver-Greenberg reports on the recent actions by the EEOC to dismiss cases involving transgender and nonbinary workers. The article highlights the case of Asher Lucas, who was fired from the restaurant Culver’s after complaining about harassment due to his transgender identity. The EEOC initially sued Culver’s for unlawful employment practices but has since moved to dismiss the case, citing “President Trump’s executive order asserting that there are only two sexes, male and female.” Citing to the same EO, the EEOC has also moved to dismiss six other lawsuits against various companies, including a pizzeria at Chicago O’Hare International Airport and a hotel franchise in western New York, which were accused of creating hostile work environments for transgender and nonbinary employees and retaliating against them when they complained. According to the authors, the EEOC’s reversal marks a significant departure from its previous stance on protecting LGBTQ workers, as emphasized in its 2023 strategic plan, and is in tension with the Supreme Court’s decision in Bostock v. Clayton County that Title VII prohibits discrimination against gay and transgender employees.
  • Wall Street Journal, “Trump’s Employment Bias Fighter Has DEI in Her Crosshairs” (March 6): The Wall Street Journal’s Richard Vanderford reports that Andrea Lucas, the acting chair of the EEOC, intends to “take on the bias she sees in [DEI] programs.” Vanderford reports that Lucas stated in a recent interview that considering a worker’s race, ethnicity, or sex when offering opportunities is illegal, regardless of intent. He reports that Lucas also stated that employers should not assume “that they’re off the hook” for “discrimination in a past administration.” Vanderford writes that Lucas’s approach to DEI “could help accelerate a corporate flight from DEI already under way.” He notes, however, that Lucas said businesses need not move away from “merit-focused decision-making,” highlighting, for example, training or mentoring for first-generation college graduates done in a race-blind manner. Vanderford also reports that, under Lucas, the EEOC is “launching a crackdown on what it calls Anti-American bias in the workplace,” aiming to “protect American workers who might not be hired because of the perception that foreign-born workers have a better work ethic.”
  • Reuters, “US Retailers Publicly Scrap Some ‘DEI’ Initiatives While Quietly Supporting Others” (March 6): Nicholas P. Brown and Arriana McLymore from Reuters report that while many U.S. retailers have publicly discontinued DEI programs, several are maintaining certain DEI efforts. Brown and McLymore report on several companies that have informed advocacy groups that they will continue to support some LGBTQ+ and racial justice events, and to support resource groups for underrepresented employees. The article quotes Gibson Dunn’s Jason Schwartz, who says companies are “trying to thread the needle—stay true to corporate values, satisfy various stakeholders, but reduce legal risk.” Companies “are essentially picking their battles or trying to avoid battles altogether,” says Schwartz, who notes that the programs companies are most likely to retain are the ones tied to customer and employee relationships. Yet some stakeholders, the authors write, are not satisfied with these changes. Brown and McLymore report that Twin Cities Pride refused a sponsorship from Target “because the company would not specify how it would continue to support LGBTQ+ shoppers and employees.”
  • The Atlantic, “Colleges Have No Idea How to Comply With Trump’s Orders” (March 10): Rose Horowitch of The Atlantic reports that the Trump Administration’s guidance on DEI has sent universities into a state of “chaos.” She writes that schools’ “first challenge” is determining the meaning of “DEI,” and their second challenge is determining the scope of corrective action to take, if any. She notes that there has been a recent “flurry of nomenclature modifications,” with universities replacing “diversity, equity, and inclusion” and related terms on their websites with, for example, “equal access and equal opportunity” or “Inclusive Excellence,” in an effort to “try to get out of the target zone.” Indeed, Horowitch notes that the cost of getting caught in the administration’s crosshairs is high, citing the recent cancellation of $400 million in federal grants and contracts for Columbia University in connection with the school’s allegedly insufficient efforts to combat antisemitism. Additionally, Horowitch describes the situation faced by “public universities in red states,” which she notes have “little choice but to go beyond cosmetic changes” in response to local political pressure.
  • Newsweek, “Nearly Half of Companies Surveyed Say They Will Maintain DEI Effort in 2025” (March 14): Newsweek’s Aman Kidwai reports on a recent survey of corporate leaders, including general counsel, HR and diversity officers, by law firm Littler Mendelson P.C. that found that “49 percent of C-suite leaders are not considering new or further rollbacks of DEI programs after the Trump administration’s executive orders, and that only 8 percent are seriously considering changes.” Kidwai quotes a report on the study stating that “approximately three-quarters” of those surveyed said that “employee expectations for ongoing [DEI] commitments” played a role in their decision to continue their DEI initiatives, suggesting that DEI “remains an important talent retention and recruitment strategy for many employers even as the environment around those efforts becomes more hostile.” Kidwai also cites to a survey by Gravity Research, showing that while the percentage of Fortune 100 companies mentioning DEI in earnings calls dropped from 43% in 2023 to 31% in 2024, there was also a 59% rise in neutral, related terms such as “belonging” or “diverse perspectives,” indicating that these conversations may be continuing but in different terms.

Case Updates:

Below is a list of updates in new and pending cases:

1. Contracting claims under Section 1981, the U.S. Constitution, and other statutes:

  • American Alliance for Equal Rights v. Southwest Airlines Co., No. 24-cv-01209 (N.D. Tex. 2024): On May 20, 2024, American Alliance for Equal Rights (AAER) filed a complaint against Southwest Airlines, alleging that the company’s ¡Lánzate! Travel Award Program, which awards free flights to students who “identify direct or parental ties to a specific country” of Hispanic origin, unlawfully discriminates based on race. AAER seeks a declaratory judgment that the program violates Section 1981 and Title VI, a temporary restraining order barring Southwest from closing the next application period (set to open in March 2025), and a permanent injunction barring enforcement of the program’s ethnic eligibility criteria. On August 22, 2024, Southwest moved to dismiss, arguing that the case was moot because the company had signed a covenant with AAER that eliminated the challenged provisions from future program application cycles. On December 6, 2024, the court granted in part and denied in part Southwest’s motion to dismiss. The court concluded that Southwest’s covenant to eliminate the program rendered moot any claims for declaratory or injunctive relief. However, the court held that it had jurisdiction over the plaintiff’s claims for one cent in nominal damages and allowed those claims to proceed. The court rejected Southwest’s argument that Southwest mooted those claims through an “unsuccessful tender of one cent to [AAER].” On February 7, 2025, Southwest Airlines answered the complaint, denying allegations of discrimination.
    • Latest update: On March 3, 2025, AAER filed a motion for summary judgment, arguing that there was no genuine dispute of material fact on three relevant questions: (1) whether ¡Lánzate! involved contracts; (2) whether ¡Lánzate! intentionally discriminated against non-Hispanics; and (3) whether that ethnic discrimination harmed one of AAER’s members by preventing them from competing for ¡Lánzate! in 2024.

2. Employment discrimination and related claims:

  • Winter v. Jones, No. 4:25-cv-00299 (E.D. Mo. 2025): On March 10, 2025, a class action complaint was filed in federal district court in Missouri against Defendants Edward D. Jones & Co., The Jones Financial Companies, and EDJ Holding Company. The lawsuit alleges that the defendants employ a racially discriminatory compensation policy, in which financial advisors are paid extra if they transfer assets to “women and/or diverse” advisors rather than to heterosexual, white male advisors, which in turn affects the performance ratings of the transferor advisors. The lawsuit further alleges the defendants employ racially discriminatory criteria in their hiring, firing, and promotion practices, in which non-white financial advisors are favored over white advisors. The complaint requests injunctive relief enjoining the defendants’ alleged race-based employment policies.
    • Latest update: The docket reflects that the defendants have waived service of process. Their Rule 12 motion or answer is due May 10, 2025.
  • Martin v. Sedgwick Claims Management Services, Inc., No. 2:25-cv-02275 (W.D. Tenn. 2025): On March 11, 2025, a former employee of Sedgwick Claims Management Services, Inc., filed a complaint against the company alleging race discrimination and sexual harassment, as well as retaliation for complaints made regarding such discrimination. The plaintiff’s complaint asserts that he was subjected to a hostile work environment and discriminatory practices because he is Caucasian and heterosexual. In part, he alleges that Sedgwick’s DEI training materials were offensive and discriminatory towards white, heterosexual males. The plaintiff claims that after he complained about the discriminatory DEI content and sexual harassment by his supervisor, he faced retaliation, including being falsely accused of recording conversations with management, which led to his termination on March 25, 2024. He asserts that Sedgwick failed to conduct a meaningful investigation into his complaints and that his discharge was pretextual.
    • Latest update: Sedgwick was served on March 13, 2025. Its answer is due on April 4, 2025.
  • EEOC v. Battleground Restaurants, No. 1:24-cv-00792 (M.D.N.C. 2024): On September 25, 2024, the EEOC filed a lawsuit against a sports bar chain, Battleground Restaurants, in federal district court in North Carolina. The lawsuit alleges that the chain refused to hire men for its front-of-house positions, such as server or bartender jobs, in violation of Title VII. On November 25, 2024, Battleground Restaurants moved to dismiss or strike an improperly named defendant. Battleground Restaurants argued that the EEOC’s pattern or practice claims are “insufficiently pled, conclusory, and not plausible on their face,” and that the EEOC failed to conduct a “reasonable investigation” or give “adequate notice” to Battleground Restaurants. On February 24, 2025, the court denied the defendant’s motion to dismiss, finding the EEOC complied with notice requirements, plausibly alleged a pattern or practice of disparate sex discrimination, and can properly include Battleground Restaurants as a defendant.
    • Latest update: On March 10, 2024, the defendants answered the complaint, denying the large majority of the plaintiff’s allegations, and asserted numerous defenses, including that the plaintiff failed to identify any male applicant who was not hired for a front-of-house position due to their sex, and that the defendants hired the best applicants without regard to their sex.
  • De Piero v. Pennsylvania State University, No. 2:23-cv-02281-WB (E.D. Pa. 2023): A white male professor sued his employer, Penn State University, claiming that university-mandated DEI trainings, discussions with coworkers and supervisors about race and privilege in the classroom, and comments from coworkers about his “white privilege” created a hostile work environment that led him to quit his job. He claimed that after he reported this alleged harassment and published an opinion piece objecting to the impact of DEI concepts in the classroom, the university retaliated against him by investigating him for bullying and aggressive behavior towards his colleagues. The plaintiff alleged harassment, retaliation, and constructive discharge in violation of Title VI, Title VII, Section 1981, Section 1983, the First Amendment, and Pennsylvania civil rights laws. On October 21, 2024, the defendants moved for summary judgment on the plaintiff’s hostile work environment claims. The defendants argue the plaintiff cannot show that he experienced discrimination based on his race because he was not required to attend any of the meetings about which he complains. Defendants also argue that the plaintiff cannot show respondeat superior liability for Penn State, and that his claim for punitive damages fails as a matter of law. On November 27, 2024, the plaintiff filed a response to the defendant’s motion for summary judgment arguing that the university “maintain[ed] a hostile environment based on pervasive racial dogma and race essentialism.” The plaintiff described various incidents that he claimed met the standard for “severe and pervasive harassment,” and also denied that his voluntary participation in the events and discussions at issue provided the defendants with an affirmative defense.
    • Latest update: On March 6, 2025, the court granted the defendant’s motion for summary judgment and dismissed the plaintiff’s hostile work environment claims. The court found the “severe or pervasive” elements of the hostile work environment claim dispositive. In particular, the court found that the behaviors complained of by the plaintiff, including “campus wide emails” pertaining to racial injustice, “being invited to review scholarly materials,” and “conversations about harassment levied by and against [the plaintiff],” could not reasonably be found to rise to the level of severe harassment. As to the “pervasive” conduct prong, the court explained that of the 12 incidents in the complaint, no “racist comment” was directed at the plaintiff and “only a few” involved actions that were directed at the plaintiff at all. The court concluded that this pattern of behavior could not reasonably be found to rise to the level of “pervasive.”
  • Gerber v. Ohio Northern Univ., No. 2023-1107-CVH (Ohio Ct. Common Pleas Hardin Cty. 2024): On June 30, 2023, a law professor sued his former employer, Ohio Northern University, for terminating his employment after an internal investigation determined that he bullied and harassed other faculty members. On January 23, 2024, the plaintiff, now represented by America First Legal, filed an amended complaint. The plaintiff claims that his firing was actually in retaliation for his vocal and public opposition to the university’s stated DEI principles and race-conscious hiring, which he believed were illegal. The plaintiff alleged that the investigation and his termination breached his employment contract, violated Ohio civil rights statutes, and constituted various torts, including defamation, false light, conversion, infliction of emotional distress, and wrongful termination in violation of public policy. On February 20, 2024, the defendants filed a motion for partial dismissal, arguing that the plaintiff’s termination was not against public policy because he was not an at-will employee, that all claims against university employees in their individual capacities should be dismissed, and that the plaintiff did not allege facts sufficient to support claims of breach, defamation, false light, or intentional infliction of emotional distress.
    • Latest update: On February 14, 2025, the plaintiff filed a motion for leave to move for partial summary judgment. The plaintiff argued there was no genuine dispute of material fact as to whether the university had breached his employment contract. On February 27, 2025, the court denied the defendant’s motion, finding that the “factual allegations are not so clear that [the d]efendants are entitled to individual dismissals.” On February 28, 2025, the court also denied the plaintiff’s motion for leave to seek partial summary judgment, finding the defendants were entitled to demonstrate there was “adequate cause” for terminating plaintiff’s employment.
  • Grande v. Hartford Board of Education et al., 3:24-cv-00010-JAM (D. Ct. 2024): On January 3, 2024, John Grande, a white male physical education teacher in the Hartford school district, filed suit against the Hartford School Board after allegedly being forced to attend mandatory DEI trainings. He claimed that he objected to the content of a mandatory professional development session focused on race and privilege, stating that he felt “white-shamed” after expressing his political disagreement with the training’s purposes and goals, and that he was thereafter subjected to a retaliatory investigation and was wrongfully threatened with termination. He claimed the school’s actions constitute retaliation and compelled speech in violation of the First Amendment. On February 5, 2025, the defendants filed a motion for summary judgment, arguing that the plaintiff’s objections to the trainings were made in the course of his official duties as a District employee and therefore were not protected by the First Amendment. They further argued that the District’s interest in effectively administering its professional development sessions outweighed the plaintiff’s speech interests.
    • Latest update: On March 5, 2025, the plaintiff filed an opposition to the defendant’s motion for summary judgment. The plaintiff argued that summary judgment is improper because material facts, such as whether the plaintiff was speaking as a private citizen about a matter of public concern and the nature of plaintiff’s statements, are in dispute. The plaintiff also argued that he sufficiently pled a First Amendment retaliation claim against the defendants.

3. Challenges to statutes, agency rules, and regulatory decisions:

  • Moe et al. v. Yost et al., No. 24AP-483 (Ohio App. Ct. Mar. 18, 2025): In March 2024, families of minor transgender adolescents in Ohio filed suit to challenge House Bill 68, which had banned gender-affirming pharmaceutical medical care for transgender adolescents. The state trial court found the law constitutional.
    • Latest update: On March 18, 2025, the Ohio Tenth District Court of Appeals reversed, holding that the ban on gender-affirming care violated the “constitutional freedom to choose health care” under the state’s Health Care Freedom Amendment, and that the law violated the “fundamental right” of parents “to seek medical care for their children.”
  • Chicago Women in Trades v. President Donald J. Trump, et al., No. 1:25-cv-02005 (N.D. Ill. 2025): On February 26, 2025, Chicago Women in Trades (CWIT), a non-profit organization, sued President Trump, challenging EO 14151 and EO 14173. CWIT alleges that, because of the orders, its federal grant funding was frozen and although the funding was restored following a temporary restraining order issued in another proceeding, “CWIT’s grants remain under threat of termination.” CWIT claims that these EOs violate principles of separation of powers, the First and Fifth Amendments, and the Spending Clause of the U.S. Constitution.
    • Latest update: On March 5, 2025, CWIT filed a motion for preliminary injunction to enjoin the defendants from enforcing and carrying out EOs 14151 and 14173. CWIT argues that the EOs violate the First and Fifth Amendments, Separation of Powers, and the Spending Clause.
  • National Association of Diversity Officers in Higher Education, et al., v. Donald J. Trump, et al., 25-cv-333 (D. Md. 2025): On February 3, the Mayor and City Council of Baltimore, the National Association of Diversity Officers in Higher Education, the American Association of University Professors, and the Restaurant Opportunities Centers United filed a complaint in the District of Maryland challenging two recent DEI-related EOs. The complaint raises six constitutional claims, including claims alleging that the orders violate the First Amendment, Fourteenth Amendment, Spending Clause, and separation of powers. The complaint sought a declaratory judgment that EO 14151 and EO 14173 are unconstitutional, as well as a preliminary injunction enjoining enforcement of these executive orders. On February 13, the plaintiffs filed a motion for a temporary restraining order, or, in the alternative, a preliminary injunction. On February 21, the district court preliminarily enjoined enforcement of key aspects of the orders.
    • Latest update: On March 10, 2025, the district court clarified that the injunction applies to all federal agencies. On March 14, 2024, a panel of the U.S. Court of Appeals for the Fourth Circuit temporarily stayed the preliminary injunction. Please see the Key Development summary above for additional detail.
  • Young Americans for Freedom et al. v. U.S. Department of Education et al., No. 3:24-cv-00163-PDW-ARS (D.N.D. 2024): On August 27, 2024, the University of North Dakota Chapter of Young Americans for Freedom (YAF) sued the U.S. Department of Education (DOE) over its McNair Post-Baccalaureate Achievement Program, a research and graduate studies grant program that supports incoming graduate students who are either low-income, first-generation college students or “member[s] of a group that is underrepresented in graduate education.” YAF alleges that the McNair program violates the Equal Protection Clause by restricting admission based on race. YAF requests, among other things, a preliminary injunction enjoining the DOE from enforcing all race-based qualifications for the McNair program. On September 4, 2024, YAF filed a motion for preliminary injunction, requesting that the court prevent the DOE from enforcing the racial and ethnic qualifications of the McNair program, and requiring the DOE to notify all participating institutions of higher education that they cannot impose or rely upon such classifications. On December 31, 2024, the court denied the plaintiff’s preliminary injunction motion and dismissed the case without prejudice for lack of subject matter jurisdiction, ruling that there was no Article III standing because the McNair Program is not exclusively administered by the Department of Education. On January 24, 2025, the plaintiffs filed a motion to alter or amend the judgment arguing that the court should have allowed the plaintiffs to amend their complaint instead of dismissing the case outright.
    • Latest update: On March 10, 2025, the Department of Education filed an opposition to the plaintiffs’ motion for reconsideration, arguing that the plaintiffs’ motion should be denied because they failed to identify “manifest error of fact or law” in the court’s decision or demonstrate exceptional circumstances warranting relief.
  • Nat’l Urban League et al., v. President Donald J. Trump, et al., No. 1:25-cv-00471 (D.D.C. 2025): On February 19, 2025, the National Urban League, National Fair Housing Alliance, and AIDS Foundation of Chicago sued President Donald Trump challenging EO 14151, EO 14168, EO 14173, and related agency actions, as ultra vires and in violation of the First and Fifth Amendments and the Administrative Procedure Act. The plaintiffs allege that these orders penalize them for expressing viewpoints in support of diversity, equity, inclusion, and accessibility, and transgender people. They also claim that, because of these orders, they are at risk of losing federal funding. The complaint seeks a declaratory judgment holding that the EOs at issue are unconstitutional, as well as a preliminary injunction enjoining enforcement of these EOs. On February 28, the plaintiffs filed a motion for a preliminary injunction.
    • Latest update: On March 5, 2025, Do No Harm, a non-profit organization, filed a motion to intervene as defendant, arguing that the plaintiffs’ challenge to the EOs directly threatens its mission of “ensuring that medicine is driven by scientific evidence rather than ideology and that professional opportunities are allocated based on merit” and its ability to protect its members from discrimination and other harms. On March 10, the plaintiffs filed their opposition to Do No Harm’s motion to intervene, arguing that Do No Harm lacks a legally protected interest in the case, lacks Article III standing, and has failed to rebut the presumption that the defendants adequately represent its interests. On March 12, 2025, the court denied Do No Harm’s motion to intervene without prejudice. The court found that Do No Harm may not intervene as a matter of right, as it has not shown that the government will inadequately represent Do No Harm’s interests. On March 17, 2025, the plaintiffs filed a reply in support of their motion for a preliminary injunction, arguing their claims meet standing requirements. The plaintiffs claim they are likely to succeed on the merits of their Fifth Amendment claim because the defendants have failed to explain numerous key terms that form the basis for the plaintiffs’ vagueness challenge. The plaintiffs further claim they are likely to succeed on the merits of their First Amendment claim because the EOs allegedly have seven provisions that violate the First Amendment.
  • State of California et al. v. U.S. Department of Education et al., No. 1:25-cv-10548 (D. Mass. 2025): On March 6, 2025, the states of California, Massachusetts, New Jersey, Colorado, Illinois, Maryland, New York, and Wisconsin (collectively, “the plaintiff states”) sued the U.S. Department of Education, alleging that it “arbitrarily” terminated previously awarded grants authorized by Congress under the Teacher Quality Partnership (TQP) and Supporting Effective Educator Development (SEED) programs. The plaintiff States argue that the termination of the grants violates the Administrative Procedure Act (APA) and seek declaratory and injunctive relief to vacate and set aside the termination of all previously awarded grants under the TQP and SEED programs.
    • Latest update: On March 6, the plaintiff States filed a motion for a temporary restraining order to enjoin the defendants from “implementing, giving effect to, maintaining, or reinstating under a different name the termination of any previously-awarded TQP and SEED grants.” The plaintiff States argued that the “abrupt and immediate” termination of the programs threatens “imminent and irreparable” harm. The motion highlighted the programs’ purpose to address a critical shortage of highly qualified and licensed K-12 teachers. The court granted the plaintiff States’ TRO request on March 10, 2025, finding that plaintiff States are likely to succeed on the merits of their claims that terminating the programs was arbitrary and capricious and adequately demonstrated that they would be irreparably harmed if temporary relief were not granted, and that the balance of the equities weighs heavily in favor of granting the TRO. The TRO requires the Department of Education to immediately restore the grants to the pre-existing status quo and enjoins it from implementing, maintaining, or reinstating the terminations. On March 17, 2025, the defendants filed a memorandum in opposition to the plaintiffs’ motion for a preliminary injunction, arguing that plaintiffs have not shown they are likely to succeed on the merits nor have they suffered any irreparable harm. The defendants claim they would be the ones suffering irreparable harm if the plaintiffs’ preliminary injunction is granted because government funds would be spent that cannot be recouped. The defendants also claim the court lacks jurisdiction to review the Department of Education’s decisions on how to allocate funds because the APA does not permit judicial review of “agency action” that “is committed to agency discretion by law.”

4. Title VI Discrimination:

  • Do No Harm v. American Chemical Society, No. 1:25-cv-0638 (D.D.C. 2025): On March 5, 2025, Do No Harm filed a suit against The American Chemical Society (ACS) in the U.S. District Court for the District of Columbia. The complaint alleges that ACS operates a program for Black, Hispanic, and indigenous applicants (“the ACS Scholars Program”) that excludes white and Asian applicants, thereby violating federal anti-discrimination laws. Do No Harm argues that the program’s racial criteria are not narrowly tailored to serve a compelling interest and that the ACS, as a recipient of federal financial assistance, is subject to Title VI’s prohibition against racial discrimination. Do No Harm seeks declaratory and injunctive relief, as well as nominal damages.
    • Latest update: The docket does not yet reflect that the defendant has been served.

Legislative Updates:

On February 21, seven Republican members of the West Virginia House introduced House Bill 2795, which would withhold state funds from private entities that contravene “substantial public policies” of the state. The law would penalize a wide range of activities, including “[p]roviding any form of funds, financial aid, or benefits to an employee seeking to obtain an abortion” or gender-reassignment surgery; offering, requiring, hosting, or allowing trainings where any representative “states that there are more than two genders”; permitting “biological men to enter into any women’s restroom in a facility leased or owned by the private entity”; and, similarly, permitting “biological women to enter into any men’s restroom.” Related to DEI, the bill would withhold funds from private entities “[o]ffering, requiring, hosting, conducting, or allowing any [DEI] training session, class, program, seminar, speech, presentation, or similar meeting” or a training where a representative “makes a negative statement about a particular race, ethnicity, color, ancestry, or nationality”; considering race in employment decisions; requiring employees to engage in DEI programs; employing individuals “whose duties include” DEI programming; having policies designed to “influence the composition of its workforce” or any other policy implemented “on the basis of race, sex, ancestry, color, or national origin, except as required by federal law”; and from taking adverse actions based on an “employee’s political, social, or religious beliefs.” The law would withhold funds from any entity that promotes theories of “unconscious or implicit bias, cultural appropriation, allyship, transgenderism, microaggressions, microinvalidation, group marginalization, systemic oppression, structural racism or inequity, social justice, intersectionality, neopronouns, inclusive language, heteronormativity, gender identity or theory, privileged status based on race, color, ancestry, ethnicity, national origin, or sex.” The bill provides that the state Attorney General may enforce these limitations and directs the Attorney General to set up an anonymous whistleblower system. It also provides a private right of action to employees required to participate in any prohibited activity.

On February 20, Representative Don McLaughlin (R) of the Texas House of Representatives introduced House Bill 3075, which would withhold state funding from public and private entities engaged in “restricted ideological programs.” A “restricted ideological program” is one that “supports, promotes, or is aligned with” any of the following: “initiatives, theories or policies that seek to alter social institutions through identity-based conflict”; advocacy related to “redistribution of resources based on perceived societal inequalities”; equity initiatives seeking “equal outcomes rather than equal opportunities based on demographic factors”; “nonbiological” definitions of gender and “policies supporting gender transition”; assertions that “gender identity is independent of biological sex”; theories assigning “privilege, oppression, or identity based primary on racial categorization”; and policies that prioritize “demographic representation over merit-based evaluation.” The bill provides for a civil penalty “not to exceed the amount of state money that the entity has received” if an entity “knowingly misrepresents” its activities to receive state funds. The bill also establishes a State Funding Integrity Review Division, which it directs to review all state-funded grants, contracts, and awards and to develop a “vetting process.” The bill does not apply retroactively to contracts entered into or renewed before the law’s effective date.


The following Gibson Dunn attorneys assisted in preparing this client update: Jason Schwartz, Mylan Denerstein, Zakiyyah Salim-Williams, Cynthia Chen McTernan, Zoë Klein, Cate McCaffrey, José Madrid, Jenna Voronov, Emma Eisendrath, Kristen Durkan, Simon Moskovitz, Teddy Okechukwu, Beshoy Shokralla, Heather Skrabak, Maryum Asenuga, Angelle Henderson, Janice Jiang, Kameron Mitchell, Lauren Meyer, Chelsea Clayton, Maya Jeyendran, Albert Le, Allonna Nordhavn, Felicia Reyes, Godard Solomon, Laura Wang, and Ashley Wilson.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following practice leaders and authors:

Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group
Washington, D.C. (+1 202-955-8242, [email protected])

Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group
Los Angeles (+1 213-229-7107, [email protected])

Mylan L. Denerstein – Partner & Co-Chair, Public Policy Group
New York (+1 212-351-3850, [email protected])

Zakiyyah T. Salim-Williams – Partner & Chief Diversity Officer
Washington, D.C. (+1 202-955-8503, [email protected])

Molly T. Senger – Partner, Labor & Employment Group
Washington, D.C. (+1 202-955-8571, [email protected])

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

We are pleased to provide you with Gibson Dunn’s ESG update covering the following key developments during February 2025. Please click on the links below for further details.

I.  GLOBAL

  1. 2025 proxy voting updates reflect a less prescriptive approach to director diversity

Institutional Shareholder Services (ISS), Glass Lewis, and institutional investors State Street, BlackRock, and Vanguard released updates to their proxy voting policies for 2025 with implications for how investors intend to analyze director diversity.

  • ISS announced that it will no longer consider board gender and racial/ethnic diversity in its vote recommendations for the election of directors at U.S. companies in light of developments relating to diversity, equity, and inclusion practices. Instead, ISS will evaluate director vote recommendations based on other criteria in its Benchmark and Specialty voting guidelines, such as independence, accountability, and responsiveness.
  • Glass Lewis issued a Supplemental Statement on Diversity Considerations at U.S. Companies (the Supplemental Statement) that modifies its approach to board diversity effective March 10, 2025. Glass Lewis will continue to apply existing policies, including its diversity expectations for boards (generally expecting 30% gender diversity and at least one director from an underrepresented community) and its expectation that companies disclose individual or aggregate demographic information for directors. The Supplemental Statement emphasizes, however, that existing policies are based on market practice and “operate on a ‘comply or explain’ basis,” so for companies that do not meet these expectations, Glass Lewis will consider any company disclosures relating to “rationale or context regarding the composition of [companies’] boards,” including any disclosure related to challenges resulting from the “US legal and policy environment.” Moving forward, the Supplemental Statement indicates that when recommending votes against a director related to diversity, Glass Lewis will offer clients two recommendations: “one that applies [the] Benchmark Policy approach as articulated in [the] 2025 Benchmark Policy Guidelines for the US Market, and one that does not consider gender or underrepresented community diversity as part of the recommendation.”
  • State Street’s policy removes numerical diversity targets and does not indicate that State Street may take negative voting action on board diversity, instead stating that “nominating committees are best placed to determining the most effective board composition and we encourage companies to ensure that there are sufficient levels of diverse experiences and perspectives represented in the boardroom.”
  • BlackRock’s policy removes numerical diversity targets and expectations relating to disclosure of the board’s approach to diversity, but BlackRock may still vote against the nominating committee members of S&P 500 companies if they are an outlier relative to “market norms,” noting that 98% of S&P 500 firms have 30% or greater diversity.
  • Vanguard’s revised policy softens its approach to board diversity but continues to highlight the need for a “sufficient breadth of skills, experience, perspective, and personal characteristics (such as age, gender, and/or race/ethnicity) resulting in cognitive diversity” and seeks disclosure of both the “range of skills, background, and experience” of each board member as well as “an understanding of the directors’ personal characteristics to enable shareholders to understand the breadth of a board’s composition.” Vanguard also may vote against a nominating committee chair if board composition or related disclosure is inconsistent with market norms.

II.  UNITED KINGDOM

  1. UK Government publishes National Biodiversity Strategy and Action Plan for 2030

On February 26, 2025, the UK Government published the National Biodiversity Strategy and Action Plan for 2030—the “Blueprint for Halting and Reversing Biodiversity Loss”—in support of its commitment to the UN COP15 biodiversity framework. The framework commits the UK to achieving all 23 of the Kunming-Montreal Global Biodiversity Framework targets.

  2. Financial Conduct Authority (FCA) publishes update on extending sustainability disclosure requirements (SDR) to portfolio managers

On February 14, 2025, the FCA updated its webpage for Consultation Paper CP24/8 on extending the SDR and investment labelling regime to portfolio management. The FCA has announced it no longer intends to publish a policy statement in Q2 2025. The FCA acknowledged that the consultation feedback from CP24/8 highlighted that it is taking longer than expected for some asset managers to comply with the SDR and labelling regime, and the potential impact of this on portfolio managers. This consultation follows the publication of Consultation Paper CP22/20 and corresponding Policy Statement PS23/16 on SDR and investment labels, which introduced a package of measures for fund managers. The FCA indicated it will continue to reflect on the feedback received and will provide further information in due course.

  3. UK Emissions Trading Scheme (UK ETS) updates

On February 12, 2025, the UK Government launched a consultation on extending the UK ETS beyond the end of Phase I at midnight on December 31, 2030. The consultation proposes options and seeks views on extension into a second phase and the length of such extension, and whether to allow banking of emissions allowances between the two phases. The consultation closes on April 9, 2025.

On February 5, 2025, the UK Government published the Greenhouse Gas Emissions Trading Scheme (Amendment) (No. 2) Order 2025 together with the explanatory memorandum. The Order, which came into force on March 3, 2025, amends legislation that gives effect to the UK ETS. The Order amends the start of the second allocation period for stationary installations from 2026 to 2027, making 2026 a standalone year, and provides for the calculation of free allocation in 2026. In addition, the Order introduces three technical and operational amendments to the scheme regarding data publication (requiring the UK ETS authority to publish full details of transactions between accounts in the registry after a three-year delay to promote transparency), data sharing (by adding limited exceptions to the prohibition on disclosure of UK ETS data to support the development and implementation of related policies and statutory functions of the Climate Change Committee), and extending the ultra-small emitter eligibility criteria so that installations with low emission levels that started operations between January 2, 2021 and January 1, 2024 can apply to be classed as ultra-small emitters during the period 2026 through 2030.

  1. Financial Reporting Council (FRC) announces UK Stewardship Code (Code) signatories ahead of consultation closure

On February 11, 2025, the FRC announced there are now 297 signatories to the Code, representing £52.3 trillion in assets under management, including 199 asset managers, 77 asset owners, and 21 service providers. The FRC’s consultation, which closed on February 19, 2025, was launched on November 1, 2024 to review proposals to amend the Code with a focus on streamlining reporting requirements and reducing the burden on signatories. As reported in our November 2024 ESG Update, the key proposals include: (i) a revised definition of stewardship that emphasizes the need to create long-term sustainable value for clients and beneficiaries as a key outcome of good stewardship; (ii) a reordered and streamlined reporting process, including a new process for FRC evaluations that will focus on activities and outcomes rather than ongoing policies; (iii) two sets of Principles, one for asset owners and asset managers, and the other for service providers; and (iv) new guidance to support effective implementation and help signatories with the transition to the new reporting arrangements. Following the consultation, the FRC plans to publish an updated Code that will come into effect in 2026. Submission of reports in 2025 should continue to be in accordance with the 2020 Code.

  1. FRC publishes final report on recommendations for the sustainability assurance market

On February 5, 2025, the FRC published its findings from the market study into the assurance of sustainability reporting—“Assurance of Sustainability Reporting Market Study: Final Report.” The report builds on the FRC’s Emerging Findings report published on October 15, 2024. The FRC has recommended three key actions to support the market’s development: (a) to establish a clear UK policy framework for sustainability assurance that aligns with international frameworks where appropriate; (b) to create a unified regulator consolidating standard setting, oversight, enforcement, and market monitoring; and (c) to improve the quality of available information on sustainability assurance.

  1. UK Government relaunches mission-led Net Zero Council (Council)

On February 5, 2025, the UK Government relaunched the Council, in support of the Clean Energy Superpower Mission—with a plan to help sectors accelerate to net zero. The Council’s main functions will be to provide expert input on government net zero strategies, to drive decarbonization by convening and supporting senior leaders of high emitting businesses, and to engage the public by acting as communicators to the wider business community and advocates for climate action. This initiative aligns with the Plan for Change to create jobs and economic opportunities.

  1. FRC publishes thematic review of climate-related financial disclosures by AIM and large private companies

On January 21, 2025, the FRC published its thematic review of climate-related financial disclosures by AIM and large private companies. The review analyzes the first cycle of filings by in-scope entities under the mandatory reporting requirements of the Companies Act 2006. The thematic review concluded that preparers had endeavored to meet the reporting requirements; however, the quality of reporting was inconsistent across the sample (20 UK companies). The publication summarizes examples of good practice and indicates areas that preparers can improve on as reporting against these requirements matures in subsequent years.

III.  EUROPE

  1. First Omnibus Simplification Package (Omnibus Package) proposes to scale back sustainability reporting and due diligence obligations

On February 26, 2025, the European Commission presented the Omnibus Package, which proposes significant amendments to the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD). For a detailed analysis, please see our Client Alert.

  1. EU Commission proposes to simplify investment regulations to boost public and private investment

As part of the Omnibus Package, the European Commission also proposed simplifying the InvestEU Programme Regulation and the European Fund for Strategic Investments Regulation to reduce administrative burdens for businesses and citizens while enhancing competitiveness (Omnibus II), among other changes. The suggested amendments include reducing the frequency and scope of certain reports and exempting small final recipients, such as small and medium enterprises (SMEs), from specific rules. These measures are expected to save approximately EUR 350 million, with a particular benefit for SMEs. In addition, the proposal aims to boost investment capacity by around EUR 50 billion through a EUR 2.5 billion increase in the EU guarantee and the combined use of resources from three legacy programs. This is expected to drive growth and innovation in key sectors such as clean tech, digitalization, and sustainable infrastructure.

  1. EU Commission launches “Clean Industrial Deal”

On February 26, 2025, the European Commission published its proposal for the “Clean Industrial Deal” to accelerate decarbonization and boost clean technology industries. Among other things, the proposal includes a newly launched Action Plan on Affordable Energy to lower energy costs for industries, businesses, and households, while promoting the transition to a low-carbon economy. Furthermore, the Commission aims to increase demand for EU-made clean products by introducing sustainability, resilience, and “made in Europe” criteria in public and private procurements as part of the new Industrial Decarbonisation Accelerator Act. The Clean Industrial Deal also strives to increase access to financing by proposing an Industrial Decarbonisation Bank with a EUR 100 billion funding target and the adoption of a new Clean Industrial Deal State Aid Framework.

  1. EU will introduce new recycling rules for fashion brands and cut down food waste

Following the initial proposal to revise the EU’s Waste Framework Directive in July 2023, EU lawmakers finally reached a provisional agreement for an updated directive on February 19, 2025. The amended rules aim to reduce textile waste by asking companies to establish extended producer responsibility schemes that will ultimately require textile producers and fashion brands to pay for the collection and recycling of their clothing. The new law will apply to both EU companies and non-EU companies that place products on the EU market. In addition, EU lawmakers also agreed to introduce binding food waste reduction targets that need to be reached by December 31, 2030: 10% in food processing and manufacturing and 30% per capita in retail, restaurants, food services, and households. As a next step, the EU Parliament and the Council will need to formally adopt and endorse the agreement.

  1. EU Platform on Sustainable Finance (PSF) proposes to reduce EU taxonomy reporting burden

On February 5, 2025, the PSF, which advises the EU Commission on the development of sustainable finance policies, published its recommendations for reducing the EU Taxonomy reporting burden. The proposal aims to simplify compliance, improve data transparency, and ease administrative challenges for businesses while still maintaining sustainability goals. PSF suggested, in part, introducing a materiality principle applicable to all entities, defining clear guidelines for the use of estimates within the taxonomy framework, and refining the “do no significant harm” (DNSH) assessment. The latter was already taken up by the EU Commission in its Omnibus Package, which explicitly seeks to simplify the DNSH criteria.

  1. CSRD transposition

No countries transposed the CSRD in February. In light of the Omnibus Package, we expect that further implementation will be paused until the proposed directives are adopted by the EU Parliament and the Council. Furthermore, it should be taken into account that potential amendments to the CSRD would need to be transposed into national law as well. An overview of the current transposition status of CSRD into national laws can be found here.

IV.  NORTH AMERICA

  1. Science Based Targets initiative (SBTi) releases draft of new standard

On March 18, 2025, SBTi released the initial draft of its revised Corporate Net-Zero Standard to solicit feedback from businesses and other stakeholders. The revision’s goal is to align with the latest climate science and “ensure that th[e] standard continues to enable companies to set and deliver ambitious, science-based targets consistent with achieving net-zero emissions at the global level by 2050.” Among other changes, the revised standard includes the following: (i) separation of Scope 1 and Scope 2 targets (including to encourage low-carbon electricity targets), (ii) additional flexibility in setting Scope 3 targets (including options to set targets for green procurement and revenue generation, rather than emissions reductions, and a focus on emissions-intensive activities), (iii) opportunities to use carbon removal for unabated and residual emissions, (iv) a process to track and report progress against targets, and (v) streamlined requirements for medium-sized companies in developing markets and SMEs. The consultation period is open until June 1, 2025.

  1. Senate bill and letters from U.S. state officials and federal lawmakers regarding impacts of CSRD and CSDDD on U.S. businesses

On March 12, 2025, U.S. Senator Bill Hagerty introduced the draft Prevent Regulatory Overreach from Turning Essential Companies into Targets Act (Protect USA Act), a bill aimed at safeguarding U.S. businesses from the extraterritorial enforcement of foreign sustainability due diligence regulations. The draft bill would prohibit companies in strategic industries, particularly those involved in natural resource extraction and industrial production, including, notably, foreign subsidiaries of U.S.-based companies, from complying with foreign sustainability frameworks that exceed U.S. legal requirements. While the proposed bill explicitly refers to the CSDDD, which imposes extensive environmental and social due diligence obligations on companies operating or doing business in the EU, the wording of the bill suggests that other foreign sustainability regulations, such as the CSRD, could also be covered. It also proposes to penalize persons who take adverse actions, related to a foreign sustainability due diligence regulation, against entities integral to the national interests of the United States, creating a private right of action against any person who violates this prohibition. Because the bill has been introduced in the Senate, it will likely require approval by 60 Senators to overcome a potential filibuster.

Twenty-one state officials sent a letter to President Trump on February 25, 2025, asking the United States Trade Representative to investigate CSRD, CSDDD, and related directives under Section 301 of the Trade Act of 1974 and “consider the impact of these directives as part of any overarching trade initiatives” with the EU. The state officials claim that EU sustainability directives are overreaching and burdensome to U.S. economic interests. Similarly, in a letter dated February 26, 2025, Senate Banking Committee Chairman Tim Scott and four other Republican lawmakers urged the U.S. Department of Treasury and National Economic Council to “support European calls to indefinitely pause CSDDD,” to find that its “extraterritorial application is untenable and detrimental to global productivity” and that civil liability under CSDDD should be removed, and to clarify that “U.S. companies are not bound by net zero transition plans akin to those imposed on EU firms.”

  1. U.S. Environmental Protection Agency (EPA) set to reconsider 2009 endangerment finding on greenhouse gases

As part of his executive order titled “Unleashing American Energy,” President Trump directed the Administrator of the EPA to submit recommendations “on the legality and continuing applicability of” the EPA’s 2009 endangerment finding. The endangerment finding declared that greenhouse gases pose a threat to public health and welfare and serves as the basis for EPA greenhouse gas regulations under the Clean Air Act. On March 12, 2025, as part of a larger EPA announcement of the “greatest and most consequential day of deregulation in U.S. history,” new EPA administrator Lee Zeldin recommended reconsideration of the endangerment finding and the regulations that rely on it, signaling the potential deregulation of greenhouse gas emissions at the federal level.

For further details on the EPA’s deregulatory actions and the effect on the regulatory environment for light- and heavy-duty motor vehicles and off-road engines, see our recent Client Alert.

  1. Texas judge upholds Biden Administration Labor Department ESG fiduciary rule

In a memorandum opinion and order issued on February 14, 2025, the U.S. District Court for the Northern District of Texas held that the U.S. Department of Labor’s rule allowing fiduciaries to consider ESG and other collateral factors as a tiebreaker when deciding between competing investment options does not violate the Employee Retirement Income Security Act of 1974 (ERISA). This rule was finalized by the Biden Administration’s Labor Department in 2022 and overturned 2020 guidance from the Trump Administration that restricted the consideration of non-pecuniary factors such as ESG in investment decisions. Specifically, the court found that the rule remains valid under the Loper Bright ruling, which reversed Chevron deference, because the rule “does not permit a fiduciary to act for other interests than the beneficiaries’ or for other purposes than the beneficiaries’ financial benefit.”

  1. Litigation related to freeze on distribution of federal funds

Under the “Unleashing American Energy” executive order, President Trump also directed the federal government to halt the disbursement of funds appropriated through the Inflation Reduction Act and the Infrastructure Investment and Jobs Act. In response, Pennsylvania Governor Josh Shapiro, along with Pennsylvania agencies such as the Pennsylvania Department of Environmental Protection, filed a lawsuit on February 13, 2025 claiming that federal agencies are unlawfully restricting these agencies from accessing Congressionally-appropriated federal funds in violation of Constitutional separation of powers.

Separately, in response to a January 27 memorandum from the U.S. Office of Management and Budget that instituted a near-total federal funding freeze, 22 states, the District of Columbia, and the governor of Kentucky sought and were granted a temporary restraining order blocking the federal funding freeze, which was extended indefinitely through a preliminary injunction on March 6, 2025.

  1. Coalition of 22 state attorneys general challenges New York’s Climate Change Superfund Act

On February 11, 2025, 22 state attorneys general filed a lawsuit challenging New York’s Climate Change Superfund Act (Superfund Act). The Superfund Act, described in our December 2024 ESG Update, was signed into law last December and imposes strict liability on fossil fuel companies for greenhouse gas emissions, requiring these companies to contribute a total of $75 billion to a climate resilience fund through 2050. The lawsuit argues that the Superfund Act violates the federal constitution, the New York constitution, and federal law. Specifically, among other claims, the suit alleges that the Superfund Act violates the Supremacy Clause of the U.S. Constitution because it is preempted by the Clean Air Act and violates the dormant Commerce Clause of the U.S. Constitution because it targets energy producers headquartered in other states by imposing “clearly excessive penalties.”

Vermont passed a similar law in May 2024 that has also been the subject of litigation. In that case, plaintiffs allege similar claims, including that the state law is preempted by the federal Clean Air Act.

  1. District court dismisses two claims in litigation challenging California’s climate disclosure laws

As covered in our January 2024 ESG Update, in Chamber of Commerce v. California Air Resources Board, the U.S. Chamber of Commerce, California Chamber of Commerce, and other business and trade organizations are challenging California’s Senate Bill No. 253 (SB 253) and Senate Bill No. 261 (SB 261), which require greenhouse gas emissions reporting and climate-related risk reporting for large companies doing business in California. On February 3, 2025, the U.S. District Court for the Central District of California granted California’s motion to dismiss two of the plaintiffs’ three claims, those relating to the Supremacy Clause and the Dormant Commerce Clause of the U.S. Constitution.

The court dismissed both claims as they relate to SB 253 without prejudice, holding that there were no justiciable claims because SB 253 does not impose requirements on plaintiffs or the companies they represent but instead directs the California Air Resources Board to adopt implementing regulations. As to SB 261, the first dismissed claim centered on whether the laws are invalid extraterritorial regulations under the Dormant Commerce Clause. The court did not find SB 261 to be discriminatory as to out-of-state competitors and dismissed this claim without prejudice. The second dismissed claim argued that the laws were preempted by the federal Clean Air Act under the Supremacy Clause. The court dismissed this claim with prejudice, holding that plaintiffs did not identify a federal law or Constitutional provision that preempts SB 261’s disclosure requirement or supports the assertion that, by requiring disclosure, SB 261 regulates emissions and should be preempted.

The sole remaining claim alleges that the laws violated the First Amendment of the federal Constitution. On February 25, plaintiffs requested a preliminary injunction based on this remaining claim.

  1. Introduction of new state-level climate laws

Several states, including Colorado, Illinois, Maine, New Jersey, and New York, have introduced new climate disclosure bills that generally would require companies with more than $1 billion in annual revenues to report their Scope 1, 2, and 3 greenhouse gas emissions, similar to California’s SB 253. New York has also introduced a bill requiring disclosure of climate-related financial risk, similar to California’s SB 261. In addition, California and Illinois have each introduced bills that would create a private cause of action for individuals and businesses harmed by climate disasters, allowing them to bring suit against a “responsible party,” which is generally an entity engaging in misleading practices in connection with fossil fuel products (for purposes of California’s bill) or an entity that emitted a product with total greenhouse gas emissions of at least one billion metric tons of carbon dioxide (for purposes of Illinois’s bill). Each of these bills has been assigned to a committee and thus has yet to be voted upon by the respective state legislatures.

In case you missed it…

The Gibson Dunn Workplace DEI Task Force has published its updates for February summarizing the latest key developments, media coverage, case updates, and legislation related to diversity, equity, and inclusion, including dedicated alerts describing:

  • a lawsuit filed by the State of Missouri against Starbucks alleging that Starbucks is violating state and federal anti-discrimination laws;
  • potential DEI directive enforcement insights from an Office of Personnel Management memorandum; and
  • the injunction against significant aspects of anti-DEI executive orders.

More information on executive orders and other announcements from the White House is available in our White House Executive Order Tracker. A collection of our analyses of the legal and industry impacts from the presidential transition is available here.

V. APAC

  1. Hong Kong Monetary Authority shares ESG-related insights on 2025/26 Budget and issues guidance on climate-related risk management

On February 27, 2025, the Hong Kong Monetary Authority (HKMA) shared its insights on the upcoming 2025/26 fiscal budget where it highlighted plans for new government bond issuances aimed at raising funds for green infrastructure and other sustainable finance initiatives. In the same month, the HKMA also issued the Adoption Practice Guide on Greentech in the Banking Sector, which requires banks to integrate climate risk factors into their credit and market risk models, enhance internal controls, and improve the disclosure of climate-related financial risks. These initiatives are part of the Hong Kong Government’s broader effort to integrate fiscal policy with sustainability objectives, driving the transition toward a resilient, low-carbon economy.

  1. Hong Kong Mandatory Provident Fund Schemes Authority tightens ESG disclosure standards for pension fund managers

On February 24, 2025, the Hong Kong Mandatory Provident Fund Schemes Authority (MPFA) introduced stricter ESG disclosure rules for 12 major Hong Kong pension fund managers. The new guidelines require managers to clearly detail their ESG investment strategies and risk management processes in their communications, consistently measure ESG factors, and report ESG achievements in their annual governance reports. According to the MPFA, these changes affect 47 ESG-related funds managing assets worth HK$36.6 billion (~US$4.71 billion).

  1. China releases framework for sovereign green bonds

On February 20, 2025, China’s Ministry of Finance introduced a framework for sovereign green bonds, enabling offshore issuance and global investment in China’s green initiatives. Funds raised will support eligible green projects in the central fiscal budget, targeting climate change mitigation, pollution control, resource protection, and biodiversity preservation. The initiative seeks to expand high-quality green bond offerings and attract international capital to bolster China’s low-carbon development.

  1. China accelerates reform to market-based renewable energy pricing

On February 10, 2025, China announced a significant reform to its renewable power pricing system. The National Development and Reform Commission and the National Energy Administration issued a joint notice to transition from a fixed pricing system to a market-based pricing system. This reform focuses on three key aspects: allowing market forces to determine pricing, establishing a sustainable pricing and settlement mechanism, and adopting differentiated policies for existing and new projects. The new policy aims to accelerate the construction of a modern power system and ensure the sustainable development of renewable energy.

  1. Hong Kong sets 2025 priorities for sustainable finance

On February 6, 2025, the Green and Sustainable Finance Cross-Agency Steering Group, established by the Hong Kong financial regulators, published its three priorities to advance sustainable finance in Hong Kong. These include enhancing sustainability disclosure by supporting ISSB Standards and developing an assurance framework, strengthening Hong Kong’s role as a sustainable finance hub by expanding the Hong Kong Taxonomy and advancing carbon trading, and leveraging data and technology through the launch of the Hong Kong Green Fintech Map and improvements to public sustainability data tools.

  1. New Zealand Parliament debates “anti-ESG” bill

On or around February 4, 2025, a controversial Financial Markets (Conduct of Institutions) Amendment (Duty to Provide Financial Services) Amendment Bill was introduced in the New Zealand Parliament seeking to prevent registered banks from refusing to provide banking services on ESG grounds. The bill specifies that a bank must not withdraw or refuse to provide services “except for commercial reasons” and creates an offense that provides for fines of up to NZ$500,000 for each offense.


The following Gibson Dunn lawyers prepared this update: Lauren Assaf-Holmes, Susy Bullock, Carla Baum, Alexa Bussmann, Mitasha Chandok, Becky Chung, Mellissa Duru, Ferdinand Fromholzer, Michelle Kirschner, Julia Lapitskaya, Vanessa Ludwig, Babette Milz, Johannes Reul, Meghan Sherley, Helena Silewicz*, and QX Toh.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s ESG: Risk, Litigation, and Reporting practice group:

ESG: Risk, Litigation, and Reporting Leaders and Members:
Susy Bullock – London (+44 20 7071 4283, [email protected])
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, [email protected])
Perlette M. Jura – Los Angeles (+1 213.229.7121, [email protected])
Ronald Kirk – Dallas (+1 214.698.3295, [email protected])
Julia Lapitskaya – New York (+1 212.351.2354, [email protected])
Michael K. Murphy – Washington, D.C. (+1 202.955.8238, [email protected])
Robert Spano – London/Paris (+33 1 56 43 13 00, [email protected])

*Helena Silewicz is a trainee solicitor in London and not admitted to practice law.

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

On March 19, 2025, the staff of the U.S. Securities and Exchange Commission (the SEC Staff) updated its Marketing Compliance Frequently Asked Questions with respect to the Advisers Act Marketing Rule[1] (the Marketing Rule) to issue new interpretive guidance (the FAQ) significantly easing requirements with respect to the presentation of gross and net investment performance.

In particular, the SEC Staff indicated that (i) it is no longer necessary to show net performance on an investment-by-investment basis, and (ii) certain other “portfolio characteristics” do not need to be presented on both a gross and net basis; in each case so long as certain parameters are met.

(i) Net Performance Need not be Shown at the Investment Level (with Certain Caveats):

Following the adoption of the Marketing Rule and a subsequent FAQ in which the SEC Staff indicated that net performance is required to be presented for individual investments or groups of investments extracted from a single portfolio (collectively, Extracted Performance) where gross performance is shown, sponsors have struggled to comply with this requirement, frustrated by the fact that fees and expenses are primarily charged at the fund (not investment) level. The SEC Staff’s new guidance reverses this position, permitting sponsors to present performance information the way that many did prior to the Marketing Rule’s adoption, with Extracted Performance displayed only on a gross basis, provided it is displayed alongside fund-level gross and net returns. The following parameters must be met when displaying Extracted Performance on a gross but not net basis:

    1. The Extracted Performance must be clearly identified as gross performance.
    2. The Extracted Performance must be accompanied by the total portfolio’s gross and net performance.
    3. Gross and net performance of the total portfolio must be presented with at least equal prominence to, and in a manner designed to facilitate comparison with, the Extracted Performance.
    4. Gross and net performance of the total portfolio must be calculated over a period that includes the entire period over which the Extracted Performance is calculated.

We note that the requirement to show net performance with equal prominence to gross performance still applies to the performance of groups of investments extracted from multiple portfolios that is considered “hypothetical performance” (i.e., any performance results that were not actually achieved), as well as targeted and projected returns.

The FAQ raises the question of how sponsors should handle individual investment performance in case studies designed to spotlight certain investments on one page of a pitchbook or quarterly report, or investment-level performance of pre-fund investments (which may have been structured as single asset vehicles), which sponsors may wish to aggregate with other pre-fund investments to show how such investments would have performed had they been part of a hypothetical fund/investment program.

While a more conservative reading of the Marketing Rule and the FAQ would suggest that fund-level gross and net performance should be included on the same page as any case study showcasing an investment’s individual gross performance, footnote 6 of the FAQ helpfully clarifies: “In the staff’s view, the gross and net performance of the total portfolio does not need to be presented on the same page of the advertisement as the extracted performance, provided that the presentation facilitates comparison between the gross and net performance of the total portfolio and the extracted performance. For example, in the staff’s view, presenting the gross and net performance of the total portfolio prior to the extracted performance in the advertisement could also facilitate such comparisons and help ensure they are presented with at least equal prominence to the performance of the extract.” This guidance gives sponsors actionable steps with which they can comply, and suggests that organizing a private placement memorandum or pitchbook with the full track record first, followed by individual case studies, will likely be acceptable under the current guidance. However, sponsors must continue to be mindful of the Marketing Rule’s general “fair and balanced” requirement whenever individual investment returns are presented.

As it relates to investments made prior to the commencement of an actual fund, if a sponsor shows any such investments in a series, the Marketing Rule generally requires that they show all related investments (in other words, no highlighting only home runs), and in the absence of a fund to show “fund-level” performance, our view is that it likely remains necessary to show investment-level net performance (including applicable fees, which should be footnoted to highlight that they may not be comparable to those charged by the fund).

If a sponsor seeks to aggregate performance from pre-fund investments into a hypothetical fund, such performance should be clearly labeled as hypothetical, and counsel should be consulted to draft appropriate disclosure regarding all calculations and assumptions made, to discuss the presentation of investment-level and “fund”-level returns, and to confirm that all relevant performance has been included.

(ii) “Portfolio Characteristics” Need not Show Net Performance (with Certain Caveats):

In addition, the SEC Staff stated in an FAQ titled “Portfolio or Investment Characteristics” that certain presentations of gross “portfolio characteristics” (e.g., yield, coupon rate, contribution to return, volatility, sector or geographic returns, attribution analyses, the Sharpe ratio, the Sortino ratio, and other similar metrics)[2] do not need to be accompanied by a net equivalent, so long as:

    1. The gross characteristic is clearly identified as being calculated without the deduction of fees and expenses.
    2. The characteristic is accompanied by a presentation of the total portfolio’s gross and net performance consistent with the requirements of the Marketing Rule.
    3. The total portfolio’s gross and net performance is presented with at least equal prominence to, and in a manner designed to facilitate comparison with, the gross characteristic; and
    4. The gross and net performance of the total portfolio is calculated over a period that includes the entire period over which the characteristic is calculated.

Sponsors utilizing such metrics should consult with counsel to determine appropriate footnotes but no longer need to attempt (sometimes impossible) calculations in an effort to generate a “net performance” number associated with them.

We note that the recent FAQ did not withdraw the SEC Staff’s previous February 6, 2024 FAQ guidance on showing net unlevered performance, described in our prior client alert on the subject. In that FAQ, the SEC Staff advised, among other things, that private fund sponsors that wish to exclude the impact of subscription credit facilities when showing a gross internal rate of return in their performance track records must also exclude such impact when showing the corresponding net internal rate of return.

[1] Rule 206(4)-1 under the Investment Advisers Act of 1940, as amended.

[2] The SEC Staff clarified in FN 8 of the FAQ that this list does not include “total return, time-weighted return, return on investment (RoI), internal rate of return (IRR), multiple on invested capital (MOIC), or Total Value to Paid in Capital (TVPI), regardless of how such metrics are labelled in the advertisement.”


The following Gibson Dunn lawyers prepared this update: Kevin Bettsteller, Greg Merz, and Shannon Errico.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding the issues and considerations discussed above. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Investment Funds practice group, or the authors:

Investment Funds Contacts:
Kevin Bettsteller – Century City (+1 310.552.8566, [email protected])
Albert S. Cho – Hong Kong (+852 2214 3811, [email protected])
Candice S. Choh – Los Angeles (+1 310.552.8658, [email protected])
Shannon Errico – New York (+1 212.351.2448, [email protected])
John Fadely – Singapore (+65 6507 3688, [email protected])
A.J. Frey – Washington, D.C./New York (+1 202.887.3793, [email protected])
Shukie Grossman – New York (+1 212.351.2369, [email protected])
James M. Hays – Houston (+1 346.718.6642, [email protected])
Kira Idoko – New York (+1 212.351.3951, [email protected])
Gregory Merz – Washington, D.C. (+1 202.887.3637, [email protected])
Eve Mrozek – New York (+1 212.351.4053, [email protected])
Roger D. Singer – New York (+1 212.351.3888, [email protected])
Edward D. Sopher – New York (+1 212.351.3918, [email protected])
C. William Thomas, Jr. – Washington, D.C. (+1 202.887.3735, [email protected])
Kate Timmerman – New York (+1 212.351.2628, [email protected])

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

On March 12, 2025, the Securities and Exchange Commission (SEC) issued a no-action letter that establishes a clear path to compliance with the “accredited investor” verification steps required to engage in general advertising and solicitation in reliance on the private placement safe harbor set forth in Rule 506(c) of Regulation D under the Securities Act of 1933.

I.   Overview

The letter makes Rule 506(c) a more attractive option for private fund sponsors by eliminating the need to obtain intrusive documentation from investors who meet minimum investment thresholds and give certain representations, although broadly marketing a private fund continues to present certain challenges that the letter does not address.

II.   Rule 506(c)

Generally speaking, offerings of securities must be registered with the SEC and/or relevant states unless an exemption is available.  Rule 506(c), adopted in 2013, provides one such exemption from registration that, unlike the more commonly used Rule 506(b) safe harbor, permits sponsors to offer fund interests using general advertising and solicitation so long as they “take reasonable steps to verify that purchasers of securities sold in any offering…are accredited investors.”  Compliance with this requirement has been daunting, because the accredited investor verification methods prescribed to date have required sponsors to obtain and review extensive personal financial information from many investors prior to sale, or a written confirmation from certain third-party professionals that the investor is accredited.

III.   The Letter

The no-action letter seeks to address this problem by confirming that, so long as the following conditions are met, a sponsor will be deemed to have taken reasonable steps to verify that a prospective investor is an accredited investor for purposes of Rule 506(c):

  1. The sponsor must obtain written representations that the prospective investor (a) is an accredited investor and (b) is not specifically financing, in whole or in part, the minimum investment amount;
  2. The prospective investor’s minimum investment amount, which may be in the form of a binding capital commitment, must be:
    (a) at least $200,000 for natural persons; or
    (b) at least $1,000,000 for legal entities.[1]
  3. The sponsor must not have actual knowledge of any facts indicating that a prospective investor is not an accredited investor or that a prospective investor has used third-party financing specifically to make their investment.

IV.   Analysis & Key Takeaways

While the no-action letter provides much-needed clarity with respect to complying with the Rule 506(c) accredited investor verification requirement, there are a number of considerations that sponsors should keep in mind when deciding whether to utilize general advertising and solicitation for a fundraise:

  • The letter has no bearing on the limitations imposed by the exemptions from registration under the Investment Company Act of 1940, including the requirement that private funds (other than certain real estate funds relying on the Section 3(c)(5)(C) exemption) cap investors who are not “qualified purchasers” at 100. The letter could, however, prompt sponsors to explore permanent capital vehicles that are registered under the Investment Company Act, and accordingly not subject to this limitation, but rely on Rule 506(c) to avoid the significant cost and burden of Securities Act registration.
  • For sponsors who are SEC-registered investment advisers, the provisions of the Investment Advisers Act of 1940 continue to apply, including the requirement that investors in Section 3(c)(1) funds (not more than 100 beneficial owners) must be “qualified clients” in order to charge them performance-based compensation, and the marketing rule, which, among other things, would impose heightened scrutiny on public-facing advertisements that contain “hypothetical performance” (e.g., targeted or projected returns).
  • Sponsors who plan to seek investments from outside the U.S. must be careful not to run afoul of any applicable “world sky” private placement regimes, including the Alternative Investment Fund Managers Directive in the European Economic Area, by broadly marketing a fund through, for example, a globally accessible website or social media account.
  • While the various exemptions available under Regulation D are non-exclusive, once the general advertising and solicitation bell has been “rung,” so to speak, it generally cannot be “unrung.” The use of Rule 506(c) could, for instance, preclude a fund from subsequently relying on the “statutory exemption” under Section 4(a)(2) of the Securities Act, which prohibits broad marketing activity.  This could be particularly problematic in a situation where a sponsor is disqualified from relying on the Rule 506 safe harbors for certain “bad acts,” as Section 4(a)(2) likely would be the only avenue available to maintain the private placement status of a given fund offering absent a waiver from the SEC.

[1] For an entity that is an accredited investor solely on the basis that its beneficial owners are accredited investors, the minimum investment amount is at least $1,000,000, or $200,000 for each beneficial owner if owned by fewer than five natural persons (and written representations described above should be obtained for each natural person beneficial owner).


The following Gibson Dunn lawyers prepared this update: Kevin Bettsteller and Zane Clark.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding the issues and considerations discussed above. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Investment Funds practice group, or the authors:

Investment Funds Contacts:
Kevin Bettsteller – Century City (+1 310.552.8566, [email protected])
Albert S. Cho – Hong Kong (+852 2214 3811, [email protected])
Candice S. Choh – Los Angeles (+1 310.552.8658, [email protected])
Shannon Errico – New York (+1 212.351.2448, [email protected])
John Fadely – Singapore (+65 6507 3688, [email protected])
A.J. Frey – Washington, D.C./New York (+1 202.887.3793, [email protected])
Shukie Grossman – New York (+1 212.351.2369, [email protected])
James M. Hays – Houston (+1 346.718.6642, [email protected])
Kira Idoko – New York (+1 212.351.3951, [email protected])
Gregory Merz – Washington, D.C. (+1 202.887.3637, [email protected])
Eve Mrozek – New York (+1 212.351.4053, [email protected])
Roger D. Singer – New York (+1 212.351.3888, [email protected])
Edward D. Sopher – New York (+1 212.351.3918, [email protected])
C. William Thomas, Jr. – Washington, D.C. (+1 202.887.3735, [email protected])
Kate Timmerman – New York (+1 212.351.2628, [email protected])
Zane Clark – Washington, D.C. (+1 202.955.8228, [email protected])


Madrigal v. Hyundai Motor Am., S280598 – Decided March 20, 2025

The California Supreme Court today unanimously held that a plaintiff who refuses a settlement offer under Code of Civil Procedure section 998 but later accepts a less favorable offer before trial will generally be liable for statutory cost-shifting that applies to parties who reject settlement offers and end up with less favorable outcomes.

“Section 998(c)(1) . . . places the task of obtaining a more favorable judgment on a plaintiff who does not accept a valid 998 offer.  It requires cost shifting if the plaintiff does not do so.  There is no requirement in the statute that the case be resolved by trial in order to penalize a nonaccepting offeree for continuing the case after a superior offer was properly made.”

Justice Corrigan, writing for the Court

Background:

Section 1032 of the Code of Civil Procedure generally entitles the prevailing party in a lawsuit to recover its litigation costs, including attorneys’ fees when authorized by statute.  Section 998 provides an exception to this general framework when a plaintiff rejects or does not timely accept a settlement offer by the defendant under section 998 and then “fails to obtain a more favorable judgment or award.”  Cal. Code Civ. Pro. § 998(c)(1).  In such cases, the plaintiff is not entitled to recover its postoffer litigation costs and must pay some or all of the defendant’s postoffer costs.

Oscar and Audrey Madrigal sued Hyundai, alleging that their Elantra suffered from various issues that their local dealership couldn’t repair.  Hyundai soon offered to settle the case for about $55,000 plus attorney fees.  The Madrigals did not accept the offer.  But eventually, on the first day of trial, the parties settled for $39,000.  After the Madrigals moved to recover their attorneys’ fees and costs, Hyundai invoked section 998 and argued that they were not entitled to recover fees and costs incurred after the date of the $55,000 settlement offer because they ultimately agreed to settle the case for less than that.

The trial court ruled that section 998 did not apply because the case was resolved via a pretrial settlement, not a trial.  But the Court of Appeal reversed in a divided opinion, holding that the Madrigals were not exempt from section 998’s cost-shifting provisions.

Issue Presented:

Do section 998’s cost-shifting provisions apply to a plaintiff who rejects a section 998 settlement offer but later agrees to a lower settlement before trial?

Court’s Holding:

Yes.  Whenever a plaintiff rejects a section 998 offer and then “fails to obtain a more favorable judgment or award”—whether at trial or through a pretrial settlement—section 998(c)(1) overrides the general rule that prevailing plaintiffs are entitled to recover their costs.

What It Means:

  • Section 998 appears relatively straightforward but has been difficult in practice for parties and courts to apply.  This latest decision from the California Supreme Court removes uncertainty about the scope of the statute and clarifies that it applies equally to pretrial settlements (which are far more common than jury verdicts).
  • As the Court observes, its opinion will have the “likely result that parties, knowing that section 998 cost shifting can apply absent a different and agreed-upon allocation, will deal with the issue of costs in their settlement agreements.”
  • The Court’s expansive interpretation of section 998 will likely provide further incentive for plaintiffs to accept reasonable section 998 settlement offers so they are not later punished for obtaining a less favorable result via a pretrial settlement.

The Court’s opinion is available here.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the California Supreme Court. Please feel free to contact the following practice group leaders:

Appellate and Constitutional Law Practice

Thomas H. Dupree Jr.
+1 202.955.8547
[email protected]
Allyson N. Ho
+1 214.698.3233
[email protected]
Julian W. Poon
+1 213.229.7758
[email protected]
Kahn A. Scolnick
+1 213.229.7656
[email protected]
Bradley J. Hamburger
+1 213.229.7658
[email protected]
Michael J. Holecek
+1 213.229.7018
[email protected]

Related Practice: Litigation

Theodore J. Boutrous, Jr.
+1 213.229.7804
[email protected]
Theane Evangelis
+1 213.229.7726
[email protected]

This alert was prepared by Daniel R. Adler, Ryan Azad, Matt Aidan Getz, and James Tsouvalas.

Gibson Dunn’s DEI Task Force is available to help clients understand what these and other expected policy and litigation developments will mean for them and how to comply with new requirements.

On March 19, 2025, the Equal Employment Opportunity Commission (EEOC) issued guidance entitled “What You Should Know About DEI-Related Discrimination at Work,” which includes eleven questions and corresponding answers addressing the process for asserting a discrimination claim and the scope of protections under Title VII of the Civil Rights Act of 1964 (Title VII) as they relate to DEI programs.  The EEOC and the Department of Justice (DOJ) also released a joint one-page technical assistance document entitled “What To Do If You Experience Discrimination Related to DEI at Work,” which provides examples of “DEI-related discrimination” under Title VII and directs employees who “suspect [they] have experienced DEI-related discrimination” to “contact the EEOC promptly.”  As described in a press release the EEOC issued yesterday, these documents are designed “[t]o help educate the public about how well-established civil rights rules apply to employment policies, programs, and practices—including those labeled or framed as ‘DEI.’”

The EEOC’s longer question-and-answer guidance explains the process for bringing Title VII claims and discusses the scope of Title VII, including the categories of individuals it protects and the aspects of employment it governs.

The guidance explains that “Title VII protects employees, applicants, and training or apprenticeship program participants,” and “also may apply to interns.”  The guidance emphasizes that “Title VII’s protections apply equally to all workers” regardless of whether they are part of a minority group.  The EEOC states that it “does not require a higher showing of proof for so-called ‘reverse’ discrimination claims,” in reference to Ames v. Ohio Department of Youth Services (No. 23-1039), in which the Supreme Court is poised to consider whether “majority-group” plaintiffs must meet a “heightened” evidentiary standard for discrimination claims.  The guidance explains that in the EEOC’s view, “there is no such thing as ‘reverse’ discrimination; there is only discrimination.”

In response to the question “When is a DEI initiative, policy, program, or practice unlawful under Title VII?” the guidance states that an employment action “may be unlawful” if it is “motivated—in whole or in part—by race, sex, or another protected characteristic.”  It broadly defines potentially unlawful DEI initiatives as, among other things, programs that involve “[a]ccess to or exclusion from training (including training characterized as leadership development programs)”; “[a]ccess to mentoring, sponsorship, or workplace networking / networks”; “[i]nternships (including internships labeled as ‘fellowships’ or ‘summer associate’ programs)”; and “[s]election for interviews, including placement or exclusion from a candidate ‘slate’ or pool.”  As to what may constitute an adverse action, the EEOC cites to Muldrow v. City of St. Louis, Missouri, et al., 144 S. Ct. 967, 974 (2024), to reiterate that workers bringing discrimination claims “only need to show ‘some injury’ or ‘some harm’ affecting their ‘terms, conditions, or privileges’ of employment,” and that “terms [or] conditions” should be “interpreted broadly.”

The guidance also addresses the unlawful “segregation” of employees, including in the context of employee resource and affinity groups.  For example, the EEOC notes that employers may not “separate workers into groups based on” protected characteristics “when administering DEI or any trainings [or] workplace programming,” even if the separate groups “receive the same programming content or amount of employer resources.”  The guidance further notes that “unlawful segregation can include limiting membership in workplace groups, such as Employee Resource Groups (ERG), Business Resource Groups (BRGs), or other employee affinity groups, to certain protected groups.”  The guidance instructs that employers should instead make all trainings and workplace networks open to all employees.

The guidance further provides that employers may not “justify taking an employment action based on race, sex, or another protected characteristic because the employer has a business necessity or interest in ‘diversity,’ including preferences or requests by the employer’s clients or customers.”  The EEOC states that “business interests in diversity and equity” have never “been found by the Supreme Court or the EEOC to be sufficient to allow race-motivated employment actions.”

Finally, the guidance addresses DEI-related training and suggests that such trainings “may” create a hostile work environment if there is evidence that the “training was discriminatory in content, application, or context.”  The guidance further suggests opposing such trainings may constitute protected activity under Title VII “if the employee provides a fact-specific basis for his or her belief that the training violates Title VII.”

The shorter guidance document released yesterday—What To Do If You Experience Discrimination Related to DEI at Work—shares much of the same information in a one-page guidance document jointly authored by the EEOC and the DOJ.


The following Gibson Dunn lawyers prepared this update: Jason Schwartz, Greta Williams, Cynthia Chen McTernan, Naima Farrell, Zoë Klein, Anna McKenzie, Cate McCaffrey, Albert Le, and Godard Solomon.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s DEI Task Force or Labor and Employment practice group:

Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group,
Washington, D.C. (+1 202.955.8242, [email protected])

Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group,
Los Angeles (+1 213.229.7107, [email protected])

Mylan L. Denerstein – Partner & Co-Chair, Public Policy Group,
New York (+1 212.351.3850, [email protected])

Zakiyyah T. Salim-Williams – Partner & Chief Diversity Officer,
Washington, D.C. (+1 202.955.8503, [email protected])

Naima L. Farrell – Partner, Labor & Employment Group,
Washington, D.C. (+1 202.887.3559, [email protected])

Cynthia Chen McTernan – Partner, Labor & Employment Group,
Los Angeles (+1 213.229.7633, [email protected])

Molly T. Senger – Partner, Labor & Employment Group,
Washington, D.C. (+1 202.955.8571, [email protected])

Greta B. Williams – Partner, Labor & Employment Group,
Washington, D.C. (+1 202.887.3745, [email protected])

Zoë Klein – Of Counsel, Labor & Employment Group,
Washington, D.C. (+1 202.887.3740, [email protected])

Anna M. McKenzie – Of Counsel, Labor & Employment Group,
Washington, D.C. (+1 202.955.8205, [email protected])


A new Connected Vehicles Rule has arrived and with it, new requirements for supply chain due diligence for auto manufacturers and importers.

As of March 17, 2025, a final rule[1] prohibiting the import and sale of certain connected vehicles and key components, including Vehicle Connectivity Systems (VCS) and Automated Driving Systems (ADS), has officially taken effect (the “Connected Vehicles Final Rule” or “Final Rule”).  Issued by the U.S. Department of Commerce’s Office of Information and Communications Technology and Services (OICTS) within the Bureau of Industry and Security (BIS), the Connected Vehicles Final Rule applies to hardware and software products made in, or incorporating parts or technology sourced from, Russia or China.

The Final Rule will significantly impact companies importing or manufacturing connected vehicles and related systems, particularly those with supply chains linked to China and Russia. The Final Rule addresses concerns about risks posed by certain autonomous and connectivity technologies from China and Russia, notably regarding the potential for unauthorized access to sensitive data and internal vehicle systems.  Compliance with this Final Rule, which introduces new declaratory and due diligence obligations, will require careful evaluation of hardware and software sourcing, potentially altering existing automotive supply chains.

I. Key Takeaways

Below we outline key takeaways and the near-term implications of the Connected Vehicles Final Rule.

  • Under the Final Rule, “VCS Hardware Importers” and “Connected Vehicle Manufacturers” (as defined below in Section III) will be prohibited from engaging in certain sale or import transactions involving VCS hardware and software and ADS software connected to Chinese-affiliated or Russian-affiliated companies for future model year vehicles.[2]
  • In addition, Connected Vehicle Manufacturers with a sufficient nexus to China or Russia will be prohibited from knowingly selling new connected vehicles that incorporate covered VCS hardware or software or ADS software in the United States, even if the vehicle was made in the United States.
  • Software-related prohibitions will take effect for model year 2027. Hardware-related prohibitions will take effect for model year 2030, or January 1, 2029, for units without a model year.  Prohibitions on the sale of connected vehicles by manufacturers with a sufficient nexus to China or Russia, even if manufactured in the United States, take effect for model year 2027.
  • In coming years, affected companies will need to submit a Declaration of Conformity for any imports of VCS or ADS software, or systems containing such software, involving foreign interests[3]—even a non-Chinese or non-Russian interest—at least once a year for each affected part or model year vehicle; conduct supply chain due diligence to ensure compliance with the Connected Vehicles Final Rule; and keep records of relevant transactions for up to 10 years.
  • The Final Rule applies only to passenger vehicles under 10,001 pounds, though BIS announced in its press release that a rule for commercial vehicles is forthcoming.[4]

The Final Rule was announced on January 14, 2025, and follows a Notice of Proposed Rulemaking (NPRM)[5] published by BIS on September 26, 2024, as well as an Advance Notice of Proposed Rulemaking (ANPRM)[6] published by BIS on March 1, 2024.  Authorized under Executive Order 13873, the Final Rule grants the Secretary of Commerce and his delegates the authority to mitigate “undue” or “unacceptable” risks to national security from information and communications technology and services transactions involving “foreign adversaries.”[7]  However, the specific prohibitions in the Connected Vehicles Final Rule are currently limited to China and Russia.[8]  BIS’s Compliance and Application Reporting System (CARS) webpage is currently live and accepting submissions from industry users for (1) Specific Authorization Applications, (2) Declarations of Conformity, and (3) Advisory Opinion Requests, which are discussed in greater detail below.  BIS has also issued several “Frequently Asked Questions” related to these topics.[9]

At a high level, the Final Rule broadly applies to connected vehicles that are “manufactured primarily for use on public streets, roads, and highways” with onboard technology that allows the vehicle to communicate with external networks.[10]  This includes on-road vehicles with onboard systems capable of communicating with external networks or devices via Bluetooth, cellular, satellite, or Wi-Fi.  Considering the ubiquity of this technology in modern cars, BIS initially anticipated in September’s NPRM that the Final Rule would cover essentially “all new vehicles sold in the United States”[11] after the Final Rule takes effect for model year 2030 vehicles.  However, in the Final Rule, BIS specified that vehicles not meeting the weight or passenger requirements for a “connected vehicle,” including recreational vehicles and agricultural equipment, would not be affected.[12]  BIS acknowledged that it will take time for manufacturers to evaluate and adjust their supply chains to comply with the Final Rule and accounted for this transition period through a staggered implementation model.

II. Policy Considerations Underlying the Final Rule

A. National Security Concerns

The U.S. government has long been concerned with the physical and information security risks posed by interference with autonomous vehicles (AVs) by foreign adversaries.  Increasingly, lawmakers have become concerned with advanced technology, including technology allowing for the remote control of a vehicle, because such technology could allow bad actors to take over steering or operation of a car.  AVs collect relatively advanced GPS and location data.  AV technology also relies on camera and visuospatial data collection, some of which may be processed outside the vehicle.  The NPRM specifically intended to address lawmakers’ concerns that if a foreign adversary were permitted to gain access to those data sources, it could collect and exfiltrate extensive video or photo data of sensitive locations like military bases and secure facilities (e.g., server farms or data warehouse locations), as well as personal data regarding driving habits and locations.[13]  The Final Rule is similarly aimed at preventing technology with such vulnerabilities from being used in cars sold on the U.S. market.

a. China

In the Final Rule, BIS expressed national security concerns with the use of Chinese hardware and software in U.S. connected vehicles, premised largely on China’s “military-civil fusion strategy.”[14]  In addition, BIS explained that Chinese laws require Chinese-registered companies to provide business information and other data to the Chinese government on request, regardless of their location.[15]

b. Russia

Though Russia has historically been less active in the global automotive industry, the Russian government has recently sought to revitalize its domestic auto manufacturing sector, with passenger vehicle sales projected to increase 15% in 2024 alone.[16]  The Russian government also employs a suite of laws that enable it to compel domestic companies with overseas operations to surrender data and similar operational assets gleaned through foreign ventures.[17]  For these reasons, BIS remains concerned that concerted efforts by the Russian government to develop the domestic Russian automotive industry, the growing U.S. electric vehicle (EV) market, and Russian resilience to Western sanctions and export control regimes increase the likelihood that Russia-linked connected vehicle technology will enter the U.S. connected vehicle supply chain and pose an undue or unacceptable risk to U.S. national security.[18]

B. Economic Competition

The Final Rule also appears motivated by efforts to promote the development of domestic EV and AV production, including technologies associated with those vehicles.  By prohibiting the importation of cars equipped with covered technology from China, the U.S. government has sought to promote the onshore development of that technology or, at least, sourcing that technology from markets other than China.  Because Chinese manufacturers dominate the EV battery market, this effort appears aimed at driving car companies out of China and stunting the growth of Chinese EV and AV industries.

Though domestic industry was not a focus of the Final Rule, the Final Rule dovetails with other Biden-era U.S. government measures, including the 2022 Inflation Reduction Act (IRA), which limited tax credits for consumer EVs that use batteries made in China,[19] and the Biden administration’s tariff increase on Chinese EVs from 25% to 100% under Section 301 of the Trade Act of 1974, which came into effect in September 2024.[20]

However, the transition to the Trump administration has somewhat altered the federal government’s approach to EVs.  While the Final Rule remains in place, President Trump has shown little interest in expanding the EV market or maintaining strong incentives for domestic EV production.  His administration has already begun rolling back Biden-era policies aimed at increasing EV uptake, including reviewing tax credits, freezing funding for charging infrastructure, and reconsidering the 2024 vehicle emissions rules, which sought to reduce tailpipe emissions by nearly 50% by 2032.[21]  These reversals represent a shift away from government-driven EV expansion.

That said, President Trump has maintained a hardline stance on limiting China’s role in the auto industry.  His administration has continued efforts to curb Chinese EV imports and reduce reliance on Chinese battery technology, primarily through expanded trade restrictions.  In February 2025, he imposed additional tariffs on Chinese imports, which also apply to EVs, reinforcing earlier tariff increases under the Biden administration.[22]  His administration has also considered implementing Section 232 tariffs on Chinese EV supply chain components, such as batteries and critical minerals, for national security reasons.[23]

On balance, despite his broader skepticism of government-backed EV policies, President Trump has highlighted American EV manufacturing as a demonstration of domestic industrial strength, emphasizing the importance of domestic production over reliance on foreign competitors.  This reflects a nuanced approach to EV policy, one that rejects federal incentives and emissions regulations but still prioritizes restricting China’s influence in the global auto industry.

C. Convergence of Regulatory Focus on Supply Chains

China is currently the dominant player in the battery market, with Chinese companies producing 80% of global EV batteries as of March 2025.[24]  Access to high-voltage batteries and battery technology is a necessary component of EV manufacturing and therefore critical to the expansion of the domestic EV market.  Major battery manufacturers in China have been identified as having continued ties to forced labor in the Xinjiang region of China.[25]  The Uyghur Forced Labor Prevention Act (UFLPA), which took effect in June 2022, prohibits import of “any goods, wares, articles, and merchandise mined, produced, or manufactured wholly or in part in the Xinjiang Uyghur Autonomous Region of the People’s Republic of China.”[26]  Although ICTS is not explicitly tasked with combatting forced labor, we assess that—just as with efforts to strengthen domestic manufacturing—the Final Rule nevertheless strengthens a constellation of efforts to deter the use of forced labor abroad, combat the corollary economic benefits to China and Chinese companies, and keep products made using forced labor from reaching our shores.

III. Key Provisions of the Final Rule

The Final Rule defines “Connected Vehicle” as any on-road vehicle that “integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.”[27]

Scope of Covered Parties.  The Final Rule applies to all “Connected Vehicle Manufacturers,” defined as a “U.S. person who (1) [m]anufactures or assembles completed connected vehicles in the United States for sale; (2) [i]mports completed connected vehicles for sale in the United States; and/or (3) [i]ntegrates ADS software on a completed connected vehicle for sale in the United States,”[28] as well as to “VCS Hardware Importers,” who are “U.S. person[s] who import (1) VCS hardware for further manufacturing, incorporation, or integration into a completed connected vehicle that is intended to be sold or operated in the United States or (2) VCS hardware that has already been installed, incorporated, or integrated into a connected vehicle, or a subassembly thereof, that is intended to be sold as part of a completed connected vehicle in the United States.”[29]

The Final Rule prohibits these Connected Vehicle Manufacturers and VCS Hardware Importers from importing into the United States vehicles with “Covered Software,” defined as “software-based components, including application, middleware, and system software in which there is a foreign interest, executed by the primary processing unit or units of an item that directly enables the function of the Vehicle Connectivity Systems or Automated Driving Systems at the vehicle level”—with limited exclusions.[30]

Changes in “Covered Software” Definition.  Based on public comments on the Proposed Rule, BIS changed its definition of “Covered Software,” narrowing its scope from software that “supports” the function of Vehicle Connectivity Systems and Automated Driving Systems to software that “directly enables” these systems.[31]  Software subcomponents, including “legacy codes” designed, developed, or supplied before March 17, 2026, are excluded from the definition of “Covered Software,” provided they are not modified or maintained by entities controlled by foreign adversaries after that date.  This exclusionary period—introduced in response to industry concerns—aims to prevent sudden market disruptions and provide the affected parties with additional time to adapt to the new requirements.

Changes in the Definition of VCS.  VCS includes any “hardware or software item installed in or on a completed connected vehicle that directly enables the function of transmission, receipt, conversion, or processing of radio frequency communications at a frequency over 450 megahertz,” such as Bluetooth, cellular, satellite, or Wi-Fi connections as well as microcontrollers and/or modules enabling such functions.[32]  BIS excluded certain common hardware and software components[33] with limited connectivity capabilities from the definition based on the reasoning that they do not pose as significant a risk as initially anticipated.

Changes in the Definition of ADS.  ADS includes “hardware and software that, collectively, are capable of performing the entire dynamic driving task for a completed connected vehicle on a sustained basis, regardless of whether it is limited to a specific operational design domain.”[34]  Notably, the Final Rule only applies to systems that allow a vehicle to operate autonomously at Levels 3 and above of automation (per SAE International standards).[35]  Systems classified as Levels 0 to 2 (e.g., cruise control, lane keeping assistance program) do not qualify as ADS because they rely on the driver making decisions while operating the vehicle and require the driver’s engagement and attention to do so.[36]

Changes in the Definition of a “Person Owned by, Controlled by, or Subject to the Jurisdiction or Direction of a Foreign Adversary.”  The Final Rule establishes specific standards for determining whether a party has a covered connection to a foreign adversary and is, therefore, subject to the prohibitions of the Final Rule.  If any of the following criteria are met, the person is considered “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary”:

  1. Any person, wherever located, who acts as an agent, representative, or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary;
  2. Any person, wherever located, who is a citizen or resident of a foreign adversary or a country controlled by a foreign adversary, and is not a United States citizen or permanent resident of the United States;
  3. Any corporation, partnership, association, or other organization with a principal place of business in, headquartered in, incorporated in, or otherwise organized under the laws of a foreign adversary or a country controlled by a foreign adversary; or
  4. Any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary, to include circumstances in which any person identified [above] possesses the power, direct or indirect, whether or not exercised, through the ownership of a majority or a dominant minority of the total outstanding voting interest in an entity, board representation, proxy voting, a special share, contractual arrangements, formal or informal arrangements to act in concert, or other means, to determine, direct, or decide important matters affecting an entity.[37]

Most notably, U.S. and EU-based companies with joint ventures, subsidiaries, or affiliates incorporated in a foreign adversary may also fall within the above definition, though as noted previously, the prohibitions in the Final Rule are limited to “persons owned by, controlled by, or subject to the jurisdiction or direction of” China and Russia.  Vehicle manufacturers, importers, and exporters operating subsidiaries in these jurisdictions should conduct a thorough risk assessment to ensure compliance with the Final Rule.

Additionally, BIS clarified that in determining whether VCS hardware or connected vehicles that incorporate Covered Software are “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of [China] or Russia,” BIS will not make its determination “based solely on the country of citizenship of one or more natural persons who are employed by, contracted by, or otherwise similarly engaged in such actions through the entity designing, developing, manufacturing, or supplying the hardware.”[38]  Therefore, companies will need to undertake a careful analysis of their supply chains to determine when a supplier does or does not qualify as “owned by, controlled by, or subject to the jurisdiction or direction of” China or Russia.

The first model year to be impacted by the regulations will be model year 2027, which provides auto manufacturers and their suppliers only a brief time to map their supply chains and, when necessary, locate and qualify alternate suppliers, not linked to China or Russia, for VCS and ADS software systems (the related hardware prohibitions come into effect for subsequent model years).[39]

Advisory Opinions.  The Final Rule also establishes an advisory opinion process to allow VCS Hardware Importers and Connected Vehicle Manufacturers to obtain guidance from BIS on whether a prospective transaction may be prohibited.[40]  Such requests may be submitted via the CARS webpage and must involve actual (not hypothetical) transactions and disclose the proposed parties to the transaction.

IV. Timing and Implementation

Based on the understanding that it will take time for Connected Vehicle Manufacturers and VCS Hardware Importers to evaluate and adjust their supply chains to comply with the new regulations, BIS has established the following timeline for when the prohibitions will take effect:

  • Model Years 2027–2029 vehicles: Connected Vehicle Manufacturers are prohibited from knowingly importing into and selling within the United States connected vehicles containing Covered Software designed, developed, manufactured, or supplied by persons linked to China or Russia. This includes completed connected vehicles that incorporate covered VCS or ADS software designed, developed, manufactured, or supplied by “persons owned by, controlled by, or subject to the jurisdiction or direction of [China] or Russia,” regardless of whether the vehicles are manufactured or assembled in the United States.[41]
  • Model Year 2030 vehicles or, for hardware not associated with a vehicle model year, as of January 1, 2029: Connected Vehicle Manufacturers are prohibited from knowingly importing VCS hardware or connected vehicles containing VCS hardware designed, developed, manufactured, or supplied by “persons owned by, controlled by, or subject to the jurisdiction or direction of [China] or Russia,” or knowingly selling the same within the United States.[42]

While BIS may have intended the staggered effective dates of the new prohibitions for different model years, and the focus on software first, to be less disruptive for industry, we note that the software affected by the rule’s earliest implementation date can be highly specific to the hardware on which VCS and ADS systems rely to gather and process relevant sensor data.  Connected Vehicle Manufacturers will likely need to review and modify their software and hardware in tandem in order to be in a position to continue importing their cars and ADS and VCS systems, parts, and components by mid-2026.

V. Compliance Obligations

The Final Rule imposes three additional compliance measures: (1) Declarations of Conformity, (2) recordkeeping, and (3) supply chain due diligence requirements.

  1. Declarations of Conformity: The Final Rule requires VCS Hardware Importers and Connected Vehicle Manufacturers to submit Declarations of Conformity to BIS at least 60 days prior to the first import or sale of items associated with a particular vehicle model or calendar year, beginning with model year 2027.[43]  Declarations of Conformity will be required annually thereafter and whenever a VCS Hardware Importer or Connected Vehicle Manufacturer discovers a “material change” to the information conveyed in a previously submitted Declaration of Conformity.[44]  Such material change updates must be submitted within 60 days of the discovery of the change, and the obligation remains ongoing until 10 years after submission of the original Declaration of Conformity.[45]
    1. Submission Procedures: The Declaration of Conformity form is accessed and submitted through BIS’s CARS webpage.[46] OICTS recommends the prioritization of Declarations of Conformity for covered software transactions “due to the separate implementation timelines for the covered software and VCS hardware prohibitions.”[47]  A Declaration of Conformity may incorporate assessments produced by third parties as long as the assessment is disclosed.[48]  If a previously submitted Declaration of Conformity remains accurate the following year, Connected Vehicle Manufacturers and VCS Hardware Importers may submit a confirmation that associates the relevant new model year vehicles to an existing Declaration of Conformity.[49]  After the submission of a Declaration of Conformity, OICTS will only follow up directly if additional information is required.[50]
    2. VCS Hardware Importers: Prior to import of items for the covered model year vehicles described above, VCS Hardware Importers are required to submit a Declaration of Conformity for all VCS hardware not otherwise prohibited outlining, inter alia, detailed item information, due diligence efforts undertaken to ensure compliance with this rule, and third-party external endpoints to which the VCS hardware connects.[51]  After considering public comments, BIS will no longer require the submission of Hardware Bills of Materials (HBOMs)[52] to support Declarations of Conformity.[53]  However, BIS will require entities to maintain primary business records supporting their certification that they conducted adequate supply chain due diligence, which could include HBOMs.[54]
    3. Connected Vehicle Manufacturers: Connected Vehicle Manufacturers will be required to submit a Declaration of Conformity for the covered model year vehicles described above prior to import that includes, inter alia, information on the make, model, and trim of the group of completed vehicles and any “Covered Software” contained within the completed vehicles.[55]  BIS requires Connected Vehicle Manufacturers to keep documentation supporting these Declarations as well, which may be in the form of Software Bills of Materials (SBOM).[56]  Notably, BIS makes clear that Declarations of Conformity are not required if “the only foreign interest in a transaction [with respect to the “Covered Software” contained within the vehicle] arises from a foreign person’s equity ownership of a U.S. person, whether through public shares or otherwise.”[57]
  2. Recordkeeping: Under the Final Rule, VCS Hardware Importers and Connected Vehicle Manufacturers will be obliged to maintain all primary business records related to the execution of each transaction for which Declarations of Conformity and authorizations have been sought for a minimum of 10 years after the date of submission. These records must be furnished on demand to BIS.[58]  As described above, while HBOMs and SBOMs are not required to support a Declaration of Conformity, they can nevertheless be useful for this purpose where they are available.
  3. Due Diligence: The Final Rule requires companies to undertake due diligence of their entire supply chain, including third-party suppliers and contractors.  To support this endeavor, the Final Rule provides that companies may optionally use a qualified third-party assessor to ensure compliance, though in certain cases, the use of a third-party assessor will be mandated in the terms of an approved specific authorization (as described below).[59]  BIS provides the following minimum guidelines for third-party assessors, which may also be illustrative in understanding how BIS would audit the due diligence efforts of covered VCS Hardware Importers and Connected Vehicle Manufacturers:
    1. Identify the suppliers of each relevant component and describe the nature of any foreign interest;
    2. Describe the methodology undertaken, including the policies and other documents reviewed, personnel interviewed, and any facilities, equipment, or systems examined;
    3. Describe the effectiveness of the VCS hardware importer or connected vehicle manufacturer’s corporate policies related to compliance with this rule;
    4. For VCS Hardware Importers or Connected Vehicle Manufacturers conducting transactions under the auspices of a general authorization or specific authorization, describe any vulnerabilities, or deficiencies in the implementation of the authorization; and
    5. Recommend any improvements or changes to policies, practices, or other aspects to maintain compliance with this subpart, as applicable to each transaction.[60]

VI. General and Specific Authorizations

General Authorizations.  BIS may issue General Authorizations for certain types of transactions otherwise prohibited, considering any information it deems relevant and appropriate.[61]  OICTS will publish General Authorizations on its website and in the Federal Register as they are issued and will maintain a repository of previously issued General Authorization Letters for public reference.[62]  If it is unclear whether a particular transaction is authorized under a General Authorization, industry users may request an Advisory Opinion from OICTS through a submission on the CARS webpage.[63]  OICTS will issue an Advisory Opinion to the requestor within 60 days of receipt unless otherwise specified.[64]  For transactions authorized by a General Authorization, the submission of a Declaration of Conformity for that transaction is not required.[65]

Specific Authorizations.  BIS also may, at its discretion, issue Specific Authorizations on a case-by-case basis in response to applications submitted through the CARS webpage by affected parties and will consider both the import’s risk factors and proposals that the applicant offers to implement to mitigate such risks.[66]  OICTS encourages requestors to include in their Specific Authorization applications as many details and materials as possible to demonstrate any nexus with China and/or Russia as it relates to covered software and VCS hardware, as well as mitigation measures the company has implemented or intends to implement.[67]  Similar to its recommendation for Declarations of Conformity, OICTS advises that applicants prioritize Specific Authorizations for covered software transactions “due to the separate implementation timelines for the covered software and VCS hardware prohibitions.”[68]

The Final Rule establishes that BIS will respond to applicants, in most cases, with an update within 90 days of the initial application.[69]  While reviewing a Specific Authorization application, OICTS may request additional information, including an oral briefing.[70]  As a condition to granting a Specific Authorization, OICTS may “require unique terms” regarding compliance, auditing, or verification requirements to “mitigate any risk arising from the otherwise prohibited transaction.”[71]  Generally, Specific Authorizations will be approved for no less than one model year.[72]

VII. Penalties

Violations under the Final Rule are punishable by civil and criminal penalties under the International Emergency Economic Powers Act (IEEPA).[73]  Civil penalties under IEEPA consist of monetary fines up to $377,700 per violation (an amount adjusted annually for inflation) or twice the value of the transaction, whichever is greater.[74]  In case of willful violation, criminal penalties can reach up to a fine of $1,000,000, and if the violator is a natural person, the criminal penalty is either imprisonment for no more than 20 years, or both a fine and imprisonment.[75]

VIII. Impact of the Final Rule

The Final Rule requires auto manufacturers and importers to carefully and thoroughly review their supply chains and due diligence processes.  As explained above, the Final Rule takes a staggered approach—it imposes a narrower set of obligations beginning with model years 2027–2029 (applying only to VCS and ADS connected software) and expands to include hardware for model year 2030 and beyond (at which point the Final Rule will apply to both software and hardware).  This staggered approach is intended to allow manufacturers and importers time to comply with the more onerous and comprehensive obligations for model years 2030 and beyond.  Even so, the initial model year 2027 obligations are substantial and will implicate hardware design by default.  Auto manufacturers have little more than 18 months to undertake the following:

1. Identify which parts will be affected by the Final Rule.

As described above, for model years 2027–2029, the Final Rule prohibits the importation or sale of connected vehicles equipped with covered VCS or ADS connected software designed, developed, manufactured, or supplied by certain persons linked to China or Russia.  For model year 2030 and forward, the Final Rule expands to include both VCS or ADS software and hardware designed, developed, manufactured, or supplied by certain persons linked to China or Russia.

Sophisticated hardware used in VCS and ADS technologies often takes years, potentially decades, to develop, and software is often built around specific hardware.  This means that even though the Final Rule regulates only software for model years 2027–29, in reality, modifications to software may also affect hardware compatibility and require manufacturers to source new hardware long before the model year 2030 deadline.  Accordingly, it is imperative that manufacturers start to understand how their supply chain may be affected by the Final Rule now.

2. Evaluate and document sourcing for all affected parts.

Manufacturers should endeavor to identify from where all components for affected parts are sourced and collect documentation detailing the same.  If not in place already, manufacturers should ask sourcing entities to guarantee in writing that no relevant products in their supply chain come from “persons owned by, controlled by, or subject to the jurisdiction or direction of” China or Russia.[76]  Collecting relevant documentation will be critical to comply with the Final Rule’s requirement that manufacturers submit Declarations of Conformity to BIS, starting with model year 2027 vehicles.

3. Source and replace affected software and hardware or related components.

At present, a significant portion of technology supporting internet or Bluetooth connectivity in the United States is imported from China, including many hardware and software components.  This means that (a) manufacturers will likely be required to replace at least some components in their supply chain for VCS and ADS hardware and software if they wish to continue importing vehicles containing these items into the United States, (b) manufacturers may have trouble sourcing these items from entities outside of China given China’s current dominance, and (c) suppliers outside of China may be inundated with similar requests and may not be able to keep up with the increased demand, resulting in supply chain delays.  Ultimately, given these constraints, some vehicles that were in the supply chain pipeline for the U.S. market may no longer be releasable, causing delays for U.S. consumers hoping for access to cutting edge vehicles.  Acting early is essential to ensuring that these changes will not cause disruptions to customers, damage brand loyalty, or harm manufacturers’ and importers’ fiscal interests.

4. Implement or bolster compliance protocols.

The Final Rule will require that manufacturers maintain records related to Declarations of Conformity and authorizations for a minimum of 10 years after the date of submission.  Similarly, manufacturers will be expected to continually evaluate from where VCS and ADS hardware and software are sourced.  Manufacturers should be prepared to bolster or implement sourcing controls and recordkeeping protocols to ensure compliance with the Final Rule.

Gibson Dunn remains ready to assist parties in preparing for these changes, including supply chain diligence, sourcing documentation, preparing required declarations, and evaluating and fortifying your compliance programs and controls.

[1] Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles, 90 Fed. Reg. 5,360 (Jan. 16, 2025) [hereinafter Connected Vehicles Final Rule] (codified at 15 C.F.R. § 791.300 et seq.).

[2] This includes all Chinese and Russian companies involved in the connected vehicle supply chain (not merely automobile manufacturers), as well as their foreign affiliates.  See 15 C.F.R. § 791.301.

[3] 90 Fed. Reg. at 5,382 (“[A] foreign interest can include, but is not limited to, an interest through ownership of the item itself, intellectual property present in the item, a contractual right to use, update, or otherwise impact the property, (e.g., ongoing maintenance commitments, any license agreement related to the use of intellectual property), profit-sharing or fee arrangement linked to the property, as well as any other cognizable interest.”). However, as discussed herein, Declarations of Conformity will not be required “if the only foreign interest in a transaction arises from a foreign person’s equity ownership of a U.S. person, whether through ownership of public shares or otherwise.”  15 C.F.R. § 791.305(l).

[4] Press Release, BIS, Commerce Finalizes Rule to Secure Connected Vehicle Supply Chains from Foreign Adversary Threats, BIS Press Release (Jan. 14, 2025), https://www.bis.gov/press-release/commerce-finalizes-rule-secure-connected-vehicle-supply-chains-foreign-adversary (“BIS recognizes the acute national security threat presented by foreign adversary involvement in the commercial vehicle supply chain and intends to issue a separate rulemaking addressing the technologies present in connected commercial vehicles – including in trucks and buses – in the near future.”).

[5] Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles, 89 Fed. Reg. 79,088, 79,116 (Sept. 26, 2024) [hereinafter NPRM].

[6] Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles, 89 Fed. Reg. 15,066 (Mar. 1, 2024) [hereinafter ANPRM].

[7] “Foreign adversaries” are currently defined as the People’s Republic of China, including Hong Kong and Macau (“China”), Cuba, Iran, North Korea, Russia, and the regime of “Venezuelan politician Nicolás Maduro”—though, as discussed above, the prohibitions in the Final Rule apply directly to China and Russia.  15 C.F.R. § 791.4.

[8] See 15 C.F.R. §§ 791.302–305.

[9] See Connected Vehicles, BIS, https://www.bis.gov/node/22645 (last accessed Mar. 18, 2025).

[10] Connected Vehicles Final Rule, 90 Fed. Reg. at 5,374.

[11] NPRM, 89 Fed. Reg. at 79,091.

[12] Connected Vehicles Final Rule, 90 Fed. Reg. at 5,374–75.

[13] NPRM, 89 Fed. Reg. at 79,089.

[14] Connected Vehicles Final Rule, 90 Fed. Reg. 5,360, at 5,367.

[15] See id.

[16] See id. at 5,368.

[17] See id. at 5,369.

[18] See id.

[19] See Matthew Broersma, US House Passes Bill Targeting Chinese EV Battery Tech, Silicon (Sept. 16, 2024), https://www.silicon.co.uk/e-innovation/green-it/us-bill-china-battery-579757.

[20] See, e.g., David Shepardson, Trump Administration Takes Aim at Biden Electric Vehicle Rules, Reuters (Mar. 12, 2025), https://www.reuters.com/sustainability/climate-energy/trump-administration-begins-effort-reverse-epa-vehicle-rules-2025-03-12/.

[21] See id.

[22] Fact Sheet: President Donald J. Trump Imposes Tariffs on Imports from Canada, Mexico, and China, White House (Feb. 1, 2025), https://www.whitehouse.gov/fact-sheets/2025/02/fact-sheet-president-donald-j-trump-imposes-tariffs-on-imports-from-canada-mexico-and-china/.

[23] See, e.g., Jarret Renshaw & Chris Kirkham, Exclusive: Trump Transition Team Plans Sweeping Rollback of Biden EV, Emissions Policies, Reuters (Dec. 17, 2024), https://www.reuters.com/business/autos-transportation/trump-transition-team-plans-sweeping-rollback-biden-ev-emissions-policies-2024-12-16/.

[24] See, e.g., Christian Shepherd, How China Pulled Ahead to Become the World Leader in Electric Vehicles, Wash. Post (Mar. 3, 2025), https://www.washingtonpost.com/world/2025/03/03/china-electric-vehicles-jinhua-leapmotor/.

[25] EV Batteries and Forced Labor: Investigating Possible Links Between CATL and Xinjiang-Based Companies, Sayari (May 16, 2024), https://sayari.com/wp-content/uploads/2024/05/Sayari_EV_Batteries_Report.pdf.

[26] Uyghur Forced Labor Prevention Act, U.S. Customs & Border Protection (Oct. 16, 2024), https://www.cbp.gov/trade/forced-labor/UFLPA; see Uyghur Forced Labor Prevention Act, Pub. L. No. 117-78, 135 Stat. 1525.

[27] 15 C.F.R. § 791.301.

[28] Id.

[29] Id.

[30] Id. (emphasis added).  The following categories are notably excluded from the definition of “Covered Software”: (1) firmware (i.e., “software specifically programmed for a hardware device with a primary purpose of directly controlling, configuring, and communicating with that hardware device”; (2) open-source software (i.e., “software for which the human-readable source code is available in its entirety for use, study, re-use, modification, enhancement, and redistribution by the users of such software”), provided such software has not been modified for proprietary purposes and not redistributed or shared; and (3) software subcomponents that were “designed, developed, manufactured, or supplied prior to March 17, 2026, as long as those software subcomponents are not maintained, augmented, or otherwise altered by an entity owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary after March 17, 2026.”  Id.

[31] See NPRM, 89 Fed. Reg. at 79,116; see also 15 C.F.R. § 791.300.

[32] 15 C.F.R. § 791.300.

[33] BIS excluded hardware or software that exclusively: “(1) enables the transmission, receipt, conversion, or processing of automotive sensing (e.g. LiDAR, radar, video, ultrawideband); (2) enables the transmission, receipt, conversion, or processing of ultrawideband communications to directly enable physical vehicle access (e.g., key fobs); (3) enables the receipt, conversion or processing of unidirectional radio frequency bands (e.g., global navigation satellite systems (GNSS), satellite radio, AM/FM radio); or (4) supplies or manages power for the VCS.”  Id.

[34] Id. 

[35] Connected Vehicles Final Rule, 90 Fed. Reg. at 5,373.

[36] Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles J3016_202104, SAE International (Apr. 30, 2021), https://www.sae.org/standards/content/j3016_202104; see Connected Vehicles Final Rule, 90 Fed. Reg. at 5,364.

[37] See 15 C.F.R. § 791.301.

[38] Id. §§ 791.302(b), 791.303(c).

[39] See id. § 791.308.

[40] See id. § 791.310.

[41] Id. § 791.302; see id. § 791.308.

[42] Id. §§ 791.303–791.304; see id. § 791.308.

[43] Id. §§ 791.305, 791.308.

[44] See id. § 791.305.

[45] Id. § 791.305(g).  The 60-day timeline for submitting updates to a Declaration of Conformity reflects a key change from the original 30-day timeline in the Proposed Rule. See Connected Vehicles Final Rule, 90 Fed. Reg. at 5,396.

[46] Compliance Application and Reporting System, BIS, https://cars.bis.gov (last accessed Mar. 18, 2025).

[47] Declarations of Conformity Frequently Asked Questions, BIS, https://www.bis.gov/oicts/connected-vehicles/declarations-of-conformity (last accessed Mar. 18, 2025).

[48] Id.

[49] Id.

[50] Id.

[51] 15 C.F.R. § 791.305(a)(1).

[52] Hardware Bill of Materials (HBOM) means “a formal record [of] the supply chain relationships of parts, assemblies, and components required to create a physical product, including information identifying the manufacturer and related firmware.”  See id. § 791.301.

[53] See Connected Vehicles Final Rule, 90 Fed. Reg. at 5,383.

[54] See id.

[55] See 15 C.F.R. § 791.305(a)(2).

[56] Software Bill of Materials (SBOM) means “a formal record containing the details and supply chain relationships of various components used in building software.  Software developers and vendors often create products by assembling existing open source and commercial software components.  The SBOM enumerates these components in a product.”  Id. § 791.301.

[57] Id. § 791.305(l).

[58] See id. §§ 791.312–791.313(a).

[59] See id. § 791.315(a).

[60] See id. § 791.315(d).

[61] See id. § 791.306.

[62] General Authorizations Frequently Asked Questions, BIS, https://www.bis.gov/oicts/connected-vehicles/general-authorizations (last accessed Mar. 18, 2025).

[63] Id.

[64] Advisory Opinion Frequently Asked Questions, BIS, https://www.bis.gov/oicts/connected-vehicles/advisory-opinions (last accessed Mar. 18, 2025).

[65] General Authorizations Frequently Asked Questions, BIS, https://www.bis.gov/oicts/connected-vehicles/general-authorizations (last accessed Mar. 18, 2025).

[66] See 15 C.F.R. § 791.307; Specific Authorizations Frequently Asked Questions, BIS, https://www.bis.gov/oicts/connected-vehicles/specific-authorizations (last accessed Mar. 18, 2025).

[67] Specific Authorizations Frequently Asked Questions, BIS, https://www.bis.gov/oicts/connected-vehicles/specific-authorizations (last accessed Mar. 18, 2025).

[68] Id.

[69] See 15 C.F.R. § 791.315(h).

[70] Specific Authorizations Frequently Asked Questions, BIS, https://www.bis.gov/oicts/connected-vehicles/specific-authorizations (last accessed Mar. 18, 2025).

[71] Id.

[72] Id.

[73] See 15 C.F.R. § 791.318.

[74] See 50 U.S.C. § 1705; see also Inflation Adjustment of Civil Monetary Penalties, 89 Fed. Reg. 106,308, 106,310 (Dec. 30, 2024).

[75] See 15 C.F.R. § 791.318.

[76] See id. § 791.301; supra Section III.


The following Gibson Dunn lawyers prepared this update: Roxana Akbari, Soumya Bhat Kandukuri*, Soo-Min Chae*, Hayley Lawrence, Lindsay Bernsen Wardlaw, Chris Mullen, Hugh Danilack, Christopher T. Timura, Adam M. Smith, Stephenie Gosnell Handler, and Vivek Mohan.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. For additional information about how we may assist you, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s International Trade Advisory & Enforcement practice group:

United States:
Ronald Kirk – Co-Chair, Dallas (+1 214.698.3295, [email protected])
Adam M. Smith – Co-Chair, Washington, D.C. (+1 202.887.3547, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Donald Harrison – Washington, D.C. (+1 202.955.8560, [email protected])
Christopher T. Timura – Washington, D.C. (+1 202.887.3690, [email protected])
Matthew S. Axelrod – Washington, D.C. (+1 202.955.8517, [email protected])
David P. Burns – Washington, D.C. (+1 202.887.3786, [email protected])
Nicola T. Hanna – Los Angeles (+1 213.229.7269, [email protected])
Vivek Mohan – Palo Alto (+1 650.849.5345, [email protected])
Courtney M. Brown – Washington, D.C. (+1 202.955.8685, [email protected])
Amanda H. Neely – Washington, D.C. (+1 202.777.9566, [email protected])
Samantha Sewall – Washington, D.C. (+1 202.887.3509, [email protected])
Michelle A. Weinbaum – Washington, D.C. (+1 202.955.8274, [email protected])
Hugh N. Danilack – Washington, D.C. (+1 202.777.9536, [email protected])
Mason Gauch – Houston (+1 346.718.6723, [email protected])
Chris R. Mullen – Washington, D.C. (+1 202.955.8250, [email protected])
Sarah L. Pongrace – New York (+1 212.351.3972, [email protected])
Anna Searcey – Washington, D.C. (+1 202.887.3655, [email protected])
Audi K. Syarief – Washington, D.C. (+1 202.955.8266, [email protected])
Scott R. Toussaint – Washington, D.C. (+1 202.887.3588, [email protected])
Lindsay Bernsen Wardlaw – Washington, D.C. (+1 202.777.9475, [email protected])
Shuo (Josh) Zhang – Washington, D.C. (+1 202.955.8270, [email protected])

Asia:
Kelly Austin – Denver/Hong Kong (+1 303.298.5980, [email protected])
David A. Wolber – Hong Kong (+852 2214 3764, [email protected])
Fang Xue – Beijing (+86 10 6502 8687, [email protected])
Qi Yue – Beijing (+86 10 6502 8534, [email protected])
Dharak Bhavsar – Hong Kong (+852 2214 3755, [email protected])
Arnold Pun – Hong Kong (+852 2214 3838, [email protected])

Europe:
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Patrick Doris – London (+44 207 071 4276, [email protected])
Michelle M. Kirschner – London (+44 20 7071 4212, [email protected])
Penny Madden KC – London (+44 20 7071 4226, [email protected])
Irene Polieri – London (+44 20 7071 4199, [email protected])
Benno Schwarz – Munich (+49 89 189 33 110, [email protected])
Nikita Malevanny – Munich (+49 89 189 33 224, [email protected])
Melina Kronester – Munich (+49 89 189 33 225, [email protected])
Vanessa Ludwig – Frankfurt (+49 69 247 411 531, [email protected])

*Soumya Kandukuri, an associate in Palo Alto, and Soo-Min Chae, a visiting attorney in Washington, D.C., are not admitted to practice law.

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

The U.S. Environmental Protection Agency (EPA) has recently announced a series of decisions that have the potential to transform the regulatory environment for light- and heavy-duty motor vehicles and off-road engines (mobile sources).  These efforts may create a sustained period of regulatory uncertainty for industry as these actions play out at the agency level and, likely, in court.  However, these regulatory shifts also create an opportunity for stakeholders in the vehicle industry to shape future policy and strategy through active participation in the upcoming rulemaking processes.

On March 12, 2025, EPA formally announced its intention to reconsider the 2009 Greenhouse Gas Endangerment Finding (Endangerment Finding) under Section 202(a) of the Clean Air Act, as well as all regulations and actions that rely on the Endangerment Finding—for example, the Greenhouse Gas Emissions Standards for Heavy-Duty Vehicles, Phase 3.  This pronouncement follows the Administration’s recent submission of several of California’s Section 209 waivers of preemption under the Clean Air Act—several of which were granted in the waning days of the Biden Administration—to Congress as agency rules subject to the Congressional Review Act (CRA), seeking to rescind California’s authority for its separate emission rules.

Key takeaways for regulated industry parties include:

  • EPA may seek to undertake substantive revisions to the regulations that flow from the Endangerment Finding contemporaneously with the process to revisit the Endangerment Finding, or it may first pursue revisions to the Endangerment Finding as a stand-alone action. Which path EPA chooses may affect the timeline for finalization and implementation of these actions, and thus, determine how and when these actions will affect regulated parties.
  • Legal challenges to EPA’s planned deregulatory efforts are near-certain, and opponents of revisions to applicable emissions standards are likely to seek to prevent these changes from taking effect by seeking early injunctive or declaratory relief, or stays of the actions. This uncertainty will create a complex compliance environment for regulated industry, as existing rules may remain in place while litigation proceeds.
  • Even during this regulatory overhaul by EPA, it is likely that core principles of emissions law—including preemption of state and local standards under Section 209 of the Clean Air Act—will remain intact.
  • Industry stakeholders should consider active participation in EPA’s upcoming rulemaking processes and intervention in future litigation, in order to advocate for a commonsense, clear, and comprehensive regulatory scheme.

Reconsideration of the Endangerment Finding for Greenhouse Gases

President Trump’s “Unleashing American Energy” Executive Order, published on January 20, 2025, directed EPA Administrator Lee Zeldin to provide recommendations on the legality and continuing applicability of the 2009 Greenhouse Gas Endangerment Finding issued under Section 202(a) of the Clean Air Act.  In response, on March 12, 2025, EPA formally announced its intention to reconsider the Endangerment Finding.[1]  And because the Endangerment Finding underpins many of the agency’s rules aimed at combatting climate change, EPA has also stated that it intends to reconsider all prior regulations and actions that rely on the Endangerment Finding.

History of the Endangerment Finding

The Endangerment Finding was developed by EPA in response to the Supreme Court’s 2007 decision in Massachusetts v. EPA.[2]  The case arose following a petition requesting that EPA regulate the emissions of carbon dioxide and other greenhouse gases from motor vehicles.  EPA denied the petition and concluded that the Clean Air Act did not authorize the agency to issue regulations addressing climate change.[3]  EPA’s decision was appealed, and the Supreme Court held that EPA erred when it denied the petition.  The Court found that carbon dioxide falls within the broad definition of “air pollutant” under the Clean Air Act, and that Section 202(a)(1) of the Act authorizes EPA to regulate carbon dioxide emissions from new motor vehicles.[4]  The Court remanded the matter back to EPA, requiring the agency to consider whether such emissions “may reasonably be anticipated to endanger public health or welfare.”[5]

On remand, EPA ultimately determined in 2009 that greenhouse gases, including carbon dioxide, methane, nitrous oxide, hydrofluorocarbons, perfluorocarbons, and sulfur hexafluoride, may reasonably be anticipated to endanger public health and welfare.[6]  This finding laid the foundation for a host of regulations setting limits for greenhouse gas emissions, including emissions standards for mobile sources.

What to Expect

In its March 12 announcement, EPA stated only that it would “reconsider” the Endangerment Finding, declining to prejudge the outcome of that proceeding.[7]  However, EPA hinted that it may revise aspects of the 2009 rulemaking that the agency now views as inadequate—for example, suggesting that it was inappropriate for EPA to “not consider any aspect of the regulations that would flow from” the “Endangerment Finding,” including “future costs” of compliance, and characterizing as procedurally “flawed and unorthodox” the way in which the Endangerment Finding concluded that carbon dioxide emissions present an endangerment risk.[8]

Based on these pronouncements, it appears EPA will reevaluate the propriety of the Endangerment Finding on both substantive and procedural grounds—reconsidering the scientific evidence underpinning the 2009 finding and reevaluating whether the original procedural approach was appropriate.  As with any new rulemaking, the agency must provide sufficient technical and legal justification for a revised finding, complete the public notice and comment process, and allow for inter-agency reviews, as appropriate.

With respect to the scientific evidence underpinning the 2009 finding, EPA has noted that the 2009 finding did not directly conclude that carbon dioxide from vehicles causes endangerment.  Instead, the agency determined in 2009 that a mix of six gases globally contributed “an unknown amount above zero to climate change, and that climate change contributed, not caused, an unknown amount above zero of endangerment to public health.”[9]  With this history, it appears less likely that EPA will reverse course on the fundamental question of whether climate change is in fact occurring, or whether the six greenhouse gases identified in the 2009 finding are harmful.  Instead, EPA may revisit the question of whether the United States’ contribution to global climate change warrants the level of regulation currently in place.  For example, EPA could take the position that the significant emission-producing activities of other nations such as China and India weaken any causal connection between greenhouse gas emissions in the United States and any endangerment to the public health and welfare.

With respect to the procedural arguments, EPA takes the position that the 2009 Endangerment Finding “intentionally ignored costs of regulations that EPA knew would follow from the Finding—and indeed ignored any other policy impacts of those regulations.”[10]  Any revised finding based upon these potential procedural gaps will likely consider the costs associated with compliance—and may find that such costs outweigh the benefits of the finding itself.

The procedural requirements for reopening the Endangerment Finding are significant.  EPA must first appoint new members to the Science Advisory Board (SAB) and Clean Air Scientific Advisory Committee (CASAC), the members of which were dismissed in January 2025.  These boards provide independent scientific and technical peer review, consultation, advice, and recommendations to the EPA Administrator and make recommendations regarding the revision or development of air quality criteria and standards.[11]  Following any input from these boards, EPA must then draft a new finding and proceed through the traditional rulemaking process, allowing time for public comment.  If the procedural history of the 2009 Endangerment Finding is any indication, the process may take years.  Following the Supreme Court’s decision in Massachusetts v. EPA in April 2007, EPA published the draft Endangerment Finding via an Advance Notice of Proposed Rulemaking (ANPR) in July 2008.  EPA provided a 120-day public comment period for the ANPR, and received more than 200,000 public comments.  After evaluating the public comments received, the agency issued a Notice of Proposed Rulemaking (NPRM) in April 2009, providing for a 60-day public comment period and holding two in-person public hearings.  EPA received more than 380,000 public comments during this period, which in turn had to be evaluated and addressed.  The final Endangerment Finding was signed by the EPA Administrator in September 2009.[12]  Even if EPA attempts to take a more streamlined approach to its revisions to the Endangerment Finding, the agency likely will be required to adhere to the requirements of notice-and-comment rulemaking before finalizing any new finding—a process which is likely to take months at a minimum, if not longer.

Beyond these procedural requirements, any revision to the Endangerment Finding is likely to be subject to litigation.  State Attorneys General and climate-focused organizations are likely to challenge any rollback of the Endangerment Finding and potentially seek injunctive relief on the basis that the revocation of the 2009 finding—or the elimination of, or revision to, related individual rules—will cause irreparable harm.

Implications for Clean Air Act Preemption

In addition to engendering significant uncertainty regarding a broad swath of emission-relevant regulations and rules, reconsideration of the Endangerment Finding may also have implications for Section 209 of the Clean Air Act, which preempts most state vehicle emission programs.  Section 209 prohibits states from adopting or enforcing “any standard relating to the control of emissions from new motor vehicles or new motor vehicle engines subject to this part.”[13]  If the Endangerment Finding is eliminated, states may argue that EPA is not exercising its authority under the Clean Air Act to regulate greenhouse gas emissions, and as such, Section 209 no longer preempts states from issuing their own greenhouse gas emissions standards.  However, this argument will struggle against the plain language of Section 209, which provides for blanket preemption of any state or local regulation of “emissions” from “vehicles” or “engines” subject to regulation under Title II, Part A of the Clean Air Act;[14] the preemption language is not limited to “air pollutant[s]” regulated under the Act.  As such, once a vehicle or engine is subject to regulation under Part A, no state can issue emissions standards for that vehicle or engine. Demonstrating this point, the California Air Resources Board sought preemption waivers for greenhouse gas standards for light-duty vehicles prior to EPA’s endangerment finding in 2009. In light of this, state efforts to avoid preemption may face legal headwinds.

Opponents of a revised Endangerment Finding may also argue that undoing or weakening the Endangerment Finding opens the door for state common law tort claims previously found to be preempted by the Clean Air Act.  But such claims will run up against hostile case law, which has emphasized that the Clean Air Act’s preemptive force stems from the Act’s delegation of regulatory authority, not the EPA’s exercise of that authority.[15]  So while challenges to the Clean Air Act’s preemptory effect based upon revocation of the Endangerment Finding may lead to lengthy litigation and a period of regulatory uncertainty, those challenges also will face considerable legal headwinds.

Considerations for Regulated Industry

While EPA’s rulemaking process is ongoing with respect to the Endangerment Finding, and during the pendency of any resultant litigation, vehicle and engine manufacturers may face uncertainty on compliance obligations associated with the existing emissions standards.  This substantial regulatory uncertainty may have the effect of increasing compliance costs across the industry.

Whether EPA will undertake substantive revisions to regulations that flow from the Endangerment Finding, such as the Phase 3 emissions standards, contemporaneously with the Endangerment Finding process is currently unclear.  Rather than proceeding on parallel tracks, EPA may choose first to prioritize revising the Endangerment Finding as a stand-alone action—leaving intact the individual rules that are reliant on the Endangerment Finding—because a significant revision to the Endangerment Finding will streamline the subsequent process of undoing the rules that rely on the finding.  Under this approach, if there is significant delay in the rollback of the Endangerment Finding, these regulations could remain in place well into the current Administration.

To combat this uncertainty and reduce the costs of compliance with a shifting set of rules, regulated industry should proactively engage with EPA via the rulemaking process to ensure that the industry’s concerns, priorities, and needs regarding the future of emissions regulation are heard.  The significant impact of regulatory uncertainty to the industry’s compliance costs is an important consideration that EPA should weigh as it determines how to revise the Endangerment Finding and the regulations stemming from it.

Revocation of California’s Clean Air Act Waivers via the Congressional Review Act

At the tail end of the Biden Administration, EPA issued several waivers under Section 209 of the Clean Air Act, authorizing California to set its own mobile source emissions regulations—specifically, California’s Omnibus Low NOx[16] and Advanced Clean Cars II[17] programs.  In April 2023, the Biden Administration also granted California’s waiver request for its Advanced Clean Trucks Regulation.[18]

The Clean Air Act provides for broad preemption of state or local standards relating to the control of emissions from new motor vehicles or new motor vehicle engines subject to the Act.[19]  However, the Act authorizes the EPA Administrator to waive this preemption for California, provided that California’s own standards are at least as protective as federal standards, are not arbitrary and capricious, are necessary to meet “compelling and extraordinary conditions,” and are not otherwise inconsistent with federal motor vehicle emissions regulations.[20]  Section 177 further allows other states to adopt standards identical to California regulations that have received a waiver.[21]  In response to a challenge to California’s waivers for a similar mobile source program (Advanced Clean Cars I), the D.C. Circuit recently upheld this grant of unique authority to California, and the Supreme Court declined to hear the question of Section 209’s constitutional validity.[22]

On February 19, 2025, the Trump Administration submitted[23] the decisions to grant California waivers for its Omnibus Low NOx, Advanced Clean Cars II, and Advanced Clean Trucks programs to Congress for consideration under the Congressional Review Act (CRA).[24]  The CRA provides an expedited process by which Congress can reverse an agency rulemaking by means of a joint disapproval resolution passed by both chambers of Congress and signed by the president.  If the disapproval resolution is introduced within 60 days of Senate session from a rule’s publication in the Federal Register or transmission to Congress (whichever is later), the Senate may consider the disapproval resolution by a non-filibusterable majority vote.  The Biden Administration did not submit the decisions granting these waivers to Congress when those decisions were published, so the 60-legislative-day CRA clock was triggered when the Trump Administration submitted the waivers to Congress in February.  Congress has not yet taken action with respect to these waivers.[25]

Should Congress act to revoke these waivers, however, legal challenges to the revocation would prove difficult.  Congress’s CRA activity follows ordinary constitutional requirements under Article I, Section 7 of the U.S. Constitution (with the act passing both chambers, and either signed by the president or passed over the president’s veto).  Courts ordinarily decline to review the procedural validity of enrolled bills,[26] and the joint resolutions revoking the waivers have the same status as a bill.  Further, the CRA strips federal courts’ jurisdiction to review any congressional “determination, finding, action, or omission under” the CRA.[27]

Further EPA Regulatory Rollbacks

The Trump Administration has also announced plans to target a series of longer-standing EPA rules significant to the automotive industry.

Light-, Medium-, and Heavy-Duty Vehicle Regulatory Rollbacks

EPA’s March 12 announcement specifically targets the light-, medium-, and heavy-duty tailpipe emissions rules that the Trump Administration has likened to electric vehicle mandates. It does so largely on the grounds that the Biden Administration EPA based its findings concerning the technical feasibility of such rules on the increased availability of electric vehicles and zero-emission vehicles.

Clean Trucks Plan (CTP).  EPA’s “Clean Trucks Plan” is an initiative first announced by the Biden Administration on August 5, 2021 which encompasses three rules: the “Control of Air Pollution from New Motor Vehicles: Heavy-Duty Engine and Vehicle Standards,” the “Multi-Pollutant Emissions Standards for Model Years 2027 and Later Light- and Medium-Duty Vehicles,” and the “Greenhouse Gas Emissions Standards for Heavy-Duty Vehicles—Phase 3.”

  • Control of Air Pollution from New Motor Vehicles: Heavy-Duty Engine and Vehicle Standards (“Heavy-Duty Truck NOx Rule”).[28]  Adopted on December 20, 2022, this first rule issued under the Clean Trucks Plan set more stringent standards for heavy-duty highway engines’ NOx, PM, HC, and CO emissions.  Because the regulation does not directly regulate greenhouse gas emissions, the rulemaking did not rely upon the greenhouse gas Endangerment Finding.  According to EPA, the reconsideration of this rule is grounded in concerns that the regulations are not squarely rooted in statutory authority, that the rules are unrealistic for large truck manufacturers absent a shift to electric vehicles, and that the rules’ costs are coercive and compel truck makers to reengineer their fleets towards allegedly uneconomic and unproven electric technologies, resulting in market distortions and reduced customer choice.[29]
  • The Multi-Pollutant Emissions Standards for Model Years 2027 and Later Light- and Medium-Duty Vehicles (“Multi-Pollutant Rule”).[30]  The 2027 and Later Light- and Medium-Duty tailpipe emissions rule, finalized on March 20, 2024, stretches well beyond trucks to regulate tailpipe emissions for light- and medium-duty fleets, as well.  The rule limits the emission of criteria pollutants (PM, NOx, VOC, SOx and CO), air toxics, and greenhouse gases.  In particular, the rule dramatically lowered fleet-wide light- and medium-duty greenhouse gas emissions limits.  The rule’s regulatory authority for greenhouse gas emissions limits is tied to the greenhouse gas Endangerment Finding, but the limitations on criteria pollutants and air toxics rest on independent endangerment findings.  Here, EPA’s reasons for reconsideration mirror those of the Heavy-Duty rule rollbacks, including a lack of grounding in statutory authority, a compelled shift in production to electric vehicles, and significant costs that distort the market and reduce consumer choice.
  • Greenhouse Gas Emissions Standards for Heavy-Duty Vehicles – Phase 3 (“Phase 3”).[31]  EPA’s Phase 3 heavy-duty emission standards increased the stringency of heavy-duty vehicle fleet-wide CO2 emission standards for MY 2032 and later, but with limits lowered beginning for MY 2027 in some vehicle categories.  This rule relied upon the greenhouse gas Endangerment Finding for its regulatory authority.

Corporate Average Fuel Economy (CAFE) Standards.  On January 28, 2025, Secretary Sean Duffy directed[32] the Department of Transportation (DOT) to conduct an immediate review and reconsideration of all existing fuel economy standards applicable to all models of motor vehicles produced from model year 2022 forward, including the CAFE standards for MY 2024-2026 passenger cars and light trucks[33] and for MY 2027-2031 passenger cars and light trucks, and the fuel efficiency standards for MY 2030-2035 heavy-duty pickup trucks and vans.[34]  The Biden Administration’s 2022 CAFE standards had raised fuel economy standards for passenger cars and light trucks 8% annually for MY 2024-2025 and 10% for MY 2026,[35] and 2% per year for passenger cars MY 2027-2031 and for light trucks MY 2029-2031, resulting in an average light-duty vehicle fuel economy of 50.4 mi/gal by 2031.[36]  Heavy-duty pickup truck and van fuel efficiency requirements were also strengthened, increasing 10% per year for MY 2030-2032 and 8% per year for MY 2033-2035, to an average of 35 mi/gal by 2035.[37]  Secretary Duffy’s memorandum grounds the review of the CAFE standards in the impossibility of meeting the existing standards without “rapidly shifting production away from internal-combustion-engine (‘ICE’) vehicles to alternative electric technologies.”  The memorandum contends that this shift distorts the market by forcing automakers to reengineer their fleets and phase out popular ICE vehicles—reducing consumer choice and harming existing jobs—and therefore violates the “technological feasibility” and “economic practicability” requirements of the Energy Policy and Conservation Act of 1975.[38]

Potential Timeline of Regulatory Rollbacks

Because regulatory authority for these rules—other than the Phase 3 rulemaking—does not rest solely on the greenhouse gas Endangerment Finding, replacement of these rules may require EPA to undertake additional, separate rulemaking activities.  For example, the speediest of the Clean Trucks Plan rulemakings, the Heavy-Duty Truck NOx Rule, was announced in an NPRM published on March 28, 2022,[39] with its public comment period closing on May 13, 2022, and the final rule published on January 24, 2023, ultimately taking effect March 27, 2023.  In all, 477 days passed between the announcement of the Clean Trucks Plan and the implementation of its first significant constituent element.  This suggests that a rollback of this rule may require a similar timeframe.

In addition to the actual rulemaking timelines themselves, the near-certain legal challenges to the reversal of the Endangerment Finding may further delay the reconsideration of related mobile source emissions regulations.  To the extent that EPA’s reconsideration of existing emissions regulations is predicated on the reversal of the Endangerment Finding, challengers may ask courts to hold these reversals in abeyance pending the resolution of challenges to the underlying Endangerment Finding repeal.  This risk is particularly prominent for rules significantly targeting greenhouse gas emissions, which are most directly reliant on the Endangerment Finding.  The possibility that courts hold these individual rule repeals in abeyance pending litigation over the Endangerment Finding may mean that attempts at a more accelerated repeal process focused on the legal—rather than factual—basis for these revised rules are subject to significant delays.

Such delays are likely to present compliance uncertainties for the automotive industry, and the related legal disputes are likely to extend beyond the term of the current presidential administration or, as with the pending reversals of California’s Section 209 waivers, into the final 60 days of the administration, when actions become vulnerable to CRA review.

Opportunities for Industry Involvement

The rulemaking process—both for the Endangerment Finding repeal and for the Biden Administration’s various tailpipe emissions regulations—presents opportunities for regulated industry to participate in and contribute to EPA’s new and revised rules.  Industry may seek to enter into the rulemaking record evidence of the impact of, and compliance costs flowing from, various of EPA’s repeal or replacement strategies.  This, in turn, could result in more favorable—or at least more manageable—final rules down the line.

Industry members may also seek to pursue litigation strategies that support rulemaking activity aligned with established legal positions on agency authority.  Recent legal challenges to mobile source emissions regulations, such as the challenge to the Section 209 waiver granted to California’s Advanced Clean Car I Program, have been led by adjacent industries, like the liquid fuels industry.  While these organizations have faced some difficulties in demonstrating the redressability of their injuries and therefore establishing that they possess standing to challenge the rules,[40] the Supreme Court’s pending decision in Diamond Alternative Energy LLC v. EPA may ultimately confirm these entities’ standing, opening the door to future litigation by these groups on issues of fundamental importance to the motor vehicle and engine manufacturing industry.[41]  As motor vehicle and engine manufacturing companies weigh litigation options, this development should be an important consideration.

*     *     *

The burgeoning regulatory overhaul at EPA will lead to a period of uncertainty for regulated industry, as EPA revisits the Endangerment Finding and revises existing rules governing greenhouse gas emissions and other pollutants.  Challenges to EPA’s deregulatory actions—and to a revision of the Endangerment Finding in particular—are near-certain, and any major revisions to applicable greenhouse gas emissions standards are at risk of being stayed pending the outcome of legal challenges to the Endangerment Finding revocation.  This uncertainty will create a complex compliance environment for the industry, with existing rules remaining in place while litigation proceeds, in turn increasing compliance costs and further obscuring the future of emissions regulation in the United States.  Additionally, if the timelines for such challenges to EPA’s efforts extend beyond the end of the Trump Administration, industry is at risk of yet more uncertainty under a new administration, which may seek to use many of the same tactics to undo any deregulatory efforts that are implemented between now and the end of 2028.

To reduce the risk of years of future uncertainty, industry stakeholders should consider active participation in EPA’s upcoming rulemaking processes.  Industry participants will also have the opportunity to affect the outcome of challenges to EPA’s upcoming efforts by participating in future litigation over these agency actions.  By participating in the rulemaking and litigation process, regulated parties have the chance to advocate for a commonsense, clear, and comprehensive regulatory scheme that provides near- and long-term clarity and stability for both industry and consumers alike.

[1] Press Release, U.S. EPA, EPA Launches Biggest Deregulatory Action in U.S. History (Mar. 12, 2025), https://www.epa.gov/newsreleases/epa-launches-biggest-deregulatory-action-us-history.

[2] 549 U.S. 497 (2007).

[3] Control of Emissions From New Highway Vehicles and Engines, 68 Fed. Reg. 52922 (Sept. 8, 2003).

[4] Id.

[5] 42 U.S.C. § 7521(a)(1).

[6] Endangerment and Cause or Contribute Findings for Greenhouse Gases Under Section 202(a) of the Clean Air Act, 74 Fed. Reg. 66496 (Dec. 15, 2009).

[7] Press Release, U.S. EPA, Trump EPA Kicks Off Formal Reconsideration of Endangerment Finding with Agency Partners (Mar. 12, 2025), https://www.epa.gov/newsreleases/trump-epa-kicks-formal-reconsideration-endangerment-finding-agency-partners.

[8] Id.

[9] U.S. EPA, Endangerment Finding One Pager, https://www.epa.gov/system/files/documents/2025-03/final-pager-endangerment.pdf.

[10] Id.

[11] See Request for Nominations to the EPA Clean Air Scientific Advisory Committee (CASAC), 89 Fed. Reg. 81074 (Oct. 7, 2024).

[12] U.S. EPA, Timeline of EPA’s Endangerment Finding, https://www.epa.gov/sites/default/files/2021-05/documents/endangermentfinding_timeline.pdf.

[13] 42 U.S.C. § 7543.

[14] Id.

[15] See American Electric Power Co. Inc. v. Conn., 564 U.S. 410, 424 (2011) (holding that “[t]he critical point is that Congress delegated to EPA the decision whether and how to regulate carbon-dioxide emissions from powerplants; the delegation is what displaces federal common law.”); see also Bell v. Cheswick Generating Station, 734 F.3d 188 (3d Cir. 2013); Comer v. Murphy Oil USA, 839 F. Supp. 2d 849 (S.D. Miss. 2012), aff’d on other grounds, 718 F.3d 460 (5th Cir. 2013).

[16] California State Motor Vehicle and Engine and Nonroad Engine Pollution Control Standards; The “Omnibus” Low NOx Regulation; Waiver of Preemption; Notice of Decision, 90 Fed. Reg. 643 (Jan. 6, 2025).

[17] California State Motor Vehicle Pollution Control Standards; Advanced Clean Cars II Regulations; Waiver of Preemption; Notice of Decision, 90 Fed. Reg. 642 (Jan. 6, 2025).

[18] California State Motor Vehicle and Engine Pollution Control Standards; Heavy-Duty Vehicle and Engine Emission Warranty and Maintenance Provisions; Advanced Clean Trucks; Zero Emission Airport Shuttle; Zero-Emission Power Train Certification; Waiver of Preemption; Notice of Decision, 88 Fed. Reg. 20688 (Apr. 6, 2023).

[19] 42 U.S.C. § 7543(a).

[20] 42 U.S.C. § 7543(b).

[21] 42 U.S.C. § 7507.

[22] See Ohio v. Env’t Prot. Agency, 98 F.4th 288 (D.C. Cir. 2024), cert. granted in part sub nom. Diamond Alternative Energy, LLC v. EPA, 220 L. Ed. 2d 288 (Dec. 13, 2024), and cert. denied sub nom. Ohio v. EPA, No. 24-13, 2024 WL 5112340 (U.S. Dec. 16, 2024).

[23] Press Release, U.S. EPA, Trump EPA to Transmit California Waivers to Congress in Accordance with Statutory Reporting Requirements (Feb. 14, 2025), https://www.epa.gov/newsreleases/trump-epa-transmit-california-waivers-congress-accordance-statutory-reporting.

[24] 5 U.S.C. §§ 801-808.

[25] On March 6, 2025, the Government Accountability Office (GAO) issued an opinion that the CAA preemption waivers are adjudicatory orders, not rules, and are therefore not subject to the CRA. Letter, Gov’t Accountability Off., B-337179 (Mar. 6, 2025).  GAO opinions are not binding on Congress and do not prevent Congressional consideration of agency actions under the CRA.  The opinion does highlight, however, the ongoing dispute regarding the nature of EPA CAA waiver decisions and whether they constitute agency rulemaking subject to CRA review (and attendant procedural requirements) or whether they constitute a lesser form of agency action and are exempt from the CRA.

[26] See Marshall Field & Co. v. Clark, 143 U.S. 649 (1892) (describing the enrolled-bill rule).

[27] 5 U.S.C. § 805.

[28] Control of Air Pollution From New Motor Vehicles: Heavy-Duty Engine and Vehicle Standards, 88 Fed. Reg. 4296 (Jan. 24, 2023).

[29] U.S. EPA, Heavy-Duty Vehicles – Powering the Great American Comeback Fact Sheet, https://www.epa.gov/system/files/documents/2025-03/heavy-duty-vehicles-powering-the-great-american-comeback-factsheet.pdf.

[30] Multi-Pollutant Emissions Standards for Model Years 2027 and Later Light-Duty and Medium-Duty Vehicles, 89 Fed. Reg. 27842 (Apr. 18, 2024).

[31] Greenhouse Gas Emissions Standards for Heavy-Duty Vehicles – Phase 3, 89 Fed. Reg. 29440 (Apr. 22, 2024).

[32] Sean Duffy, Sec’y of Transp., Memorandum on Fixing the CAFE Program (Jan. 28, 2025), https://www.transportation.gov/sites/dot.gov/files/2025-01/Signed%20Secretarial%20Memo%20re%20Fixing%20the%20CAFE%20Program.pdf.

[33] Corporate Average Fuel Economy Standards for Model Years 2024-2026 Passenger Cars and Light Trucks, 87 Fed. Reg. 25710 (May 2, 2022).

[34] Corporate Average Fuel Economy Standards for Passenger Cars and Light Trucks for Model Years 2027-2032 and Fuel Efficiency Standards for Heavy-Duty Pickup Trucks and Vans for Model Years 2030-2035; Correction, 89 Fed. Reg. 52540 (July 29, 2024).

[35] Press Release, U.S. DOT, USDOT Announces New Vehicle Fuel Economy Standards for Model Year 2024-2026 (Apr. 1, 2022), https://www.transportation.gov/briefing-room/usdot-announces-new-vehicle-fuel-economy-standards-model-year-2024-2026.

[36] Press Release, NHTSA, USDOT Finalizes New Fuel Economy Standards for Model Years 2027-2031 (June 7, 2024), https://www.nhtsa.gov/press-releases/new-fuel-economy-standards-model-years-2027-2031.

[37] Id.

[38] See 49 U.S.C. § 32902(f).

[39] Control of Air Pollution From New Motor Vehicles: Heavy-Duty Engine and Vehicle Standards, 87 Fed. Reg. 17414 (Mar. 28, 2022).

[40] Ohio v. Env’t Prot. Agency, 98 F.4th 288 (D.C. Cir. 2024), cert. granted in part sub nom. Diamond Alternative Energy, LLC v. EPA, 220 L. Ed. 2d 288 (Dec. 13, 2024), and cert. denied sub nom. Ohio v. EPA, No. 24-13, 2024 WL 5112340 (U.S. Dec. 16, 2024).

[41] Diamond Alternative Energy, LLC v. EPA, 220 L. Ed. 2d 288 (Dec. 13, 2024).


The following Gibson Dunn lawyers prepared this update: Stacie Fletcher, Rachel Levick, Veronica Goodson, Monica Murphy, Laura Stanley, and Tom Harvey.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Environmental Litigation and Mass Tort practice group:

Stacie B. Fletcher – Washington, D.C. (+1 202.887.3627, [email protected])

Rachel Levick – Washington, D.C. (+1 202.887.3574, [email protected])

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

This update provides an overview of China’s major antitrust developments during 2024 and expectations for 2025.  

Happy New Year of the Snake!

In 2024, we saw continued efforts by the Chinese authorities to build on the existing antitrust framework by supplementing new regulations and guidelines.  These refreshed rules provide valuable insights on the interpretation and application of the Anti-Monopoly Law (AML) in China.  On the merger control side, there has been a reduction in the overall volume of merger review cases given the increased notification thresholds, while technology and semiconductor mergers remain heavily scrutinized.  On non-merger enforcement, authorities are consistently pursuing industries that are close to people’s livelihood, with a focus on the public utilities sector, energy suppliers and the automobile industry.  Lastly, the Supreme People’s Court published a new judicial interpretation guide on monopoly civil dispute cases, which sheds important light on the procedural and substantive rules governing antitrust litigation in China.

The tech sector is likely to be a particular area of focus for SAMR, in particular given the trade tensions between the PRC and the United States.

I.   Legislative and Regulatory Developments

In 2024, several regulations were revised or introduced to further develop China’s antitrust framework.  Some selected highlights include:

  • Regulations on Filing Thresholds for Concentration of Undertakings (the “Merger Notification Thresholds Regulations”)
  • Guidelines on Horizontal Merger Review (the “Horizontal Merger Review Guidelines”)
  • Revised Notification Form for Anti-Monopoly Review of Simple Cases of Concentration Between Undertakings (the “Simplified Form”) and Publication Form for Simple Cases of Concentration Between Undertakings (the “Public Notice Form”)
  • Guide to the Anti-Monopoly Compliance of Undertakings (the “Undertakings’ Compliance Guide”)
  • Interim Provisions on Regulation of Unfair Competition on the Internet (the “Internet Regulation Provisions”)
  • Antitrust Guidelines on Standard-Essential Patents (SEP) (the “SEP Guidelines”)

A summary of these selected legislations is set out below.

Merger Notification Thresholds Regulations.  These State Council-issued regulations came into effect in early January 2024.  The filing thresholds are increased to reflect economic growth, such that undertakings must obtain merger clearance from SAMR if:

  1. The undertakings’ combined worldwide turnover is more than RMB 12 billion (~USD 1.66 billion) (an increase from RMB 10 billion (~USD 1.38 billion)) and the Chinese turnover of each of at least two of the undertakings involved is more than RMB 800 million (~USD 110 million) (an increase from RMB 400 million (~USD 55.2 million)); or
  2. The undertakings’ combined Chinese turnover is more than RMB 4 billion (~USD 552 million) (an increase from RMB 2 billion (~USD 276 million)) and the Chinese turnover of each of at least two of the undertakings involved is more than RMB 800 million (an increase from RMB 400 million).

Horizontal Merger Review Guidelines.  These SAMR guidelines, which came into effect in December 2024, provide insights on the general approach of SAMR in the evaluation of horizontal mergers based on market shares:

Combined Market Shares    Evaluation
More than 50%             Presumption of anticompetitive effects
25% to 50%                Likely to have anticompetitive effects
15% to 25%                Unlikely to have anticompetitive effects
Below 15%                 Presumption of no anticompetitive effects

The guidelines also offer an overview of the relevant tools used by SAMR in its merger review.  These include, for example, the Herfindahl–Hirschman Index (HHI) supplemented by Concentration Ratios (CRn) for assessing market concentration; and quantitative analysis methods such as Upward Pricing Pressure (UPP), Gross UPP Index (GUPPI), and Merger Simulation for analyzing unilateral effects.  Where anticompetitive effects are identified, SAMR may also look at whether any counteracting factors exist, such as constraints from potential competition, whether market entry is possible, timely, and sufficient, and buyer power.  The “failing firm theory” is also provided for the first time, where SAMR will consider whether: (1) the business operator being acquired is facing operational difficulties and will exit the market in the short term if not merged; (2) there is no alternative solution (other than the proposed merger) that would cause less damage to competition; and (3) compared to the market exit, the potential anticompetitive effects of the merger are weaker.

Further, the guidelines also explain how the authorities can obtain evidence materials from various sources apart from the concentration parties, including upstream suppliers, downstream/end customers, government departments, industry associations, and competitors.  In particular, the guidelines provide that the opinions of downstream customers on concentration are more important than the views of upstream suppliers and the merger parties.

Streamlined Simplified Filing Forms.  SAMR revised the Simplified Form and the Public Notice Form in September 2024.  These revisions simplified the procedure for transactions that are unlikely to have significant competitive effect in China by requiring parties to fill in less information and fewer details compared to before.  For example, parties are no longer required to prepare and submit a non-confidential version of the Simplified Form.  Further, the requirements for a detailed assessment of the impacts of the proposed concentration are reduced.  Similarly, the number of mandatory information items required in the Simplified Form has been reduced.

Undertakings’ Compliance Guide.  This guide, which took effect in April 2024, applies to businesses operating within China and those outside China if their activities impact the domestic market.  It outlines the structure for effective internal compliance management, including the roles of various departments and the responsibilities of the compliance governance department.  Businesses are encouraged to establish professional compliance teams, identify and assess compliance risks, and regularly update these assessments.  Additionally, an undertaking may apply for compliance incentives before and during the formal investigation and enforcement process.  Such incentives may include leniency or a reduction in the monetary penalty imposed, and even full exemptions from administrative penalties.  SAMR will decide on whether to grant such incentives based on factors such as the completeness, veracity, and effectiveness of the antitrust compliance mechanism of the business.

Internet Regulation Provisions.  These SAMR-issued provisions, which took effect in September 2024, are the first comprehensive regulations specifically aimed at preventing and deterring unfair competition online, protecting the rights of operators and consumers, and promoting the sustainable development of the digital economy.  The provisions prohibit acts such as causing confusion as to the source of products or services, false advertising, the use of misleading or false information that may damage the reputation of competitors, and using technical means (such as internet traffic hijacking) to disrupt competitors’ online business operations.  Platform operators are tasked with managing competitive behaviors, taking necessary actions against unfair practices, and maintaining records for at least three years.

SEP Guidelines.  These SAMR-issued guidelines, which took effect in November 2024, build on existing Chinese antitrust law and provisions, aiming to balance the interests of SEP holders and implementers by ensuring both intellectual property protection and fair market competition.  There is new guidance on the promotion of “ex-ante” and “in-process” supervision, requiring proactive reporting of possible antitrust issues to the authorities by parties such as SEP holders and operators.  Further, the new guidelines also require antitrust authorities to strengthen such pre-emptive and interim supervision.

Separately, the new guidance also states that in determining whether there is an abuse of SEPs to exclude or restrict competition, the authorities should give full consideration to the disclosure of information, licensing commitments, and licensing negotiations (in good faith) concerning the SEPs.  For example, SEP holders are required to declare that they agree to license other operators on a “fair, reasonable, and non-discriminatory” (FRAND) basis.  Nonetheless, the failure to engage in such “good conduct” in itself does not necessarily result in a violation of antitrust laws.

The SEP Guidelines also cover SEP patent pools, prohibiting the use of such patent pools to reach monopoly agreements.  In addition, guidance is provided on the determination of SEP-related abuse of dominant market position, where the antitrust authorities will consider whether SEP holders are charging unfairly high royalties, imposing unreasonable terms, or forcing SEP implementers to accept package licensing.  There is also guidance restricting SEP holders from abusing the remedies for infringement of patent rights.

Further Legislative Efforts.  In addition to the various finalized regulations and guidance discussed above, SAMR introduced draft regulations in 2024, including the Draft Measures for the Implementation of the Regulation on Fair Competition Reviews, and the Draft Interim Measures for the Administration of Compliance Data Reporting for Online Transactions.  SAMR is also expected to formulate penalty scales for monopolistic conduct and abuse of dominance to ensure consistent enforcement.  It appears that sustained legislative efforts can be expected in 2025.

II.   Merger Control

Merger Review

In 2024, SAMR closed 643 merger review cases in total (as compared to 797 cases in 2023).  Of these, 623 (~97%) received unconditional approval, 1 received conditional clearance, and 19 were withdrawn by the filing parties after SAMR’s acceptance of their case.

Overall, there were fewer merger cases for review, likely because of the increased merger notification thresholds (see above).  Of the cases notified, SAMR completed most reviews within 30 days (around 91% of cases were reviewed under the simplified procedure).  That said, SAMR took 512 days to complete its review in the sole conditional clearance case, which is much longer than the average review time of 309 days in 2023.  The lengthy review was attributable to SAMR’s exercising of its relatively new power to extend the review period by “stopping the clock” and reflects SAMR’s strategy to focus its resources on cases that raise substantive competitive issues.

This conditional clearance case was the JX Nippon/Tatsuta merger, which involved two Japanese entities in the semiconductor space and was conditionally cleared in June 2024.  This case is an example of SAMR’s authority to impose remedies on a deal that fell below the merger notification threshold.  Specifically, the deal was first notified in January 2023 but fell below the notification thresholds when the thresholds were raised in January 2024.  The parties requested to withdraw the filing based on the new turnover thresholds, but SAMR declined the request and continued with its review, eventually issuing a conditional clearance with a series of behavioral remedies imposed for a period of 8 years.  The remedies include:

  • When selling JX Nippon and Tatsuta products to Chinese customers, neither JX Nippon nor its distributors shall: (i) bundle products or impose unreasonable conditions; (ii) restrict separate purchases or discriminate against customers who do so; or (iii) obstruct partners from choosing third-party products;
  • JX Nippon shall supply blackened rolled copper foil and isotropic conductive adhesive films on FRAND terms; and
  • JX Nippon shall maintain compatibility levels with third-party products unless required by customers.

Another case worth highlighting is the Synopsys/Ansys acquisition between two US software companies, which is the largest technology sector deal in 2024.  Notably, SAMR exercised its discretionary power to call in this merger in May 2024, even though the acquisition was below the revised notification thresholds.  This call-in was suspected to be due to concerns from Chinese domestic competitors and downstream customers over the horizontal effects of the deal in electronic design automation.  Furthermore, the merger parties are broadly active in simulation software and electronic design automation tools and have a significant strategic presence in China, including in semiconductors, automotive, and aerospace.  These are all sectors on which SAMR has historically focused its review, and it is expected that SAMR will continue to keep a close eye on these industries.

Gun-Jumping Enforcement

Following the Chinese Anti-Monopoly Law (AML) amendments in 2022 (see our 2022 Review) and SAMR’s release of the Merger Control Compliance Guidelines in 2023 (see our 2023 Review), SAMR increased the gun-jumping fines and clarified the sanctions for gun-jumping.  These sanctions can be up to 10% of the undertaking’s revenue in the prior year for cases that have the effect of restricting competition (which can be further multiplied by two to five times for particularly serious cases) or up to RMB 5 million (~ USD 0.69 million) for cases that do not restrict competition.

In 2024, we saw the first two gun-jumping decisions published by SAMR since the 2022 AML amendments.  The first decision, published on 7 June 2024, was made against Shanghai Highly (Group) Co., Ltd and Qingdao Haier Air Conditioner Gen. Corp., Ltd, where SAMR fined each company RMB 1.5 million (~USD 0.21 million) for obtaining a joint venture business license before obtaining merger approval from SAMR.  While SAMR did approve the joint venture in the end, obtaining the business license typically indicates the implementation of the joint venture, and therefore the parties were found to have improperly “jumped the gun”.

The second gun-jumping decision, published on 5 August 2024, involved Maoming Urban and Rural Construction Investment and Development Group, which completed the share transfer registration for its acquisition of a 51% stake in Guangdong Zhongyuan Investment during the public notice period (and therefore before SAMR clearance).  While SAMR ultimately found no exclusion or restriction of competition, it still imposed a fine of RMB 1.75 million (~USD 0.24 million) for gun-jumping.

The increased fines and clear sanctions indicate that SAMR is committed to enforcing compliance and deterring companies from bypassing regulatory approval processes.  The enforcement actions will likely encourage compliance awareness and more cautious behavior from companies involved in mergers and acquisitions.

III.   Non-Merger Enforcement

Like previous years, the enforcement decisions published by SAMR in 2024 indicate a continued focus on the usual sectors, including public utilities, energy suppliers, and construction material manufacturers.  While pharmaceutical corporations and industry associations have not been a focus this year, unlike in 2023, automobile companies are back in the spotlight.  In 2024, automobile companies had the highest number of enforcement actions brought against them.  In total, SAMR and local AMRs brought enforcement actions against over 64 automobile companies and related associations.

A key development in 2024 is the completion of Alibaba’s three-year compliance rectification program under SAMR’s supervision, which began in 2021 when SAMR fined Alibaba RMB 18.2 billion (~USD 2.51 billion) for Alibaba’s restrictive dealing practices.  Specifically, Alibaba was found to have restricted platform merchants to exclusively use the Alibaba platform by prohibiting merchants from opening stores or participating in promotional activities on other competing platforms.  On 30 August 2024, SAMR announced that Alibaba had completed the rectification program and recognized its compliance efforts.

Similarly, Meituan also received a hefty fine of RMB 3.4 billion (~USD 469 million) from SAMR back in 2021 for abusing its market position by implementing the “choose one from two” obligation, forcing merchants to form partnerships and distribute products exclusively with its platform.  In November 2024, Meituan announced that as part of its rectification efforts, it would invest RMB 1 billion to share profits with merchants on the platform.  The first batch of funds is expected to cover 15,000 shops to support the innovative development of catering merchants.  Interestingly, while Meituan’s rectification program should have ended in October 2024 according to the initial timeline set out in SAMR’s decision, we have yet to see any official announcement from SAMR on the completion of Meituan’s rectification program.

On 13 August 2024, the first data monopoly enforcement case by an AMR took place, where the Shanghai Municipal Administration for Market Regulation fined Ningbo Sumscope Information Technology Co Ltd (Sumscope) for monopolizing financial data products.  Sumscope, a financial information technology company, entered into an exclusive agreement with a bond broker, granting exclusive rights to use and resell the broker’s real-time bond brokerage transaction data.  Sumscope then processed and packaged this data into a product, which it sold to downstream customers.  The Shanghai AMR found that Sumscope’s refusal to provide such data to other service providers constituted a refusal to deal.  Additionally, Sumscope imposed unreasonable trading conditions by setting a minimum transaction amount of RMB 700,000 (~ USD 96,600) for its information services.  The AMR determined that Sumscope abused its market dominance and fined the company RMB 4.53 million (~ USD 0.63 million).  This enforcement highlights the authority’s focus on ensuring the efficient circulation of financial data.

IV.   Antitrust Litigation

In the antitrust litigation space, the Supreme People’s Court (the “SPC”) issued the Judicial Interpretation Concerning the Application of Law in the Trial of Monopoly Civil Dispute Cases (the “Civil Judicial Interpretation”), which took effect on 1 July 2024, replacing the previous judicial interpretation from 2012.  The Civil Judicial Interpretation introduces several key updates and clarifications to the legal framework governing antitrust litigation in China.  Some highlights include:

  • In terms of procedural rules for monopoly-related civil disputes, the Civil Judicial Interpretation has alleviated the burden of proof on plaintiffs by confirming the high probative value of antitrust administrative decisions in follow-on litigation, clarifying situations where market definition does not need to be proven, and reducing the difficulty of proving market dominance.  The judicial interpretation also implements the requirement under the AML to improve the coordination mechanism between judicial and administrative enforcement, and specifies that litigation can be “suspended” when parallel administrative enforcement is ongoing, and that the limitation period will be interrupted by administrative complaints, among other mechanisms.
  • Regarding substantive rules, the Civil Judicial Interpretation provides more comprehensive and detailed guidance for disputes involving monopoly agreements and abuse of market dominance.  For example, it clarifies the four elements of abuse of market dominance, establishes a more comprehensive framework for assessing unfair high/low prices, and adds new scenarios for identifying unreasonable terms.
  • Additionally, the judicial interpretation specifically addresses issues in the digital economy.  It offers responses to problems such as algorithmic collusion, most-favored-nation (MFN) clauses, and platform openness issues.

The Civil Judicial Interpretation crystallizes the SPC’s judicial practices and is a welcome addition to the existing guidelines, as it will provide greater legal certainty for market participants.

The SPC also published a total of nine representative anti-monopoly cases for the year of 2024.  These cases provide valuable guidance on the interpretation and application of AML in practice.  There are two cases particularly worth highlighting:

  • Patent on Desloratadine Citrate Disodium API Case: The SPC ruled that although the defendant held a dominant market position, this position was significantly weakened due to strong indirect competition constraints from the downstream market.  Furthermore, the defendant’s practice of exclusive dealing did not exceed the scope of legitimate exercise of patent rights and therefore did not constitute an abuse of market dominance.  Additionally, the SPC provided helpful guidance on identifying unfairly high prices, stating that a significant price increase relative to cost increase alone is insufficient to prove unfair pricing.  Instead, factors such as the internal rate of return after the price increase and the alignment between price and economic value must be comprehensively considered.
  • Industrial Lubricants Hub-and-Spoke Agreement Case: The SPC found that Shell (China) Limited coordinated and organized its authorized distributors to engage in practices such as bid-rigging and submitting high bids, effectively acting as an organizer of a horizontal monopoly agreement among the distributors.  In accordance with China’s Tort Liability Law, the SPC held that Shell (China) and the relevant distributors should be jointly liable for their actions as co-infringers, among other liabilities.  This case is the first hub-and-spoke agreement monopoly case adjudicated by Chinese courts.  Since the alleged monopolistic behavior occurred before 2017, which predates the enforcement date of the 2022 AML, the 2008 AML applies to this case.  Although the 2008 AML did not explicitly regulate hub-and-spoke agreements, the SPC was still able to address civil tort liability under the 2008 AML and the Tort Liability Law.  The 2022 AML formally incorporated hub-and-spoke agreements into its regulatory scope under Article 19.  This case not only highlights the application of the 2008 AML but also provides valuable guidance for interpreting and enforcing Article 19 of the 2022 AML in future cases.

In addition, the case of Li v. Didi also offers insightful perspectives on legal issues and practical interpretations of the AML.  This case involves a claim filed by an individual consumer against Didi, alleging that the company engaged in differential treatment towards the plaintiff through big data and algorithms, constituting an abuse of market dominance.  In December 2023, the Beijing Intellectual Property Court dismissed the plaintiff’s claims in the first instance judgement.  In November 2024, the SPC upheld the first instance decision and rejected the plaintiff’s appeal.  The SPC ruled that ride-hailing services do not constitute a separate relevant product market.  Instead, the relevant market in this case should at least include the broader transportation service market, which encompasses both ride-hailing services and traditional taxi services that can be booked online.  The court found that Didi does not hold a dominant position in this relevant market.  Furthermore, the differential treatment applied to different user accounts was deemed to have legitimate justification and did not constitute an abuse of market dominance.

Several cases highlighted in our 2023 Review remain ongoing, including the Lizhen v. Alibaba case, for which the SPC held an open trial in January 2025, and the JD.com v. Alibaba case, where Alibaba filed an appeal with the SPC.  We will continue to monitor the developments in these cases and the SPC’s rulings in 2025.

V.   Conclusion

Throughout 2024, the Chinese authorities have continued their efforts to provide comprehensive guidance on the compliance, enforcement and interpretation aspects of the AML.  Meanwhile, we anticipate increasing overlap between administrative enforcement and judicial activities, and the coordination between the two will be a key focus in the coming year.  Businesses are advised to closely monitor regulatory and enforcement developments, thoroughly assess anti-monopoly compliance risks in their business activities, and proactively formulate compliance strategies to address potential challenges.


The following Gibson Dunn lawyers prepared this update: Sébastien Evrard and Katie Cheung.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Antitrust and Competition practice group, or the following authors in the firm’s Hong Kong office:

Sébastien Evrard (+852 2214 3798, [email protected])

Katie Cheung (+852 2214 3793, [email protected])

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Commodity Futures Trading Commission (CFTC or “Commission”) Acting Chairman Caroline D. Pham announced a new enforcement initiative as part of her keynote address at FIA BOCA50 on March 11, 2025 (published on March 13, 2025).  The new 30-day compliance and remediation initiative or enforcement “sprint” (the “Sprint Initiative”) focuses on non-compliance matters that do not involve fraud or manipulation (such as recordkeeping, reporting or other compliance violations).  Although a careful analysis of the particular circumstances of each matter will be necessary, the Sprint Initiative provides a significant opportunity for market participants that are currently under investigation, subject to an enforcement action, or engaged in CFTC Division of Enforcement (DOE) inquiries—as well as firms without open inquiries who may provide a new self-report of a violation—to participate and potentially quickly settle such matters with the Commission.

Acting Chairman Pham set forth the parameters to the Sprint Initiative in her address, noting that firms with relevant matters or issues may approach DOE staff within the next two weeks to provide remediation updates (such as a presentation, white paper, or other submission) and “reasonable” settlement offers.  With respect to settlement offers, Acting Chairman Pham remarked that the CFTC will take a more “holistic approach” to civil monetary penalties by looking at precedent over the last 10 years, not “just the last few years” when penalties at the CFTC have been steeper than historical amounts in comparable cases.  She explained that the CFTC will seek to expeditiously resolve matters in the next 30 days to conserve the CFTC’s resources and free up DOE staff to pursue fraudsters and scammers and seek recoveries for victims, whether through disgorgement, restitution, or other measures.

Her address comes within weeks of structural changes within the DOE to refocus DOE’s priorities and resources on fraud and manipulation.  Additionally, on February 25, 2025, the DOE issued an Enforcement Advisory on Self-Reporting, Cooperation, and Remediation (the “February 25 Advisory”) which rescinded all previous guidance from DOE and set forth the parameters under which market participants can receive credit for self-reporting, cooperation, and remediation in connection with enforcement investigations.  Settlement offers in connection with the Sprint Initiative should apply the guidance set forth in the February 25 Advisory.[1]

While financial regulators have recently been closing particular matters, time is of the essence and firms should carefully consider their circumstances and whether and how to engage with DOE staff on the Sprint Initiative.  If you are interested in discussing these developments, Gibson Dunn’s lawyers are available to assist with any questions you may have.

[1] Gibson Dunn issued a client alert on March 5, 2025, detailing the contours and ramifications of the February 25 Advisory. See https://www.gibsondunn.com/cftc-issues-enforcement-advisory-regarding-impact-of-self-reporting-cooperation-and-remediation-on-potential-enforcement-actions/.


The following Gibson Dunn lawyers prepared this update: Jeffrey Steiner, Osman Nawaz, David Burns, Stephanie Brooker, Amy Feagles, and Adam Lapidus.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s White Collar Defense & Investigations or Derivatives practice groups, or any of the following:

Jeffrey L. Steiner – Washington, D.C. (+1 202.887.3632, [email protected])

Osman Nawaz – New York (+1 212.351.3940, [email protected])

David P. Burns – Washington, D.C. (+1 202.887.3786, [email protected])

Stephanie Brooker – Washington, D.C. (+1 202.887.3502, [email protected])

Amy Feagles – Washington, D.C. (+1 202.887.3699, [email protected])

Adam Lapidus – New York (+1 212.351.3869, [email protected])

On February 19, 2025, Gibson Dunn submitted a comment to the California Privacy Protection Agency regarding its proposed regulations on automated decisionmaking technology (ADMT), risk assessments, and cybersecurity audits.  Along with others, including industry groups, companies, and legislators, Gibson Dunn highlighted some of the most troubling aspects of the proposed regulations, which, as drafted, would impede innovation and impose unprecedented burdens on businesses, all without commensurate benefits to the privacy or security of Californians.  A copy of Gibson Dunn’s comment can be found here.

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), narrowly directed the California Privacy Protection Agency (CPPA) to issue regulations “governing access and opt-out rights with respect to business’ use of automated decisionmaking technology” and requiring businesses to perform cybersecurity audits and risk assessments when the “processing of consumers’ personal information presents a significant risk to consumers’ privacy or security.”  The proposed regulations, however, go far beyond this grant of authority and, if enacted as drafted, would require businesses to comply with a range of obligations that do not advance privacy or security.  Key issues with the proposed regulations include:

  • An overbroad definition of ADMT. The proposed regulations define ADMT to include “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.”  As Gibson Dunn explains in our comment letter, this broad definition would sweep in technology that merely “executes” or “substantially facilitates” human decisionmaking, which significantly exceeds the plain language definition of “automated.”  This overbroad definition could potentially subject a tremendous range of ordinary business activities to these regulations, which is why we have urged the CPPA to narrow the scope of its definition.
  • Overbroad definition of “significant decisions” as the trigger for key obligations. The trigger for many of the obligations in the proposed regulations is the use of ADMT in connection with a “significant decision.”  The draft rules define “significant decision” broadly and in a manner that is unrelated to the privacy and security considerations undergirding the CCPA.  This conflicts with the animating purpose of the CCPA to protect privacy and security, and attempts to leverage the narrow mandate to regulate those risks in the context of ADMT to instead regulate socially important activities generally.
  • Limitations on first-party advertising. The proposed regulations would also upend the rules governing first-party advertising.  In particular, the CPPA’s proposal would require businesses to give consumers opt-out rights when businesses use ADMT to profile consumers for “behavioral advertising” within the business’s own distinctly-branded websites, applications, or services, even though the CCPA specifically excluded such first-party advertising from those opt-out requirements.  Our comment urges the CPPA to strike provisions related to “behavioral advertising” from the proposed regulations.
  • A “pre-use notice” for ADMT. The proposed regulations would require businesses to provide consumers with a burdensome, “prominent and conspicuous” “pre-use notice” for ADMT detailing information about the opt out right and any exceptions; how the ADMT works (including its “logic,” “key parameters,” and “intended output”); and the role of humans in the decision.  Again, the CCPA does not actually authorize pre-use notices.  Rather, it only provides for access and opt-out rights.
  • Detailed information in pre-use notices and access requests. Not only do the proposed regulations require the dense information outlined above for pre-use notice to be described in “plain language”, but the rules also require individualized responses that detail how ADMT has been used with respect to that consumer. This requirement fails to acknowledge the challenges of translating complex models into a form understandable by ordinary consumers, and creates a substantial risk of misleading disclosures, since these models are constantly changing and vary in their application to individuals.
  • Onerous risk assessments. The CPPA has also used its statutory authority to propose regulations requiring risk assessments for data processing that poses “risks to privacy” to construct a regime that requires businesses to opine on a range of issues unrelated to privacy.  For example, the draft regulations require businesses to comment on the “completeness, representativeness, timeliness, validity, accuracy, consistency, and reliability” of their information sources and the “logic” of certain algorithms.  The CPPA has not explained how these factors relate to privacy, which is the stated purpose of the risk assessments.
  • Rigid cybersecurity audits. The cybersecurity audits required by the proposed regulations are also problematic. The draft regulations contain a detailed checklist with dozens of requirements, and do not permit businesses to use audits conducted in compliance with other accepted standards.  This approach would lead to substantial compliance costs for businesses without materially improving the safety or security of consumers.
  • Inconsistent rules on “physical or biological identification or profiling.” The proposed regulations require businesses that use “physical or biological identification or profiling” for a “significant decision” or “extensive profiling” to conduct evaluations and implement policies, procedures, and training to ensure accuracy and nondiscrimination.  The CCPA, however, does not authorize regulation of “identification,” and the proposed regulations also conflict with other statutory provisions.  For example, the CCPA permits businesses to use sensitive personal information, including biometrics, to improve the services they offer without offering an opt-out right to consumers.  The proposed regulations would create a contradictory right to opt out of the use of biometric information to improve a business’s algorithm.

Gibson Dunn’s comment letter discusses these and other issues, urging the CPPA to revise the proposed regulations to focus on the privacy and security issues that animated the CCPA and CPRA.  Gibson Dunn lawyers will closely monitor these rules as the rulemaking process proceeds, and we stand ready to advise clients through the rule making procedure and on how to comply with final rules should they come into effect.


The following Gibson Dunn lawyers prepared this client alert: Ashlie Beringer, Keith Enright, Cassandra Gaedt-Sheckter, Jane Horvath, Natalie Hausknecht, Jacob Arber, Stanton Burke, Eric Brooks, and Emma Wexler.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s Artificial Intelligence or Privacy, Cybersecurity & Data Innovation practice groups:

United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, [email protected])
Ashlie Beringer – Palo Alto (+1 650.849.5327, [email protected])
Ryan T. Bergsieker – Denver (+1 303.298.5774, [email protected])
Keith Enright – Palo Alto (+1 650.849.5386, [email protected])
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, [email protected])
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, [email protected])
Lauren R. Goldman – New York (+1 212.351.2375, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Natalie J. Hausknecht – Denver (+1 303.298.5783, [email protected])
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, [email protected])
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, [email protected])
Kristin A. Linsley – San Francisco (+1 415.393.8395, [email protected])
Timothy W. Loose – Los Angeles (+1 213.229.7746, [email protected])
Vivek Mohan – Palo Alto (+1 650.849.5345, [email protected])
Rosemarie T. Ring – San Francisco (+1 415.393.8247, [email protected])
Ashley Rogers – Dallas (+1 214.698.3316, [email protected])
Sophie C. Rohnke – Dallas (+1 214.698.3344, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, [email protected])
Frances A. Waldmann – Los Angeles (+1 213.229.7914, [email protected])
Debra Wong Yang – Los Angeles (+1 213.229.7472, [email protected])

Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, [email protected])
Patrick Doris – London (+44 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Joel Harrison – London (+44 20 7071 4289, [email protected])
Lore Leitner – London (+44 20 7071 4987, [email protected])
Vera Lukic – Paris (+33 1 56 43 13 00, [email protected])
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, [email protected])
Christian Riis-Madsen – Brussels (+32 2 554 72 05, [email protected])
Robert Spano – London/Paris (+44 20 7071 4000, [email protected])

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

The Gibson Dunn Data Centers and Digital Infrastructure Practice Group is closely monitoring legislative, regulatory, and political developments regarding the growth of data centers.  We are prepared to assist clients regarding all aspects of data center development.  Please contact one of the Gibson Dunn attorneys listed below or the attorney with whom you usually work if you have any questions.

With the growing use of generative AI and quantum computing technology, clients are increasingly interested in the opportunities and challenges presented by the accelerating demand for data centers and the electricity that powers them.  While the federal government considers setting ground rules for power plants looking to co-locate with data centers as an end-run around long waits for transmission grid upgrades, state governments too are grappling with the growing demand for data centers—sometimes by providing tax incentives for their developments, but at other times by imposing regulations that typically apply only to public utilities. This client alert provides a snapshot of recent developments in key states for data center development on topics ranging from real estate to tax to energy to foreign investment.  We first discuss what are seen as the most dominant states for data center development in 2025—longtime hegemon Virginia and emerging leaders Arizona, Georgia, Illinois and Texas—and round out our discussion with other states that are in the data center mix in their own way, including longtime players (California, Oregon, Washington), rising markets (Indiana, Kentucky, Mississippi, Nevada, Ohio, Pennsylvania), and smaller markets that are proving to be regulatory trendsetters (Minnesota, Utah).

State legislatures, governors, and utility regulators have squarely trained their focus on ensuring long-term sustainable pathways to data center development in their states.  As discussed in more detail below, most jurisdictions that have found success in attracting more data centers are focusing now on continuing to incentivize data centers while formalizing their processes for adding these large loads to their electricity grids, and on ensuring that other customer classes, such as residential customers, do not bear undue costs of these load service expansions.  Although state lawmakers and regulators appear to be mostly bullish on data centers, many states have nonetheless begun adopting more rigorous requirements for data centers sourcing power supply, largely in response to concerns that further load increases may mean rate increases for other customer classes or shortages in energy supply.  And once data centers are up and running, local taxing authorities are knocking on the door and demanding big tax checks employing clever and novel approaches.

As discussed in more detail below, recent state actions on data centers have included:

  1. The adoption of data center-specific utility tariffs, rate schedules, and procedures aimed at increasing financial requirements for data center developments to ensure grid infrastructure improvements being installed for data centers will be utilized and paid for by the data centers themselves, including specific provisions outlining requirements for load being co-located with behind-the-meter generation;
  2. Continued availability of tax incentives for data center development, notwithstanding pressure in some states to revisit these incentives, but also tax increases for data centers in some jurisdictions;
  3. Increasing opportunities for data centers to source power supply from competitive suppliers, especially in Utah;
  4. State and utility moves toward building new gas-fired generation to support data center load growth;
  5. Proposed legislation in Arizona to allow siting small modular nuclear reactors at data center sites without obtaining a public utility commission certificate of environmental compatibility;
  6. But also, in the case of Minnesota, regulatory action to treat large backup generators like other types of generation, notwithstanding their lack of grid connection, accompanied swiftly by proposed legislation by data center supporters to ensure that backup generation is not subject to increased regulatory burdens;
  7. Enhanced (for some) or streamlined (for others) zoning and siting requirements for data centers; and
  8. In Illinois and Indiana, proposed legislation to restrict foreign investment in data centers when the foreign investor hails from a country unfriendly to the United States, echoing similar actions and proposals at the federal level.

Dominant Jurisdictions:  Virginia, Arizona, Georgia, Illinois, and Texas

Virginia

Data Center Regulatory Outlook:  Addition of generation is encouraging but some counties are seeking revenue opportunities or zoning limitations, which could negatively impact some projects

  • Virginia historically supports data center expansion and Governor Youngkin continues to endorse their growth. In his January 2025 State of the Commonwealth speech, Youngkin highlighted the need for Virginia’s energy supply to grow as data centers, which contribute $9.1 billion to Virginia’s GDP, enter the state.  He stated that “Richmond should not stop [Virginia communities] from capitalizing on these incredible economic opportunities.”
  • That said, the Virginia General Assembly and some local governments are working to limit or impose conditions on new data centers. Currently pending approval by the governor is H.B. 1601 (Del. Joshua E. Thomas-D), which would require site assessments before new data centers are approved.  A handful of other bills to regulate data centers failed this legislative session, which adjourned in late February 2025.
  • In early March 2025, Dominion Energy, the largest electricity utility in the state, filed for a certificate of public convenience and necessity with the Virginia State Corporation Commission to construct the Chesterfield Energy Reliability Center, a 944 MW natural gas-fired power plant to be located in Chesterfield County adjacent to another operational power plant, the Chesterfield Power Station. The Chesterfield Energy Reliability Center has long been part of the discussion of the state’s strategy to accommodate load growth from data centers.
  • Loudoun County is considering changes to the county’s comprehensive plan and zoning ordinance which would increase the regulatory hurdles applicable to data centers in the county. The comprehensive plan amendment would make data centers a “conditional use” in locations where they are now a core or complementary use, and a zoning ordinance amendment would make data centers a “Special Exception” use in areas where they are currently permitted by right.  If approved, these changes would require data centers to go through a public hearing process and meet certain conditions to be constructed.  A February board vote moved the issue forward, and a second vote is expected in March 2025.
  • The city of Manassas is considering a 67% tax increase for “computer equipment and peripherals used in a data center.” The city will approve its final budget following a public hearing on April 28, 2025.
  • Henrico County is considering a 550% increase in tax on data center computers and related equipment. County supervisors are expected to review the budget during March 2025.
  • Fairfax County enacted a requirement in September 2024 that data centers be built at least 200 feet from abutting property and undergo a noise study.

Arizona

Data Center Regulatory Outlook:  Pending legislation could mean significant opportunities for development of small modular nuclear reactors; zoning modifications could negatively impact some projects

  • Arizona has extended its data center tax breaks to data centers certified before December 31, 2033 for the “use, installation, assembly, repair or maintenance” of data center equipment, not just the sale of such equipment.
  • H.B. 2774 (Rep. Michael Carbone-R), which has been passed by the Arizona House and currently sits before the Senate, would reduce state regulation of data centers, allowing them to place a small modular nuclear reactor (SMR) at a data center without a certificate of environmental compatibility. Additionally, in counties with a population of 500,000 or less, a new SMR co-located with a large energy user would be exempted from the certificate of environmental compatibility process and county zoning restrictions.
  • During a December 2024 meeting in which Arizona’s largest utility obtained permission to build new transmission lines for a data center, an ACC commissioner asked the utility to confirm that the costs of the transmission line “would be borne by the data center,” which the utility confirmed.
  • In October 2024, the ACC endorsed the Integrated Resource Plans of three large utilities: Arizona Public Service, Tucson Electric Power, and UniSource Energy. To meet the growing energy demand posed by data centers in the state, these utilities plan to add thousands of megawatts of new capacity from solar, wind, battery storage, and natural gas sources.
  • In December 2024, the Phoenix City Council approved a series of data center regulations, including regulations on external design specifications and location, approving zoning changes that seek to locate future data centers away from employment centers. The regulations were motivated by concerns over land and power demand, and job creation.
  • In January 2023, the City of Chandler adopted a zoning code amendment that specifically addressed data centers, classifying them as a “primary use only permitted in planning area development . . . zoning designations,” and requiring a sound study, noise mitigation measures, and a detailed communications protocol to notify impacted residents about the construction process.

Georgia

Data Center Regulatory Outlook:  Greater formalization of major utility interconnection procedures means additional process but also predictability

  • Georgia has a tax exemption for certain data center equipment, and although the Georgia legislature attempted to suspend new exemptions from July 2024 through June 2026 with H.B. 1192, the Governor vetoed that bill in May 2024.
  • In January 2025, Georgia state senator Chuck Hufstetler (R) proposed S.B. 34, which would require costs of data center-related utility infrastructure to be recovered in a way that is “designed to recover such costs solely from commercial data centers or are prorated based on electric demand.” Provisions like this respond to concerns that data center-related utility costs could be allocated to other types of customers.
  • In January 2025, the Georgia Public Service Commission unanimously approved new rules that allow Georgia Power Company, the largest utility in Georgia, to require additional terms and conditions of service for new customers with more than 100 MW of load, including data centers.  The new rules specifically allow the utility to impose minimum billing requirements and longer contract terms for these large load customers.  According to Georgia Power’s filing, these new rules are meant “to protect Georgia Power’s customers and ensure that the cost to serve new large load customers are appropriately born[e] by those customers.”
  • Georgia Power Company has also been enhancing and formalizing its ten-step interconnection process for large loads, such as data centers, including by requiring that data center developers provide affidavits attesting to their level of site control and who will be the end user of their facilities, as well as increased vetting requirements for financial guarantors.

Illinois

Data Center Regulatory Outlook:  Notable incentives for large projects indicate a state welcoming of data centers

  • Since Illinois’s 2019 enactment of exemptions from certain sales, use, and occupation taxes, and an additional 2021 exemption from certain construction employment taxes, data centers have grown rapidly in the state.  In addition to those tax incentives, proximity to a major population center and fiberoptic networks, aggressive redevelopment plans for retired corporate campuses in greater Chicagoland, and access to flexible power purchase options through Illinois’s retail electric competition program have made Illinois an attractive alternative to the established Northern Virginia data center hub.
  • In December 2024, Governor Pritzker, alongside key industry stakeholders, announced a collaboration to establish the new National Quantum Algorithm Center in the Illinois Quantum and Microelectronics Park in Chicago.  “Quantum computers have the potential to solve the complex problems and grand challenges that companies and society face,” said Governor Pritzker, noting that deployment of this advanced “quantum system in Illinois will help spur additional commercialization opportunities for entrepreneurs—making the State an even more desirable destination for leading global technology companies spurring job creation and private investment.”
  • In January, state senator Sue Rezin (R) introduced S.B. 0094, which would establish that no foreign company may construct or cause to be constructed a data center in the state unless the Illinois Commerce Commission, the Illinois Power Agency, and the Department of Commerce and Economic Opportunity conduct a joint study of the energy consumption of the prospective data center and certify to the governor and the General Assembly that the energy used by the new data center is a new self-generated load and does not affect the load supply of PJM Interconnection or the Midcontinent Independent System Operator.   The bill defines a “foreign company” as an entity that (i) is at least 51% owned by a foreign adversary or (ii) is headquartered in a country with a government that is a foreign adversary.

Texas

Data Center Regulatory Outlook:  Proposed legislation could lead to greater formalization of interconnection procedures for large generator co-location; passage could mean additional process but also predictability

  • In addition to Texas’s state sales tax exemption on certain equipment for qualifying data centers, individual counties also provide property tax abatements to data center developers.
  • S.B. 6 (Sens. Phil King-R & Charles Schwertner-R), introduced in February 2025, would prepare the grid for increased power demand and address certain challenges posed by large loads by requiring (i) the Public Utility Commission of Texas (PUCT) to implement a new transmission charge to be paid by all retail customers served by generation located behind-the-meter (e.g., data centers that have entered into co-location arrangements to avoid transmission costs) to ensure that all users of the Electric Reliability Council of Texas (ERCOT) transmission system contribute to transmission cost recovery; (ii) PUCT to establish standards for interconnecting large (i.e., over 75 MW, as may be lowered by PUCT as necessary) load customers at ERCOT transmission voltage; (iii) co-located power generation companies, municipally-owned utilities and electric cooperatives to notify, and seek approval of, PUCT and ERCOT before implementing a new net metering arrangement between an existing registered generation resource and an unaffiliated retail customer if such customer’s demand exceeds 10% of the generation facility’s nameplate capacity and the facility owner has not proposed to construct an equal amount of replacement capacity in the same area; (iv) large loads to install equipment that would allow the load to be disconnected remotely during firm load shed; and (v) ERCOT to develop a reliability service to competitively procure demand reductions from large loads in advance of a projected energy emergency alert event.

Rising Markets:  Indiana, Kentucky, Mississippi, Nevada, Ohio, Pennsylvania

Indiana

Data Center Regulatory Outlook:  Greater formalization of some utility interconnection procedures means additional process but also predictability; proposed legislation could provide incentives for small modular nuclear reactors

  • Since 2019, Indiana has offered tax incentives for data centers, providing property, sales, and use tax exemptions for a term of up to 50 years.
  • The Indiana General Assembly is currently considering two proposed bills that would affect data centers. H.B. 1007 (Rep. Edmond Soliday-R) would provide additional tax credits for small modular nuclear reactors in Indiana that could be combined with the tax incentives for data centers.  The bill passed the Indiana House of Representatives in February 2025 and is now before the Senate.
  • S.B. 431 (Sen. Eric Koch-R) would ban construction of data centers in Indiana by or for foreign companies without a study showing that the data center would use self-generated electricity and would not affect the load supply of Indiana’s regional transmission organizations. Like a similar bill in Illinois, the bill defines a “foreign company” as an entity that (i) is at least 51% owned by a foreign adversary or (ii) is headquartered in a country with a government that is a foreign adversary. The bill passed the Indiana Senate in February 2025 and is now before the House.
  • In February 2025, the Indiana Utility Regulatory Commission issued an order approving a settlement between Indiana Michigan Power Company, the Indiana Office of Utility Consumer Counselor, and other intervenors including data center developers, that governs how large loads, including data centers, connect to the grid in Indiana.  The settlement agreement approved in the order imposes minimum contract terms on these large load customers as well as exit fees if a large-load customer reduces its capacity more than 20% or terminates its contract, but did not address cost allocation.

Kentucky

Data Center Regulatory Outlook:  Planned additions of generation and new incentives indicate a state welcoming of data centers

  • Data center investment and siting is expected to boom in Kentucky as the state offers generous tax incentives, water access, and aligned stakeholders (state government, local utilities, and public service commission) in a friendly business environment.
  • In April 2024, Kentucky lawmakers passed H.B. 8, which created a fifty-year sales and use tax exemption for “qualified data center projects.” Qualified data center projects are defined as entities that provide qualified data center infrastructure, are located within a consolidated local government with a population greater than 500,000, and, in the case of owners, operators, or colocation tenants, invest at least $450 million within five years.
  • In February 2025, in expectation of significant load growth through 2032 and 1,750 MW of “high load factor, energy intensive data centers,” the Kentucky Utilities Company and Louisville Gas and Electric Company applied to the Kentucky Public Service Commission for permission to construct two 645 MW natural gas plants, one 400-MW/1,600-MWh battery storage project, and one selective catalytic reduction facility for an existing coal plant. The Kentucky Public Service Commission is expected to rule on the request by November.

Mississippi

Data Center Regulatory Outlook:  New incentives and a supportive utility regulator indicate a state welcoming of data centers

  • Data center investment in Mississippi has rapidly increased since Mississippi’s legislature enacted tax incentives.  As discussed in more detail below, the legislature is now considering exempting data centers from certain sales and use taxes.  The state is well-situated for growth as it offers a robust network of fiber connectivity and is situated at the crossroads of two major fiber cables stretching across the southeast United States from Atlanta to Dallas and into the Midwest from New Orleans to Chicago.
  • In February 2025, the Mississippi Senate unanimously passed S.B. 3168, a bill aimed at attracting data center investment through tax incentives. The proposed bill is now pending in the Mississippi House of Representatives.  The bill would allow eligible “business enterprises” to apply for exemption from certain sales and use taxes related to the purchase, lease, or expansion of data centers.  “Business enterprises” are defined as certain for-profit businesses that are the owner, operator, tenant or affiliate of a data center with a minimum capital investment of (i) $250 million in the case of newly constructed data centers that will create thirty five full time jobs with a minimum average annual salary of 125% the average annual state wage or (ii) $100 million in the case of an addition or expansion of a data center that meets the same criteria.  The bill also provides for two automatic ten-year extensions of the tax exemptions for such business enterprises.
  • In January 2025, a data center developer announced a $10 billion data center investment in Lauderdale County, Mississippi. In February 2025, the Mississippi Public Service Commission approved a special contract between that developer and Mississippi Power Company (MPC), a local utility company that serves approximately 192,000 customers, with MPC agreeing to provide electric service.  In its order approving the special contract, the Mississippi Public Service Commission found the special contract to be in the best interest of the MPC and its customers.
  • In January 2024, both houses of the Mississippi legislature nearly unanimously passed tax incentives in S.B. 2001 as well as two bills appropriating money, in anticipation of significant data center development. Thereafter,  Governor Tate Reeves announced the single largest capital investment in Mississippi history to build two data centers in Madison County.

Nevada

Data Center Regulatory Outlook:  Proposed new incentives and a supportive utility regulator indicate a state welcoming of data centers

  • In March 2025, the Public Utilities Commission of Nevada approved a stipulation agreement that would allow a developer to power its data center in Nevada with only clean energy under a new clean transition tariff with its interconnecting utility, NV Energy. This new model could offer data centers greater choice over the source of their power in Nevada.
  • Nevada allows for a partial abatement of certain taxes for new or expanded data centers in Nevada, but these abatements are subject to eligibility requirements, including requirements to invest a certain amount of capital investment in the data center and employ a certain number of Nevada citizens at the data center depending on the length of the requested abatement period.
  • Introduced by Assemblymember Erica Mosca (D) in February 2025, A.B. 226 would require all businesses seeking tax abatements, including data centers, to develop and implement a community benefits plan, would allow the Nevada Office of Economic Development to investigate whether a business is following its community benefits plan, and would require a business to repay any abatements with interest if the business is found not to have substantially complied with the terms of its community benefits plan.
  • Pending S.B. 69 would require companies with tax abatements for certain projects with capital investments of $1 billion or more to enter into agreements with the city’s or county’s governing body and fire protection district to defray the cost of local governmental services and infrastructure that will service the project.

Ohio

Data Center Regulatory Outlook:  Legislative changes support data centers while outcome of important regulatory proceeding is unknown  

  • Ohio offers a tax exemption for the sale, storage, use, or other consumption of equipment for data centers. In January 2025, some legislators expressed support for eliminating the sales tax exemption, but that proposal has not yet materialized as a bill in either house of the legislature.
  • In January 2025, Ohio lawmakers proposed H.B. 15 (Rep. Roy Klopfenstein-R) and S.B. 2 (Sen. Bill Reineke-R). Both bills propose changes to Ohio’s energy regulatory regime that are meant to support data center growth while protecting other ratepayers.  Among other things, both proposals would repeal legislation that currently allows electric utilities to increase certain components of electricity rates without specific Public Utilities Commission of Ohio (PUCO) review under programs known as electric security plans, a move expected to help moderate rate changes applicable to large loads like data centers.  In addition, S.B. 2 proposes to codify the right of electric utilities to provide behind-the-meter generation service (i.e., co-location with load) subject to proposed safeguards to ensure that behind-the-meter service costs are not allocated to customers not receiving that service.
  • In 2024, AEP Ohio, Ohio’s largest electric utility, proposed a special data center tariff that would, among other things, set increased customer requirements for data center and cryptocurrency loads, such as minimum contract terms, exit fees, and minimum demand charges. In late October 2024, AEP Ohio filed a settlement proposal at the PUCO; hyperscalers and generators filed a competing proposal in the same docket. Key differences between the proposals include the size of load that will be subject to the new tariff and the minimum rates a data center could be required to pay under the new tariff.  This proceeding is ongoing.

Pennsylvania

Data Center Regulatory Outlook:  Incentives and permitting reform initiative indicate a state welcoming of data centers

  • In 2021, Pennsylvania created the Computer Data Center Equipment Exemption Program, which exempts computer data center equipment from sales and use tax when sold to, used, or consumed in a data center.
  • In January 2025, Pennsylvania Governor Josh Shapiro announced his “Lightning Plan” focused on meeting energy and infrastructure needs within the state.  The plan includes a proposal to establish a Pennsylvania Reliable Energy Siting and Electric Transition Board (RESET Board) to streamline permitting and support for new energy projects and offer tax breaks for projects providing electricity to the grid.  The announcement emphasized that Pennsylvania is one of only 12 states without a state entity that administers major energy project siting decisions.  Creation of the RESET Board would require legislation, which Shapiro’s office in mid-March announced would soon be introduced for consideration in both houses.

Longtime Leaders:  California, Oregon, Washington

California

Data Center Regulatory Outlook:  Greater formalization of utility interconnection procedures and tariffs means additional process but also predictability; pending legislation would increase incentives but also add reporting and regulatory requirements, which could increase costs to data centers

  • S.B. 57 (Sen. Steve Padilla-D), currently before the California Senate, proposes the “Ratepayer and Technological Innovation Protection Act,” which would require (i) the California Public Utilities Commission (CPUC) to establish a special electrical corporation tariff for transmission and distribution services to data centers to, among other things, (a) provide protections for residential, agricultural, and small business ratepayers and prevent cost shifting to those ratepayers, (b) meet certain sustainability requirements, and (c) ensure that electrical grid investments to serve data centers are fully recovered from the data centers through the use of a services contract to repay an electrical corporation’s investment costs to serve the data center; and (ii) 100% of electricity delivered to data centers is provided by zero-carbon resources by 2030.
  • S.B. 58 (Sen. Steve Padilla-D), currently before the California Senate, would provide a partial exemption from certain taxes on data center equipment with respect to data centers that meet certain sustainability requirements, including, but not limited to, creating at least 20 qualifying jobs and investing at least $200 million, using a skilled and trained workforce for constructing the data center facility, utilizing at least 70% carbon-free energy for the first year of the data center’s operations and a specified percentage of carbon-free energy determined for each subsequent year thereafter, sourcing at least 50% of their energy supply from behind-the-meter sources, avoiding diesel fuel, using water-efficient cooling systems, and employing an onsite battery storage.
  • A.B. 222 (Assemblymember Rebecca Bauer-Kahan-D), currently before the California State Assembly, would introduce reporting and disclosure requirements with respect to energy use by data center operators that provide computing resources to AI developers.  It would authorize CPUC to require data center operators to annually report energy consumption and performance data and to adopt energy efficiency performance standards for data centers.
  • Pacific Gas & Electric (PG&E), the largest utility company in California and in the U.S.,  has proposed Electric Rule 30, which aims to create a streamlined approach for interconnecting new transmission-level electric retail customers, including data centers, into PG&E’s existing transmission system.  Electric Rule 30 includes provisions that would address design and construction specifications, ownership of facilities, the location of facilities, land rights, contracts required to receive electric retail service, the installation of facilities to provide service to new transmission-level customers, and customer’s responsibilities for PG&E facilities.

Oregon

Data Center Regulatory Outlook:  Legislation and utility rules setting data center-specific requirements mean additional process but also predictability; if legislation passes, it could increase costs to data centers

  • Oregon lawmakers introduced the POWER Act, H.B. 3546 (Rep. Pam Marsh-D) on February 11, 2025, to regulate data centers.  The bill aims to protect consumers from rising energy costs and reduce greenhouse gas emissions.  Among other things, the bill would place data centers and cryptocurrency miners into a new class of utility customers.  It also would authorize energy regulators to make rules to ensure that homes and small businesses in the state will not shoulder the energy costs of data centers.
  • H.B. 3546 only applies to data centers served by investor-owned utilities, like Portland General Electric and PacifiCorp.  Electric cooperatives that serve data centers in eastern Oregon already have similar authority.  The bill would require large energy users to sign a 10-year contract to pay for a minimum amount of energy used and the cost of new transmission.  Some legislators, like Representative Virgle Osborne (R), voiced concerns with the bill, while Bob Jenks, executive director of the Citizens’ Utility Board, testified at a recent legislative hearing in support of the bill.
  • In December 2024, the Oregon Public Utility Commission ruled in favor of a PacifiCorp proposal that would penalize large-load customers, such as data centers, whose energy use at new facilities is not in line with forecasted needs.  The new rules, which PacifiCorp argues will incentivize more accurate load forecasts and help avoid unnecessary or premature spending, will take effect in February 2025.

Washington

Data Center Regulatory Outlook:  New workgroup shows attention to data centers; outcome of workgroup not yet known

  • Washington law provides an exemption from taxes imposed on certain retail sales to qualifying businesses and to qualifying tenants of certain equipment in eligible data centers.
  • In February 2025, Washington Governor Bob Ferguson issued E.O. 25-05 directing the Washington Department of Revenue to establish a data center workgroup aimed at evaluating the impacts of data centers on Washington’s tax revenue, economy, environment, and energy use. The workgroup is tasked with balancing “industry growth, tax revenue needs, energy constraints, and sustainability” and must submit its findings and policy recommendations to the governor by December 1, 2025.

Regulatory Trendsetters:  Minnesota and Utah

Minnesota

Data Center Regulatory Outlook:  Agency decision adds to regulatory burden for data centers, but pending legislation could reverse the agency; other pending legislation, if passed, would provide helpful new incentives but also new zoning requirements that could negatively impact some data center developments

  • Minnesota’s Public Utilities Commission voted in February not to exempt a data center development from permitting rules for generators at a proposed data center facility. Under Minnesota law, a “large energy facility,” that is, a generating plant or combination of plants at a single site with a combined capacity of 50 MW or more, must obtain a certificate of need from the Public Utilities Commission.  Although the data center developer stated that its diesel generators would be a backup power source and not connected to the grid, the Public Utilities Commission ruled that the project must obtain a certificate of need.
  • The Minnesota Senate, during the 2025 legislative session, will consider F. 1393 (Sen. Andrew Mathews-R), a bill clarifying that large data centers would not require a certificate of need for emergency backup generators not connected to the grid. When a data center in Maryland faced a comparable certificate requirement in 2023, the Maryland government passed a similar law in May 2024 to provide an exemption for backup generators that do not connect to the grid.
  • H.F. 1277 (Rep. Greg Davids-R), before the Minnesota House this legislative session, would allow large-scale data centers to be eligible for a tax exemption for purchases of equipment, software, and electricity.
  • S.F. 608 (Sen. Bill Lieske-R), before the Minnesota Senate this legislative session, would restrict the placement of data centers in municipal zoning districts.

Utah

Data Center Regulatory Outlook:  Innovative program will allow new options for data centers to secure competitive access to power purchases, which could mean cost savings

  • Although Utah has a vertically-regulated electricity regime—meaning that the electric utility is generally the only seller from which a customer can buy power—Utah recently adopted an innovative statute that would allow large energy users, like data centers, to purchase electricity directly from large-scale power generators when the utility and large load customer fail to agree to terms of service within 90 days of the utility completing its evaluation of the service request. In early March 2025, the Utah Senate passed S.B. 132 (Sen. Scott D. Sandall-R), which “establishes alternative processes for providing electric service to customers with large electrical loads.”
  • In addition to allowing the state’s large power generators to individually contract with new, large-load customers, the law contains provisions meant to ensure that the incremental costs associated with the large load energy requirements are paid by the large-load customer, rather than being offloaded to existing customers.

The Gibson Dunn Data Centers and Digital Infrastructure Practice Group is closely monitoring legislative, regulatory, and political developments regarding the growth of data centers.  We are prepared to assist clients regarding all aspects of data center development.  Please contact one of the Gibson Dunn attorneys listed below or the attorney with whom you usually work if you have any questions.


The following Gibson Dunn lawyers prepared this update: Eric Feuerstein, Joseph Warin, Tory Lauterbach, Matt Donnelly, Emily Naughton, Sara Ghalandari, Amanda H. Neely, Jess Rollinson, Simon Moskovitz, Vlad Zinovyev, Teddy C. Okechukwu, Sally Gamboa, Laura Marcus, and Jason Zhang*.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. For additional information about how we may assist you, please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Artificial Intelligence, Data Centers & Digital Infrastructure, Energy Regulation & Litigation, Land Use & Development, Mergers & Acquisitions, National Security, Power & Renewables, Public Policy, Real Estate, Tax, Tax Controversy & Litigation, or White Collar Defense & Investigations practice groups, or the following authors:

William R. Hollaway, Ph.D. – Chair, Energy Regulation & Litigation Practice Group,
Washington, D.C. (+1 202.955.8592, [email protected])

Tory Lauterbach – Partner, Energy Regulation & Litigation Practice Group,
Washington, D.C. (+1 202.955.8519, [email protected])

Vivek Mohan – Co-Chair, Artificial Intelligence Practice Group,
Palo Alto (+1 650.849.5345, [email protected])

Sara Ghalandari – Partner, Land Use & Development Practice Group,
San Francisco (+1 415.393.8250, [email protected])

Evan M. D’Amico – Partner, Mergers & Acquisitions Practice Group,
Washington, D.C. (+1 202.887.3613, [email protected])

Stephenie Gosnell Handler – Partner, National Security Practice Group,
Washington, D.C. (+1 202.955.8510, [email protected])

Peter Hanlon – Co-Chair, Power & Renewables Practice Group,
New York (+1 212.351.2425, [email protected])

Nick Politan – Co-Chair, Power & Renewables Practice Group,
New York (+1 212.351.2616, [email protected])

Michael D. Bopp – Co-Chair, Public Policy Practice Group,
Washington, D.C. (+1 202.955.8256, [email protected])

Amanda H. Neely – Of Counsel, Public Policy Practice Group,
Washington, D.C. (+1 202.777.9566, [email protected])

Eric M. Feuerstein – Co-Chair, Real Estate Practice Group,
New York (+1 212.351.2323, [email protected])

Emily Naughton – Partner, Real Estate Practice Group,
Washington, D.C. (+1 202.955.8509, [email protected])

Matt Donnelly – Partner, Tax Practice Group,
Washington, D.C. (+1 202.887.3567, [email protected])

Sanford W. Stark – Co-Chair, Tax Controversy & Litigation Practice Group,
Washington, D.C. (+1 202.887.3567, [email protected])

F. Joseph Warin – Co-Chair, White Collar Defense & Investigations Practice Group,
Washington, D.C. (+1 202.887.3609, [email protected])

*Jason Zhang, a recent law graduate in the New York office, is not yet admitted to practice law.

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Kelley v. Homminga, No. 25-9013 & Devon Energy Production Co. v. Oliver, No. 25-9014 – Decided March 14, 2025

The Texas Supreme Court unanimously held that the Fifteenth Court of Appeals’ jurisdiction is limited to cases within its exclusive appellate jurisdiction and those transferred to it under the Texas Supreme Court’s power to equalize dockets.

“We conclude S.B. 1045 is susceptible of only one reasonable construction: the Legislature did not intend the Fifteenth Court to hear every civil appeal within its statewide jurisdiction.”

Background:

In 2023, the Texas Legislature passed S.B. 1045, creating the Fifteenth Court of Appeals, a new intermediate appellate court with exclusive, statewide appellate jurisdiction over appeals involving the State and appeals from Texas’s recently created business court.  Shortly after the Fifteenth Court began hearing cases in September 2024, a question about the scope of its jurisdiction arose:  Does it have general, statewide appellate jurisdiction in addition to its exclusive intermediate appellate jurisdiction?

Two cases presented the issue:  Kelley v. Homminga and Devon Energy Production Co. v. Oliver.  In both cases, the defendants appealed directly to the Fifteenth Court, even though neither appeal was within the Fifteenth Court’s exclusive jurisdiction.  Both sets of defendants argued that the Fifteenth Court could hear their appeals because it had general appellate jurisdiction.  Each set of plaintiffs moved to transfer the appeal to the regional court of appeals that would ordinarily hear the case—in Kelley, the First or Fourteenth Court, and in Devon, the Thirteenth Court.

The Fifteenth Court denied both transfer motions over dissents by Chief Justice Brister.  The majority held that because the Government Code grants the Fifteenth Court general appellate jurisdiction over civil cases statewide, the Fifteenth Court could hear the cases.  But in Chief Justice Brister’s view, this would increase the number of appeals in the Fifteenth Court and divert judicial resources to cases outside the court’s exclusive jurisdiction.  He further expressed concern that construing the court’s jurisdiction so broadly would incentivize forum-shopping and lead to gamesmanship.  The First Court agreed with the Fifteenth Court majority, while the Thirteenth and Fourteenth Courts disagreed.  In accordance with Texas Rule of Appellate Procedure 27a, the Fifteenth Court promptly notified the Texas Supreme Court of the courts’ disagreement so that it could resolve the dispute.

Issue:

Does the Fifteenth Court of Appeals’ jurisdiction extend beyond (1) the cases over which it has exclusive intermediate appellate jurisdiction and (2) cases transferred to it by the Supreme Court for docket equalization purposes?

Court’s Holding:

No.  S.B. 1045’s text and structure indicate that the Fifteenth Court’s jurisdiction is limited to cases that are (1) within its exclusive jurisdiction or (2) transferred to it by the Supreme Court for docket equalization purposes.

What It Means:

  • In a unanimous per curiam opinion, the Supreme Court held that the Fifteenth Court’s jurisdiction extends only to those cases involving the State or from the business court.
  • The Supreme Court’s decision ensures that the Fifteenth Court will remain focused on quickly and efficiently resolving the categories of cases the Legislature placed within its exclusive jurisdiction.  Indeed, instead of being “[b]urdened with thousands of civil cases of every stripe,” today’s decision ensures that the Fifteenth Court will be able “to give special attention to those cases the Legislature has defined as critical to the State’s interests.”  Op. at 10.
  • The prompt decisions by the Fifteenth Court, regional courts of appeals, and Supreme Court underscore their commitment to providing timely and predictable answers to disputes that arise as the Fifteenth Court of Appeals proceeds with its work.
  • Any appeals filed in the Fifteenth Court that fall outside its exclusive jurisdiction are subject to transfer.

The Court’s order and opinion for Kelley v. Homminga, No. 25-9013, are available here.

The Court’s order and opinion for Devon Energy Production Co. v. Oliver, No. 25-9014, are available here.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Texas Supreme Court. Please feel free to contact the following practice group leaders:

Appellate and Constitutional Law Practice

Thomas H. Dupree Jr.
+1 202.955.8547
[email protected]
Allyson N. Ho
+1 214.698.3233
[email protected]
Julian W. Poon
+1 213.229.7758
[email protected]
Brad G. Hubbard
+1 214.698.3326
[email protected]

Related Practice: Texas General Litigation

Trey Cox
+1 214.698.3256
[email protected]
Collin Cox
+1 346.718.6604
[email protected]
Gregg Costa
+1 346.718.6649
[email protected]
John Adams
+1 214.698.3335
[email protected]
David Woodcock
+1 214.698.3211
[email protected]

This alert was prepared by Texas of counsel Ben Wilson and Kathryn Cherry and associates Elizabeth Kiernan, Stephen Hammer, and Jaime Barrios.

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

From the Derivatives Practice Group: This week, Acting Chairman Caroline D. Pham announced a 30-day compliance and remediation initiative for investigations and matters that do not involve customer harm or abuse.

New Developments

  • CFTC Staff Withdraws Advisory on Swap Execution Facility Registration Requirement. On March 13, the CFTC Division of Market Oversight (“DMO”) announced it is withdrawing CFTC Letter No. 21-19, Staff Advisory Swap Execution Facility (“SEF”) Registration Requirement, effective immediately. As stated in the withdrawal letter, DMO determined to withdraw the advisory since it has created uncertainty regarding whether certain entities are required to register as SEFs. [NEW]
  • Acting Chairman Caroline D. Pham Delivers Keynote Address at FIA BOCA50. On March 11, Acting Chairman Caroline D. Pham announced a new 30-day compliance and remediation initiative, or “enforcement sprint.” This initiative involves review of the CFTC’s currently open investigations and enforcement matters regarding compliance violations, such as recordkeeping, reporting, or other compliance violations without customer harm or market abuse. The CFTC will seek to expeditiously resolve these matters in the next 30 days to conserve the CFTC’s resources and free up Division of Enforcement staff to pursue fraudsters and scammers and seek recoveries for victims, whether through disgorgement, restitution, or other measures. [NEW]
  • SEC Crypto Task Force to Host Roundtable on Security Status. On March 3, the SEC announced that its Crypto Task Force will host a series of roundtables to discuss key areas of interest in the regulation of crypto assets. The “Spring Sprint Toward Crypto Clarity” series will begin on March 21 with its inaugural roundtable, “How We Got Here and How We Get Out – Defining Security Status.” The SEC indicated that the initial roundtable on March 21 is open to the public, will be held from 1 p.m. to 5 p.m. at the SEC’s headquarters at 100 F Street, N.E., Washington, D.C., and that the primary discussion will be streamed live on SEC.gov, with a recording to be posted at a later date. The SEC also noted that information regarding the agenda and roundtable speakers will be posted on the Crypto Task Force webpage.
  • CFTC Commissioner Christy Goldsmith Romero to Step Down from the Commission and Retire from Federal Service. On February 26, Commissioner Christy Goldsmith Romero announced she is stepping down from the Commission and will retire from federal service. Commissioner Romero extended gratitude to President Biden for her nomination, the U.S. Senate for its unanimous confirmation, and her current and former staff and the CFTC for their public service.
  • CFTC Releases Enforcement Advisory on Self-Reporting, Cooperation, and Remediation. On February 25, the CFTC’s Division of Enforcement issued an Advisory on how the Division will evaluate a company’s or individual’s self-reporting, cooperation, and remediation when recommending enforcement actions to the Commission, and that establishes the factors the Division will consider. This marks the first time the Division will use a matrix to determine the appropriate mitigation credit to apply. Commissioner Kristin N. Johnson released a statement that “any effort to adopt new reporting processes, particularly processes that require inter-division guidelines and infrastructure, must be consistent with the mandates of [the CFTC]” and, consequently, that she does not support the Advisory. Additional information regarding the Advisory can be found in our client alert.

New Developments Outside the U.S.

  • The ESAs Acknowledge the European Commission’s Amendments to the Technical Standard on Subcontracting Under the Digital Operational Resilience Act. On March 7, the European Supervisory Authorities (EBA, EIOPA and ESMA – the “ESAs”) issued an opinion on the European Commission’s (“EC”) rejection of the draft Regulatory Technical Standard (“RTS”) on subcontracting. The EC indicated that it rejected the original draft RTS on subcontracting, which specified further elements that financial entities must determine and assess when subcontracting ICT services that support critical or important functions under the Digital Operational Resilience Act (“DORA”), on the grounds that certain elements exceeded the powers given to the ESAs by DORA. The opinion acknowledges the assessment performed by the EC and opines that the amendments proposed ensure that the draft RTS is in line with the mandate set out under DORA. The ESAs said that, for this reason, they do not recommend further amendments to the RTS in addition to the ones proposed by the EC. The ESAs encouraged the EC to finalize, without further delay, the adoption of the RTS as submitted to the ESAs.
  • EC Publishes Sustainability Omnibus Package. On February 26, the EC published the sustainability omnibus package and accompanying Q&A, alongside the Clean Industrial Deal communication and investment simplification package. ISDA said that the proposals are intended to simplify sustainability reporting and due diligence, as well as reduce administrative burdens on companies. The EC has also launched a consultation until March 26 on draft amendments to the Taxonomy Disclosures delegated act, including, inter alia, the suspension of the Trading Book Key Performance Indicator to 2027. The EC also proposed to delay the Corporate Sustainability Due Diligence Directive (“CSDDD”) transposition deadline and application date by one year to July 26, 2027 and 2028 respectively. Other CSDDD proposals include the removal of the EC review clause to evaluate whether additional due diligence requirements should be imposed on the provision of financial services and investment activities by July 26, 2026, the removal of the EU-wide harmonized civil liability regime and the deletion of the requirement to terminate business relationships. The EC’s proposed changes to the Carbon Border Adjustment Mechanism (“CBAM”) regulation include an exemption for small importers of CBAM goods and a postponement of the obligation for importers to purchase CBAM certificates to February 1, 2027. The Clean Industrial Deal further notes that the EC is working on a CBAM review report that will assess the functioning of the mechanism and potential scope extension to other emissions trading system sectors which will be presented in the autumn, followed by a legislative proposal in early 2026. The proposed amendments to the Corporate Sustainability Reporting Directive, CSDDD and CBAM will now be considered for adoption by the European Parliament and the Council.

New Industry-Led Developments

  • ISDA Expands SwapsInfo to Include European CDS Trading Activity. On March 13, ISDA announced that it has expanded its SwapsInfo derivatives database and website to include European credit default swaps (“CDS”) trading activity, creating a more comprehensive picture of derivatives trading in the EU, UK and US. The new data includes EU and UK index and single-name CDS traded notional and trade count, based on transactions publicly reported by 18 European approved publication arrangements and trading venues. [NEW]
  • ISDA Submits Paper to ESMA on OTC Derivatives Identifier for MIFIR Transparency. On March 11, ISDA submitted a paper to ESMA setting out its view on how the delegated act specifying the identifying reference data to be used for over-the-counter (“OTC”) derivatives transparency under the Markets in Financial Instruments Regulation (“MIFIR”) should be implemented. The delegated act leaves room for interpretation by ESMA on which unique identifier should be used, creating a risk that the International Securities Identification Number may be retained in some form. The ISDA paper makes the case for the use of the unique product identifier (“UPI”), maintaining its position that this will create more effective transparency and a more attractive consolidated tape, as well as reducing cost and complexity, and aligning with the increasing international consensus on using the UPI as the basis for OTC derivatives identification. [NEW]
  • ISDA Responds to FSB Consultation on Leverage In NBFI. On February 28, ISDA responded to the Financial Stability Board’s (FSB) consultation on leverage in the non-bank financial intermediation (NBFI) sector. ISDA made the following points: overly prescriptive regulatory recommendations for all NBFI-sector firms across all geographies and market sectors could be inappropriate; the ways in which the use of leverage in the NBFI sector would create financial stability risks deserve further examination; ISDA believes the FSB should undertake a deeper analysis of the impact of the proposed measures on the cost of hedging, market liquidity and liquidity needs in times of stress; and the FSB should account for how the use of derivatives and secured financing, which the FSB characterizes as leverage-inducing activities, support key functions performed by financial markets, including: financing, hedging, price discovery, and market stabilization through countercyclical behaviors.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])

Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])

Darius Mehraban, New York (212.351.2428, [email protected])

Jason J. Cabral, New York (212.351.6267, [email protected])

Adam Lapidus, New York (212.351.3869, [email protected])

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

William R. Hallatt, Hong Kong (+852 2214 3836, [email protected])

David P. Burns, Washington, D.C. (202.887.3786, [email protected])

Marc Aaron Takagaki, New York (212.351.4028, [email protected])

Hayden K. McGovern, Dallas (214.698.3142, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])


This Review addresses (1) the regulation of privacy and data security, other legislative developments, enforcement actions by federal and state authorities, and new regulatory guidance; (2) trends in civil litigation around data privacy and security in areas including data breach, wiretapping, biometrics, anti-hacking and computer intrusion statutes, and TCPA; and (3) trends related to data innovations and governmental data collection. Information on developments outside the United States—which are relevant to domestic and international companies alike—will be covered in Gibson Dunn’s forthcoming International Cybersecurity and Data Privacy Review and Outlook, and additional developments relevant to AI will be covered in the Artificial Intelligence Review and Outlook.

I. INTRODUCTION

II. REGULATION OF PRIVACY AND DATA SECURITY

A. Regulation of Privacy and Data Security

1. State Legislation and Related Regulations

a. New Comprehensive State Privacy Laws Passed in 2024
b. Comprehensive State Privacy Laws Becoming Effective in 2025

c. State Privacy Frameworks and Trends

i. Enforcement and Rulemaking Authority
ii. Scope of Automated Decisionmaking Regulations
iii. Consumer Rights

2. Other State Privacy Laws

a. Florida’s Online Protection for Minors Act
b. Protecting Georgia’s Children on Social Media Act of 2024
c. Maryland’s Kids Code
d. New York’s SAFE for Kids Act
e. Illinois’ Amended Biometric Information Privacy Act
f. Colorado’s Privacy of Biometric Identifiers and Data Bill
g. New York’s Amended Labor Law
h. California’s Protecting Our Kids from Social Media Addiction Act
i. Colorado and California’s Amendments to the “Sensitive Data” Definition

3. Federal Legislation

a. Comprehensive Federal Privacy Legislation
b. Other Introduced Legislation

B. Enforcement and Guidance

1. Federal Trade Commission

a. FTC Organization Updates
b. Algorithmic Bias and Artificial Intelligence
c. Commercial Surveillance and Data Security
d. Notable FTC Enforcement Actions
e. Financial Privacy
f. Children’s and Teens’ Privacy
g. Biometric Information

2. Consumer Financial Protection Bureau

a. A Dramatic Shift Under the Trump Administration
b. Impact of the Trump Administration’s Actions on the Pre-Trump CFPB’s Ambitious Agenda
c. Other Regulators and Private Litigation: Filling a Potential Enforcement Gap

3. Securities and Exchange Commission

a. Regulation
b. Enforcement
c. SEC Enforcement Outlook for 2025

4. Department of Health and Human Services and HIPAA

a. Rulemaking on HIPAA Compliance and Data Breaches
b. Telehealth and Data Security Guidance
c. Reproductive and Sexual Health Data
d. HHS Enforcement Actions

5. Other Federal Agencies

a. Department of Homeland Security
b. Department of Justice
c. Department of Commerce
d. Department of Energy
e. Department of Defense
f. Federal Communications Commission

6. State Agencies

a. California

i. California Privacy Protection Agency
ii. California Attorney General

b. Other State Agencies

III. CIVIL LITIGATION REGARDING PRIVACY AND DATA SECURITY

A. Data Breach Litigation
B. Wiretapping and Related Litigation Concerning Online “Tracking” Technologies
C. Anti-Hacking and Computer Intrusion Statutes

1. CFAA
2. CDAFA

D. Telephone Consumer Protection Act Litigation
E. State Law Litigation

1. California Consumer Privacy Act Litigation

a. Limited Reach of the CCPA’s Private Right of Action
b. Other CCPA Defenses

2. State Biometric Information Litigation

a. Illinois Biometric Information Privacy Act (BIPA)

i. Application of BIPA to Cloud Services Companies
ii. In-State Processing of Non-Illinois Residents’ Data
iii. Biometric Data Must Be “Capable of Identifying” the Plaintiff
iv. BIPA Damages Amendment
v. Defendant’s Lack of Control of the Data at Issue
vi. Pleading Requirement for AI Model-Training Theory
vii. Other Noteworthy Developments

b. Texas Biometric Privacy Law Litigation
c. New York Biometric Privacy Law Litigation

F. Other Noteworthy Litigation

IV. CONCLUSION

I. INTRODUCTION

Congress’s continued failure to pass a comprehensive privacy law left the states—as well as federal agencies—to keep leading the charge in defining and regulating cybersecurity and privacy in the United States. The states embraced this charge in 2024—seven states enacted new comprehensive privacy laws, and four states’ comprehensive privacy laws took effect. With 11 new comprehensive privacy laws slated to take effect in 2025 and 2026, 20 states and approximately half of the U.S. population will be covered by a state comprehensive privacy law by 2026. While the newly enacted laws generally follow a similar framework and share common core requirements, important variations are starting to emerge, which threaten to further complicate the already heavy compliance burden for companies operating across state lines. At the same time, there was a growing emphasis on children’s online privacy and biometric data in 2024, and a number of states amended their existing comprehensive privacy law to reflect this focus. State regulators similarly pursued an aggressive enforcement agenda in 2024, with a notable focus on children’s data/social media, biometric data, and data brokers.

There was also significant legislative, rulemaking, and enforcement activity at the federal level in 2024. Notably, the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA), which prohibits data brokers from transferring Americans’ sensitive personal data to certain foreign countries, was enacted and went into effect in 2024. In addition, numerous federal agencies—including the FTC, SEC, CFPB, DOJ, and HHS—promulgated privacy and data protection regulations and guidance on a range of issues, including children’s online privacy, biometric data, health data, location data, data brokers/national security, and cybersecurity incident disclosure, among other issues. Many federal agencies also brought enforcement actions against companies for alleged privacy, data security, and related violations.

While we expect some of these trends to continue in 2025 and beyond, particularly at the state level, the Trump administration’s early policy changes—defined by deregulation of the technology industry, removal of what some consider historical barriers to innovation, and a reversal of Biden-era policies related to content moderation, AI and digital assets, among other things—signal a significant shift at the federal level that will inevitably shape state policy and enforcement priorities.

Litigation likewise remained active in 2024, with a continued uptick in claims by private litigants and government entities related to data breaches, federal and state wiretapping laws, and state biometrics laws. Litigation is expected to continue in these areas in 2025.

This Review contextualizes these and other 2024 developments by addressing: (1) the regulation of privacy and data security, other legislative developments, enforcement actions by federal and state authorities, and new regulatory guidance; (2) trends in civil litigation around data privacy and security in areas including data breach, wiretapping, biometrics, anti-hacking and computer intrusion statutes, and TCPA; and (3) trends related to data innovations and governmental data collection. Information on developments outside the United States—which are relevant to domestic and international companies alike—will be covered in detail by Gibson Dunn’s forthcoming International Cybersecurity and Data Privacy Outlook.

II. REGULATION OF PRIVACY AND DATA SECURITY

The state comprehensive data privacy law expansion trend continued in 2024, with seven states enacting new laws: Minnesota, Nebraska, New Hampshire, New Jersey, Maryland, Kentucky, and Rhode Island. Comprehensive data privacy laws took effect in four states in 2024: Florida, Texas, Oregon, and Montana. In 2025, another eight states—Delaware, Iowa, Minnesota, Nebraska, New Hampshire, New Jersey, Tennessee, and Maryland—will see their laws go into effect, and laws will take effect in three more states—Indiana, Kentucky, and Rhode Island—in early 2026. At that point, the total number of effective comprehensive state privacy laws will be 20, just seven years after California enacted the trail-blazing California Consumer Privacy Act. In addition, at the time of this report, the Connecticut, Iowa, and Tennessee legislatures are in various stages of amending their current laws, another 16 states are actively considering data privacy legislation with drafting and negotiations in various phases, and states have continued to enact narrower sector-specific laws covering minors, biometric information, and health information. We discuss these laws below and highlight different states’ approaches to consumer rights.

Some state governments have also demonstrated a commitment to enforcing their data privacy laws, and announced several significant enforcement actions in 2024. With the continued absence of comprehensive federal privacy legislation, we suspect that states will continue to actively enforce their respective privacy laws. We discuss state-level enforcement below in our State Agencies section.

A. Regulation of Privacy and Data Security

1. State Legislation and Related Regulations

a. New Comprehensive State Privacy Laws Passed in 2024

Since California enacted the first comprehensive state privacy law in 2018, 19 other states have followed suit with their own comprehensive privacy legislation. The pace of legislation has accelerated in recent years—while only five states enacted privacy laws between 2018 and 2022, eight enacted laws in 2023, and seven more in 2024. Currently, 16 other states are also considering privacy legislation: Alabama, Arkansas, Georgia, Hawaii, Illinois, Massachusetts, Mississippi, New Mexico, New York, Ohio, Oklahoma, Pennsylvania, South Carolina, Vermont, Washington, and West Virginia.

The seven state privacy laws enacted in 2024—Minnesota, Nebraska, New Hampshire, New Jersey, Maryland, Kentucky, and Rhode Island—generally share the same basic requirements, providing consumers with rights to access, correct and delete their personal data, and opt out of targeted advertising, profiling, and the sale of personal data. Although these core elements remain consistent, certain states have introduced unique provisions. We discuss the state laws passed in 2024 that will go into effect in 2025 in more detail below. For analysis of comprehensive privacy laws that took effect in 2024 (including Florida, Texas, Oregon, and Montana), please refer to last year’s review.

b. Comprehensive State Privacy Laws Becoming Effective in 2025

A few months into 2025, comprehensive state privacy laws for five states—Delaware, Iowa, Nebraska, New Hampshire, and New Jersey—have already gone into effect with three more—Tennessee, Maryland and Minnesota—coming online later this year. While these laws are largely coextensive with existing comprehensive privacy laws, they also contain distinguishing features, which we summarize below. Nebraska’s and New Hampshire’s laws are substantially similar to existing state privacy laws, so we do not summarize those.

Delaware

The Delaware Personal Data Privacy Act for the most part aligns with other states’ laws, but notably does not provide entity-level exemptions for institutions of higher education or most nonprofit organizations, unless the nonprofit provides services to victims or witnesses of child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.[1]

Delaware—along with Minnesota (discussed below) and Oregon—also requires that, as part of a consumer access request, data controllers disclose to the consumer the list of specific third parties, rather than just the categories of third parties, to which a business has disclosed that consumer’s personal data.

Iowa

The Iowa Consumer Data Protection Act differs from other comprehensive state privacy laws by omitting several widely adopted consumer rights.[2] Iowa does not mandate data protection assessments for processing activities involving “heightened risk of harm to consumers,” which sets it apart from every other state except for Utah, which also does not have this requirement.[3] Consumers also lack the right to opt out of processing for targeted advertising and profiling. They do, however, have the right to opt out of the sale of personal data. Iowa also diverges from most states in the manner it requires consent to collect and process sensitive data.[4] The common practice is for controllers to obtain opt-in consent, but Iowa requires pre-use notice with an opportunity for consumers to opt out prior to having their data collected. This approach is distinctly controller-friendly, setting the default presumption that controllers can collect sensitive consumer data unless the consumer takes action to opt out.

Maryland

Maryland’s Online Data Privacy Act, which will take effect in October 2025, has some of the strictest requirements in the country.[5] It is the only state to prohibit the sale of sensitive personal information entirely. With respect to minors, Maryland prohibits the sale of their personal information and the processing of their personal information for targeted advertising.[6] Maryland defines a minor as anyone under the age of 18, as compared to under 16 in California’s and Virginia’s comprehensive data privacy laws (among others). And, unlike other states, Maryland extends this obligation to any business that “knew or should have known” the consumer’s age. Other states, like Texas and Connecticut, require actual knowledge or willful disregard of the consumer’s age.[7]

Minnesota

Most states give consumers the right to opt out of automated processing that furthers a significant decision (such as an employment decision), but, with its Consumer Data Privacy Act, Minnesota is the first state to offer consumers the right to question these decisions.[8] Minnesota’s right to question includes the ability to: (1) know the reason behind the decision, (2) know what actions the consumer might have taken to secure a different decision in the future, (3) review the personal data used, and (4) correct inaccurate personal data and have the decision reevaluated. As businesses become more reliant on automated programs to assist in decisionmaking, this “right to question” will be a unique area of compliance that companies operating in Minnesota will have to be ready for.

New Jersey

With the New Jersey Data Privacy Law, which we also covered in last year’s update, New Jersey joins California and Colorado in the small group of states that grants rulemaking authority to a state agency.[9] New Jersey’s privacy law authorizes its director of the Division of Consumer Affairs to promulgate implementing regulations under Senate Bill 332, allowing the state agency to create rules to better carry out the law’s intended purpose. The state agency has not yet proposed any regulations under this authorization.

Tennessee

The Tennessee Information Protection Act, while largely similar to other comprehensive state privacy laws, is unique in that it recognizes an affirmative defense to a violation.[10] If a data controller either maintains and complies with a written policy that aligns with the National Institute of Standards and Technology privacy framework or has documented policies designed to safeguard consumer privacy, it may avail itself of this defense.[11]

c. State Privacy Frameworks and Trends

The recent wave of state privacy legislation shows that most states are converging on core obligations, but meaningful divides on specific issues are also emerging. This section examines some of the most important distinctions between state privacy laws and their implications for compliance.

i. Enforcement and Rulemaking Authority

All state privacy laws, except California, grant enforcement authority solely to the state attorney general, prohibiting private citizens from filing lawsuits. To date, public actions have only been filed in California and Texas, although other state Attorneys General continue to serve non-public violation notices, requests for information, or civil investigative demands, and this is expected to increase as more state laws go into effect.

Only three states—California, Colorado, and New Jersey—have empowered state agencies to issue regulations related to their respective privacy laws.[12] While California and Colorado have already issued regulations, New Jersey only recently empowered its Division of Consumer Affairs within the Department of Law and Public Safety to do so. Unlike California and Colorado, New Jersey did not set a deadline for passing regulations, making it uncertain whether and when the state will exercise its rulemaking authority.

ii. Scope of Automated Decisionmaking Regulations

All states with privacy laws (except Utah and Iowa) allow consumers to opt out of certain forms of automated decisionmaking. States typically define automated decisionmaking as the processing of personal information to analyze or predict personal aspects such as health or behavior in furtherance of a significant decision.[13] Some states restrict this right to “solely” automated decisionmaking, while others provide the right to opt out of automated decisionmaking more broadly. The statutory scope of these opt out rights will become increasingly important as businesses roll out new automated processing tools.

Opt-out right for “solely” automated decisionmaking[14]: Connecticut, Delaware, Florida, Indiana, Maryland, Montana, Nebraska, New Hampshire, Rhode Island, Tennessee, Texas

Opt-out right for automated decisionmaking[15]: California*[17], Colorado, Kentucky, Minnesota, New Jersey, Oregon, Virginia

No opt-out right[16]: Iowa, Utah

Definition of “Sale”

Every state with privacy laws imposes obligations on businesses that “sell” personal information. Some states define the “sale” of data as an exchange for “monetary or other valuable consideration,” while others define sale as an exchange for “monetary consideration” only.

These differences can have major impacts, particularly for businesses that participate in marketing cooperatives or other similar organizations that provide services in exchange for data, rather than payment.

Monetary or other valuable consideration[18]: California, Colorado, Connecticut, Delaware, Florida, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Texas

Monetary consideration only[19]: Indiana, Iowa, Kentucky, Tennessee, Utah, Virginia

Children

Since the Children’s Online Privacy Protection Act (COPPA) was enacted in 1998, state privacy law has generally considered children’s data to be sensitive data subject to the COPPA Rule’s requirement that businesses must obtain parental consent before collecting personal information from children under 13 years old.[20]

However, in recent years, many state laws have expanded their youth privacy protections to include heightened opt-in consent requirements for teenagers under the age of 16, requiring businesses to get affirmative consent for targeted advertising or the sale of data. New Jersey and Minnesota extend the opt-in requirement to those under 17, and Delaware extends it to age 18.

Maryland goes further than any other state by prohibiting targeted advertising and the sale of data entirely if a business “knew or should have known” that the individual is under 18.

Opt-in consent for sale of data or targeted advertising[21], or for sale of data, targeted advertising, and profiling[22] (for children under 16 years old unless otherwise noted): California, Connecticut, Delaware (<18), Minnesota (<17), Montana, New Hampshire, New Jersey (<17), Oregon

No targeted advertising or sale of data[23]: Maryland (<18)

No age-specific provisions[24]: Colorado, Florida, Indiana, Iowa, Kentucky, Nebraska, Rhode Island, Tennessee, Texas, Utah, Virginia

iii. Consumer Rights

Although most states offer consumers the right to opt out of targeted advertising and the right to access and delete their data, many states provide additional consumer protections.

Most states require businesses to honor universal opt-out mechanisms, such as the Global Privacy Control. Universal opt-out mechanisms allow consumers to opt out of personal data sales and targeted advertising automatically, rather than adjusting their preferences on a site-by-site basis.

By the end of January 2026, 11 states will require controllers to recognize universal opt-out mechanisms. California, Colorado, Delaware, Montana, Nebraska, and Texas currently have an active requirement. New Jersey, Minnesota, and Maryland will require controllers to recognize universal opt-out mechanisms in the second half of 2025, followed by Connecticut and Oregon in January 2026.

Most laws require businesses to disclose the “categories” of third parties that receive consumer information (for example, advertisers or payment processors). Delaware, Minnesota, and Oregon, however, require businesses to disclose a list of specific third parties in response to an access request. In Rhode Island, no request is necessary—a business is required to post the list of specific third parties in a conspicuous location on its website.

Delaware and New Jersey are notable for being the only two states that require businesses to actually delete information after receiving a consumer request to delete.[25] Most states allow data to be kept if it is de-identified or removed from non-exempt use cases.[26]

Universal opt-out mechanism[27]
States with requirement: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas
States without requirement: Florida, Indiana, Iowa, Kentucky, Rhode Island, Tennessee, Utah, Virginia

Response to right to access must include a list of “specific third parties” that have received the consumer’s personal data[28]
States with requirement: Delaware, Minnesota, Oregon, Rhode Island (must be posted publicly)
States without requirement: California, Colorado, Connecticut, Florida, Indiana, Iowa, Kentucky, Maryland, Montana, Nebraska, New Hampshire, New Jersey, Tennessee, Texas, Utah, Virginia

Actual deletion required on request (not just de-identification or removal from non-exempt use cases)[29]
States with requirement: Delaware, New Jersey
States without requirement: California, Colorado, Connecticut, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia

2. Other State Privacy Laws

In addition to the comprehensive state privacy laws discussed above, states have continued to legislate in specific sectors, particularly in relation to minors’ data, biometric information, and employee social media data.

a. Florida’s Online Protection for Minors Act

On March 25, 2024, Florida Governor Ron DeSantis signed legislation to ban social media platforms from allowing children aged 13 and under to create social media accounts. The law requires social media platforms to delete existing accounts for children under the age of 14, and allows minors who are 14 and 15 to have social media accounts only upon parental consent.[30] The law is effective as of January 1, 2025.[31]

The law also imposes a range of other restrictions. Websites that publish “material harmful to minors”—which generally refers to “obscene” materials, like pornography—must verify the age of the person attempting to access the material.[32] Social media platforms must also verify the age of users, using “commercially reasonable method[s]” and conduct such age verification through an independent third party.[33] These third parties may not retain or use personal identifying information for other purposes than age verification, and must anonymize and protect personal identifying information from unauthorized access.[34]

The law has been challenged by three internet-industry groups, which cite First Amendment concerns. According to these plaintiffs, the law is unconstitutional as it restricts minors’ access to speech and forces businesses to collect sensitive data.[35] The law is currently paused from enforcement until a preliminary injunction motion for one of the ongoing cases is resolved.[36]

b. Protecting Georgia’s Children on Social Media Act of 2024

On April 23, 2024, Georgia Governor Brian Kemp also signed legislation imposing new restrictions on minors’ internet usage. Under the Protecting Georgia’s Children on Social Media Act of 2024, social media companies are required to prevent minors, defined as those under 16 years old,[37] from using their services without the “express consent” of a parent or guardian.[38] Social media companies are also required to use commercially reasonable efforts to verify the age of account holders.[39] The law goes into effect on July 1 of this year.[40]

In addition to the age verification requirements, social media companies must make available, upon a parent or guardian’s request, a list and description of features offered on their platforms that parents and guardians can utilize to censor or moderate content.[41]

Regarding minors’ personal data, social media platforms are prohibited from displaying any advertising to a minor based on their personal information, except age and location, and may not collect personal information from a minor’s posts, content, messages, text, or usage activities other than what is “adequate, relevant, and reasonably necessary for the purposes for which such information is collected.”[42]

c. Maryland’s Kids Code

On May 9, 2024, Maryland Governor Wes Moore signed legislation requiring data protection impact assessments for the processing of children’s data and default privacy settings for children. The law is effective as of October 1, 2024. The law defines “child” as any consumer under the age of 18.[43] It requires companies that operate online products that are “reasonably likely to be accessed by children” to provide, upon request of the Division of Consumer Protection of the Office of the Attorney General, a data protection impact assessment that identifies the purpose of an online product, how it uses children’s data, and whether it is designed in a manner consistent with the best interests of children.[44] “Best interests of children” refers to the reasonable foreseeability of material physical, financial, psychological, or emotional harm to children; a highly offensive intrusion on children’s reasonable expectation of privacy; or discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation.[45] The law also requires that these companies put in place default privacy settings that offer children a “high level of privacy,” restricting companies’ ability to profile minors or process unnecessary data.[46]

On February 3, 2025, an internet-industry trade association filed a complaint against the Maryland Attorney General, alleging that the Maryland Kids Code violated the First Amendment and the 14th Amendment. The plaintiff remarked that the law “presents websites with an impossible choice: either proactively censor broad categories of constitutionally protected speech or force users to submit sensitive personal information.” The plaintiff also takes issue with the law’s data protection impact assessment, alleging a First Amendment violation for “compel[ling] speech in the form of a data impact statement.” It additionally argues that the “reasonably likely to be accessed by children” and “best interests of children” standards are vague.[47] A ruling is expected in the coming weeks.

d. New York’s SAFE for Kids Act

On June 20, 2024, New York Governor Kathy Hochul signed the Stop Addictive Feeds Exploitation (SAFE) For Kids Act, the first set of restrictions in the nation on purportedly addictive social media feeds for minors. “Minor” under the law means individuals under the age of 18.[48] The law mandates that, unless parental consent is granted, minors may not receive “addictive feeds,” which are defined as websites, online services, or applications in which multiple pieces of media are recommended, selected, or prioritized for display to a user based on information associated with them or their device, unless specifically requested by the user (i.e., through a manual search).[49] The law also creates restrictions on platforms that offer “addictive feeds” as a significant part of their services, prohibiting these platforms from sending notifications to minors about the “addictive feed” between twelve and six a.m. Eastern Time, unless they receive parental consent.[50] This law will go into effect 180 days after New York Attorney General Letitia James finalizes regulations necessary for implementation.

e. Illinois’ Amended Biometric Information Privacy Act

On August 2, 2024, Illinois Governor J.B. Pritzker signed into law amendments to the Illinois Biometric Information Privacy Act (BIPA). These amendments were effective immediately.[51] Principal among these amendments was the provision that collecting the same biometric data from an individual using the same method is considered a single BIPA violation, and disclosing the same biometric data from the same person to the same recipient using the same method constitutes another single violation.[52] The amendments were enacted in response to the Illinois Supreme Court’s holding in Cothron v. White Castle that separate claims accrue under BIPA each time a private entity collects, and each time a private entity discloses, a person’s biometric data without that person’s consent.[53] Cothron’s holding would have allowed damages to accrue exponentially, and the recent amendments aim to mitigate that possibility. Since the amendments were signed into law, several courts have differed on whether the amendments should apply retroactively.

f. Colorado’s Privacy of Biometric Identifiers and Data Bill

On May 31, 2024, Colorado Governor Jared Polis approved a bill expanding consumers’ privacy rights and controllers’ and processors’ privacy obligations to biometric identifiers and biometric data.[54] Specifically, the bill requires controllers to make available to the public, with limited exceptions, a written policy specifying for biometric data and biometric identifiers: i) a data retention schedule, ii) a protocol for responding to data security incidents, including notifying consumers (processors must have a protocol for notifying controllers),[55] and iii) guidelines for required deletion.[56] Biometric identifiers or biometric data must be deleted at the earliest of i) when the initial purpose for collection has been satisfied, ii) 24 months after the consumer last interacted with the controller, or iii) the earliest feasible date, which must be no more than 45 days (or up to 45 additional days) after storage is no longer necessary as determined by an at least once-yearly audit.[57]

Under the bill, employers must receive employees’ consent, which employers must not require as a condition of employment, to collect and process biometric data or biometric identifiers unless collection and processing is reasonably expected for a job or background check or is to: i) grant access to locations or systems, ii) record the employees’ full work day hours, iii) improve workplace or employee safety or security, or iv) improve public safety or security in a crisis.[58]

The bill also includes consumer rights and protections that are generally common requirements in state privacy laws, such as notice, consent, and access rights. Specifically, the bill prohibits a controller from collecting biometric identifiers or biometric data unless the controller first discloses the collection, the specific purpose for collection, the length of retention, and, if the biometric identifier is being shared, the specific purpose for sharing.[59] The controller also must not share the biometric identifier unless the consumer consents to such sharing or requests the sharing to complete a financial transaction, the sharing is to a processor and is necessary for the purpose of collection, or the sharing is otherwise required by law.[60] The bill grants consumers the right to access their biometric data collected by a controller, including the categories of biometric data collected or shared, its sources, the purposes for its collection or sharing, and the identities of third parties with which the controller discloses the biometric data.[61] A controller is prohibited from purchasing a biometric identifier unless the purchase is unrelated to the service provided to the consumer, the controller pays the consumer and the consumer provides consent, and the controller cannot refuse to provide, or charge a different rate for, a service because a consumer did not consent to the collection or processing of its biometric identifier, unless such collection is necessary to provide the service.[62]

The bill, which amends the Colorado Privacy Act (CPA), takes effect July 1, 2025.[63]

g. New York’s Amended Labor Law

On September 14, 2023, New York Governor Kathy Hochul signed legislation amending the New York State Labor Law to restrict employers from accessing their employees’ and job applicants’ “Personal Accounts.”[64] This law is currently in effect.[65] Personal Account under the law covers several popular social media applications, defined as “an account or profile on an electronic medium where users may create, share, and view user-generated content . . . exclusively for personal purposes.”[66] The law applies to all employers operating in the state of New York, excluding law enforcement agencies, fire departments, and departments of corrections and community supervision.[67]

The law prohibits employers from requesting, requiring, or coercing their employees or job applicants to provide a password, username, or other information to access a Personal Account, to access their Personal Accounts in their employer’s presence, or to reproduce information from their Personal Accounts.[68] Employers are prohibited from retaliating against any employee or job applicant that refuses to provide such information.[69]

The law still enables employers to retrieve employee or job applicant information for the purpose of investigating or reporting alleged misconduct, provided the information is in the public domain or voluntarily shared.[70] The law also enables employers to require employees to disclose access information to a Personal Account on the employer’s internal information systems,[71] or to an account used for business purposes.[72]

h. California’s Protecting Our Kids from Social Media Addiction Act

On September 20, 2024, California enacted its Protecting Our Kids from Social Media Addiction Act. The law prohibits operators of “addictive” internet-based services or applications from providing “addictive feeds” to minors, unless the operator does not have actual knowledge that the user is a minor or obtains verifiable parental consent to provide such feeds to the minor user.[73] The law also prohibits these operators from sending notifications to minor users between certain hours.[74] Operators are also required to annually disclose the number of minor users of their service or application.[75]

This law was blocked from enforcement earlier this year, with the trial court concluding that the law was likely an unconstitutional restriction on protected speech. As of January 28, 2025, the Ninth Circuit has granted a permanent injunction against the law’s enforcement, pending the defendants’ appeal.[76]

i. Colorado and California’s Amendments to the “Sensitive Data” Definition

On April 17, 2024, Colorado Governor Jared Polis signed a bill to expand the definition of “sensitive data” under the CPA to include “biological data” and “neural data,” which went into effect on August 7, 2024. Similarly, on September 28, 2024, California passed a bill to amend the definition of “sensitive personal information” in the California Consumer Privacy Act to include “neural data,” which went into effect immediately.

Both laws define “neural data” to include information generated by measuring the activity of a consumer’s central or peripheral nervous system.[77] Colorado requires that “neural data” “be processed by or with the assistance of a device,”[78] whereas California provides that “neural data” “is not inferred from nonneural information.”[79] Both laws would apply to novel neurotechnology devices and more commonplace items like electroencephalograms (EEGs).[80] Colorado has gone one step further by including “biological data” in its definition of “sensitive information,” which it defines as “data generated by the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual’s body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data, for identification purposes.”[81]

3. Federal Legislation

a. Comprehensive Federal Privacy Legislation

Calls for comprehensive federal privacy legislation remain loud and unanswered, despite bipartisan congressional efforts to introduce new legislation.

The comprehensive American Privacy Rights Act (APRA) was introduced on April 7, 2024, by a bipartisan and bicameral group of lawmakers, and attempts to create a unified data privacy standard addressing the collection and processing of personal data as well as data breaches.[82] As proposed, APRA would grant consumers the right to access, correct, delete, and export collected data and to know who their data is transferred to and the purpose for transfer.[83] The Congressional Research Service notes that APRA would also preempt state privacy laws, subject to certain exceptions.

Since its introduction, APRA has seen little movement, due to strong opposition from a variety of stakeholders and prioritization of other legislation. State regulators, such as the California Privacy Protection Agency, oppose APRA as it would preempt state laws in the same area. Certain interest groups opposed the removal of provisions relating to civil rights protections and algorithmic accountability. A last-minute cancellation of the House Committee on Energy and Commerce’s scheduled markup of the APRA on June 27, 2024, was the last official action taken on the bill.

While momentum for APRA has slowed, former FTC Chair Jon Leibowitz stated “[t]here’s 85% agreement between Democrats and Republicans about what should be in it, so I expect real movement on privacy legislation, even if what goes through lacks a private right of action, for example.” However, given the many other competing objectives of the new Trump Administration in the early days of the Administration, it is unlikely that a bill will be passed in the coming months.

b. Other Introduced Legislation

Congress passed only one privacy-related law in 2024, which focused on national security issues, although a number of consumer and individual privacy-related laws were introduced. In April 2024, President Biden signed H.R. 815 into law, which included the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA).[84] PADFAA represents an effort to regulate the transfer of personal data from the U.S. due to national security concerns. The law, which went into effect on June 23, 2024, prohibits data brokers from selling, transferring, or disclosing personally identifiable sensitive data of a U.S. individual to any foreign adversary country (China, Russia, Iran, and North Korea) or any entity controlled by a foreign adversary country.[85] PADFAA defines “personally identifiable sensitive data” broadly as “any sensitive data that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.”[86]

Other proposed privacy legislation covered a range of topics—including workplace privacy, health privacy, financial privacy, privacy for children online, facial recognition, and AI—several of which attracted significant bipartisan support, but lawmakers remained divided over the same two issues that sank more comprehensive federal privacy legislation: (1) whether federal privacy laws should preempt state laws (a position attracting more Republican support); and (2) whether they should include a private right of action (which more Democrats favor).

Of the proposed privacy-focused legislation in 2024, much of the focus was on digital privacy and safety, especially for children on social media. Congress held widely publicized hearings on the topic, questioning social media executives on their failure to protect children online. In July 2024, the U.S. Senate overwhelmingly passed a pair of measures seeking to put more responsibility on social media platforms to ensure child safety online: The Kids Online Safety Act, which establishes a duty of care for online platforms and requires them to activate the most protective settings for kids by default, and the Children and Teens’ Online Privacy Protection Act (COPPA 2.0), which amends COPPA. COPPA 2.0 extends existing COPPA protections by banning online companies from collecting personal information from teenage users over the age of 12 and under 17, and broadening the entities and services covered. It also makes it unlawful to collect and use personal information from children and teens in targeted advertisements while affording users a right to erasure of their content and imposes new obligations for businesses that collect personal information from children and teens. The full House of Representatives has yet to debate either bill and it is unclear if action will be taken in 2025 to move either forward.

Other privacy bills introduced in 2024 include: The Verifying Kids’ Online Privacy Act (amending COPPA to define a child as an individual under the age of 16 rather than 13 and requiring operators to verify the age of individuals accessing their service), the Stop Spying Bosses Act (requiring disclosure of or prohibiting surveillance, monitoring, and collection of worker data),[87] the No Robot Bosses Act (prohibiting employers from relying exclusively on automated decisionmaking systems to make decisions regarding employment),[88] the Reproductive Data Privacy and Protection Act (ensuring government entities that seek to compel disclosures relating to reproductive or sexual health information cannot do so for investigatory purposes),[89] the American Donor Privacy and Foreign Funding Transparency Act (restricting the ability of federal government entities to collect or require submission of information on the identification of donors to tax-exempt organizations),[90] the Protecting Privacy in Purchases Act (prohibiting payment card networks from requiring firearms retailers to use a merchant category code that would distinguish it from a general merchandise or sporting goods retailer),[91] and others described in this Review.

Congress also considered cybersecurity-related legislation: The Healthcare Cybersecurity Act of 2024 (requiring the Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services to work together and implement a variety of measures to improve cyber defenses in the healthcare sector),[92] the Farm and Food Cybersecurity Act of 2024 (requiring studies and simulation exercises for food-related cyber emergencies, threats, and disruptions),[93] and the Health Infrastructure Security and Accountability Act (creating mandatory minimum cybersecurity standards for health care providers, health plans, clearinghouses, and business associates along with requiring independent audits).[94]

B. Enforcement and Guidance

In 2024, federal regulators continued to actively pursue enforcement action and rulemaking related to cybersecurity and data privacy. This section summarizes the noteworthy efforts by the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), Securities and Exchange Commission (SEC), Department of Health and Human Services (HHS), and other federal and state agencies. The priorities reflected in federal enforcement actions and rulemakings will likely shift in 2025, as the newly appointed agency leaders implement the Trump Administration’s policy agenda.

1. Federal Trade Commission

The FTC continued its active regulation and enforcement of cybersecurity and data privacy in 2024. A number of the FTC’s litigation matters, many of which reflected its focus on sensitive consumer data such as geolocation and health information, reached settlement. The impact of the agency’s rulemaking can also be seen in its recent settlement agreements. For example, aspects of its Standards for Safeguarding Customer Information Rule (Safeguards Rule) were often cited in settlements of data privacy enforcement matters through terms such as limiting an entity’s agents’ access to consumer information to where it is necessary.

The FTC also launched, via orders pursuant to Section 6(b) of the FTC Act, fact-finding studies into eight companies to investigate how the companies use consumers’ personal data to engage in personalized pricing—the practice of charging different customers different prices for the same good. In his concurring statement, then-Commissioner and current Chair Andrew Ferguson emphasized that the primary goal of these studies was fact-finding rather than pursuing enforcement action or rulemaking. He suggested that any necessary remedial action should be left to Congress and state lawmakers.

Other areas that the FTC prioritized included algorithmic bias and AI, commercial surveillance, data security, and children’s privacy. Further, the FTC expanded its regulatory and enforcement scope related to biometric information.

This section discusses the FTC’s notable actions in 2024; however, it bears noting that the agency’s outlook this year will be impacted by President Trump’s February 18, 2025 executive order requiring independent agencies to consult with the White House about their strategic plans, priorities, and draft regulations. While the executive order expressly lists the FTC, SEC, and FCC as impacted agencies, the CFPB probably will be impacted as well if it is operational under the Trump administration.

a. FTC Organization Updates

On March 25, 2024, Republican Melissa Holyoak was sworn in as a Commissioner for the FTC, filling the seat left open by former Commissioner Christine Wilson in March 2023. Subsequently, on April 2, 2024, Republican Andrew Ferguson was sworn in as a Commissioner, filling the seat left open by former Commissioner Noah Phillips in October 2022.

In December 2024, President Donald Trump announced he planned to appoint Commissioner Ferguson to replace then-Chair Lina Khan. During the same month, reports circulated with a leaked document that professed to lay out Ferguson’s priorities for the agency, if he were selected as the Chair. Specifically, it stated Ferguson’s “Agenda for the FTC” would: “Reverse Lina Khan’s Anti-Business Agenda,” with “no more novel and legally dubious consumer protection cases,” and by “stop[ping] abus[e of] FTC enforcement authorities as a substitute for comprehensive privacy legislation”; “Hold Big Tech Accountable and Stop Censorship,”[95] including through focused antitrust enforcement; “Protect Freedom of Speech and Fight Wokeness,” including by “end[ing] the FTC’s attacks on online anonymity”; and “Fight the Bureaucracy to Implement Trump’s Agenda.” On January 20, 2025, President Trump appointed Andrew Ferguson as the new FTC Chairman.

In December 2024, President Trump also announced he planned to nominate Mark Meador as the new Republican FTC commissioner to fill the seat left open by prior Chair Lina Khan, whose term expired on January 31, 2025. Meador is currently a partner at law firm Kressin Meador Powers and previously worked for the FTC and the DOJ and as Deputy Chief Counsel for Antitrust & Competition to Republican Senator Mike Lee. Meador has vocally supported efforts to regulate big technology companies and has called for increased antitrust enforcement.

If Meador is confirmed, the FTC will be led by a Republican majority for the first time since Commissioner Bedoya was confirmed in 2022.

b. Algorithmic Bias and Artificial Intelligence

Under former FTC Chair Lina Khan, algorithmic bias in the use of AI technology was a growing concern for the FTC. In 2023, Khan, in a guest editorial for the New York Times, expressed concern over AI tools being fed information “riddled with errors and bias,” thereby “automating discrimination” and unfairly inhibiting people’s access to financial services, employment, and housing, among others.

In December 2023, the FTC filed a complaint and proposed stipulated order against a convenience store chain. The FTC alleged the chain used AI-based facial recognition technology (FRT) to identify customers who may have been engaging in shoplifting and other problematic behavior. In March 2024, the court entered the stipulated order, which prohibits the company from using FRT for five years. In December of 2024, the FTC once again filed a complaint and proposed stipulated order, this time against an AI and Deep Learning-based video analytics and video cloud software company, alleging that the company made false, misleading, or unsubstantiated claims that its AI-powered facial recognition software was free of gender or racial bias, and that it had one of the highest accuracy rates on the market despite lacking the evidence to support such claims. The complaint also alleged that the company did not train its FRT software on “millions of faces” as it advertised, but only on approximately 100 unique individuals. The FTC’s finalized order against the company prohibits the company from misrepresenting the accuracy and efficacy of its technology without competent and reliable testing of the technology to support its claims, among other restrictions and requirements.

Newly appointed Chair Ferguson has expressed his disagreement with the FTC’s prior approach to AI, indicating his belief that the “pro-regulation side of the AI debate” is “the wrong one.” For example, Chair Ferguson has expressed some disagreement with the FTC’s approach to defining bias. In his statement concurring in the FTC’s action against the AI and Deep Learning-based video analytics and video cloud software company, IntelliVision, he expressed discomfort with relying on “statistical disparity in false-positive and false-negative rates” to define or determine the presence of bias and instead focused on IntelliVision’s failure to substantiate its claims that its software had “zero gender or racial bias.”

c. Commercial Surveillance and Data Security

In 2023, as discussed in our prior alerts, the FTC issued an Advance Notice of Proposed Rulemaking on commercial surveillance and data security. In July 2024, the FTC issued orders to “eight companies offering surveillance pricing products and services . . . seek[ing] information about the potential impact these practices have on privacy, competition, and consumer protection.” In January 2025, the FTC then released its initial findings in a surveillance pricing market study, which provided insights into the level of detail at which consumer behavior and demographics are surveilled and analyzed and the effects this has on surveillance pricing. That same day, the FTC announced it would open up public comments on its commercial surveillance probe, which, unrelated to any proposed rulemaking, asked for public input until April 17, 2025 from businesses and workers about their experiences or views on the impact of surveillance pricing. On January 22, 2025, Chair Ferguson closed public comments. The unexplained shutdown of public comments has been criticized by fellow FTC Commissioner Alvaro Bedoya.

While Chair Ferguson has voiced support for the FTC’s attempts to inform consumers about the extent of commercial surveillance, he has criticized the FTC’s approach to targeted advertising and AI, arguing both that targeted advertising is beneficial to consumers and that mass data collection is difficult to avoid but also critical to the operation of many free internet services. The FTC may take a different approach to commercial surveillance concerns going forward. Both Chair Ferguson and Commissioner Melissa Holyoak dissented from the former Democratic majority over what the Republican Commissioners perceived as a rush to publish the initial findings of the surveillance pricing study. Chair Ferguson and Commissioner Holyoak opined that it was irresponsible for the FTC to put forward such a preliminary, “beta” version of its findings simply to publicize an FTC statement on the matter before the start of President Trump’s term.

d. Notable FTC Enforcement Actions

In 2024, the FTC continued its aggressive enforcement relating to data privacy and the use of sensitive consumer information. A few trends were visible in the agency’s agenda last year: in case resolutions, the FTC required entities that collected and used location and health information for non-essential functions to delete that data and to invest in significant privacy and data security programs. Irrespective of the change in administration, the FTC will likely continue to focus on the failure to protect, or the misuse of, sensitive data. Commissioner Holyoak has supported such actions in multiple concurring statements she published in support of related FTC actions and settlements.

Corporate Landlord of Single-Family Homes. The FTC and a corporate landlord reached a settlement to resolve the FTC’s allegations of undisclosed “junk fees,” improper retention of tenants’ security deposits and refunds, and misrepresentation of home inspection and maintenance practices. The company agreed to pay $45 million, which the FTC says will be used to refund affected consumers. The company is also permanently restrained from misrepresenting monthly lease pricing and fees, property conditions, and the circumstances under which it will deduct funds from consumers’ security deposits. Consistent with the agency’s recent focus on consumer data retention, the settlement requires the corporate landlord to delete all financial data collected from consumers outside limited circumstances.

Digital Marketing and Data Aggregator. After facing allegations of impermissibly collecting and using consumers’ location data for advertising purposes, a marketing company reached a settlement with the FTC. The administrative complaint alleged the company failed to fully disclose to consumers how their location data, which would reveal where they live and work, would be used for purposes other than necessary app functions. The agreed-upon order prohibits the company from sharing in any way consumers’ precise location data, or offering any product or service designed to target consumers based on their location. The FTC also required the company to destroy all stored location data or ensure the data is deidentified.

Substance Abuse Telehealth Firms. The DOJ settled an action it brought on behalf of the FTC against two telehealth companies for alleged violations of the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) through unfair and deceptive trade practices relating to alcohol and substance abuse treatment. In addition to imposing monetary penalties, the court approved joint stipulations banning the companies from disclosing consumer health information to third parties for advertising purposes. The companies must also implement a privacy and data security program to formalize the process by which they keep health information secure, as well as a data retention schedule to limit the period for which they retain consumer data.

Online Therapy. In May 2024, an online therapy firm began issuing refund notifications to impacted consumers, based on a 2023 settlement with the FTC arising out of allegations that the firm shared consumers’ sensitive data with third parties. The FTC has indicated that it considers sensitive consumer data to include email addresses, IP addresses, and answers to personal health questions. The online therapy provider was charged with sharing such consumer information with online and app advertisers without setting appropriate limitations for the advertisers’ use of the data, and without obtaining consumer consent.

Software Provider. The FTC settled allegations against a UK-based software provider that its Czech subsidiary collected and sold consumer browsing information without adequate notice and consent. The subsidiary is alleged to have sold the browsing data to more than 100 third parties. Under the final order, the company and its subsidiaries are required to delete the copies of the data that was sold and to obtain consent from consumers before selling their browsing data for advertising purposes in the future.

Data Brokers. The FTC brought a second amended complaint against a data broker for allegedly violating Section 5 of the FTC Act by selling consumers’ precise location data. The second amended complaint comes after the presiding federal district court judge denied the data broker’s attempt to dismiss the suit. In her concurring statement in support of the Commission’s vote to file the amended pleading, Commissioner Holyoak underscored the importance of “vigorously pursuing” the action in order to protect precise geolocation information identifying consumers’ visits to sensitive locations. A separate data broker also agreed to settle FTC claims that it unlawfully tracked and sold sensitive location data. The Commission voted 5-0 to approve the final order, which prohibits the data broker from selling sensitive location data or collecting such data, outside a limited number of approved purposes.

Security Camera Company. The DOJ settled an action it brought on behalf of the FTC against a security camera company that is alleged to have violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM). The company is also alleged to have had insufficient security measures over consumer data it collected, allowing a hacker to access customers’ security camera data in 2021. The hacker is alleged to have accessed cameras in particularly sensitive locations such as psychiatric hospitals and women’s health clinics. The company agreed to pay a $2.95 million monetary penalty for its CAN-SPAM violation and implement an information privacy program, among other actions.

Smart Home Technology. In December, the FTC sent the first set of payments to consumers allegedly harmed by a home security company’s misuse of credit reports. The company, which agreed to a settlement with the FTC in 2021, paid $5 million to be disbursed directly to consumers. According to the FTC, the company’s sales representatives relied on false or unverified information to help consumers obtain financing approval for products and services for which they would not otherwise have qualified. The FTC’s December payment of nearly $500,000 is directed to 470 consumers who filed valid claims. Additional funds are expected to be distributed at a later date.

e. Financial Privacy

Pursuant to Section 6(b) of the FTC Act, the FTC issued orders to eight firms, including financial services firms, that advertise using customer information and machine learning technologies to engage in targeted pricing to consumers. The orders require recipient companies to disclose documents showing how they use consumer data, such as credit history, to engage in “surveillance pricing,” also known as “personalized pricing.” This pricing practice involves charging different prices for the same product based on the consumer’s personal data. The firms were mandated to provide documents and information relating to four specific aspects of their personalized pricing:

  • The types of products and services offered using personalized pricing;
  • The personalized pricing offerings’ underlying data and how such data was collected;
  • Targeted clients and their use of the offerings; and
  • Resulting pricing differentials for the same offering and other impacts.

In a concurring statement, then-Commissioner Ferguson underscored the primary goal of these studies as gathering information rather than pursuing enforcement actions, expressing the importance of revealing to Congress and the public “whether and how consumers’ private data may be used to affect their pocketbooks.” He voiced less enthusiasm for the Commission taking remedial action based on the studies’ outcome, suggesting instead that state and federal legislators may address any needed response through privacy laws.

In addition to launching the personalized pricing study, the FTC began to incorporate aspects of its Safeguards Rule into case resolutions. Settlement agreements in actions involving unsecured consumer information, in particular, reflect certain components of the Safeguards Rule. For example, a common settlement term requires companies to implement information privacy programs and to refrain from misleading consumers about the strength and integrity of their consumer privacy measures. One important feature of these programs is that the entity must limit employees’, contractors’, and authorized third parties’ access to consumer information to what their job functions require.

f. Children’s and Teens’ Privacy

At the end of 2023, the FTC proposed amendments to COPPA, aiming to shift the burden for protecting children’s privacy and security from parents to service providers. As of January 16, 2025, the FTC finalized changes to COPPA. The final rule’s amendments include:

  • Opt-in parental consent requirements for covered operators to disclose children’s personal information to third-party companies for targeted advertising or other purposes;
  • Limits on data retention where covered operators may only retain personal information for as long as reasonably necessary to fulfill a specific purpose for which it was collected;
  • Public disclosure requirements for COPPA’s self-regulatory Safe Harbor programs, such as disclosure of information on their membership lists; and
  • Several amended definitions, including the expansion of “personal information” to include biometric identifiers and government-issued identifiers.

In adopting the final rule, the FTC decided against some changes proposed during the public comment period, such as a requirement limiting the use of push notifications directed to children without parental consent and changes to the requirements applicable to educational technology companies that operate in a school environment.

In 2023, the FTC also sought comment on the Entertainment Software Rating Board’s (ESRB) application for a “Privacy-Protective Facial Age Estimation” technology that analyzes a user’s face to confirm their age, which would serve as a consent mechanism under COPPA’s requirement that parents consent to an online service collecting their children’s personal data. On March 29, 2024, the FTC denied the ESRB’s application with a vote of 4-0 due to insufficient information. The FTC made this denial without prejudice to enable the ESRB to re-file the application in the future, when the FTC anticipates that additional information will assist in the understanding of age verification technologies. The FTC otherwise took no position on the merits of the application.

In 2024, the FTC continued to pursue enforcement actions against major technology companies in relation to children’s and teens’ privacy. For example, the FTC referred a complaint to the DOJ against a technology company for possibly violating COPPA by allowing children to use its application without parental consent. The FTC also took action against an anonymous messaging application marketed to kids and teens for allegedly violating COPPA by failing to ensure that a parent receives direct notice of and consents to its practices around collecting, using, or disclosing their child’s personal information.[96] Although not an enforcement action, the FTC additionally examined the data collection and use practices of nine big technology companies, which eventually led to a report upon which the FTC based recommendations to policymakers and companies.

g. Biometric Information

In May 2023, the FTC published its Policy Statement on Biometric Information. See the Biometric Information section of our 2024 annual update for additional details on the policy statement.

The policy statement specified that making unsubstantiated marketing claims regarding the validity, reliability, accuracy, performance, fairness, or efficacy of technologies relying on biometric information constitutes a deceptive practice under Section 5 of the FTC Act. In December 2024, the FTC announced a proposed consent order with an AI and Deep Learning-based video analytics and video cloud software company to settle the FTC’s allegations that the company could not substantiate its marketing claims about the accuracy of its facial recognition technologies, including their accuracy across genders, ethnicities, and skin tones. The proposed order prohibits the company from making misrepresentations regarding the efficacy of, and the absence of bias in, its facial recognition technologies.

2. Consumer Financial Protection Bureau

Over the past year, the CFPB finalized and proposed multiple rulemakings which implicate privacy issues, with a flurry of such action in the waning days of the Biden Administration. As of this report’s publication, the Trump Administration has paused implementation of several of these rulemakings, and the agency’s future is currently uncertain.

a. A Dramatic Shift Under the Trump Administration

Following significant actions by the CFPB in 2024, including actions related to data privacy, data security, and algorithmic decision-making, the interim CFPB Directors appointed by President Trump have thus far in 2025 imposed sweeping operational changes that raise serious questions about the agency’s future scope and direction.

After removing Rohit Chopra as CFPB Director on January 31, 2025, President Trump appointed in quick succession Treasury Secretary Scott Bessent and then Office of Management and Budget Director Russell Vought as Acting CFPB Directors. Bessent and then Vought moved rapidly to freeze virtually all CFPB activities: ordering employees to stop all enforcement and litigation activity; halting rulemakings and suspending the effective dates of pending rules; closing the CFPB’s Washington, DC office for a week and cancelling the headquarters lease; cancelling the CFPB’s next draw of funding from the Federal Reserve; cancelling over $100 million in vendor contracts; firing probationary-period staff; and dismissing (without explanation) various enforcement actions filed during the Biden Administration. While President Trump and the head of DOGE, Elon Musk, have expressed a desire to eliminate the CFPB, the Trump Administration has recently taken the position in court that it only intends to make the agency more “streamlined and efficient.”

Consistent with this position, Jonathan McKernan, President Trump’s nominee for CFPB Director, testified in early March before the U.S. Senate Committee on Banking, Housing, and Urban Affairs, that he would continue to enforce consumer protection laws while advocating for reforms to increase accountability and end the CFPB’s “past excesses.” At the time of publication, McKernan’s nomination is pending confirmation.

b. Impact of the Trump Administration’s Actions on the Pre-Trump CFPB’s Ambitious Agenda

Precisely how the CFPB under Trump-appointed leadership will reshape the agency’s approach to consumer protection remains to be seen.

The outgoing CFPB pursued an ambitious and aggressive rulemaking, policy, and enforcement agenda, often relying on novel and expansive interpretations of its statutory authority. In the near term, regulated parties can expect new CFPB leadership to critically examine these initiatives, likely rescinding some rules and guidance and continuing to drop certain enforcement actions while pursuing others.

For example, there is substantial uncertainty around the agency’s key 2024 rulemakings and guidance related to data privacy, data security, and AI. Specifically, on December 3, 2024, the CFPB proposed a sweeping new rule that would subject data brokers to the Fair Credit Reporting Act, with the goal of limiting the sharing of consumer financial data. On March 5, 2025, the comment period for this rule was extended from March 3, 2025, until April 2, 2025, with the Bureau stating it was doing so in order to give interested persons additional time to consider and submit comments. What new leadership will do with respect to this rule remains to be seen, although it seems unlikely they will embrace it in its proposed form.

Additionally, the effective date of the agency’s final rule issued in October 2024 under Section 1033 of the Consumer Financial Protection Act (CFPA) requiring certain financial institutions to make data such as account and transaction information available upon request to consumers and authorized third parties has been suspended. The ordered suspension sweeps in all other CFPB final rules that had not gone into effect as of February 3, 2025, like the final rule issued in June 2024 aiming to mitigate AI-driven bias in housing appraisals that was slated to go into effect in approximately June 2025. However, a significant final rule issued in November 2024 establishing the agency’s supervisory power over nonbank digital payment providers took effect before then-Acting Director Bessent’s February 3, 2025 instruction freezing final rules, so whether action will be taken to rescind the rule remains to be seen.

The CFPB’s prior leadership had also intensified scrutiny of AI in financial services, issuing guidance and a special edition of its Supervisory Highlights emphasizing compliance obligations, which new CFPB leadership may also rescind.

In the longer term, the CFPB’s future is uncertain. Courts might step in to limit an administrative shutdown of the agency. The National Treasury Employees Union (NTEU), which represents unionized CFPB employees, brought an action in federal court challenging Vought’s stop-work directive, arguing that separation-of-powers principles prevent the Trump Administration from winding down a congressionally authorized agency.[97] The court in that matter ordered a senior CFPB official to testify on March 10, 2025 about the status of the agency’s statutorily required activities in connection with NTEU’s request for a preliminary injunction to halt mass terminations and other cuts. Additionally, the City of Baltimore and Economic Action Maryland Fund have challenged Vought’s attempt to transfer the CFPB’s funds to the Federal Reserve, arguing, among other things, that such action violated the Administrative Procedure Act because the agency would be deliberately leaving itself without enough funding to perform its legally mandated duties.[98] A preliminary injunction preventing the funds transfer is in place until March 14, 2025.[99]

c. Other Regulators and Private Litigation: Filling a Potential Enforcement Gap

If the CFPB’s activities continue to wane, other regulators may step up their enforcement activities. For example, the FTC, which has concurrent enforcement authority with the CFPB over certain statutes, can police “unfair practices” under the FTC Act and has insight into the CFPB’s investigations and enforcement under the agencies’ memorandum of understanding. State attorneys general also have broad authority to enforce state consumer protection laws, may enforce the (federal) Consumer Financial Protection Act in their respective jurisdictions under 12 U.S.C. § 5552, and have a “blueprint” for enforcement activity in the form of a report published by the CFPB in January 2025, prior to the leadership transition. State banking departments may also enhance supervisory oversight over non-bank financial institutions in light of any perceived supervisory gap at the federal level.

Additionally, private litigants may seize upon regulatory uncertainty to pursue consumer litigation.

Businesses that have invested in compliance with recent CFPB mandates must now reassess their strategies in light of shifting federal priorities and the possibility of increased state and private litigation risk. As the regulatory pendulum swings, staying ahead of both federal and state developments will be critical for businesses seeking to navigate this rapidly evolving environment.

3. Securities and Exchange Commission

The SEC continued its historic levels of enforcement activity in 2024, with a continued emphasis on disclosure and transparency requirements surrounding cybersecurity. The SEC’s new cybersecurity disclosure rule for public companies also went into effect in 2024, and numerous companies filed disclosures as required under the rule. In addition, the SEC finalized new cybersecurity disclosure rules for broker-dealers and registered investment advisers.

a. Regulation

Companies begin disclosures of cybersecurity incidents. The SEC’s new cyber disclosure rule for public companies, which requires them to publicly disclose material cyber incidents, went into effect in December 2023, and 2024 was the first full year of implementation of the rule.[100] In 2024, approximately 50 public companies filed cybersecurity disclosures on Form 8-K. Many of these disclosures concerned non-material impacts. Initially, several companies made non-material disclosures under the new cybersecurity reporting Item 1.05, which was specifically created for disclosures of material cybersecurity incidents. As a result, the Director of the SEC’s Division of Corporation Finance issued a statement suggesting that such disclosures were appropriate under Form 8-K Item 8.01, which covers miscellaneous statements, rather than Item 1.05. Because of the strict timing requirements, some companies have made filings under Item 1.05 stating that they could not yet determine whether the impact was material, only to later amend the Form 8-K to state that the impact had been found not to be material. Notably, fewer than 20% of filings state a material impact.

Additionally, on June 24, 2024, the SEC issued five new compliance and disclosure interpretations addressing hypothetical scenarios involving the public company disclosure requirement. Four of these interpretations concern ransomware payment, and provide guidance on how to conduct materiality assessments in scenarios where the company makes such a payment, while the fifth addresses materiality determinations following a series of separate but potentially related incidents.

SEC adopts data breach notification requirements for additional financial institutions. On August 2, 2024, a final rule went into effect updating Regulation S-P to require registered investment advisers, transfer agents, and broker-dealers to notify customers within 30 days if their information may have been stolen. Covered institutions have 18 months (larger entities) or 24 months (smaller entities)[101] from the date of publication in the Federal Register to comply with the requirements. Key requirements under the new regulation include:

  • Covered institutions must implement an incident response program regardless of whether an incident has occurred.
  • Covered institutions must disclose an incident to customers as soon as practicable, and no later than 30 days after discovery of the incident. The customer notices must include details about the incident, the data affected, and how affected individuals can respond to the breach to protect themselves. This requirement does not apply where an institution determines that the affected data will not be used, or is not reasonably likely to be used, in a way that adversely affects customers.
  • The rule expands existing requirements to safeguard customer data and to dispose of unused customer data, covering additional types of data and applying to transfer agents in addition to previously covered institutions.

b. Enforcement

Court dismisses much of the SEC’s complaint against Software Company. The SEC originally sued a software company in 2023 over a high-profile breach of the company’s computer system in 2020. In light of the breach, the SEC alleged that the company had made materially false statements regarding its cybersecurity practices in certain public filings and on its publicly facing website, then subsequently made misleading statements regarding a series of cybersecurity incidents that culminated in a high-profile cyber attack.

As we previously discussed in our July 25, 2024 client alert, the court dismissed the majority of the SEC’s claims. The remaining claims relate to the Security Statement that the company posted to its website in 2017. Most notably, the court rejected the SEC’s attempt to bring an internal accounting controls claim under Section 13(b)(2)(B) in the context of cybersecurity-related conduct. The court reasoned that the SEC’s position that its authority to regulate an issuer’s “system of internal accounting controls” includes the authority to regulate cybersecurity controls was “not tenable” and unsupported by the statute, legislative intent, or precedent.

The court’s decision also calls into question the SEC’s ability to rely on claims of inadequate disclosure controls and procedures in similar circumstances, given that the court ruled that a single disclosure failure is insufficient to put the adequacy of a company’s disclosure controls and procedures in issue.

SEC fines transfer agent for alleged failure to protect client funds. A transfer agent was hacked in 2022 and 2023, resulting in the theft of $6.6 million in client funds. The company recovered about $2.6 million and fully reimbursed clients. The SEC found that the transfer agent had failed to take adequate measures to secure client funds, censured the respondent, issued a cease-and-desist order, and fined the transfer agent $850,000.

SEC fines stock exchange operator for allegedly failing to meet disclosure requirements. The SEC alleged that the parent company of a number of stock exchanges waited several days after learning of a cyberattack before informing compliance and legal officials at the subsidiary exchanges. The SEC took the position that this violated Regulation Systems Compliance and Integrity (Reg SCI) by preventing the subsidiary exchanges from making their own timely disclosures to the SEC. The company agreed to pay $10 million to settle the charges but did not admit the allegations.

SEC settles with marketing firm over alleged disclosure and internal control failures. The SEC settled with a communications and marketing company for $2.1 million over the company’s alleged violation of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15(a). The SEC alleged that the company failed to establish sufficient cybersecurity disclosure controls, which resulted in a delayed response to a 2021 ransomware attack. The SEC order notes that data security was critical to the company’s business because the company held sensitive client data. The company settled the allegations following an investigation without admitting fault.

c. SEC Enforcement Outlook for 2025

On October 21, 2024, the SEC Division of Examinations published its annual examination priorities, which include cybersecurity as one of the Division’s planned areas of focus in 2025. However, President Trump’s nominee to chair the SEC is expected to be more pro-business than the outgoing chair, which may result in less enforcement activity overall. Moreover, the Republican members of the Commission, Mark Uyeda and Hester Peirce, have expressed skepticism regarding the SEC’s previous cybersecurity efforts, with both issuing dissents from recent cybersecurity enforcement actions. Commissioner Uyeda also previously issued a statement sharply criticizing the 2023 public-company disclosure rules. Nevertheless, the SEC recently announced the reorganization of its crypto and cyber unit as the Cyber and Emerging Technologies Unit, with a focus on “[r]egulated entities’ compliance with cybersecurity rules and regulations,” among other priorities. Accordingly, while we expect the SEC to continue to focus on cybersecurity in 2025, enforcement activity related to cybersecurity will likely be lower in volume and less aggressive.

4. Department of Health and Human Services and HIPAA

In October 2024, the Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), announced the launch of a Risk Analysis Initiative to guide health care organizations in conducting thorough evaluations of their cybersecurity practices. The initiative focuses on protecting the confidentiality, integrity, and availability of protected health information to reduce the likelihood of cyber incidents. OCR explained that it “created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with [HIPAA’s] Security Rule.” The Security Rule sets standards for protecting electronic protected health information (ePHI) through administrative, technical, and physical safeguards, requiring regulated entities to conduct thorough risk assessments, implement and document security measures, and maintain continuous protection of ePHI. The Risk Analysis Initiative signals renewed interest in enforcing HIPAA’s Security Rule, underscoring the need for covered entities to ensure they are conducting thorough and accurate ePHI-related risk assessments.

Relatedly, on December 27, HHS issued a notice of proposed rulemaking aimed at improving HIPAA’s Security Rule. The proposed rule would require HIPAA-covered entities and their business associates to bolster existing cybersecurity protections for protected health information, including encrypting protected health information, deploying additional technical controls to shield against malicious software, and requiring multi-factor authentication. In announcing the proposed rule, Deputy Secretary Andrea Palm emphasized the “increasing frequency and sophistication of cyberattacks in the health care sector” that “pose a direct and significant threat to patient safety” and disrupt patient care. The responsibility for finalizing the rule now lies with the Trump administration, which may be more skeptical of implementing new regulations. Specifically, President Trump issued an Executive Order requiring a “Regulatory Freeze Pending Review,” directing federal agencies, including the HHS, to “not propose or issue any rule in any matter . . . until a department or agency head appointed or designated by the President . . . reviews and approves the rule.” Thus, it is unclear whether the proposed rule will proceed under the new administration.

a. Rulemaking on HIPAA Compliance and Data Breaches

HHS finalized two significant HIPAA rules in 2024. On February 8, OCR finalized a rule updating the Confidentiality of Substance Use Disorder Patient Records regulations to improve coordination among providers by allowing a single consent for treatment, payment, and health care operations, while also permitting de-identified disclosures to public health authorities. The rule strengthens patient protections by aligning enforcement with HIPAA, introducing civil penalties for violations, requiring specific consent for substance use disorder counseling notes, and creating a safe harbor for investigative agencies acting with reasonable diligence before requesting records.

OCR finalized another rule on April 26, which modifies the HIPAA Privacy Rule to strengthen protections for reproductive health care by prohibiting the use or disclosure of protected health information to investigate or impose liability on individuals, health care providers, or others involved in lawful reproductive health care. The rule also requires covered entities to obtain signed attestations for specific requests related to reproductive health care and mandates that these entities update their Notice of Privacy Practices to reflect these new privacy protections.

b. Telehealth and Data Security Guidance

HHS released a statement in May 2024, explaining that it will extend COVID-era telehealth and audio-only services beyond 2024, as was planned. As HHS explained, this change was prompted by “changes in patterns of care and higher levels of use of telehealth and audio-only services that can be expected to continue into future benefit years.” Thus, any telehealth or audio-only services between patients and qualified health professionals “that is reimbursable under applicable state law and otherwise meets applicable risk adjustment data submission standards may be submitted to issuers’ External Data Gathering Environment” servers “for purposes of HHS-operated risk adjustment program for the 2024 benefit year and beyond.” In practice, the extension of telehealth and audio-only services beyond 2024 allows insurers to include these services in their risk adjustment data, which helps determine the appropriate reimbursement they receive for covering individuals enrolled in the Affordable Care Act marketplace and Medicaid. Through this policy pronouncement, HHS has signaled its ongoing commitment to and recognition of telehealth’s growing role in healthcare delivery.

c. Reproductive and Sexual Health Data

In addition to OCR’s final rule strengthening data protections for reproductive health care, discussed above, the FTC also took action to protect individuals’ reproductive health data. In April 2024, it finalized an order banning a data broker and its successor from sharing or selling sensitive, precise location data, which the FTC alleged could be used to track visits to “medical and reproductive health clinics and places of worship.” In addition to the ban, the order requires the data broker and its successor to develop a program to maintain a comprehensive list of sensitive locations, delete previously collected data unless deidentified or consented to by consumers, and establish privacy programs and safeguards to ensure data is not used for identifying individuals or associating with sensitive locations.

d. HHS Enforcement Actions

HHS made data privacy and cybersecurity a key focus in 2024, ramping up enforcement efforts for HIPAA violations, including actions involving “ransomware, phishing, health information left unsecured on the internet, impermissible access to electronic PHI, reproductive health information impermissibly disclosed, and untimely patient access to PHI.”

Of note, the HHS reached a sizable settlement involving HIPAA Security Rule violations. In December 2024, HHS announced a $1.19 million penalty against Clearway Pain Solutions Institute for violations of the HIPAA Security Rule “following receipt of a breach report that a former contractor for the company had impermissibly accessed their electronic record system” to “retrieve PHI for use in potential fraudulent Medicare claims.” HHS concluded that the contractor had gained impermissible access on three separate occasions, compromising the PHI of over 34,000 individuals. OCR also found that Clearway Pain Solutions Institute failed to conduct a thorough risk analysis of potential vulnerabilities to electronic protected health information (ePHI) and failed to terminate former workforce members’ access to ePHI.

Reproductive health data breaches have been another priority over the last year. On November 26, 2024, HHS announced a settlement with Holy Redeemer Family Medicine for HIPAA Privacy Rule violations linked to the disclosure of a female patient’s entire medical record to a prospective employer. The disclosure allegedly included the patient’s obstetric and gynecological history, as well as “other sensitive health information concerning reproductive health care.” The HHS complaint stated that Holy Redeemer Family Medicine violated the HIPAA Privacy Rule because it lacked adequate consent for the release of the full medical record. Under the settlement, Holy Redeemer Family Medicine agreed to pay a fine and implement a comprehensive corrective action plan requiring it to submit breach notification reports to HHS, develop policies for compliance with the Privacy Rule, and train employees on HIPAA compliance.

Lastly, HHS also ramped up enforcement under OCR’s Risk Analysis Initiative, announcing its first enforcement action under the initiative in October 2024. A 2022 ransomware attack affected the PHI of 14,273 patients at Bryan County Ambulance Authority (BCAA), prompting OCR’s investigation into the entity’s alleged failure to conduct a proper risk analysis. HHS found that the entity had failed to conduct a compliant risk analysis to determine the potential risks to its ePHI systems. The parties reached a settlement requiring BCAA to pay $90,000, implement a corrective action plan to ensure HIPAA Security Rule compliance, and submit to three years of OCR monitoring.

5. Other Federal Agencies

a. Department of Homeland Security

The Department of Homeland Security (DHS), together with the European Commission’s Directorate-General for Communications Networks, Content, and Technology, released a joint report comparing cyber incident reporting frameworks, further expanding on its earlier efforts in standardizing reporting processes. By identifying key similarities and differences, the report aims to inform future evaluations of cyber incident reporting processes and enhance alignment between U.S. and EU cybersecurity measures, in particular through a comparative analysis of the recommendations from the U.S. Cyber Incident Reporting Council, the 2023 DHS report on Harmonization of Cyber Incident Reporting to the Federal Government, and the EU’s NIS2 Directive (Directive 2022/2555). Further input has also been provided by the Cybersecurity and Infrastructure Security Agency (CISA) and the European Union Agency for Cybersecurity (ENISA).

The DHS’s CISA has also published several updated guidelines, including an updated “Trusted Internet Connections (TIC) 3.0 Catalog,” providing a list of deployable security controls, security capabilities, and best practices, along with multiple updates to its “Public Safety Communications and Cyber Resiliency Toolkit” and the “Marine Transportation System Resilience Assessment Guide.” It has recently also published a revised “National Cyber Incident Response Plan,” to which stakeholders from across the public and private sectors could provide their input by January 15, 2025. Additionally, CISA has been involved in investigations regarding allegations that the People’s Republic of China (PRC) targeted commercial telecommunications infrastructure. CISA notified affected companies, rendered technical assistance, and shared information to assist potential victims. Lastly, CISA is also investigating the recent cybersecurity incident at the U.S. Department of the Treasury.

b. Department of Justice

Final Rule on Foreign Adversaries’ Access to Sensitive Data. On December 27, 2024, the Department of Justice (DOJ) issued a Final Rule aimed at restricting foreign adversaries’ access to Americans’ sensitive personal and government-related data. Previously, in February 2024, the Biden administration already directed federal agencies to halt the transfer of sensitive American data to China, Russia, and other foreign adversaries via a corresponding executive order.

This Final Rule now grants the DOJ authority to prohibit or impose stringent conditions on transactions involving such data when they pose a national security threat. Among other things, the rule bans transfer of three types of data to parties affiliated with the target countries: (1) bulk U.S. sensitive personal data, which includes covered personal identifiers, precise geolocation data, biometric identifiers, human genomic data, and personal financial data; (2) U.S. government-related data, which includes any data that is either precise geolocation data for certain locations, or sensitive personal data linked or linkable to certain government employees or contractors; and (3) human genomic or biospecimen data.[102]

Companies handling personally identifiable information, financial data, healthcare records, and biometric data are therefore advised to review their cross-border data transfer agreements and conduct data risk assessments, ensure localization of critical datasets, and implement sufficient contractual protections when dealing with international data partners. In short, this rule requires U.S. companies to be able to identify any transaction that could allow access to covered data by a foreign entity, in particular from China, Cuba, Iran, North Korea, Russia, and Venezuela.

Children’s Privacy Violations. In August 2024, the DOJ, with urging from the FTC and Congress, filed a civil lawsuit in the U.S. District Court for the Central District of California against a social media company over violations of children’s privacy laws. Allegations include unauthorized data collection, application of digital tools to surveil minors, and other non-compliance with COPPA. In particular, according to the complaint, from 2019 to the present the company knowingly permitted children to create regular accounts (i.e., not accounts created in the so-called “Kids Mode”) and interact with adults, collected their personal information without parental consent (even for those accounts which were created in Kids Mode), and failed to delete this data upon parental request, while having inadequate policies to manage children’s accounts. The complaint further alleges that the company also violated a 2019 permanent injunction, in part by neglecting its mandate to preserve records about the activities of minors below the age of 13 on the platform.

Civil Cyber-Fraud Initiative. The DOJ’s Civil Cyber-Fraud Initiative (CCFI), initiated in 2021, is intended to encourage disclosure and to hold accountable entities and individuals that put U.S. information or information systems at risk by knowingly providing deficient cybersecurity products or services, misrepresenting their cybersecurity practices or protocols, or violating obligations to monitor and report cybersecurity incidents and breaches. The initiative gained significant momentum in 2024, leading to multiple settlements with government contractors and private companies accused of failing to meet cybersecurity standards.[103] Such failures to comply can take multiple forms, including outright violations of legal provisions, falsified cybersecurity certificates, or an inability to fulfill contractual obligations.

While multiple cases concerning disputes over compliance with federal cybersecurity requirements have been settled, United States ex rel. Craig v. Georgia Tech Research Corp., in which the DOJ intervened in August 2024, remained ongoing at the time of publication of this article. Companies contracting with the U.S. Government must adhere to National Institute of Standards and Technology (NIST) cybersecurity frameworks to mitigate enforcement risks (see also section A.5.c, Department of Commerce, below).

Cybercrime and Dark Web Marketplaces. The DOJ has intensified efforts to combat cybercrime relating to cryptocurrencies and to dismantle cybercrime marketplaces selling stolen data, hacking tools, or illicit goods. Key operations included the takedowns of the dark web marketplaces Nulled and Cracked (which impacted at least 17 million victims from the United States) and of Rydox (which sold, among other things, sensitive data from thousands of victims residing in the United States), along with arrests relating to Incognito Market, an extensive dark web effort to traffic illicit drugs to the United States and around the world.

Furthermore, the DOJ, often in collaboration with international partners, also successfully targeted ransomware groups responsible for major cyberattacks, including, amongst others:

  • Together with its international partners and the FBI, the DOJ disrupted the LockBit ransomware group, one of the most active ransomware groups in the world, which has targeted over 2,000 victims, received more than USD 120 million in ransom payments, and made ransom demands totaling hundreds of millions of dollars. Actions against LockBit included seizing numerous websites and servers managed by LockBit administrators. These were complemented by indictments against key figures, the issuance of search warrants, and the development of decryption capabilities to restore systems encrypted by the LockBit ransomware variant.
  • An alleged North Korean government-affiliated cybercriminal was charged for attacks targeting U.S. hospitals and critical infrastructure.

c. Department of Commerce

In October 2024, the U.S. Department of Commerce (DOC), through the Bureau of Industry and Security’s (BIS) Office of Information and Communications Technology and Services (OICTS), issued a landmark decision prohibiting the use of Kaspersky’s antivirus software and cybersecurity products in the United States or by U.S. persons, “due to the Russian Government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations.” The decision marked the first time OICTS exercised its authority with regard to Information and Communications Technology and Services (ICTS) supply chain regulations. While it was based on an interim final rule implementing an Executive Order from the Biden administration, the corresponding final rule was issued in December 2024.

Additionally, cybersecurity risks stemming from supply chains have come under particular scrutiny from the DOC—although the impact of the new Trump administration on these efforts remains to be seen:

  • For example, the BIS issued a Notice of Proposed Rulemaking regarding a rule banning the import and sale of connected vehicles from China (including Hong Kong) and Russia, citing risks related to espionage, cyber threats, and unauthorized data collection; the rule was finalized under the Biden administration on January 19, 2025. The rule also restricts key vehicle software and hardware deemed to pose “undue or unacceptable risks” to national security, with certain software restrictions beginning in 2027 and hardware restrictions following in 2029.
  • Furthermore, BIS has announced an Export Control Framework to further strengthen the U.S.’s cybersecurity capabilities from a hardware perspective. The framework is aimed at limiting the spread of advanced artificial intelligence technologies while tightening restrictions on advanced computing. It specifically imposes strict controls on the export, reexport, and transfer of advanced computing integrated circuits and the model weights of leading AI systems.
  • BIS has also proposed a new rule imposing restrictions on U.S. Infrastructure-as-a-Service (IaaS) providers, in particular cloud service providers, concerning their role in training large AI models. The rule would require IaaS providers to implement Customer Identification Programs (CIPs) to collect “Know Your Customer” (KYC) information, and is ultimately aimed at preventing foreign adversaries from accessing advanced AI capabilities.

Separately, in February 2024, the DOC’s National Institute of Standards and Technology (NIST) released Version 2.0 of its Cybersecurity Framework (CSF). The updated CSF is now organized around six key functions: Identify, Protect, Detect, Respond, and Recover, along with CSF 2.0’s newly added “Govern” function, emphasizing the importance of cybersecurity governance and risk management. It also now explicitly addresses all organizations, not just those in critical infrastructure, its original target audience.

Lastly, in December 2024, the DOC released a strategic report titled “The Decisive Decade: Advancing National Security at the Department of Commerce.” The report outlines key policy objectives in the digital space, emphasizing U.S. leadership in critical technologies, international security collaborations, and private-sector partnerships to enhance cybersecurity. It serves as a roadmap for maintaining economic security and technological dominance while addressing threats from foreign adversaries.

d. Department of Energy

Cybersecurity continues to be a point of emphasis underpinning power systems and critical infrastructure resilience. In 2024, the U.S. Department of Energy (DOE) released and endorsed various implementation strategies and adoption guidelines intended to drive the voluntary adoption of uniform cybersecurity practices across the energy sector.

In March 2024, the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) partnered with the National Association of Regulatory Utility Commissioners (NARUC) to publish “Cybersecurity Baselines” for distributed energy resources (DERs) and their electric distribution systems. Intended for asset scoping and baseline prioritization, the Cybersecurity Baselines aim to enhance system resilience and provide a starting point from which a solid cybersecurity foundation can be built and later expanded upon, following a risk-informed roadmap. The final version of the accompanying Implementation Guidance is expected to be published in mid-2025.

Cybersecurity also remains a critical pillar of DOE’s efforts to protect clean energy infrastructure. In particular, a key focus has been modernizing and securing U.S. hydropower plants, which is central to the DOE’s cybersecurity strategy. The DOE has also issued several cybersecurity guidelines, including guidelines for energy procurement, and introduced new Supply Chain Cybersecurity Principles, developed in collaboration with Idaho National Laboratory.

In addition, the Energy Threat Analysis Center (ETAC)—a public-private partnership that convenes experts from the federal government and the U.S. energy sector—became operational in Q4 2024. Jointly managed by CESER and the DOE’s Office of Intelligence and Counterintelligence, in partnership with the national laboratories, and in close coordination with the Cybersecurity and Infrastructure Security Agency (CISA) Joint Cyber Defense Collaborative (JCDC), it is aimed at strengthening the collective defense, response, and resilience of the U.S. energy sector, improving national security in the energy sector, enhancing analysis capabilities, and facilitating increased sharing of information.

In addition to providing external guidance and support, the DOE has also continued efforts to enhance its own cybersecurity following recent cyberattacks. In particular, in January 2024, the DOE issued its Cybersecurity Strategy. Other governmental bodies also highlighted the importance of the DOE and its mission to protect sensitive data and critical infrastructure as well as to ensure supply chain security. For example, the Office of the Inspector General (OIG) noted that a crucial role for this will fall on the recently established Vetting Center, where a Vetting Center Policy Group was established in 2024. Assessing the outcome of this will be crucial for contractors and vendors doing business with the DOE, as they should anticipate increased emphasis on and scrutiny of their cybersecurity practices in 2025.

e. Department of Defense

In October 2024, the Department of Defense (DoD) finalized a much-anticipated rule implementing its Cybersecurity Maturity Model Certification (CMMC) program for defense contractors, broadly aimed at increasing the security of controlled unclassified information within the defense industry.[104] The CMMC will set three “levels” of cybersecurity requirements based on the nature of information held by contractors, with the aim of creating a baseline level of cybersecurity for almost all DoD contract solicitations. These requirements include confirming that Cloud Service Providers used by contractors meet certain risk standards, establishing protocols for processing, storing, and transmitting controlled unclassified information, and submitting annual compliance self-assessments.

In addition to enhancing the cybersecurity of its supply chain, the DoD announced its plan to prioritize strengthening its Defense Industrial Base (DIB), which is a network of foreign companies and organizations that support the DoD and other U.S. defense requirements. In March 2024, the DoD announced a cybersecurity strategy aimed at improving the DIB’s cybersecurity capabilities and its IT interoperability and integration with the DoD, and in May 2024, the DoD’s Chief Information Officer released a playbook for implementing shared security authorization packages across DoD systems to make system assessments more efficient. In June 2024, the Pentagon released a blueprint for the DoD to prioritize providing joint warfighting IT capabilities between U.S. forces and mission partners, modernizing information networks, optimizing IT governance, and cultivating a digital workforce.

f. Federal Communications Commission

As noted in the 2023 update, the Federal Communications Commission (FCC) announced its new Privacy and Data Protection Task Force in June 2023. Since its inception, the Task Force has been active in various enforcement and rulemaking efforts.

Enforcement. The FCC also levied large fines and settled several claims related to company data practices. In April 2024, the FCC fined American wireless carriers nearly $200 million for allegedly sharing their customers’ location data without consent. The FCC Enforcement Bureau investigation found that the carriers sold location data access to aggregators, who then resold the access to third parties, in an alleged attempt to offload their obligation to obtain customer consent.

In June 2024, a leading Latin American telecommunications company agreed to pay $100,000 to resolve allegations that the company failed to report a data breach in a timely manner in violation of FCC rules and conditions of Liberty’s license. In July 2024, the FCC announced a $34.6 million settlement and consent decree with a phone captioning company to resolve allegations that the company unlawfully retained call content beyond the duration allowed and submitted inaccurate information to the Telecommunications Relay Service (TRS) Fund Administrator. Also in July 2024, the FCC announced a $16 million settlement with an American wireless prepaid service provider to resolve allegations that the company failed to reasonably protect customer information in connection with multiple data breaches. In September 2024, a major American wireless carrier entered into a $13 million settlement with the FCC regarding a data breach of a cloud vendor for the carrier, exposing customer information that the vendor was supposed to have destroyed. The FCC faulted the carrier for failing to ensure the vendor had destroyed the data. Also in September 2024, another major American wireless carrier reached a $31.5 million settlement with the FCC to resolve investigations into multiple data breaches, including access to the names, addresses, dates of birth, and Social Security numbers for 47.8 current, former, and prospective customers. The $31.5 million settlement consisted of a $15.75 million penalty and a $15.75 million investment by the carrier into its cybersecurity infrastructure.

TCPA Rulemaking. The FCC continued its focus on curtailing robocalls and robotexts by adopting new rules in February 2024. While previous rules have made it clear that consumers have a right to revoke their consent to receive automated calls and messages, the new rules require that revocation requests be honored within a reasonable time, not to exceed 10 business days from receipt. The rules also codified the FCC’s previous ruling that consumers can revoke their consent through any reasonable means.

Approved in December 2023, TCPA rules requiring lead generators, comparison shopping websites, and similar companies to obtain a consumer’s prior express written consent to receive automated calls from each marketing partner went into effect on January 25, 2025.[105] A February 3, 2025 decision from the Eleventh Circuit Court of Appeals recently vacated this “one-to-one consent rule” under the TCPA, which may create uncertainty for other recent TCPA regulations.[106]

Cyber Trust Mark. In March 2024, the FCC voted to create a voluntary cybersecurity labeling program for devices that meet certain cybersecurity and privacy standards. Qualifying products will bear a label including a new “U.S. Cyber Trust Mark” to help consumers differentiate trustworthy products and will also include a scannable QR code with additional product information. Examples of eligible products include smart home appliances and fitness trackers.

6. State Agencies

State attorneys general continued to lead the charge as privacy regulators in 2024, enforcing both existing consumer protection laws and comprehensive data privacy laws that an increasing number of states are enacting. Attorneys general have not been alone in their work, however, as other state agencies, including new dedicated privacy regulatory agencies, work in tandem with attorneys general. State agencies and state attorneys general are expected to be particularly active and continue the trend in 2025 in light of the Trump administration’s predicted reduction in enforcement activity at the federal level.

a. California

i. California Privacy Protection Agency

In 2024, the California Privacy Protection Agency (CPPA) began to take a more active role in privacy regulation and enforcement in California. In January 2024, the agency launched a website dedicated to educating the public about privacy rights and, throughout the year, announced partnerships and initiatives related to strengthening privacy protections. The CPPA also published its first two California Consumer Privacy Act (CCPA) enforcement advisories, addressing the application of data minimization to consumer requests and the avoidance of dark patterns, respectively. Along with the enforcement advisories, the CPPA and AG have issued confidential notices of violation to various companies on matters including, but not limited to, those within the scope of the enforcement advisories.

Additionally, the CPPA announced changes to its leadership. After over three years leading the CPPA, Executive Director Ashkan Soltani stepped down from his position, effective January 2025. Tiffany Garcia, the former Chief Deputy Executive Director of the CPPA, will serve as Interim Executive Director until a permanent replacement is named. Before joining the CPPA, Garcia served for four years as Deputy Secretary for Fiscal Policy and Administration at the California Business, Consumer Services and Housing Agency.

On January 1, 2024, the California Department of Justice transferred administrative responsibility for the state’s data broker registry to the CPPA. In October 2024, the CPPA announced a public investigative sweep of data broker registration compliance. The CPPA subsequently announced a series of settlement agreements with data brokers resolving claims that the companies failed to register and pay required fees, a violation subject to a $200 fine per day. In December 2024, the CPPA voted to adopt regulations substantially increasing the fees for data broker registration from $400 to $6,600 and clarifying procedural requirements under California’s Delete Act, which requires data brokers to register with the CPPA.

In November, the CPPA advanced draft CCPA regulations on cybersecurity audits, risk assessments, and automated decisionmaking technology (ADMT) to the formal rulemaking process. The notice and comment period was open from November 22, 2024 until February 19, 2025. In addition to adding rights and requirements for the use of ADMT (described in detail in the  ), the proposed regulations would revise the existing CCPA regulations to require businesses to conduct cybersecurity audits and risk assessments. These changes include an expansion of the definition of sensitive personal information, additional requirements for implementing consumer rights, and updates to the opt-out framework. Gibson Dunn has   laying out the significant issues with the draft regulations.

ii. California Attorney General

Though the CPPA has begun privacy enforcement in California, the California Attorney General (CA AG) continued to play an active role in enforcing the CCPA in 2024. In January 2024, the CA AG announced an investigative sweep focused on streaming services. The CA AG also announced two settlement agreements under the CCPA in 2024. The first, with a major tech company, handled by Gibson Dunn, addressed the CCPA’s requirement that a business disclose and provide consumers the right to opt out of the selling or sharing of their personal information. The settlement agreement required a low settlement penalty of $375,000 and injunctive terms that reiterated existing requirements of the law but notably did not require any changes to business practices. The second settlement, which the CA AG brought with the Los Angeles City Attorney, resolved claims that a mobile game company violated the CCPA and COPPA by failing to obtain parental consent for collecting and sharing children’s data from a mobile app. In addition to a $500,000 civil penalty, the settlement agreement requires the company to obtain consent for processing children’s and teens’ personal information, provide a just-in-time notice when children’s data is sold or shared, and properly configure third-party software development kits to comply with children’s data legal requirements.

b. Other State Agencies

In 2024, state attorneys general in other states began to enforce their recently enacted state comprehensive privacy laws and build out privacy enforcement infrastructure. For example:

  • The Texas Attorney General (Texas AG) has been particularly active in enforcing Texas’s data protection laws. In June 2024, the Texas AG announced the launch of a data privacy and security initiative, establishing a dedicated data privacy protection team. Focused on the sale of geolocation data, the Texas AG opened an investigation into car manufacturers’ collection and sale of driver data and subsequently brought a lawsuit against a car manufacturer under the Deceptive Trade Practices Act. The Texas AG issued notices of violation to multiple other companies for allegedly sharing sensitive user data without proper notice and consent under the recently effective Texas Data Privacy and Security Act and notifications of apparent failure to register as data brokers to over 100 companies a few months after the close of the Texas Data Broker Law’s initial registration period. Gibson Dunn has advised clients in response to many confidential investigations and notices over the past year. The Texas AG also filed a complaint against a popular social media platform under the SCOPE Act, alleging that the company failed to obtain parental consent before sharing, disclosing, or selling a minor’s personal information and failed to offer required parental controls.
  • In February 2024, the Connecticut Attorney General (CT AG) published a report describing enforcement actions under the Connecticut Data Privacy Act in the first six months since the law took effect. The report states that the CT AG has issued numerous warning letters, received 30 complaints, and issued inquiries and cure notices addressing deficiencies in privacy policies, sensitive data, teen data, and data brokers.
  • In December 2024, the Colorado Department of Law adopted rules updating language in the Colorado Privacy Act Regulations to include newly adopted definitions of biometrics and adding a process for issuing opinions and guidance. Additionally, as part of a roll-out process, the Colorado Attorney General recognized Global Privacy Control (GPC) as the first universal opt-out mechanism to meet the CPA’s standards, and required businesses to implement GPC opt-outs by July 2024.
  • The Oregon and Virginia Attorneys General have initiated confidential investigations into compliance with their newly effective state privacy laws, some of which have been handled by Gibson Dunn.
  • Ahead of the January 1, 2025 effective date of the New Hampshire Data Privacy Act, the New Hampshire Department of Justice announced the creation of a data privacy unit. Delaware created a Personal Data Privacy Portal in anticipation of the Delaware Personal Data Privacy Act, which also took effect January 1, 2025.

III. Civil Litigation Regarding Privacy and Data Security

A. Data Breach Litigation

Data breaches and cybersecurity incidents have continued to pose a threat to businesses, resulting in substantial economic losses and putting companies at risk of litigation. According to the Identity Theft Research Center (ITRC), although there were fewer data breaches in 2024 than in 2023—2,850 as opposed to 3,122 total data breaches—due to the scale of some of the 2024 breaches, the number of data breach victims actually increased by 257% from 2023. We summarize a few of the notable data breach suits below.

A large telecommunications company faced multiple class action lawsuits stemming from a data breach that allegedly resulted in the exposure of approximately 73 million account holders’ personal data.[107] These class actions have now been transferred to and consolidated in the Northern District of Texas, alleging claims for, among other things, negligence, breach of contract, and unjust enrichment.[108] The class actions also allege that the telecommunications company violated state consumer protection laws, deceptive and unfair trade practices laws, and personal consumer information laws.[109]

A federal court denied a pharmaceutical wholesaler’s motion to dismiss, finding that plaintiffs had adequately pleaded standing in seeking damages for the risk of future harm resulting from a data breach.[110] Specifically, the court found that, because the plaintiff had pleaded actual attempted misuse, standing had been adequately pleaded, even though the attempted misuse was prevented by the Social Security Administration.[111]

A pair of recent decisions also provide insight into the role that fiduciary duty claims play in data breach litigation. In November 2024, the Supreme Court of Alabama affirmed a lower court’s dismissal of a data breach class action against a management consulting firm that had allegedly collected sensitive personal and health information from employees, patients, and vendors, and for which the submission of sensitive personal information was a prerequisite for employment.[112] The court affirmed the dismissal for lack of standing and failure to sufficiently plead claims, including because the plaintiff failed to plead that a fiduciary duty existed between her and her former employer.[113] Specifically, the court held that, although Griggs argued that NHS had influence and dominion over her and her data, under Alabama precedent a principal or employer is not the fiduciary of its agent or employee, and Griggs offered no support for the court to recognize an exception in her case. In a July 2024 decision out of the Northern District of Georgia, a court found that a plaintiff had sufficiently pleaded facts to show that a fiduciary relationship existed with a company that retained her health information.[114] Unlike the Alabama case, the Georgia case did not involve an employer-employee relationship. The Northern District of Georgia court allowed breach of fiduciary duty claims to proceed, determining that “in some circumstances, the retention of private information that patients provided while seeking medical care can create a fiduciary duty under Georgia law.”[115] Additionally, 2024 saw a number of significant data breach settlements that will shape which new cases are filed and how existing cases are negotiated:

  • A health network agreed to a $65 million settlement, which was later approved by the court, to resolve the claims of nearly 135,000 patients and employees whose personal data was breached due to a ransomware attack, including more than 600 patients who had their personal medical-record photos posted on the internet after the health network refused to pay the ransom.
  • A personal genomics company agreed to a $30 million settlement to resolve a multi-district class action brought on behalf of more than six million customers who claimed that their personal data was stolen, including, for a small set of customers, information about their health based on the analysis of their genetic data.
  • A mobile payment company and its subsidiary agreed to a $15 million settlement to settle claims stemming from two separate data breaches, one by a former employee and another by third parties that used old phone numbers to access users’ accounts, that allegedly exposed the personally identifiable information, account numbers, and trading activity of more than 8.2 million users.

B. Wiretapping and Related Litigation Concerning Online “Tracking” Technologies

The flood of lawsuits brought under federal and state wiretapping statutes continued in 2024, with hundreds of cases being filed, frequently by the same plaintiff law firms. Many technology companies offer web- and app-based tools (such as software development kits, pixels, chat features, or similar tools) that web and app developers can use to track users’ activity on their website or app. Plaintiffs have brought lawsuits alleging that the use of these tools in a variety of different sectors (such as healthcare, video, finance, and more) violates federal and state wiretapping statutes by “recording” (or “eavesdropping” on) plaintiffs’ activity on websites and apps (which plaintiffs characterize as their “communications” with web and app developers). For example, plaintiffs have alleged that third-party technology companies were able to “wiretap” and “eavesdrop” on their online chat communications with businesses through the technology used to implement those chat features.[116] Some of these lawsuits were filed directly against the developers that own the websites and apps at issue.[117] Others were filed against the companies that offer this technology to web and app developers and allegedly receive the communications at issue.[118]

As described in last year’s Review, the plaintiffs in these cases often bring claims under both the federal Wiretap Act and state wiretapping laws, which can carry high penalties for violations. The federal Wiretap Act is a one-party consent statute, so there is no liability if even one party to a communication consents to share it unless the communication is intercepted for the purpose of committing a crime or tortious act.[119] The Act provides for statutory damages consisting of $100 a day for each day of violation or $10,000, whichever is greater.[120] Some states have adopted more restrictive two-party (or all-party) consent statutes while also providing for high statutory damages. For example, California’s wiretapping and eavesdropping laws prohibit wiretapping or eavesdropping on communications without the consent of all parties involved and provide for $5,000 in statutory damages per violation.[121]

These claims continue to be especially difficult to defend against at early stages of the case, as courts in 2024 have sometimes refused to consider a defendant’s privacy policy to show consent at the motion-to-dismiss stage.[122] A significant number of these cases have continued to survive past the pleadings stage, though several others have been dismissed outright.[123] In one significant decision, a California federal district court dismissed wiretapping and other privacy-based claims against a technology company based on the plaintiffs’ failure to plausibly allege that the company intended for third parties to use its pixel technology to send sensitive health information (contrary to the company’s instructions).[124] This decision teed up an intra-District split on the proper standard for assessing intent for wiretapping claims in the Northern District of California, where many of these cases are brought.[125] In addition, the caselaw has continued to develop regarding what sort of harm plaintiffs must show to pursue a claim, with some courts finding a statutory violation sufficient (based on an asserted privacy injury)[126] and others requiring more in light of a 2021 U.S. Supreme Court decision.[127]

There were more decisions in 2024 at the summary judgment stage as well, with mixed results. For example, a California federal court granted summary judgment for the defendant web developer on the plaintiff’s California wiretapping claim.[128] The plaintiff alleged the defendant violated California’s wiretapping statute when she visited the defendant’s website, because her keystrokes were recorded by computer code embedded on the website.[129] The plaintiff claimed that this recording violated the California wiretapping statute’s prohibition on “read[ing] or attempt[ing] to read or learn the contents or meaning of electronic communications” without the consent of all parties to the communication.[130] The court held the defendant did not “read, attempt to read, or to learn the contents or meaning” of the communications because the keystrokes were immediately “hashed,” or transformed into an “incomprehensible alphanumeric string called a hash,” and the unhashed information was not retained anywhere.[131] As another example, a different California federal court granted summary judgment for the defendant social media companies on the plaintiffs’ federal and California wiretapping claims.[132] The plaintiffs alleged the defendants’ web-based tools collected and sent their information when they visited websites that used those tools.[133] The court held plaintiffs had not produced any evidence that the defendants had intercepted the “contents” of their communications as required under the federal and California wiretapping claims, and that even if plaintiffs had done so, it did not appear the defendants had obtained any communications “during transmission” as to one of the two tools.[134] By contrast, another California federal court denied in substantial part a technology company’s motion for summary judgment in a lawsuit where the plaintiffs alleged their private health information entered into a period-tracking app was surreptitiously shared with the technology company through the company’s software development kit embedded in the app.[135] The court permitted the plaintiffs’ federal and California wiretapping claims to proceed, finding “factual disputes” existed regarding “the alleged transmission of data via [the defendant]’s SDK, and its subsequent use vel non.”[136]

In 2024, certain tracking technology cases also reached preliminary or final settlements encompassing wiretapping claims. For example, the plaintiffs filed an unopposed motion for final approval of the parties’ proposed class action settlement in a case based on a technology company’s purported surreptitious tracking of users’ web-browsing activity even when users browsed in “Incognito mode.”[137] Included as part of this “groundbreaking settlement that yields substantial benefits” for class members are the technology company’s agreements to rewrite its disclosures to inform users that it collects private browsing data, to “delete and/or remediate billions of data records that reflect class members’ private browsing activities,” and to permit users in Incognito mode to block third-party cookies by default.[138] Under the terms of the settlement, class members retain their right to sue the defendant individually for damages, including for the “significant statutory damages available under the federal and state wiretap statutes.”[139]

C. Anti-Hacking and Computer Intrusion Statutes

The federal Computer Fraud and Abuse Act (CFAA) generally makes it unlawful to “intentionally access a computer without authorization” or to “exceed[] authorized access.”[140] As described in last year’s Review, the U.S. Supreme Court’s decision in Van Buren v. United States, 593 U.S. 374 (2021), subsequent cases, and the Department of Justice’s decision in 2022 to narrow its CFAA enforcement policies have limited the CFAA’s legal and practical scope. Decisions this past year have continued to grapple with the proper scope of the CFAA and similar state statutes, such as California’s Comprehensive Data Access and Fraud Act (CDAFA).

1. CFAA

In 2024, courts continued to confront questions about the scope of “authorization” under the CFAA. For example, in July 2024, a federal jury in Delaware found that an online travel agency violated the CFAA by using an airline’s website without authorization or in excess of its authorized access.[141] The airline characterized the travel agency’s unauthorized use of its website as “screen scraping,” which the airline defined as “using an ‘automated system or software . . . to extract data from [the airline’s] website for commercial purposes,’ such as selling [the airline’s] flights on websites other than [the airline]’s.”[142] According to the airline, the travel agency continued screen scraping even after the airline sent cease-and-desist letters and developed a program to block such unauthorized activity.[143] The jury awarded $5,000 to the airline, which represented the amount of “actual economic harm” caused by the travel agency’s violation of the CFAA.[144] Following the jury verdict, the travel agency filed a motion for judgment as a matter of law, arguing in part that the airline failed to prove that it suffered a loss of at least $5,000 in any one-year period, as required under the CFAA.[145] The court agreed, granting judgment in favor of the travel agency.[146] The court entered an amended judgment in accordance with its ruling on January 31, 2025.[147] This was one of the first civil trials involving a CFAA claim.

Other 2024 decisions similarly addressed the meaning of “authorization” under the statute. In a case before the Sixth Circuit, an IT administrator created company email accounts for potential buyers of the company to use.[148] When the potential purchase fell through, the IT administrator searched the buyers’ email accounts to preserve certain emails for litigation purposes.[149] The Sixth Circuit held that the IT administrator’s actions were not “without authorization” because, as the manager of the email accounts, he had undisputed authorization to access them.[150] The Sixth Circuit next considered whether the IT administrator’s actions “exceed[ed] authorization,” observing that “[d]etermining the parameters of authorization . . . is not always easy to pin down.”[151] But the court ultimately did not decide the issue, finding the IT administrator did not violate the statute because the CFAA prohibits only “intentionally” exceeding authorized access, and the administrator “lack[ed] notice that his access [was] unauthorized.”[152] The Sixth Circuit thus affirmed summary judgment in favor of the defendants.

As another example, in a federal Idaho case, a company alleged that three of its former employees improperly accessed its internal healthcare record system to obtain confidential and proprietary information to form a competing business.[153] While they were employed by the company, the three defendants were all issued credentials to access the system.[154] After one defendant was fired, he allegedly increased another defendant’s permissions in the system, which the latter defendant used to access material he was not otherwise authorized to access. The court pointed to Van Buren v. United States, 593 U.S. 374 (2021), noting the Supreme Court had indicated “the question of authorized access is a ‘gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.’”[155] The court went on to note that the Supreme Court “left open the issue of ‘whether [the authorization] inquiry turns only on technology (or ‘code-based’) limitations on access, or instead also looks to limits contained in contracts or policies.’”[156] Because one defendant had allegedly wrongfully expanded the other defendant’s access beyond what was authorized, the court held it could not conclude at the motion-to-dismiss stage that such conduct fell outside the scope of the CFAA.

2. CDAFA

Courts have also grappled with issues under state-law analogs to the CFAA, which plaintiffs sometimes invoke alongside wiretapping and other privacy-related claims. One such statute, the CDAFA, is California’s version of the CFAA, and its provisions “generally prohibit[] tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems.”[157] The CDAFA creates a private right of action against any person who commits certain listed violations “for compensatory damages and injunctive relief or other equitable relief.”[158] “Access” under the statute means to “cause output from” the “logical, arithmetical, or memory function resources of a computer.”[159] Only someone who has “suffer[ed] damage or loss by reason of a violation” of the statute may bring a civil action.[160]

As was the case last year, in 2024, several district courts considered CDAFA claims as part of the recent wave of litigation related to website tracking technologies. Of particular note is what appears to be a growing divide among the district courts on the issue of whether the loss of value in a plaintiff’s data can qualify as “damage or loss” under the statute.

Most courts have held that the loss of value of personal data is not enough to show “damage or loss” under the CDAFA.[161] For example, a California district court dismissed the plaintiff’s CDAFA claim in a case where the plaintiff alleged her interactions with her medical center’s online patient portal, including her private medical data, were surreptitiously forwarded to certain third parties due to the center’s use of tracking pixels on its website.[162] The plaintiff argued the loss of value of her data constituted “damage or loss” under the CDAFA. The court rejected that argument, holding that the “loss of the right to control [one’s] data, the loss of the value of [one’s] data, and the loss of the right to protection of the data” are not losses covered by the CDAFA.[163]

Some courts, however, have accepted the lost-value-of-data theory. For example, in a federal California case, the plaintiff alleged that his personal information entered into a chat feature on the defendant’s website was surreptitiously shared with other companies due to the code used to support the chat feature.[164] The court declined to dismiss the plaintiff’s CDAFA claim, holding the plaintiff had sufficiently alleged that the defendant “has a stake in the value of his misappropriated data.”[165] The court pointed to the Ninth Circuit’s decision in In re Facebook, Inc. Internet Tracking Litigation, 956 F.3d 589 (9th Cir. 2020), for support, reasoning that the Ninth Circuit had found the plaintiffs in that case “had sufficiently alleged their [data] carried financial value” under the CDAFA.[166]

D. Telephone Consumer Protection Act Litigation

Originally enacted in 1991, the Telephone Consumer Protection Act (TCPA) regulates certain forms of telemarketing activities and the use of automatic telephone dialing systems (ATDS).[167] TCPA litigation historically centered on issues concerning the technical definition of an ATDS, but the Supreme Court clarified and restricted that definition in its 2021 opinion in Facebook Inc. v. Duguid, endorsing a narrow reading that limits an ATDS to devices that store or produce telephone numbers by using a random or sequential number generator.[168] With the definition of an ATDS largely resolved, the interpretation of other key provisions in the TCPA has become the focus of ongoing litigation.

In one notable decision in 2024, the Fourth Circuit reversed the dismissal of a putative class action, holding that the plaintiff alleged facts sufficient to state a claim that the defendant’s fax invitation to attend a free webinar constituted an “unsolicited advertisement” under the TCPA.[169] The court held that it is reasonable to infer that the free webinar had a “commercial character,” even though specific products were not mentioned in the fax.[170] The court further reasoned that, by accepting the defendant’s fax invitation, the plaintiff would have potentially provided contact information and consent to future promotional materials, which gave the fax the requisite “commercial nexus” to the defendant’s business.[171]

On the other hand, the Fourth Circuit held in a different case that the TCPA does not apply to faxes that are received through online fax services.[172] The court reasoned that because an online fax service does not receive an electronic signal “over a regular telephone line” or have the capacity to transcribe text or images “onto paper,” it does not meet the statute’s definition of a “telephone facsimile machine.”[173]

Looking ahead, the Supreme Court is expected to issue a decision in a case that addresses whether the Hobbs Act, which limits the judicial review of FCC final orders to appellate courts, requires a federal district court to accept the FCC’s interpretations of the TCPA.[174] Because the FCC’s interpretations can affect how courts evaluate claims and defenses in TCPA actions, this decision could have a significant impact on how these cases are litigated and resolved.

E. State Law Litigation

1. California Consumer Privacy Act Litigation

The CCPA provides a limited private right of action, allowing consumers, individually and as a class, to pursue civil litigation when their personal information falls subject to “unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.”[175] The CCPA provides for the greater of either statutory damages—between $100 and $750 per consumer per incident—or actual damages, plus injunctive or declaratory relief, and any other relief a court deems appropriate.[176] In practice, this private right of action is used almost exclusively to address data breaches. While there was not significant movement in 2024 on these issues, some courts have issued rulings supporting an expansive interpretation of what constitutes a “data breach” subject to the private right of action. Moreover, in 2024, several courts focused on the threshold consideration of whether defendants qualified as a “business” subject to the CCPA, as well as defenses to the CCPA. The details of these rulings are summarized below.

a. Limited Reach of the CCPA’s Private Right of Action

In several suits over the past year, courts did not reach the merits of alleged violations of the CCPA because they first assessed whether a defendant was subject to the private right of action. Courts generally interpreted the statute to require that the defendant qualify as a “business”—an entity that collected or otherwise made determinations about how to process plaintiffs’ personal data—to be subject to the statute’s private right of action, though they differed on whether a traditional service provider could be sufficiently subject to those requirements.[177] For example, in a putative class action against a debt collection and accounts receivable management company, the court dismissed the CCPA claim, holding that though plaintiffs did plead that the company “obtained” and “received” the plaintiffs’ PII, the complaint did not allege that the defendant “determined how and why [plaintiffs’] PII should be processed.”[178] In another suit, the court held that a cloud-based software company did not qualify as a “business” because enabling the secure transfer of files by hosting them on the company’s file-sharing software did not amount to “determin[ing] why and how consumers’ PII was processed.”[179] However, in a suit against a health information technology company, the court held that the defendant’s use of plaintiffs’ PII “to develop, improve, and test” the defendant’s services—a common type of processing by “service providers”—was sufficient to make it subject to the CCPA.[180]

Another court addressed the scope of a data breach, effectively doubling down on prior courts’ broadening of the common understanding of the triggering event required for the private right of action. In that case, plaintiffs brought a putative class action against a mental healthcare company that was alleged to have been disclosing users’ mental health information to a third party without providing notice to users.[181] The company moved to dismiss the plaintiffs’ CCPA claim, arguing that CCPA’s private right of action applies only to traditional data breaches.[182] The court disagreed and denied the motion to dismiss the claim, holding that courts have allowed CCPA claims to “survive a motion to dismiss where a plaintiff alleges that defendants disclosed plaintiff’s personal information without his consent due to the business’s failure to maintain reasonable security practices.”[183]

b. Other CCPA Defenses

In 2024, defendants continued to invoke CCPA defenses, such as narrow exemptions and the statute’s notice requirement, with varying success.

International Law Firm. After an international law firm discovered a significant cybersecurity breach of its systems, plaintiffs brought a putative class action lawsuit against the firm asserting multiple claims, including violations of the CCPA.[184] The firm argued in part in its motion to dismiss that, because the named plaintiff was employed by one of the defendant’s clients and the defendant received his data as part of a business-to-business transaction, the “business-to-business” exception applied.[185] Though this exemption expired on January 1, 2023, it was in place at the time of the 2021 data breach, so the court dismissed the plaintiff’s claim with prejudice.[186] Though defendants can no longer rely on this exemption for data breaches taking place in 2023 and beyond, this case serves as a reminder that it remains a viable defense to breaches occurring before that time.

Hotel and Casino Entity. A hotel and casino entity was subject to a data breach in November 2022, in which the PII of thousands of customers was accessed by hackers.[187] A class action suit was brought against the entity asserting multiple claims, including violations of the CCPA.[188] The entity contended plaintiffs’ claim for statutory damages under the CCPA was barred because notice of the CCPA claim was untimely.[189] One of the named plaintiffs had filed his individual complaint—which did not assert a CCPA claim—and mailed a CCPA pre-suit notice on the same day.[190] Several months later, plaintiffs filed a consolidated complaint which included a statutory damages CCPA claim.[191] The court held that the plaintiffs had satisfied the notice requirement because the defendant was provided with the required cure period before the plaintiff brought the claim to court.[192] The court further held that the allegations in plaintiff’s letter were sufficient to provide statutory notice and that the defendant’s measures taken after receipt of the letter did not cure the unauthorized release of the plaintiffs’ data and were instead designed to address future threats.[193]

2. State Biometric Information Litigation

a. Illinois Biometric Information Privacy Act (BIPA)

2024 was another active year for Illinois’s Biometric Information Privacy Act (BIPA). There were both plaintiff- and defense-friendly developments, as well as a novel, significant settlement. Of note for plaintiff-friendly developments, courts permitted a complaint against a cloud service provider to survive a motion to dismiss, and concluded that plaintiffs located outside Illinois may be able to bring BIPA claims against defendants who allegedly process their data within Illinois. The year also saw some of the most important pro-defendant developments in recent years, which collectively limit the scope of BIPA to a considerable extent. Most notably, the Ninth Circuit held that biometric data must be capable of identifying the plaintiff to be subject to BIPA, and the Illinois state legislature amended BIPA to greatly reduce the likelihood that a plaintiff may recover an astronomical damages award. In addition, district courts recognized limitations on BIPA, including that the statute doesn’t apply when the defendant doesn’t control the data at issue, and that a plaintiff has to plead specific facts in order to rely on a theory that her biometric data was included in an AI model’s training dataset.

i. Application of BIPA to Cloud Services Companies

In a putative class action against a cloud service provider in the U.S. District Court for the Western District of Washington, a plaintiff alleged that the cloud service provider violated BIPA by allowing a third-party video game publisher to use its cloud computing services to facilitate the use of biometric data.[194] Specifically, the complaint alleged that a feature offered by the video game publisher, which allowed users to upload facial images that the game publisher then used to create a customized player resembling the user, involved the creation of a scan of face geometry (a biometric identifier under BIPA) and that the provider received the plaintiff’s scan from the video game publisher, transmitted it to third-party gaming platforms, and stored it on its servers. A magistrate judge recommended that the provider’s motion to dismiss be denied. The court reasoned that, despite the provider’s assertion that it “had no ability to access users’ biometric data and [was] unaware of [its] receipt of such information,” the court must take as true the allegation that the provider “knowingly obtained” the data and that it remained in the provider’s “control” as the provider “disseminate[d] and store[d] it” on its servers.[195] Thus, the court concluded that the plaintiff had plausibly alleged both the provider’s “possession” and “collection” of biometric data, even absent any allegation that the provider itself had “extracted Plaintiff’s face geometry.”[196] The district court ultimately adopted the magistrate judge’s report and recommendation,[197] and shortly thereafter, the parties reported that they had reached a settlement.[198] The outcome of this case may signal an increased risk faced by service providers based on conduct undertaken by their clients.

ii. In-State Processing of Non-Illinois Residents’ Data

Customers of a sandwich chain filed a putative class action against the company, alleging that it violated BIPA by recording its drive-through customers’ voice interactions and, using technology located at its corporate headquarters in Illinois, extracting from each recording a unique voiceprint.[199] The company moved to dismiss, arguing in part that BIPA shouldn’t be applied extraterritorially to two of the named plaintiffs, who visited the company’s drive-throughs in Indiana and Tennessee rather than Illinois. The district court denied the motion to dismiss, reasoning that the two named plaintiffs who never used a drive-through in Illinois had nonetheless “alleged that the extraction, collection, analysis, and use of their voiceprints all occurred at Defendant’s headquarters in Illinois” and that such allegations provided a sufficient nexus to Illinois.[200] However, the court was careful to qualify that “discovery may reveal that the connection to Illinois is sufficiently tenuous as to warrant revisiting the matter at the summary judgment stage.”[201] The decision could lead other plaintiffs located outside the borders of the State of Illinois to bring BIPA claims under a theory that the defendant processed their biometric data within the state. It remains to be seen, however, whether other courts will be receptive to such a theory.

iii. Biometric Data Must Be “Capable of Identifying” the Plaintiff

In a notable case before the Ninth Circuit this year, the plaintiff was a non-user of a social media platform who appeared in photos uploaded by users. The platform processed those photos with facial-recognition technology in an effort to identify consenting users, in connection with a feature that helped users tag their photos. The plaintiff argued for a sweeping interpretation of BIPA: that the social media company needed to obtain consent to the use of facial recognition from every anonymous non-user who appeared in a photo uploaded by a user.[202] The plaintiff’s reading effectively would have outlawed facial-recognition technologies like the defendant’s, as well as many popular biometric identification technologies, such as most biometric security systems.

In the first appellate ruling of its kind, the Ninth Circuit affirmed the district court’s judgment for the defendant on the ground that BIPA applies only to data that can be used to identify the plaintiff, and therefore does not apply to the anonymous data that the company created from photos of non-users for the purpose of determining whether they were users of the service who had consented to identification. The decision effectively overruled earlier rulings from courts within the Ninth Circuit, which had held that data is covered by BIPA so long as it meets the plain meaning of a “scan of face geometry”—a type of “biometric identifier” under the statute.[203] The ruling is potentially a watershed development. By its terms, the ruling significantly cabins the reach of BIPA, curtailing the ability of individuals anonymous to the defendant (such as non-users of a product or service) to bring suit under the statute.

District courts have since applied this ruling to the same effect. One court in the Northern District of Illinois dismissed a BIPA claim against a consumer electronics company.[204] The plaintiff had alleged that the company collected data subject to BIPA when its technology analyzed photos on users’ phones and tablets to create “unique . . . digital face templates” for each person’s face, which it used to recognize the same face in multiple photos and group together photos of that same face.[205] Relying on the Ninth Circuit’s ruling, the court explained that the plaintiff failed to allege that the company had created data “capable of identifying a person’s identity.”[206] Although the technology “group[ed] unidentified faces together,” it was the device’s users who had the option to “add names to the face[]” groupings.[207]

The Ninth Circuit’s ruling is a significant, defense-friendly development, and its precise contours will continue to be developed through litigation at the district court level.

iv. BIPA Damages Amendment

In a sweeping decision, the Illinois Supreme Court held in 2023 that a BIPA violation accrues each time a private entity collects or discloses biometric data without prior informed consent, not just upon the first collection or disclosure.[208] The court acknowledged the defendant’s concerns that this broad reading of the statute could lead to “annihilative liability” but determined that “policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature.”[209] The court concluded its decision with a “respectful[] suggest[ion] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”[210]

In 2024, the legislature heeded the Illinois Supreme Court’s call and amended BIPA to address companies’ concerns about astronomical damages awards.[211] As amended, BIPA now clarifies that a plaintiff can recover from a defendant only once under section 15(b) for violations involving the collection of “the same biometric identifier or biometric information from the same person using the same method of collection” and once under Section 15(d) for violations involving the disclosure of “the same biometric identifier or biometric information from the same person to the same recipient” where such data was collected “using the same method of collection.”[212] The amendment greatly reduces the likelihood that an individual plaintiff can recover an outsized damages award under the statute. However, courts are currently split on the question of whether the amendment applies retroactively.[213]

v. Defendant’s Lack of Control of the Data at Issue

A plaintiff brought a putative class action against a software company under sections 15(a) and 15(b) of BIPA, alleging that the company “acquired [her facial scan] when third parties viewed her photograph with a device running the [] operating system owned and controlled by [the defendant].”[214] Notably, the plaintiff did “not allege that her biometrics were physically stored on [the defendant’s] hardware.”[215]

The Northern District of Illinois granted the defendant’s motion to dismiss. The court rejected the plaintiff’s argument that the company “possess[ed]” or “collect[ed]” the alleged facial scans simply because it (1) “designed, licensed, and updated the facial scan software on users’ devices”; (2) “exercised control over the device users’ ability to access and use the facial scan software”; and (3) “retained the ability to control whether and how a user could use the facial scan software.”[216] As the court explained, “control of the facial scan software is not the same as control of the facial scan data that is collected using the software” onto users’ own devices.[217] In other words, offering “a tool that can be used to collect a facial scan is not the same as actually doing the collecting.”[218]

The court’s decision is notable. It paves the way for defendants to seek dismissal of BIPA claims when it is clear from the face of the complaint that the alleged data at issue remains on physical devices or other hardware controlled by third parties and the defendant does not itself exercise any control over the data.

vi. Pleading Requirement for AI Model-Training Theory

A plaintiff brought suit under BIPA against the developer of a mobile app that generates avatars from photos that users upload.[219] The plaintiff had never used the defendant’s app or personally uploaded his photos to it. Rather, his theory was that the defendant violated section 15(b) by training the AI model that powered the app on a publicly available dataset of five billion photos that allegedly included images of him.

Without reaching the merits of the plaintiff’s claims, the court dismissed the complaint for lack of standing. The court accepted the defendant’s argument that the plaintiff failed to provide a sufficient basis to conclude that his photos were even included in the dataset at issue. The plaintiff simply speculated that they might be, since the dataset was purportedly assembled by scraping popular social media sites that he uses.

The court’s decision confirms that a plaintiff must allege facts that make it at least plausible that his photos are at issue when predicating a lawsuit on an AI model-training theory.

vii. Other Noteworthy Developments

In a multidistrict litigation, a group of plaintiffs brought a consolidated class action complaint against a facial recognition company, alleging (among other things) that the company “covertly scraped over three billion photographs of facial images from the internet and then used artificial intelligence algorithms to scan the face geometry of each individual depicted to harvest the individuals’ unique biometric identifiers and corresponding biometric information.”[220] The district court denied the defendant’s motion to dismiss with respect to the plaintiffs’ BIPA claims, concluding that the statute applies to “biometric data extracted from photographs.”[221]

Then, this year, the court granted preliminary approval of a global settlement of the litigation.[222] The proposed settlement is noteworthy for its novel terms: it would provide the class members a 23% stake in the company. At then-current potential valuations, the class members’ stake was estimated to be worth roughly $52 million. Counsel for the plaintiffs issued a statement that the defendant lacked the funds needed to pay a large settlement, so the parties worked instead to find “a creative solution.”[223] The settlement is yet to receive final approval.

b. Texas Biometric Privacy Law Litigation

In the first-ever lawsuit filed by the Texas Attorney General under Texas’s Capture or Use of Biometric Identifier Act (CUBI), Texas claimed a large social media company violated the statute by allegedly collecting biometric data without adequate consent from photos and videos that users uploaded to the platform as part of a suite of now-deprecated features relying on facial recognition technology.[224] The case had been set to go to trial in June 2024, but the parties ultimately settled, with the defendant agreeing to pay $1.4 billion without admitting liability.

c. New York Biometric Privacy Law Litigation

Beyond BIPA and CUBI, there were also noteworthy decisions involving New York City’s Biometric Identifier Information Law this year.[225] A pair of decisions, one from the Southern District of New York and the other from the Western District of Washington, held that the prohibition on “profiting” from biometric data in New York City’s law is limited to transactions involving the data itself and does not extend to other benefits that the defendant may derive from the use of that data.

First, earlier this year, a plaintiff filed a complaint against a major live-entertainment company, alleging that the company violated New York City’s law by using facial recognition software to identify and exclude from its venues attorneys employed by law firms that are involved in litigation against it.[226] The law applies where a defendant “profit[s] from the transaction of biometric identifier information,” so the “question presented,” the court explained, was whether the “defendant profits when it shares biometric data with a third-party vendor to facilitate” the attorneys’ exclusion.[227] The court granted the defendant’s motion to dismiss. It concluded that the complaint failed to allege that the defendant profited from the transaction itself, as the statute requires.[228] Rather, the complaint asserted that the defendant “profits when it purchases a product or service,” a theory of liability that “defies common sense.”[229]

Second, a group of plaintiffs filed a putative class action against two retailers, alleging that their technologies that enable customers to simply walk out of their stores with their chosen products without queuing up at the checkout line violate New York City’s law.[230] The complaint alleged that one of the defendants profited from the plaintiffs’ biometric data by “sharing, leasing, trading or selling its . . . devices and databases by . . . allow[ing] [the defendant] to link individuals’ biometric information to other valuable forms of information[,] . . . allowing [the defendant] (or other third parties willing to pay [the defendant] for such packaged data) to make more targeted advertising, marketing, pricing, and promotional decisions.”[231] The court granted the defendants’ motion to dismiss. Citing the decision involving the live-entertainment company, the court rejected the plaintiffs’ argument regarding the statute’s profit element, concluding that “the profit Plaintiffs allege appears to ‘flow from [the defendant’s] employment of [a] broader program, albeit one advanced by biometric data sharing’”—an “unpersuasive” theory.[232] The court dismissed the plaintiffs’ claims against the other defendant as well, reasoning that they “fail to allege sufficient facts that [the defendant] plays any part in the control of the . . . technology or otherwise share in biometric identifier information as defined” under the statute.[233]

F. Other Noteworthy Litigation

Daniel’s Law Ruled Constitutional. In 2024, a federal judge rejected a constitutional challenge to Daniel’s Law, a New Jersey privacy statute enacted in 2020 in response to the tragic murder of the son of a federal judge. The statute allows law enforcement officials and their immediate family members (Covered Persons) to request that any person, business, or association not disclose their home address or unpublished telephone numbers.[234] In 2023, amendments to the statute permitted Covered Persons to assign a Daniel’s Law claim to a third party, and provided for actual damages (set at a minimum of $1,000 as liquidated damages) for each violation, punitive damages upon a showing of willful or reckless disregard of the law, and reasonable attorneys’ fees and other litigation costs—triggering a surge of litigation against a wide range of businesses that interact with New Jersey residents.[235] In a suit involving a third-party assignee, defendants moved to dismiss the claims on the basis that Daniel’s Law is unconstitutional on its face because it violates the First Amendment and because it is a strict liability statute.[236] In November 2024, the District Court of New Jersey denied the motion to dismiss and held that Daniel’s Law is constitutional.[237] As a threshold matter, the court held that Daniel’s Law is a privacy statute, so its content-based regulation of speech was not subject to strict scrutiny.[238] Instead, the court applied the three-factor test that the Supreme Court has used for balancing the right of privacy against the right of free speech and concluded that Daniel’s Law passed this test.[239] The defendants also argued that the law is unconstitutional on its face as a strict liability statute, in that it provides for actual or liquidated damages for non-compliance without regard to fault.[240] The court rejected this argument as well, concluding that “Daniel’s Law must be read as imposing liability only if a defendant unreasonably disclosed or made available the home addresses and unlisted telephone numbers of covered persons after the statutory deadline had expired.”[241] Due to the exposure created by the statutory penalty of actual damages or $1,000 per violation and the short response window, this ruling has significant implications for any business interacting with New Jersey residents, and businesses should implement policies and procedures for complying with take-down requests within the 10-day window. Shortly after the ruling, the court issued an order permitting the defendants to appeal,[242] so we will continue to monitor this case in 2025.

Cellular Data as Property. In the first appellate decision addressing whether cellular data is property, the Ninth Circuit held that cellular data can be categorized as property that is subject to conversion.[243] Plaintiffs in a class action suit sued a major technology company alleging the company performed passive data transfers using plaintiffs’ cellular data without their knowledge or consent, asserting a claim for conversion under California law.[244] The court held in connection with a motion to dismiss that cellular data can constitute property for purposes of a conversion claim—which requires a showing that there is a property right at issue—because even though the data is intangible, it allows access to a cellular network, can be limited by a user’s data plan, is capable of exclusive possession or control, and can be valued, bought and sold.[245] The court also held that the plaintiffs plausibly alleged the company used their data in a way that was inconsistent with their own property interests.[246] The court observed that when the company transfers information from its own servers, the data spent during that transfer is allocated to the customer, and accordingly is treated by the wireless carrier as if it is data that the customers themselves used.[247] Therefore, the company’s use of plaintiffs’ cellular data to transfer the information prevented plaintiffs from using all the cellular data they purchased and was inconsistent with the plaintiffs’ property interests.[248]

Video Privacy Protection Act (VPPA) Litigation. Courts continued to determine the scope of the VPPA in 2024. One notable case focused on a narrow liability exception under the VPPA and the level of scrutiny that should apply to the VPPA. The Massachusetts District Court denied a motion to dismiss a class action suit filed against a broadcasting company where plaintiffs alleged the company disclosed their PII and viewing history to third parties without their consent.[249] The company argued that its actions fell within the narrow exception for disclosures made “incident to the ordinary course of business,” but the court held that the alleged “marketing, advertising, and analytics” uses of the data did not fall within the exception’s permissible uses.[250] The court also held that the alleged disclosures of consumers’ PII constituted commercial speech for First Amendment purposes and required application of intermediate scrutiny to the VPPA, which it passed.[251]

Another federal district court dismissed a class action suit against a casino and entertainment company that owns and operates a website offering online video games that users can access by registering for an account with their personal information.[252] The company installed a tracking tool on its website that the plaintiff alleged shares information about a user’s gaming history with a third party.[253] The court held that the VPPA was inapplicable because the company did not qualify as a video tape service provider under the statute.[254] The court reasoned that video games do not constitute prerecorded content subject to the VPPA unless the video game is interlaced with “cut scenes” that are similar to prerecorded video clips.[255]

A California state court, meanwhile, denied class certification in a case asserting claims for invasion of privacy and for violations of the federal Wiretap Act, CIPA, and related common law claims arising from Meta’s offering of “Business Tools” to HBO and its alleged tracking of users’ video-viewing activities.[256] The court denied class certification because there was no classwide method to prove whether any particular video was viewed by a class member or by someone using their account: “an individualized inquiry is necessary to determine whether the data . . . reflects a particular class or subclass member’s own video-viewing behavior rather than the video-viewing behavior of a friend or family member who has accessed that individual’s HBO account.”[257]

A Georgia federal court, however, granted class certification in a VPPA case based on a theory similar to that in the California case above.[258] Plaintiff alleged that WebMD violated the VPPA because, by installing the “Facebook Pixel” on webmd.com, WebMD allegedly disclosed the video-viewing activity of its users to Facebook without their consent.[259] In granting Plaintiffs’ motion for class certification, the court rejected WebMD’s argument that an individualized inquiry would be required, noting that scenarios in which a user might have allowed someone else to use their computer, or in which a video was not working when the user clicked on the link, were the “exceptions,” not the rule.[260] Specifically, the court wrote, “WebMD does not point to any instances in which its concerns became a reality nor does it point to any evidence regarding these concerns being anything more than exceedingly rare potential exceptions . . . the idea that class certification should be denied merely due to a possibility at this stage that a website gave a 404 error or a family member used someone else’s computer seems absurd.”[261]

State Video Privacy Statutes. The Ninth Circuit upheld district court dismissals of two class action suits against two major technology companies that alleged each company violated two state privacy statutes, the New York Video Consumer Privacy Act and the Minnesota Video Privacy Law, by unlawfully retaining users’ PII.[262] Plaintiffs alleged that both state privacy statutes provide a private right of action for the unlawful retention of personal information, but the Ninth Circuit disagreed, holding that neither statute provides such a private right of action.[263]

IV. CONCLUSION

In 2024, the privacy and cybersecurity landscape in the U.S. continued to be defined by an expansion of state comprehensive privacy laws, and regulatory and enforcement activity led by federal and state agencies, as well as civil litigation brought by private plaintiffs. This was driven in large part by the rapid development and advances in data-intensive technologies like generative AI, the unrelenting cyber threat posed by malicious actors and foreign adversaries, and an increasing focus on protecting biometric data and children’s online privacy. We expect these trends to continue in 2025 as existing data-intensive technologies and use cases take hold and new ones emerge. In the absence of comprehensive federal legislation, we expect federal and state agencies to continue to lead the charge on the regulatory front and continue to aggressively pursue enforcement actions against companies and individuals. However, given the shift at the federal level driven by the Trump administration’s focus on deregulation, pro-innovation, and reversal of Biden-era policies around content moderation, AI, and digital assets, we expect a significant alteration in policy and enforcement priorities at the state and federal levels. We will continue to track and analyze these developments in the year ahead.

[1] Del. Code, tit. 6, § 12D-103(c)(13) (Delaware Personal Data Privacy Act).

[2] Iowa Code § 715D.1 to 715D.9 (Iowa Consumer Data Protection Act).

[3] See N.J. Rev. Stat. §§ 56:8-166.1(9)(a)(9); Mont. Code § 30-14-2801 to 30-14-2817; Colo. Rev. Stat. Ann. § 6-1-1309(1).

[4] “Sensitive data” is defined as “a category of personal data that includes the following:

  1. Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law.
  2. Generative or biometric data that is processed for the purpose of uniquely identifying a natural person.
  3. The personal data collected from a known child.
  4. Precise geolocation data.” Iowa Code § 715D.1 (26).

[5] Md. Code Ann., Com. Law § 14-4605(b)(7)(iii) (Maryland Personal Information Protection Act).

[6] Id. § 14-4607(A)(4).

[7] See N.J. Rev. Stat. §§ 56:18-1 to 56:18-14 (New Jersey Data Privacy Act); Neb. Rev. Stat. § 87-1102(25) (Nebraska Consumer Data Privacy Act); Fla. Stat. § 501.701-22 (Florida Digital Bill of Rights); Conn. Gen. Stat. Ann. § 42-520 (Connecticut Data Privacy Act); Tex. Bus. & Com. Code §§ 541.001 to 541.205 (Texas Data Privacy and Security Act).

[8] Minn. Stat. §§ 325O.01 to 325O.14 (Minnesota Consumer Data Privacy Act).

[9] N.J. Rev. Stat. §§ 56:18-1 to 56:18-14 (New Jersey Data Privacy Act).

[10] Tenn. Code §§ 47-18-3301 to 47-18-3315 (Tennessee Information Protection Act).

[11] Id. § 47-18-3213(a)(1)(A).

[12] Cal. Civ. Code § 1798.100 et seq. (California Consumer Privacy Act/California Privacy Rights Act); Colo. Rev. Stat. Ann. § 6-1-1308 et seq. (Colorado Privacy Act); N.J. Stat. Ann. § 56:18-1 et seq. (New Jersey Data Privacy Act).

[13] See, e.g., Va. Code Ann. §§ 59.1-575, 59.1-577 (Virginia provides an opt-out right from “the processing of the personal data for the purposes of . . . profiling [which is to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements automated decisionmaking] in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”).

[14] Conn. Gen. Stat. Ann. § 42-515; Del. Code Ann. tit. 6, § 12D-101; Fla. Stat. § 501.701; Ind. Code § 24-15-1-1; Md. Code Ann., Com. Law § 14-4601; Mont. Code Ann. § 30-14-2801; Neb. Rev. Stat. § 87-1102; N.H. Rev. Stat. Ann. § 359-T:1; R.I. Gen. Laws § 6-48.1-1; Tenn. Code Ann. § 47-18-3301; Tex. Bus. & Com. Code § 541.001.

[15] Cal. Civ. Code § 1798.100; Colo. Rev. Stat. Ann. § 6-1-1308; Ky. Rev. Stat. § 367.390; Minn. Stat. § 3250.01; N.J. Stat. Ann. § 56:18-1; Or. Rev. Stat. § 646A.570; Va. Code Ann. § 59.1-575.

[16] Iowa Code § 715D.1; Utah Code Ann. § 13-61-101.

[17] California’s law does not directly provide a right to opt out, but instructs the California Privacy Protection Agency (CPPA) to issue regulations “governing access and opt-out rights with respect to a business’ use of automated decisionmaking technology.” Cal. Civ. Code § 1798.185(a)(15). The CPPA has drafted regulations on automated decisionmaking that include the right to opt-out, but the regulations are not yet final.

[18] Cal. Civ. Code § 1798.100; Colo. Rev. Stat. Ann. § 6-1-1308; Conn. Gen. Stat. Ann. § 42-515; Del. Code Ann. tit. 6, § 12D-101; Fla. Stat. § 501.701; Md. Code Ann., Com. Law § 14-4601; Minn. Stat. § 3250.01; Mont. Code Ann. § 30-14-2801; Neb. Rev. Stat. § 87-1102; N.H. Rev. Stat. Ann. § 359-T:1; N.J. Stat. Ann. § 56:18-1; Or. Rev. Stat. § 646A.570; R.I. Gen. Laws § 6-48.1-1; Tex. Bus. & Com. Code § 541.001.

[19] Ind. Code § 24-15-1-1; Iowa Code § 715D.1; Ky. Rev. Stat. § 367.390; Md. Code Ann.; Tenn. Code Ann. § 47-18-3301; Utah Code Ann. § 13-61-101; Va. Code Ann. § 59.1-575.

[20] 16 C.F.R. § 312.5(a)(1) (2013) (requiring operators to “obtain verifiable parental consent before any collection, use, or disclosure of personal information from children”).

[21] Cal. Civ. Code § 1798.100; Conn. Gen. Stat. Ann. § 42-515; Del. Code Ann. tit. 6, § 12D-101; Minn. Stat. § 3250.01; Mont. Code Ann. § 30-14-2801; N.H. Rev. Stat. Ann. § 359-T:1.

[22] N.J. Stat. Ann. § 56:18-1; Or. Rev. Stat. § 646A.570.

[23] Md. Code Ann., Com. Law § 14-4601.

[24] Colo. Rev. Stat. Ann. § 6-1-1308; Fla. Stat. § 501.701; Ind. Code § 24-15-1-1; Iowa Code § 715D.1; Ky. Rev. Stat. § 367.390; Neb. Rev. Stat. § 87-1102; R.I. Gen. Laws § 6-48.1-1; Tenn. Code Ann. § 47-18-3301; Tex. Bus. & Com. Code § 541.001; Utah Code Ann. § 13-61-101; Va. Code Ann. § 59.1-575.

[25] There is an implicit exception if businesses must retain data in order to comply with federal or state laws or regulations. Both statutes contain a blanket statement that nothing in the law should be construed to interfere with a business’s ability to comply with federal or state laws or regulations.

[26] As a representative example, Virginia provides that businesses may comply with a request to delete by “opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of this chapter.” Va. Code Ann. § 59.1-577(b)(5).

[27] States with requirement: Cal. Civ. Code § 1798.100; Colo. Rev. Stat. Ann. § 6-1-1308; Conn. Gen. Stat. Ann. § 42-515; Del. Code Ann. tit. 6, § 12D-101; Md. Code Ann., Com. Law § 14-4601; Minn. Stat. § 3250.01; Mont. Code Ann. § 30-14-2801; Neb. Rev. Stat. § 87-1102; N.H. Rev. Stat. Ann. § 359-T:1; N.J. Stat. Ann. § 56:18-1; Or. Rev. Stat. § 646A.570; Tex. Bus. & Com. Code § 541.001.

[28] States with requirement: Del. Code Ann. tit. 6, § 12D-101; Minn. Stat. § 3250.01; Or. Rev. Stat. § 646A.570; R.I. Gen. Laws § 6-48.1-3(a) (requiring that “all third parties to whom the controller has sold or may sell customers’ personally identifiable information” be identified in a “conspicuous location on its website”).

[29] States with requirement: Del. Code Ann. tit. 6, § 12D-104(c)(5); N.J. Stat. Ann. § 56:8-166.10.

[30] Fla. Stat. § 501.1736(2)(b)(1), 501.1736(3)(a).

[31] Id. § 501.1736.

[32] Id.

[33] Id. § 501.1738(1).

[34] Id. § 501.1738(2).

[35] Id.

[36] Id.

[37] Ga. Code. Ann. § 39-6-1(3).

[38] Id. § 39-6-2(c).

[39] Id. § 39-6-2(a).

[40] Id. § 39-6-1.

[41] Id. § 39-6-2(e).

[42] Id. § 39-6-3.

[43] Md. Code Ann., Com. Law § 14-4801(e).

[44] Id. §§ 14-4804(b); 14-4807.

[45] Id. § 14-4801(c).

[46] Id. § 14-4805(a).

[47] Complaint, NetChoice v. Brown, Case No. 1:25-cv-00322-RDB (Feb. 3, 2025).

[48] N.Y. General Business Law § 1500.6.

[49] Id. § 1500.1; § 1501.

[50] Id. § 1502.

[51] Pub. Act 103-0769.

[52] Id.

[53] Cothron v. White Castle System, Inc., 216 N.E.3d 918, 929 (Ill. 2023).

[54] The bill defines biometric data as “one or more biometric identifiers that are used or intended to be used, singly or in combination with each other or with other personal data, for identification purposes.” The bill defines “biometric identifiers” as “data generated by the technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics, which data can be processed for the purpose of uniquely identifying an individual.” H.B. 24-1130, 74th Gen. Assemb., Reg. Sess. (Colo. 2024).

[55] Colo. Rev. Stat. Ann. § 6-1-1314(3).

[56] Id. § 6-1-1314(2).

[57] Id. § 6-1-1314(2)(III).

[58] Id. § 6-1-1314(6).

[59] Id. § 6-1-1314(4)(a).

[60] Id. § 6-1-1314(4)(b).

[61] Id. § 6-1-1314(5).

[62] Id. § 6-1-1314(4)(c).

[63] H.B. 24-1130, 74th Gen. Assemb., Reg. Sess. (Colo. 2024).

[64] A.B. A836, 2023-2024 Leg., Reg. Sess. (N.Y. 2024); S.B. S2518-A, 2023-2024 Leg., Reg. Sess. (N.Y. 2024).

[65] N.Y. Labor Law § 201.

[66] Id. § 201-i(1)(d).

[67] Id. § 201-i(1)(c), (6).

[68] Id. § 201-i(2)(a).

[69] Id. § 201-i(3)(a).

[70] Id. § 201-i(5)(c).

[71] Id. § 201-i(2)(b).

[72] Id. § 201-i(5)(a)(i), (ii).

[73] Cal. Health & Saf. Code § 27000.5(b)(1).

[74] Id. § 27002(a)(1).

[75] Id. § 27005.

[76] NetChoice, LLC v. Bonta, No. 5:24-cv-07885-EJD (9th Cir.).

[77] Colo. Rev. Stat. Ann. § 6-1-1313(16.7); Cal. Civ. Code § 1798.140(ae)(1)(G)(ii).

[78] Colo. Rev. Stat. Ann. § 6-1-1313(16.7).

[79] Cal. Civ. Code § 1798.140(ae)(1)(G)(ii).

[80] H.B. 24-1058, 74th Gen. Assemb., Reg. Sess. (Colo. 2024); S.B. 1223, 2023-2024 Leg., Reg. Sess (Cal. 2024).

[81] Colo. Rev. Stat. Ann. § 6-1-1313(2.5).

[82] American Privacy Rights Act of 2024, H.R. 8818, 118th Cong. § 2 (2024).

[83] Id.

[84] Protecting Americans’ Data from Foreign Adversaries Act of 2024, Pub. L. No. 118-50(I)(2)(a).

[85] Protecting Americans’ Data from Foreign Adversaries Act of 2024, Pub. L. No. 118-50(I)(2)(c)(4).

[86] Protecting Americans’ Data from Foreign Adversaries Act of 2024, Pub. L. No. 118-50(I)(2)(c)(8).

[87] H.R. 7690, 118th Cong. (2nd Sess. 2023).

[88] H.R. 7621, 118th Cong. (2nd Sess. 2023).

[89] H.R. 7841, 118th Cong. (2nd Sess. 2023).

[90] H.R. 8293, 118th Cong. (2nd Sess. 2023).

[91] S. 4075, 118th Cong. (2nd Sess. 2023).

[92] S. 4697, 118th Cong. (2nd Sess. 2023).

[93] S. 3661, 118th Cong. (2nd Sess. 2023).

[94] S. 5218, 118th Cong. (2nd Sess. 2023).

[95] On February 20, 2025, the FTC issued a Request for Information on “how technology platforms deny or degrade … users’ access to services based on the content of the users’ speech or their affiliations.”

[96] FTC v. NGL Labs, LLC, No. 2:24-cv-05753-JLS-PVC (C.D. Cal. 2024).

[97] Nat’l Treasury Employees Union v. Vought, No. 1:25-cv-381.

[98] Mayor & City Council of Baltimore v. Vought, No. 25-cv-00458.

[99] Mayor & City Council of Baltimore v. Vought, No. 25-cv-00458 (MJM) (D. Md. Feb. 28, 2025).

[100] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11216 (July 26, 2023).

[101] Designation of size depends on the type of Covered Institution. See Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer, 89 FR 47688, Table 3 (June 3, 2024) (to be codified at 17 C.F.R. pts. 240, 248, 270, 275), https://www.federalregister.gov/documents/2024/06/03/2024-11116/regulation-s-p-privacy-of-consumer-financial-information-and-safeguarding-customer-information#footnote-357-p47719.

[102] Under the rule, covered persons include 1) foreign individuals who are resident in countries of concern; 2) entities that are 50% or more owned by covered persons or by countries of concern; and 3) employees or contractors of such entities or of countries of concern.

[103] See, for example, United States ex rel. Matthew Decker v. Pennsylvania State University, Case No. 2:22-cv-03895-PD (E.D. Pa. Oct. 5, 2022).

[104] Department of Defense, Cybersecurity Maturity Model Certification (CMMC) Program (2024), 32 C.F.R. § 170, https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170.

[105] Consumer Guide, Federal Communications Commission, One-to-One Consent Rule for TCPA Prior Express Written Consent Frequently Asked Questions (Dec. 2024), DOC-408396A1.pdf (fcc.gov).

[106] Insurance Marketing Coalition, Ltd. v. Federal Communications Commission, No. 24-10277, 2025 WL 289152 (11th Cir. Jan. 24, 2025).

[107] Complaint, Garner v. AT&T Inc., No. 3:24-cv-00962-E (N.D. Tex. 2024), ECF No. 1.

[108] Id.

[109] Id.

[110] Savidge v. Pharm-Save, Inc., 727 F. Supp. 3d 661 (W.D. Ky. 2024).

[111] Savidge v. Pharm-Save, Inc., 727 F. Supp. 3d 661, 675–95 (W.D. Ky. 2024).

[112] Griggs v. NHS Mgmt., LLC, No. SC-2023-0784, 2024 WL 4797211 (Ala. Nov. 15, 2024).

[113] Id. at *3–*8.

[114] Miller v. NextGen Healthcare, Inc., 742 F. Supp. 3d 1304, 1317–20 (N.D. Ga. 2024).

[115] Id. at 1318.

[116] See, e.g., D’Angelo v. FCA US, LLC, 726 F. Supp. 3d 1179, 1187–88 (S.D. Cal. 2024).

[117] See, e.g., id.

[118] See, e.g., Jackson v. LinkedIn Corp., 2024 WL 3823806 (N.D. Cal. Aug. 13, 2024).

[119] 18 U.S.C. § 2511(2)(d).

[120] 18 U.S.C. § 2520(2)(B).

[121] See Cal. Penal Code §§ 631(a), 632(a), 637.2.

[122] See, e.g., Yoon v. Meta Platforms, Inc., No. 24-cv-02612-NC, 2024 WL 5264041, at *4 (N.D. Cal. Dec. 30, 2024).

[123] Compare, e.g., Jackson v. LinkedIn Corp., 744 F. Supp. 3d 986 (N.D. Cal. Aug. 13, 2024) (denying defendant’s motion to dismiss California wiretapping claim), with, e.g., B.K. v. Eisenhower Med. Ctr., 721 F. Supp. 3d 1056, 1065 (C.D. Cal. 2024) (dismissing federal and California wiretapping claims without leave to amend).

[124] Doe I v. Google LLC, 741 F. Supp. 3d 828, 840–41 (N.D. Cal. 2024); see also B.K. v. Desert Care Network, No. 2:23-cv-05021, 2024 WL 1343305, at *1, *7 (C.D. Cal. Feb. 1, 2024).

[125] See Doe I, 741 F. Supp. 3d at 841 (noting “[i]t’s possible that this ruling is contrary to Judge Orrick’s analysis of intent in a similar pixel case”).

[126] See, e.g., D’Angelo, 726 F. Supp. 3d at 1193 (“The Court recognizes that there is a disagreement in this District about whether TransUnion undermined In re Facebook’s holding that a violation of CIPA is sufficient to allege an injury-in-fact.”).

[127] TransUnion LLC v. Ramirez, 594 U.S. 413 (2021).

[128] Williams v. DDR Media, LLC, No. 22-cv-03789, 2024 WL 4859078 (N.D. Cal. Nov. 20, 2024).

[129] Id. at *1.

[130] Id. at *2.

[131] Id. at *5.

[132] Griffith v. TikTok, Inc., No. 5:23-CV-00964-SB-E, 2024 WL 5279224, at *3, *12 (C.D. Cal. Dec. 24, 2024).

[133] Id. at *1–2.

[134] Id. at *10.

[135] Frasco v. Flo Health, Inc., No. 21-cv-00757-JD, 2024 WL 4280933 (N.D. Cal. Sept. 23, 2024).

[136] Id. at *4.

[137] Unopposed Motion for Final Approval of Class Action Settlement, Brown v. Google LLC, No. 4:20-cv-03664-YGR-SVK (N.D. Cal. 2024), Dkt. 1098-2.

[138] Id. at 2.

[139] Id.

[140] 18 U.S.C. § 1030(a).

[141] Verdict Form, Ryanair DAC v. Booking Holdings Inc., No. 1:20-cv-01191 (D. Del. 2022), Dkt. 457.

[142] Id., Dkt. 76.

[143] Id.

[144] Id., Dkt. 457.

[145] Id., Dkt. 466.

[146] Id., Dkt. 516.

[147] Id., Dkt. 518.

[148] Abu v. Dickson, 107 F.4th 508, 513 (6th Cir. 2024).

[149] Id.

[150] Id. at 514–15.

[151] Id. at 515.

[152] Id. at 516.

[153] Moonlight Mountain Recovery, Inc. v. McCoy, No. 1:24-cv-00012-BLW, 2024 WL 4027972, at *1 (D. Idaho Sept. 3, 2024).

[154] Id.

[155] Id. at *4.

[156] Id.

[157] CTI III, LLC v. Devine, 2022 WL 1693508, at *3 (E.D. Cal. May 26, 2022).

[158] Cal. Penal Code § 502(e)(1); see also id. § 502(c) (listing violations).

[159] Id. § 502(b)(1).

[160] Id. § 502(e)(1).

[161] See Heiting v. Taro Pharms. USA, Inc., 709 F. Supp. 3d 1007, 1021 (C.D. Cal. 2023) (noting that “the majority of courts to consider the issue” have found the CDAFA “contemplates some damage to the computer system, network, program, or data contained on that computer, as opposed to data generated by a plaintiff while engaging with a defendant’s website”).

[162] Doe v. Cnty. of Santa Clara, No. 23-cv-04411-WHO, 2024 WL 3346257, at *1, *11 (N.D. Cal. July 8, 2024).

[163] Id. at *9.

[164] Esparza v. Kohl’s, Inc., 723 F. Supp. 3d 934 (S.D. Cal. 2024).

[165] Id. at 945 (noting “Plaintiff alleges there is a market for his data that Defendant . . . allegedly profit[s] from”).

[166] Id. at 945.

[167] 47 U.S.C. § 227.

[168] Facebook, Inc. v. Duguid, 592 U.S. 395 (2021).

[169] Fam. Health Physical Med., LLC v. Pulse8, LLC, 105 F.4th 567, 575 (4th Cir. 2024).

[170] Id. at 572–73.

[171] Id. at 573.

[172] Career Counseling, Inc. v. AmeriFactors Fin. Grp., LLC, 91 F.4th 202, 210 (4th Cir. 2024).

[173] Id.

[174] McLaughlin Chiropractic Assocs., Inc. v. McKesson Corp., 145 S. Ct. 116 (2024).

[175] Cal. Civ. Code § 1798.150(a)(1).

[176] Id.

[177] See Johnson v. Cornerstone Nat’l Ins. Co., No. 22-04135, 2024 WL 5265372, at *6–7 (W.D. Mo. Apr. 29, 2024) (granting motion to dismiss where plaintiffs had alleged only that a software company had helped an insurance company design and set up a system, not that it actually accessed individuals’ confidential information).

[178] In re NCB Mgmt. Serv., Inc. Data Breach Litig., No. 23-1236, 2024 WL 4160349, at *17–18 (E.D. Pa. Sept. 11, 2024).

[179] In re Accellion, Inc. Data Breach Litig., 713 F. Supp. 3d 623, 641 (N.D. Cal. 2024).

[180] Miller v. NextGen Healthcare, Inc., 742 F. Supp. 3d 1304, 1327 (N.D. Ga. 2024).

[181] M.G. v. Therapymatch, Inc., No. 23-cv-04422, 2024 WL 4219992, at *1 (N.D. Cal. Sept. 16, 2024).

[182] Id. at *7.

[183] Id.

[184] Owens v. Smith, Gambrell and Russell Int’l, LLP, No. CV23-01789, 2024 WL 3914663, at *1 (C.D. Cal. May 30, 2024).

[185] Id. at *11.

[186] Id. at *11–12.

[187] In re Eureka Casino Breach Litig., No. 2:23-cv-00276, 2024 WL 4253198, at *1 (D. Nev. Sept. 19, 2024).

[188] Id.

[189] Id. at *13.

[190] Id.

[191] Id.

[192] Id.

[193] Id. at *13–14.

[194] Mayhall v. Amazon Web Servs., Inc., No. C21-1473-TL-MLP, 2024 WL 3842563 (W.D. Wash. May 29, 2024).

[195] Id. at *5.

[196] Id. at *5–6.

[197] Mayhall v. Amazon Web Servs., Inc., No. 2:21-cv-01473 (W.D. Wash. Nov. 5, 2024), ECF No. 112.

[198] Mayhall v. Amazon Web Servs., Inc., No. 2:21-cv-01473 (W.D. Wash. Jan. 15, 2025), ECF No. 114.

[199] Polizzi v. Jimmy John’s, LLC, No. 3:23-cv-02168 (C.D. Ill. July 17, 2024), ECF No. 24.

[200] Id. at 12.

[201] Id. at 13.

[202] Zellmer v. Meta Platforms, Inc., 104 F.4th 1117 (9th Cir. 2024).

[203] See, e.g., Colombo v. YouTube, LLC, 679 F. Supp. 3d 940, 944–45 (N.D. Cal. 2023).

[204] G.T. v. Samsung Elecs. Am. Inc., 742 F. Supp. 3d 788 (N.D. Ill. 2024).

[205] Id. at 793.

[206] Id. at 801.

[207] Id.

[208] Cothron v. White Castle Sys., Inc., 216 N.E.3d 918 (Ill. 2023), as modified on denial of reh’g (Ill. July 18, 2023).

[209] Id. at 928–29.

[210] Id. at 929.

[211] 740 Ill. Comp. Stat. Ann. 14/20(b) (2024).

[212] Id. at (b)–(c).

[213] Compare Gregg v. Central Transp. LLC., No. 24 C 1925, 2024 WL 4766297, at *2–3 (N.D. Ill. Nov. 13, 2024) with Schwartz v. Supply Network, Inc., No. 23 CV 14319, 2024 WL 4871408 (N.D. Ill. Nov. 22, 2024).

[214] Bhavilai v. Microsoft Corp., 716 F. Supp. 3d 640, 641 (N.D. Ill. 2024).

[215] Id.

[216] Id.

[217] Id.

[218] Id.

[219] Brantley v. Prisma Labs, Inc., No. 23 C 1566, 2024 WL 3673727 (N.D. Ill. Aug. 6, 2024).

[220] In re Clearview AI, Inc., Consumer Priv. Litig., 585 F. Supp. 3d 1111, 1118 (N.D. Ill. 2022), clarified on denial of reconsideration, 2022 WL 2915627 (N.D. Ill. July 25, 2022).

[221] Id. at 1122–23.

[222] Preliminary Order of Approval of Class Action Settlement, In re Clearview AI, Inc., Consumer Priv. Litig., No. 21-cv-0135 (N.D. Ill. June 21, 2024), ECF No. 580.

[223] See Plaintiff’s Unopposed Motion and Memorandum in Support of Preliminary Approval of Class Action Settlement, In re Clearview AI, Inc. Consumer Priv. Litig., No. 1:21-cv-00135 (N.D. Ill. June 12, 2024), ECF No. 578, at 5.

[224] State of Texas v. Meta Platforms, Inc., No. 22-0121 (Tex. 71st Dist. Ct., Harrison Cnty.).

[225] N.Y.C. Admin. Code § 22-1202.

[226] Gross v. Madison Square Garden Ent. Corp., No. 23-CV-3380 (LAK) (JLC), 2024 WL 2055343 (S.D.N.Y. May 7, 2024).

[227] Id. at *1.

[228] Id. at *2.

[229] Id. at *1.

[230] Mallouk v. Amazon.com, Inc., No. C23-852-RSM, 2024 WL 3511015, at *1 (W.D. Wash. July 23, 2024).

[231] Id. at *5.

[232] Id. (quoting Madison Square Garden, 2024 WL 2055343, at *1).

[233] Id. at *6.

[234] N.J.S.A. § 56:8-166.1 et seq.

[235] Id.

[236] Id. at *1.

[237] Id.

[238] Id. at *7–8.

[239] Id. at *8.

[240] Id. at *10.

[241] Id. at *12 (predicting that the Supreme Court of New Jersey would construe Daniel’s Law as requiring a covered person or assignee to establish an entity’s negligence in order to obtain an award of actual or liquidated damages).

[242] See Order, Atlas Data Priv. Corp. v. We Inform, LLC, No. 1:24-cv-04037 (D.N.J. Dec. 2, 2024), ECF No. 27.

[243] Taylor v. Google, LLC, No. 22-16654, 2024 WL 837044, at *2 (9th Cir. Feb. 28, 2024).

[244] Id.

[245] Id. at *1–2.

[246] Id. at *2.

[247] Id.

[248] Id.

[249] Saunders v. Hearst Television, Inc., 711 F. Supp. 3d 24, 28–29 (D. Mass. 2024).

[250] Id. at 32.

[251] Id. at 32–33.

[252] Mendoza v. Caesars Ent., Inc., No. 1:23-cv-03591, 2024 WL 2316544, at *1 (D.N.J. May 22, 2024).

[253] Id. at *2.

[254] Id.

[255] Id. (citing Aldana v. GameStop, No. 22-cv-7063, 2024 WL 708589, at *6 (S.D.N.Y. Feb. 21, 2024)).

[256] McDaniel v. Meta Platforms, Inc., No. 21-cv-383231 (Cal. Super. Ct. Dec. 30, 2024).

[257] Id.

[258] Jancick v. WebMD LLC, No. 1:22-CV-644-TWT, 2025 WL 560705 (N.D. Ga. Feb. 20, 2025).

[259] Id. at *1.

[260] Id. at *4.

[261] Id.

[262] Baptiste v. Apple Inc., No. 23-15392, 2024 WL 1086832, at *1 (9th Cir. Mar. 13, 2024).

[263] Id. at *2.

[264] Reforming Intelligence and Securing America Act, H.R. 7888, 118th Cong. (2nd Sess. 2023).

[265] United States v. Hasbajrami, No. 1:11-cr-623 (LDH), 2025 WL 258090 (E.D.N.Y. Jan. 21, 2025), superseded by United States v. Hasbajrami, No. 1:11-cr-623 (LDH), 2025 WL 447498 (E.D.N.Y. Feb. 10, 2025).

[266] See Complaint, De La Torre v. LinkedIn Corp., No. 5:25-cv-00709 (N.D. Cal. Jan. 21, 2025), ECF No. 1.

[267] Id. at 5.

[268] Id. at 14–20.

[269] See Plaintiff’s Unopposed Motion and Memorandum in Support of Preliminary Approval of Class Action Settlement, In re Clearview AI, Inc. Consumer Priv. Litig., No. 1:21-cv-00135 (N.D. Ill. June 12, 2024), ECF No. 578.


The following Gibson Dunn lawyers prepared this update: Jane Horvath, Cassandra Gaedt-Sheckter, Ashley Rogers, Natalie Hausknecht, Abbey Barrera, Jay Mitchell, Michael Brandon, Becca Smith, Jacob Arber, Trenton Van Oss, Megan Hulce, Andrew Kuntz, Viola Li, Bina Nayee, Sarah Scharf, Julie Sweeney, Nick Carey, Courtney Wang, Hayato Watanabe, Caelin Moriarity Miltko, Lauren Trujillo, Ashley Marcus, Lucy Musson, Shannon Summer, Sophia Amir, Advait Ramanan, Christina Barta, Shri Dayanandan, Sam Gensburg, Gabriela Li, Danilo Risteski, Marcus Seete, Amy Xi Shao, Ananya Subrahmanian*, and Emma Wexler.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s Privacy, Cybersecurity & Data Innovation or Artificial Intelligence practice groups:

United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, [email protected])
Ashlie Beringer – Palo Alto (+1 650.849.5327, [email protected])
Ryan T. Bergsieker – Denver (+1 303.298.5774, [email protected])
Keith Enright – Palo Alto (+1 650.849.5386, [email protected])
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, [email protected])
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, [email protected])
Lauren R. Goldman – New York (+1 212.351.2375, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Natalie J. Hausknecht – Denver (+1 303.298.5783, [email protected])
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, [email protected])
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, [email protected])
Kristin A. Linsley – San Francisco (+1 415.393.8395, [email protected])
Timothy W. Loose – Los Angeles (+1 213.229.7746, [email protected])
Vivek Mohan – Palo Alto (+1 650.849.5345, [email protected])
Rosemarie T. Ring – San Francisco (+1 415.393.8247, [email protected])
Ashley Rogers – Dallas (+1 214.698.3316, [email protected])
Sophie C. Rohnke – Dallas (+1 214.698.3344, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, [email protected])
Frances A. Waldmann – Los Angeles (+1 213.229.7914, [email protected])
Debra Wong Yang – Los Angeles (+1 213.229.7472, [email protected])

Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, [email protected])
Patrick Doris – London (+44 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Joel Harrison – London (+44 20 7071 4289, [email protected])
Lore Leitner – London (+44 20 7071 4987, [email protected])
Vera Lukic – Paris (+33 1 56 43 13 00, [email protected])
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, [email protected])
Christian Riis-Madsen – Brussels (+32 2 554 72 05, [email protected])
Robert Spano – London/Paris (+44 20 7071 4000, [email protected])

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

*Ananya Subrahmanian, an associate in New York, is not yet admitted to practice law.

On March 5, 2025, the Court of Appeals for the Federal Circuit issued a decision in Lashify, Inc. v. ITC, No. 23-1245 (Fed. Cir. Mar. 5, 2025) that rewrites long-standing ITC precedent concerning what types of domestic industry investments and activities may be considered under the economic prong of the domestic industry analysis. The Lashify decision therefore greatly expands the scope of what activities may qualify a company to bring a Section 337 Investigation before the ITC.

In this case, complainant Lashify sought to bar the importation of eyelash extensions, including cases and applicators, that allegedly infringe a Lashify utility patent and two design patents. While Lashify markets and distributes its products in the United States, all of its manufacturing occurs abroad, and its products are imported. Based on certain findings related to the technical prong of the domestic industry requirement and, for the economic prong, the nature of Lashify’s domestic activities and investments, the ITC concluded that Lashify had not proven a violation of Section 337. As to the economic prong, the ITC concluded that Lashify’s investments directed to sales, marketing, warehousing, quality control, and distribution, as opposed to manufacturing, were insufficient to prove the existence of a significant domestic industry.

For a company to bring a patent infringement action before the ITC, it must prove that it has a sufficiently “significant” or “substantial” domestic industry; essentially, a showing that the company’s investments in the United States with respect to a product practicing an asserted patent are quantitatively and qualitatively significant. Under 19 U.S.C. § 1337(a)(3), a company may make this showing, for example, based on “significant employment of labor and capital” in the United States. Historically, the ITC interpreted this requirement to exclude certain activities, namely the costs of selling, advertising, and distributing in the United States, from qualifying as a domestic industry on their own (i.e., without corresponding domestic manufacturing).

In Lashify, the Federal Circuit rejected the ITC’s long-standing precedent and interpretation of § 1337(a)(3), holding that the language of the statute is “straightforward” and does not limit what types of domestic activities may be considered to establish a domestic industry. Writing for the Court, Judge Taranto stated that “there is no carveout of employment of labor or capital for sales, marketing, warehousing, quality control, or distribution,” and that there is no “suggestion [in the statute] that such uses, to count, must be accompanied by significant employment or other functions, such as manufacturing.” Put differently, the Federal Circuit held that any significant employment of labor and capital may satisfy the economic prong of the domestic industry requirement.

In so ruling, the Federal Circuit has opened the proverbial floodgates for Section 337 complainants whose only domestic investments and activities in the United States relate to marketing, sales, and distribution, without any corresponding domestic manufacturing. Assuming the Lashify decision stands, the ITC can expect a wave of investigations filed by companies that historically would not have been able to satisfy the economic prong of the domestic industry requirement. The ruling also leaves many questions unresolved, including what would qualify under the statute as a “significant” investment in activities such as marketing and distribution of a domestic industry product. The question of significance is a heavily litigated and fragmented area of ITC law, and it remains ripe for debate and clarification.

Given the significance of the Federal Circuit’s decision, we expect the ITC to seek en banc rehearing of this holding.


The following Gibson Dunn lawyers assisted in preparing this update: Brian Buroker, Kate Dominguez, Benjamin Hershkowitz, Mark Reiter, Brian Rosenthal, Paul Torchia, David Brzozowski, and Nathaniel Scharn.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Federal Circuit. Please contact the Gibson Dunn lawyer with whom you usually work, or the following leaders and members of the firm’s Appellate and Constitutional Law or Intellectual Property practice groups:

Brian Buroker – Washington, D.C. (+1 202.955.8541, [email protected])
Kate Dominguez – New York (+1 212.351.2338, [email protected])
Benjamin Hershkowitz – New York (+1 212.351.2410, [email protected])
Mark Reiter – Dallas (+1 214.698.3360, [email protected])
Brian Rosenthal – New York (+1 212.351.2339, [email protected])
Paul Torchia – New York (+1 212.351.3953, [email protected])

Appellate and Constitutional Law:
Thomas H. Dupree Jr. – Washington, D.C. (+1 202.955.8547, [email protected])
Allyson N. Ho – Dallas (+1 214.698.3233, [email protected])
Julian W. Poon – Los Angeles (+1 213.229.7758, [email protected])

Intellectual Property:
Kate Dominguez – New York (+1 212.351.2338, [email protected])
Josh Krevitt – New York (+1 212.351.4000, [email protected])
Jane M. Love, Ph.D. – New York (+1 212.351.3922, [email protected])

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

An overview of certain recent developments and legislative changes that may affect the M&A market and the transaction business in Germany, originally published in M&A Review, 36, Volume 1-2/2025.

Gibson Dunn partner Sonja Ruttmann, of counsel Silke Beiter, and associates Maximilian Schniewind and Yannick Oberacker from our Munich office co-authored In the Play of Regulations: Outlook on Relevant Legislative Changes for the M&A Practice in 2025, originally published in M&A Review on February 13, 2025. The article gives an overview of certain recent developments and legislative changes that may going forward affect the M&A market and the transaction business in Germany.

The English-language version of the article is available as a PDF.

Sonja Ruttmann, Silke Beiter, Maximilian Schniewind, and Yannick Oberacker from Gibson Dunn’s Munich office summarize, in their article Im Spiel der Verordnungen: Ein Ausblick auf relevante Gesetzesänderungen für die M&A-Praxis 2025, published in M&A Review on February 13, 2025, selected current developments and legislative changes affecting the M&A market and the transaction business in Germany.

The German-language version of the article is available as a PDF.


The following Gibson Dunn lawyers prepared this article: Sonja Ruttmann, Silke Beiter, Maximilian Schniewind, and Yannick Oberacker.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. For further information, please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Mergers and Acquisitions or Private Equity practice groups, or the authors in Munich:

Sonja Ruttmann (+49 89 189 33 256, [email protected])
Silke Beiter (+49 89 189 33 271, [email protected])
Maximilian Schniewind (+49 89 189 33 274, [email protected])
Yannick Oberacker (+49 89 189 33 282, [email protected])


Europe

02/26/2025

European Parliament | Report | Algorithmic Discrimination

The European Parliament published a report on algorithmic discrimination under the AI Act and the GDPR.

The Parliament underlines the legal uncertainties regarding the interaction between the AI Act and the GDPR. Indeed, the AI Act allows processing of special categories of personal data to detect and correct bias, while the GDPR imposes stricter conditions on such data usage, potentially limiting AI bias mitigation efforts.

For further information: European Parliament Report

02/26/2025

Court of Justice of the European Union | Decision | Automated Decision-making System

The Court of Justice of the European Union (“CJEU”) ruled that when their data is used by automated decision-making systems, data subjects may require the controller to explain the procedure and principles actually applied when processing personal data to obtain a specific result.

The decision stems from a case filed by an Austrian customer who was denied a mobile phone contract based on an automatic decision-making system. The Court highlighted that when asked by data subjects to provide explanations, information should be provided in a “concise, transparent, intelligible and easily accessible form”. This decision also addresses the concept of trade secrets.

For further information: CJEU Decision

02/13/2025

Court of Justice of the European Union | Decision | Calculation of GDPR Fines

The Court of Justice of the European Union (“CJEU”) clarified how GDPR fines imposed on undertakings are to be calculated (C-383/23).

The CJEU considers that the maximum amount of the fine that can be imposed on an undertaking must be determined “on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year”.

For further information: CJEU Decision

02/04/2025

Cyber Solidarity Act | Entry Into Force | High Critical Sectors Concerned

On February 4, 2025, the Cyber Solidarity Act entered into force.

This regulation enhances the EU’s capacity to prepare for, detect, and respond to cybersecurity incidents. Entities operating in highly critical sectors or other critical sectors, as defined by Directive (EU) 2022/2555 (NIS 2), may be required to undergo “coordinated preparedness testing” to verify their compliance with minimum standards and expectations for critical services and infrastructure.

For further information: Commission Website and Cyber Solidarity Act

France

02/26/2025

CNIL | Work Program | Connected Vehicles

The French Supervisory Authority (“CNIL”) published the 2025 work program of its “compliance committee” on connected vehicles and location data.

The committee’s work focuses on the use of location data from connected vehicles and will lead to a draft recommendation, which will soon be published for public consultation. Because of the lack of legal certainty surrounding the use of dashcams and the associated privacy risks, the committee’s 2025 work program is dedicated to the use of these devices by private individuals.

For further information: CNIL Press release [FR]

02/07/2025

French Supervisory Authority | Recommendations | Artificial Intelligence

On February 7, 2025, the French Supervisory Authority (“CNIL”) published two new recommendations on how AI should be used to comply with GDPR requirements.

The CNIL’s first recommendation focuses on informing data subjects and essentially provides that companies must ensure individuals are given sufficient information at the appropriate moment and that the processing of their data is fully transparent. More specifically, it provides examples of information notices to be used in relation to web scraping or the development of general-purpose AI (GPAI) models. The second recommendation focuses on data subject rights and provides specific details on how companies can handle requests, whether they concern the training data or the model more generally.

For further information: CNIL Recommendations on Right of information, and Data subjects’ rights [FR]

02/05/2025

French Supervisory Authority | GDPR | 2024 Report

The French Supervisory Authority (“CNIL”) has published a 2024 report on sanctions issued during the year.

The report provides that a total of 331 decisions were handed down, including 87 sanctions, for a total of 55,212,400 euros in fines, 180 formal notices and 64 reminders of legal obligations. The recurring breaches found usually concern commercial prospecting and health data.

For further information: CNIL Report [FR]

01/31/2025

French Supervisory Authority | GDPR | Access Right

On January 31, 2025, the French Supervisory Authority (“CNIL”) updated its guidance on employees’ right of access to their work-related data and emails.

In this update, the authority clarifies that if a request involves a very large number of emails (though it does not define what constitutes “very large”), the employer may first provide the employee with a summary table listing the relevant messages, which allows the employee to specify which content they wish to receive. However, given the lack of further clarification, it appears that if the employee does not specify the data they want, the employer remains obligated to provide all of the requested data unless it identifies an actual risk to third-party rights. The CNIL also published a case-law summary on the GDPR right of access.

For further information: CNIL Guidance and Case-law Summary [FR]

Germany

02/14/2025

German Supervisory Authorities | Investigation | AI and Privacy

On February 14, 2025, several German Data Protection Supervisory Authorities announced a coordinated investigation into an AI provider.

Several German state data protection supervisory authorities, including those from Rhineland-Palatinate, Baden-Württemberg, Thuringia, Saxony-Anhalt, Hesse, Bremen, and Berlin, initiated coordinated investigations into the AI provider. This collaborative effort aims to ensure compliance with Article 27(1) of the General Data Protection Regulation (GDPR), which mandates that companies not established in the European Union appoint a representative within the EU. This effort underscores the impact of GDPR enforcement on AI development. In addition to this investigation, the Lower Saxony Supervisory Authority (“LfD Niedersachsen”) published a statement on February 21, 2025, drawing attention to the risks associated with the use of the Chinese AI-powered chatbot. The LfD Niedersachsen pointed out in particular that according to the privacy policy of the company providing the chatbot, user inputs including the uploaded documents are recorded, transmitted, stored and analyzed without any restriction.

For more information: Website of the Baden-Württemberg Supervisory Authority [DE] and Website of the Lower Saxony Supervisory Authority [DE]

02/12/2025

Bremen Supervisory Authority | Recommendation | AI and Privacy

On February 12, 2025, the Data Protection Authority of Bremen (LfD Bremen) provided recommendations on the use of AI applications from providers outside the European Union that have not appointed a legal representative in the EU.

To ensure compliance with data protection rules and mitigate the risks associated with AI applications, the LfD Bremen recommends selecting AI providers that demonstrate transparency and provide documentation confirming GDPR compliance. Before installing AI models, users should ensure that no personal data can leak, for example by running them in a secured IT environment. According to the LfD Bremen, personal or confidential data should not be entered into online interfaces unless effective protective measures are in place. Users, especially employees, should be made aware of the risks involved, and the AI literacy required by Article 4 of the AI Act (applicable since February 2, 2025) should be ensured. An AI provider based outside the EU should appoint a representative under Article 27 GDPR to facilitate the enforcement of data subjects’ rights; failure to do so can result in fines under Article 83(4) GDPR.

For more information: Website of the Bremen Supervisory Authority [DE]

01/29/2025

German Federal Administrative Court | Judgement | Advertisement

On January 29, 2025, the German Federal Administrative Court (BVerwG) ruled on the interplay between data processing under Article 6(1)(f) GDPR and the consent that German unfair competition law requires for advertising.

The BVerwG ruled that processing the contact data of dental practices taken from publicly accessible sources for the purpose of telephone advertising, without at least presumed consent, is impermissible. The court held that merely obtaining contact details from publicly accessible directories to conduct telephone advertising does not constitute a legitimate interest under Article 6(1)(f) GDPR unless there is at least presumed consent from the data subjects within the meaning of Section 7(2) No. 1 of the German Act Against Unfair Competition (UWG). Consequently, the company’s appeal was dismissed, as its interest in processing the data for telephone advertising did not outweigh the privacy protection guaranteed by the GDPR and national law. The court confirmed that the prohibition on such processing remains justified under the current legal framework, given the need to protect individuals from unsolicited advertising.

For more information: Official Court Website [DE]

Sweden

02/18/2025

Swedish Supervisory Authority | GDPR Guidance | Impact Assessment

On February 18, 2025, the Swedish Supervisory Authority (“IMY”) published a guidance on impact assessments.

The guidance consists of a practical guide and an annex with legal interpretative support.

For further information: IMY Website [SV] and Guidance for Impact Assessment [SV]

02/04/2025

Stockholm Administrative Court | Fine | Cookies

In February 2025, the Stockholm Administrative Court upheld a SEK 13 million (approx. €1.16M) fine against a media company for failure to comply with the principle of lawfulness provided under the GDPR.

The company was relying on legitimate interests for the processing of personal data collected via cookies. Such data was combined with purchase history and third-party data for creating profiles, including for marketing purposes. The court ruled that legitimate interest cannot serve as a legal basis and therefore upheld the administrative fine imposed by the Swedish Supervisory Authority (“IMY”). In its decision, the IMY stated that pursuant to Article 5(3) of the ePrivacy Directive, consent was required for the collection of data via cookies. This is the first publicly known case in Sweden where IMY explicitly referenced Article 5(3) of the ePrivacy Directive in its reasoning for a GDPR fine.

For further information: Stockholm Administrative Court Website [SV]

Switzerland

02/03/2025

Federal Data Protection and Information Commissioner | Guidelines | Cookies

The Swiss Supervisory Authority (“FDPIC”) published its guidelines on data processing using cookies and similar technologies.

The FDPIC describes the data protection requirements controllers must abide by when using cookies and similar technologies.

For further information: FDPIC Website

United Kingdom

02/22/2025

Information Commissioner’s Office | Report | Technologies

The Information Commissioner’s Office (“ICO”) published its Tech Horizons report of 2025.

The ICO’s Tech Horizons report examines emerging technologies and the regulatory challenges they face from a privacy perspective. This third edition of the report focuses on four technologies: connected transport; quantum sensing and imaging; digital diagnosis, therapeutics and healthcare infrastructure; and synthetic media and its identification and detection.

For further information: ICO Website

02/10/2025

Information Commissioner’s Office | Response | Data (Use and Access) Bill

The Information Commissioner’s Office (“ICO”) published its updated response to the Data (Use and Access) (DUA) Bill.

The ICO welcomed the recent changes introduced to the Bill and expressed its position on some of the recent amendments, including those related to the protection of children’s data and the expansion of the soft opt-in in direct marketing to cover charities.

For further information: ICO Website

02/06/2025

Information Commissioner’s Office | Guidance | Employment Practices and Data Protection

On February 5, 2025, the Information Commissioner’s Office (“ICO”) issued new guidance for employers on the management of employment records.

The guidance addresses key questions employers may encounter in relation to the collection, retention and use of employment records, including: which lawful bases might apply to employment records, when employers can share workers’ personal data with other people or organizations, and how employers can handle sickness and injury records.

For further information: ICO Guidance

The following Gibson Dunn lawyers prepared this update: Partners: Ahmed Baladi, Vera Lukic, Joel Harrison, and Kai Gesing; Associates: Thomas Baculard, Billur Cinar, Hermine Hubert, and Christoph Jacob.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice groups:


© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.