Impact of Trump Administration Regulatory Freeze Memorandum: Selected Regulations and Agency Actions
Client Alert | February 3, 2025
The memorandum could have implications for companies—including those in the technology sector—confronting questions relating to privacy, data, cybersecurity, and artificial intelligence.
On January 20, 2025, President Trump issued an executive memorandum ordering “all executive departments and agencies” to implement a regulatory freeze. This memorandum follows similar regulatory freeze memoranda issued by the Office of Management and Budget (OMB) on behalf of the president at the beginning of the Biden Administration in 2021 and issued by OMB on behalf of the president at the beginning of the Trump Administration in 2017. The memorandum:
- Places a moratorium on the issuance, proposal, or publication of any new “rules” or “regulatory actions,” pending review by President Trump’s appointees;
- Directs executive departments and agencies to immediately withdraw for review any rules sent to the Office of the Federal Register (OFR) but not yet published in the Federal Register; and
- Directs executive departments and agencies to consider postponing for 60 days the effective dates for any rules that have been published in the Federal Register or otherwise issued which have not taken effect.
The issuance of a regulatory freeze is not unusual for a new administration. However, the scope of President Trump’s memorandum—against the backdrop of the frenetic regulatory activity of the post-2024 election Biden administration—means that this memorandum may carry meaningful impact for a number of regulations that companies are already taking steps to comply with. Several of the rule moratoria could have implications for companies—including those in the technology sector—confronting questions relating to privacy, data, cybersecurity, and artificial intelligence (AI). For example, two potentially significant rules appear to be in procedural limbo as a result of the order:
- The U.S. Commerce Department’s Bureau of Industry and Security’s (BIS) connected vehicles final rule, which bans certain imports and sales of vehicles from China (including Hong Kong) and Russia, as well as key hardware and software components, based on identified “undue or unacceptable risks” to U.S. national security and the safety and security of U.S. persons, was published in the Federal Register on January 16, 2025 and goes into effect on March 17, 2025.
- The Commerce Department’s Information and Communications Technology and Services Supply Chain (ICTS) final rule, which permits the Secretary of Commerce to prohibit ICTS transactions or impose mitigation measures for ICTS transactions involving “persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries” posing certain “undue or unacceptable risks,” was published in the Federal Register on December 6, 2024 and goes into effect on February 4, 2025.

Again, while both rules are directionally consistent with the Trump administration’s approach to China, it is possible their implementation could be delayed for review and potential modification under the regulatory freeze order.
The application of the regulatory freeze memorandum is complicated in practice. For example, the Department of Justice’s (DOJ) bulk U.S. sensitive personal data final rule, which seeks to ensure that U.S. persons’ sensitive personal data cannot be legally sold to foreign adversaries by preventing specified “countries of concern” and “covered persons” from obtaining in “covered data transactions” bulk sensitive personal data of U.S. persons and U.S. government-related data, was published in the Federal Register on January 8, 2025 and goes into effect on April 8, 2025. Under the regulatory freeze memorandum, DOJ may postpone the effective date for 60 days to review the rule. DOJ could also pursue notice and comment rulemaking to further delay the effective date, modify, or withdraw the rule. However, because the underlying statutory authority for the rule was the International Emergency Economic Powers Act (IEEPA), which grants the executive broad rulemaking authority and is not subject to the rulemaking requirements of the Administrative Procedure Act (APA), DOJ was not required to engage in rulemaking in the first place. Accordingly, DOJ and President Trump have more authority to modify, withdraw, or issue a new rule without formal rulemaking. While the rule is directionally consistent with the Trump administration’s tough-on-China stance, the future of this rule is uncertain and it is possible the rule could be delayed to allow the administration to review its specific provisions.
Below are two charts that cover some of the most relevant recent rulemaking in the areas of data privacy, cybersecurity, and AI, analyzed to reflect the impact of the regulatory freeze memorandum. The first chart focuses on rules issued by executive agencies led by cabinet secretaries. The second chart focuses on rules issued by independent agencies. The extent to which independent agencies are subject to the regulatory freeze memorandum is likely to be subject to litigation. Some independent agencies have taken steps consistent with the order set out in the memorandum, but it is not yet fully clear whether all independent agencies will view themselves as bound to do so. The scope of presidential authority over such agencies is expected to be an area of focus in this administration.
Executive Agencies Led By Cabinet Secretaries

| Agency | Regulation | Status | Published in Federal Register? | Change Post Regulatory Freeze of January 20, 2025 | Prognosis |
|---|---|---|---|---|---|
| DOJ | Bulk Sensitive Personal Data Rule | Final Rule: issued December 27, 2024. Effective date: April 8, 2025 (pending conclusion of Congressional review under Congressional Review Act) | Yes: January 8, 2025 | Finalized, but DOJ may postpone the effective date for 60 days to review. Government could pursue notice and comment for further delay of effective date, modification, or withdrawal of rule. Because rule issued under IEEPA, no rulemaking was required in the first place. President has more authority to modify, withdraw, or issue new rule without formal rulemaking. | Uncertain. May be delayed. |
| DoC | Connected Vehicles Rule | Final Rule: issued January 14, 2025. Effective date: March 17, 2025 | Yes: January 16, 2025 | Finalized, but DoC may postpone the effective date for 60 days to review. Government could pursue notice and comment for further delay of effective date, modification, or withdrawal of rule. Because rule issued under IEEPA, no rulemaking was required in the first place. President has more authority to modify, withdraw, or issue new rule without formal rulemaking. | Uncertain. May be delayed. |
| DoC | IaaS NPRM | NPRM | Yes: January 29, 2024 | Because not a final rule, to move forward, must be reviewed and approved by department or agency head appointed by President Trump. | Uncertain. Unlikely to move forward in current form. |
| DoC | ICTS Regulations | Final Rule: issued December 5, 2024. Effective date: February 4, 2025 | Yes: December 6, 2024 | Finalized, but DoC may postpone the effective date for 60 days to review. Government could pursue notice and comment for further delay of effective date, modification, or withdrawal of rule. Because rule issued under IEEPA, no rulemaking was required in the first place. President has more authority to modify, withdraw, or issue new rule without formal rulemaking. | Uncertain. Unlikely to be delayed given the effective date. |
| DoC | ICTS Licensing Procedures Regulations | ANPRM | Yes: March 29, 2021 | To move forward, must be reviewed and approved by department or agency head appointed by President Trump. | Uncertain. Unlikely to move forward in current form. |
| DoC | AI Diffusion Rule | Interim Final Rule. Effective date: January 13, 2025. Deadline for comments: May 15, 2025 | Yes: January 15, 2025 | Since the IFR is already in effect, the regulatory freeze memorandum likely will have little impact on this rule. DoC/BIS are not able to delay the effective date for 60 days because the IFR is already in effect. However, DoC/BIS (with Trump-appointed leadership) may revise the IFR and replace it with a non-interim final rule in response to any comments received before May 15, 2025. | Companies should take steps now to prepare to comply with the new regulations. The IFR is likely to face significant critique during the public comment period. Implementation will require coordination and cooperation among U.S. allies and may face pushback from countermeasures from affected countries and entities. Final rule likely to include changes. For more information about this IFR, please see Gibson Dunn client alert here. |
| DoD / GSA / NASA | Federal Acquisition Regulation: Controlled Unclassified Information | Proposed Rule. Deadline for comments: March 17, 2025 | Yes: January 15, 2025 | DoD/GSA/NASA could postpone deadline for comments on proposed rule, but the regulatory freeze memorandum is unlikely to have material impact. Unclear if proposed rule deemed to raise “substantial questions of law, fact, or policy.” Because not a final rule, to move forward, must be reviewed and approved by department or agency head appointed by President Trump. | Likely to move forward in some form. |
| DHS / CISA | Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements | Proposed Rule. Deadline for comments: June 3, 2024 | Yes: April 4, 2024 | Because not a final rule, to move forward, must be reviewed and approved by department or agency head appointed by President Trump. | There is significant uncertainty regarding the role that CISA will play in the Trump Administration, and it appears unlikely that these rules will move forward as proposed. However, because CIRCIA requires CISA to promulgate regulations implementing the statute’s covered cyber incident and ransom payment reporting requirements for covered entities, we may see revised regulations from CISA under the Trump Administration. |
Independent Agencies

| Agency | Regulation | Status | Published in Federal Register? | Impact if Regulatory Freeze Memorandum Were To Apply | Prognosis |
|---|---|---|---|---|---|
| FTC | COPPA Rule | Final Rule: issued January 16, 2025. Effective date: 60 days after publication in the Federal Register | No: as of February 3, 2025 | Since the rule is final but not yet published in the Federal Register, it could be subject to a regulatory freeze, if a majority of the Commissioners so decide. | Uncertain. See Gibson Dunn client alert here for more information about the COPPA Rule. |
| FTC | Negative Option Rule (“Click to Cancel”) | Final Rule: issued October 16, 2024. Effective dates: January 14, 2025 for some provisions; May 14, 2025 for most of the rule. | Yes: November 15, 2024 | The final rule has not fully taken effect. | Currently pending a challenge in 8th Circuit. Gibson Dunn represents challengers consisting of an individual company and seven trade associations. The parties are currently briefing the merits of the rule challenge. |
| FTC | Non-Compete Rule | Final Rule: issued April 23, 2024. Effective date: September 4, 2024 (but rule vacated by district court; the rule is not currently in effect) | Yes: May 7, 2024 | Since the final rule is published in the Federal Register and has been vacated, the regulatory freeze memorandum does not impact the rule. | A district court set aside (vacated) the rule nationwide on August 20, 2024. FTC’s appeal of that decision is currently pending in the Fifth Circuit. The rule remains invalid, pending the resolution of the appeal. A separate district court granted a preliminary injunction applicable only to the plaintiff in that case. FTC’s appeal of that decision is currently pending in the Eleventh Circuit. |
| FTC | Premerger Notification; Reporting and Waiting Period Requirements (Hart-Scott-Rodino (HSR) Rules) | Final Rule: issued October 10, 2024. Effective date: February 10, 2025 | Yes: November 12, 2024 | The FTC and/or DOJ may postpone the effective date for 60 days to review. | The rule is currently being challenged in the United States District Court for the Eastern District of Texas. See here for more information. |
| FCC | CALEA Declaratory Ruling and NPRM | Declaratory Ruling: Adopted January 15, 2025; Released January 16, 2025. NPRM: Adopted January 15, 2025; Released January 16, 2025 | Declaratory Ruling: No, as of February 3, 2025. NPRM: No, as of February 3, 2025 | Declaratory Ruling: “Declaratory ruling” is a term used by the FCC. Courts have generally concluded that FCC declaratory rulings are “declaratory orders” under the APA, and thus adjudications.[1] Therefore, an FCC declaratory ruling would likely not be in scope, as the regulatory freeze memorandum covers “rules” under APA section 551(4), not adjudications under APA section 554(e). NPRM: Because not a final rule, to move forward, must be reviewed and approved by department or agency head appointed by President Trump. | Uncertain. In the waning days of the Biden administration, prior to assuming the Chairmanship, then FCC Chair-Nominee Brendan Carr issued a statement criticizing the Declaratory Ruling and Notice of Proposed Rulemaking, which was approved by the Commission’s Democrats on a party-line basis (3-2). How Chair Carr approaches the future of the Declaratory Ruling and NPRM remains to be seen. |
| CFPB | Request for Information Regarding the Collection, Use, and Monetization of Consumer Payment and Other Personal Financial Data | Notice and request for information: issued January 10, 2025. Comments must be received on or before April 11, 2025 | Yes: January 15, 2025 | If the regulatory freeze were to apply, to move forward, the rule must be reviewed and approved by a department or agency head appointed by President Trump. | Uncertain. As of February 1, 2025, President Trump removed Rohit Chopra as Director of the CFPB. Treasury Secretary Scott Bessent has been designated as the Acting Director of the CFPB. On February 3, 2025, Secretary Bessent directed CFPB staff to stop all rulemaking and suspend the effective dates of rules not yet in effect. He also directed staff to stop any activity related to enforcement matters, litigation, and public communications. |
| CFPB | Required Rulemaking on Personal Financial Data Rights (Section 1033 of the Consumer Financial Protection Act Rule) | Final Rule: issued October 22, 2025. Effective date: January 17, 2025. Compliance dates: beginning April, 2026 | Yes: November 18, 2024. | Since the final rule is published in the Federal Register and has gone into effect, the regulatory freeze memorandum does not impact the rule. | Uncertain. It is unclear whether CFPB leadership appointed by President Trump will seek to revise or rescind this rule. The issuance of a rule of some kind is required by statute. There is speculation that the CFPB may decide to keep the rule in place given the length of time it took to develop and its issuance under the statutory mandate. Alternatively, new leadership could elect to engage in notice and comment rulemaking either to reconsider certain aspects of the rule or to rescind it and issue a new rule. There is also some reporting that this rule may be a target for congressional review under the Congressional Review Act.[2] However, if Congress were to enact a joint resolution of disapproval, the CFPB could not reissue a rule “in substantially the same form” as the current rule.[3] Treasury Secretary Scott Bessent has been designated as the Acting Director of the CFPB. On February 3, 2025, Secretary Bessent directed CFPB staff to stop all rulemaking and suspend the effective dates of rules not yet in effect. He also directed staff to stop any activity related to enforcement matters, litigation, and public communications. |

[1] See, e.g., City of Arlington, Tex. v. F.C.C., 668 F.3d 229, 241 & n.44 (5th Cir. 2012), aff’d, 569 U.S. 290 (2013); see also Emily S. Bremer, Declaratory Orders, Final Report to the Administrative Conference of the United States at 15 (Oct. 30, 2015).
[2] Katherine Hapgood, CFPB in Senate Banking Republican crosshairs for Congressional Review Act, PoliticoPro (Jan. 31, 2025), https://subscriber.politicopro.com/article/2025/01/cfpb-in-senate-banking-republican-crosshairs-for-congressional-review-act-00201742l.
[3] 5 U.S.C. § 801(b)(2).
© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.