Increased Clarity for White-Collar Clients: The Department of Justice Unveils its Revised Corporate Self-Disclosure Policy
What should U.S. businesses take from the Department of Justice’s (“DOJ”) revisions to its Corporate Enforcement and Voluntary Self-Disclosure Policy (“CEP”)? While DOJ has long promoted self-disclosure of wrongdoing as a key way to obtain leniency, DOJ’s revised policy states clearly and unequivocally that self-disclosure will lead to non-prosecution in certain circumstances.
On May 12, 2025, the Criminal Division released a memorandum detailing the new administration’s goals for prosecuting corporate and white-collar crimes. The memorandum sets forth the government’s view that “overbroad and unchecked corporate and white-collar enforcement burdens U.S. businesses and harms U.S. interests,” and directs federal prosecutors to scrutinize all their investigations to avoid overreach that deters innovation by U.S. businesses. Matthew R. Galeotti, Chief of the DOJ Criminal Division, recently underscored these sentiments on May 12, 2025, at SIFMA’s Anti-Money Laundering and Financial Crimes Conference, stating that under the revised CEP, companies can avoid “burdensome, years-long investigations that inevitably end in a resolution process in which the company feels it must accept the fate the Department has ultimately decided.”
Companies that self-disclose possible misconduct and fully cooperate with the government will not be required to enter into a criminal resolution with the DOJ. Galeotti said that under CEP’s “easy-to-follow” flow chart, companies that (1) voluntarily self-disclose to the Criminal Division, (2) fully cooperate, (3) timely and appropriately remediate, and (4) have no aggravating circumstances “will receive a declination, not just a presumption of a declination.” The revised CEP allows that even a company that self-discloses in good faith after the government becomes aware of the misconduct may still be eligible to receive a non-prosecution agreement with a term of fewer than three years, a 75% reduction of the criminal fine, and no corporate monitorship.
To be sure, this does not mean that U.S. companies should use these policy changes as an opportunity to take unnecessary risks without fear of prosecution. Indeed, DOJ’s main priority is to prosecute individuals, including executives, officers, or employees of companies, and it will “investigate these individual wrongdoers relentlessly to hold them accountable.” Although it remains to be seen how the government will implement its new guidelines, the revised enforcement policy is helpful to U.S. businesses, white-collar clients, and their advisors, who have long hoped for heightened transparency and clearer guidelines for potential outcomes under the DOJ’s corporate self-disclosure program.
Where There’s Fire, There’s Smoke … and Smoke Damage Disputes
In January 2025, dozens of wildfires ripped through Los Angeles in a way no one could have imagined. We all spent the week in front of televisions waiting to see which direction the winds would take the fires. Those not forced to officially evacuate had bags ready to go in case a new fire flared closer to home. And while the City braced for decades of rebuilding efforts, the insurance coverage attorneys waited for the inevitable coverage disputes to begin.
The initial response to the wildfires was not likely to generate disputes between the insurers and insureds. According to data from the California Department of Insurance (DOI), as of January 30, 2025, out of 31,210 claims related to the fires, 14,417 were immediately partially paid to the tune of $4.2 billion. Within a week, by February 5, 2025, the number of claims increased to 33,717 with 19,854 partially paid in the amount of $6.9 billion.1
During this time, insurers were following their modified obligations under the California Regulations given the DOI’s emergency declaration of January 9, 2025, which imposed certain additional obligations on the insurers for a total loss:
The insurer must offer an immediate payment of at least 30% of the contents policy limit up to $250,000 (Cal. Ins. Code § 10103.7).
An insured does not need to use the insurer’s inventory form and does not need to itemize the contents (Cal. Ins. Code § 2061(a)(2)(3)).
At an insured’s request, the insurer must advance at least four months of additional living expenses (Cal. Ins. Code § 2061(a)(1)), and the insured is entitled to at least 36 months of ALE coverage (Cal. Ins. Code § 2060(b)(1)).
Neither an insured nor an insurer can demand appraisal without the other’s consent (Cal. Ins. Code § 2071).
An insurer cannot cancel or refuse to renew a residential property policy in a zip code adjacent to a fire perimeter based solely on the wildfire location (Cal. Ins. Code § 675.1(b)(1)).
The insurer must provide a 60-day grace period for premium payments (Cal. Ins. Code § 2062).
While the total-loss claims were not going to spark much controversy, it was only a matter of time before the smoke damage claims ignited and the insurance world incurred an onslaught of coverage disputes.
Legal Decisions Regarding Smoke Damage
The question of whether smoke damage constitutes “property damage” is an ongoing issue in California. The matter was litigated heavily during the COVID-19 pandemic where businesses frequently claimed “property damage” from the virus. Courts in California generally found that COVID-19, without more, did not constitute “property damage.” Another Planet Entertainment, LLC v. Vigilant Ins. Co., 15 Cal. 5th 1106, 1117 (2024). In the weeks following the start of the 2025 wildfires, two decisions came down in California addressing coverage for smoke damage arising out of earlier fire events.
On January 10, 2025, the U.S. District Court for the Northern District of California issued a decision in Bottega LLC v. National Surety Corp., 2025 U.S. Dist. LEXIS 5666 (N.D. Cal. Jan. 10, 2025). In that case, the owner of a restaurant and a cafe sought business income loss coverage stemming from the 2017 North Bay wildfires, which had prompted a state of emergency. Id. at *2-3. While the fires did not reach the insured’s businesses, the businesses could not operate because of the related smoke and ash, requiring the employees to clean and make temporary repairs. Id. at *4. The court recognized that to trigger coverage, “there must be some physicality to the loss … of property – e.g., a physical alteration, physical contamination, or physical destruction.” Id. at *10, quoting Inns-by-the-Sea v. California Mut. Ins. Co., 71 Cal. App. 5th 688, 707 (2021) (emphasis in original). The court found there to be “direct physical loss and damage to” the businesses as “[c]ontamination that seriously impairs or destroys its function may qualify as a direct physical loss.” Bottega, 2025 U.S. Dist. LEXIS 5666 at *10-11. The court stated that, “the COVID-19 cases [the insurer] cites are unpersuasive because courts distinguished COVID-19 – a virus that can be disinfected – from noxious substances and fumes that physically alter property.” Id. at *11-12. Accordingly, the court reasoned, “[w]hereas a virus is more like dust and debris that can be removed through cleaning, [citation] smoke is more like asbestos and gases that physically alter property.” Id. at *12.
A competing decision was issued on February 7, 2025, by the California Court of Appeal in Gharibian v. Wawanesa General Ins. Co., 108 Cal. App. 5th 730 (2025). There, the insureds’ residence purportedly suffered smoke damage after the 2019 Saddle Ridge wildfire. Id. at 733. The insurer paid for the insureds to have the home professionally cleaned, but the insureds opted to clean the home themselves and filed a bad faith suit. Id. at 734-735. The Court of Appeal held that, “[u]nder California law, direct physical loss or damage to property requires a distinct, demonstrable, physical alteration to property. The physical alteration need not be visible to the naked eye, nor must it be structural, but it must result in some injury to or impairment of the property as property.” Id. at 738, quoting Another Planet Entertainment, LLC v. Vigilant Ins. Co., 15 Cal. 5th 1106, 1117 (2024). Relying on COVID-19 cases, the Gharibian court reasoned, “[h]ere there is no evidence of any ‘direct physical loss to [plaintiffs’] property.’ The wildfire debris did not ‘alter the property itself in a lasting and persistent manner.’ … Rather, all evidence indicates that the debris was ‘easily cleaned or removed from the property.’ … Such debris does not constitute ‘direct physical loss to property.’” Gharibian, 108 Cal. App. 5th at 738 (citations omitted).
These decisions leave California insurers unclear as to whether smoke damage constitutes “property damage” sufficient to trigger coverage under homeowners and commercial policies. In finding coverage, the Bottega court said the insured made some undefined “partial/temporary repairs” to the property after the nearby wildfire, which may have factored into the ultimate decision that “property damage” existed. Bottega, 2025 U.S. Dist. LEXIS 5666 at *4. In declining coverage, the Gharibian court dealt with a situation where the ash could be wiped from surfaces with no permeating smell of smoke and no referenced repairs. Gharibian, 108 Cal. App. 5th at 733. Given this conflicting precedent in California, what are insurers expected to do?
DOI Guidance
On March 7, 2025, the DOI provided guidance through Bulletin 2025-7,2 which sets forth the DOI’s “expectations with regard to how insurance companies process and pay smoke damage claims as a result of wildfires, including the recent Southern California wildfires.” The DOI’s Bulletin explicitly states that the “recent cases do not support the position that smoke damage is never covered as a matter of law.” (emphasis in original). The Bulletin reiterates the need for a full investigation into each smoke damage claim and states, “[i]t is not reasonable to deny a smoke damage claim without conducting an appropriate investigation, nor is it reasonable for the insurer to require the insured to incur substantial costs to investigate their own claim.” The DOI advised it would monitor insurers’ responses to such claims.
Conclusion
Ultimately, and consistent with the DOI Bulletin, the coverage evaluation will likely turn on a case-by-case basis, looking at the scope of damage to the insured and the physical alteration of the property. Absent the lack of a physical loss, smoke damage is usually not excluded by other provisions in the policy.3
Our best advice? Insurers are encouraged to continue to actively investigate these claims and be diligent throughout the claims handling process. To that end, insurers should hire experts where needed and push for information from the insureds as necessary to complete the claims investigation. Insurers also must be mindful of the growing anti-insurer sentiment in Los Angeles (regardless of the billions already paid on claims). We anticipate the litigation following these latest wildfires will provide new insight on whether smoke damage constitutes “property damage” to trigger coverage.
1 https://www.insurance.ca.gov/01-consumers/180-climate-change/Wildfire-Claims-Tracker.cfm.
2 https://www.insurance.ca.gov/0250-insurers/0300-insurers/0200-bulletins/bulletin-notices-commiss-opinion/upload/Bulletin-2025-7-Insurance-Coverage-for-Smoke-Damage-and-Guidance-for-Proper-Handling-of-Smoke-Damage-Claims-for-Properties-Located-in-or-near-California-Wildfire-Areas.pdf.
3 Other jurisdictions have held that smoke damage is not precluded by pollution exclusions. Kent Farms, Inc. v. Zurich Ins. Co., 140 Wn. 2d 396, 400 (2000); Allstate Ins. Co. v. Barron, 269 Conn. 394 (2004).
Virginia Will Add to Patchwork of Laws Governing Social Media and Children (For Now?)
Virginia’s governor recently signed into law a bill that amends the Virginia Consumer Data Protection Act. As revised, the law will include specific provisions impacting children’s use of social media. Unless contested, the changes will take effect January 1, 2026. Courts have struck down similar laws in other states (see our posts about those in Arkansas, California, and Utah) and thus opposition seems likely here as well. Of note, the social media laws that have been struck down in other states attempted to require parental consent before minors could use social media platforms. This law is different, as it allows account creation without parental consent. Instead, it places restrictions on account use for both minors and social media platforms.
As amended, the Virginia law will require social media companies to use “commercially reasonable” means to determine if a user is under 16. An example given in the law is a neutral age gate. The age verification is similar to those proposed in other states’ social media laws. (And it was that requirement that was central to the court’s decision when striking down Arkansas’ law.) Use of social media by under-16s will default to one hour per day, per app. Parents can increase or decrease these time limits. That said, the bill expressly states that there is no obligation for social media companies to give those parents who give their consent “additional or special access” or control over their children’s accounts or data.
The law will limit use of age verification information to only that purpose. An exception is if the social media company is using the information to provide “age-appropriate experiences” – though the bill does not explain what such experiences entail. Finally, of note, even though these provisions may increase costs on companies, the bill specifically prohibits increasing costs or decreasing services for minor accounts.
Putting it Into Practice: We will be monitoring this law to see if the Virginia legislature has success in regulating children’s use of social media. This modification reflects not only a focus on children’s use of social media, but also continued changes to US State “comprehensive” privacy laws.
James O’Reilly contributed to this article
Understanding the FOIA Process: Submitting, Appealing, and Litigating Requests for Government Records
The Freedom of Information Act (FOIA), enacted in 1966, grants the public the right to access records from any federal agency, promoting transparency and accountability in government. Whether you’re a business owner, researcher, journalist, or private citizen, understanding the FOIA process — and how to challenge an agency’s response — is essential for ensuring your access rights are protected.
Step 1: Submitting a FOIA Request
To initiate a FOIA request:
Identify the Agency – Determine which federal agency holds the records you’re seeking. Each agency processes its own FOIA requests.
Draft the Request – Clearly describe the documents you seek. Be as specific as possible, including names, dates, locations, or subject matter to help narrow the search.
Submit the Request – Most agencies accept requests via email, web portals, or mail. Ensure your request is directed to the correct FOIA office and that it includes your contact information. Alternatively, FOIA.gov offers a submission portal for every federal agency subject to FOIA.
Fees and Waivers – Agencies may charge fees for search, duplication, or review time. You can request a fee waiver by demonstrating that disclosure is in the public interest.
Once submitted, agencies are generally required to respond within 20 business days, though this period can be extended for “unusual circumstances.”
Step 2: Appealing a Denial or Inadequate Response
If your request is denied in whole or in part, or if you receive no substantive response within 20 business days (absent any extensions), you can file an administrative appeal.
Deadlines – You typically must file your appeal within 90 days of the denial. Check the agency’s FOIA regulations for specific timelines.
Format – Appeals must be in writing and should include:
A copy of the original FOIA request.
The agency’s response (or a statement of the lack thereof).
Arguments explaining why the denial was improper.
Grounds for Appeal – Common bases include improper redactions, unjustified use of exemptions, failure to conduct an adequate search, or lack of timely response.
Agencies are required to decide administrative appeals within 20 business days. If the appeal is denied or ignored, the next step is usually litigation.
Step 3: Challenging the FOIA Response in Court
You have the right to challenge a denial in federal district court.
Jurisdiction – You generally can file a lawsuit in the district where you live, where the records are located, or in the District of Columbia.
Timing – You may sue after exhausting administrative remedies (i.e., completing the appeal process), or if the agency fails to respond to your original request or appeal within the statutory deadline.
Scope of Judicial Review – Courts will examine whether the agency:
Properly invoked FOIA exemptions.
Conducted an adequate and reasonable search.
Complied with procedural requirements.
Burden of Proof – The government bears the burden of justifying its withholding or redactions. Courts may order the release of improperly withheld records.
Attorneys’ Fees – If you substantially prevail in litigation, the court may award reasonable attorneys’ fees and litigation costs.
Final Thoughts
The FOIA process can be complex and time consuming, especially when agencies resist disclosure. However, the law provides multiple avenues for redress. Whether through administrative appeal or litigation, you have tools to hold the government accountable and access the records that shape public policy.
Think Compliance Got Easier? Think Again—DOJ’s New Era in White-Collar Enforcement
Many have speculated as to how white-collar enforcement may change during President Trump’s second term. A recent memorandum by the Head of the Department of Justice’s (“Department”) Criminal Division, Matthew R. Galeotti, sheds light on that issue. Specifically, on May 12, Galeotti issued a memorandum—“Focus, Fairness, and Efficiency in the Fight Against White-Collar Crime” (the “Galeotti Memorandum”). Galeotti covers a number of topics in the memorandum, including the “three core tenets” that the Criminal Division will follow when prosecuting white-collar matters. Those tenets are: “(1) focus; (2) fairness; and (3) efficiency.” We will cover each of those pillars in three posts this week. This post delves into the first tenet—focus.
As an initial matter, the Galeotti Memorandum affirms the Department’s commitment to “do justice, uphold the rule of law, protect the American public, and vindicate victims’ rights.” He emphasizes the “significant threat to U.S. interests” that white-collar crime poses. Galeotti explains that the Department is adopting a “targeted and efficient” approach to white collar cases that “does not allow overbroad enforcement to harm legitimate business interests.” Galeotti further cautioned that governmental overreach “punishes risk-taking and hinders innovation.”
Under the focus prong, the Galeotti Memorandum directs prosecutors to concentrate on issues that pose a “significant threat to US interests.” Galeotti first walks through the harms stemming from white-collar crime, including:
The exploitation of governmental programs, including health care fraud and defense spending fraud;
The targeting of U.S. investors or actions that otherwise undermine market integrity, such as elder fraud, investment fraud, and Ponzi schemes;
The targeting of monetary systems that compromise “economic development and innovation;”
Threats to the American economy and national security; and
The corruption of the American financial system.
In light of those harms, Galeotti identifies the following priority areas for the Criminal Division:
Health care fraud and other waste, fraud, and abuse;
Trade and customs fraud;
Elder fraud, securities fraud, and other fraud facilitated by variable interest entities;
Complex money laundering, including “Chinese Money Laundering Organizations;”
Fraud targeting “U.S. investors, individuals, and markets;”
Crimes that compromise national security;
Corporate support of “foreign terrorist organizations;”
Crimes implicating “the Controlled Substances Act and the Federal Food, Drug, and Cosmetic Act;”
Money laundering and bribery implicating “U.S. national interests,” “national security,” competition, and the benefit of “foreign corrupt officials;” and
Criminal conduct that involves “digital assets that victimize investors and consumers,” use those assets to further “other criminal conduct,” and “willful violations that facilitate significant criminal activity.”
In addition, the Department will focus on identifying and seizing the proceeds of crimes included in the list above and using those proceeds “to compensate victims.” Prosecutors will also prioritize crimes “involving senior-level personnel or other culpable actors, demonstrable loss,” and obstruction of justice.
The Department is also expanding its Corporate Whistleblower Awards Pilot Program to prioritize tips that result in forfeiture in areas such as:
Conduct involving “international cartels or transnational criminal organizations;”
Federal immigration law violations;
Conduct “involving material support of terrorism;”
“Corporate sanctions offenses;”
Corporate conduct involving “[t]rade, tariff, and customs fraud;” and
Procurement fraud by corporations.
As noted above, we will delve into the other two prongs of the Galeotti Memorandum—fairness and efficiency—in two follow-up posts. The first prong makes clear, however, that the Department is still focused on white-collar crime—particularly in the health care industry.
Clearer Carrots and More Restrained Sticks: Key Updates to DOJ Corporate Enforcement Policies

“The Criminal Division is turning a new page on white-collar and corporate enforcement.” So pronounced the head of the US Department of Justice (DOJ) Criminal Division, Matthew Galeotti, in a recent speech rolling out several new policies regarding central elements of DOJ’s approach to corporate enforcement, including self-disclosure, whistleblowers, and corporate monitorships.1
In a new enforcement plan titled “Focus, Fairness, and Efficiency in the Fight Against White-Collar Crime” (Enforcement Plan) and addressed to all Criminal Division personnel,2 Galeotti sets out several areas of focus for the Criminal Division that align with the Trump administration’s already-announced priorities and introduces some key process changes. The Enforcement Plan also recognizes the significant costs and intrusions that accompany federal probes and emphasizes the need for prosecutors to take all reasonable steps to minimize the length and impact of such investigations.
To that end, the Enforcement Plan introduced three particularly significant policy changes. First, and most meaningful, the Enforcement Plan unveiled an updated Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP)3 that provides a path to guaranteed declinations or non-prosecution agreements (NPAs). The intention is apparent: DOJ is continuing its emphasis on self-disclosure, cooperation, and remediation. To spur more self-disclosures, DOJ is offering “carrots” that are bigger and more definite, so that companies know what to expect when they make the decision to call DOJ. Second, the new policies also broaden the conduct covered by the Corporate Whistleblower Awards Pilot Program to cover key administration priorities, such as immigration, transnational criminal organizations (TCOs), sanctions, and tariffs.4 And, third, revised policies now limit the imposition of burdensome compliance monitorships as part of corporate criminal resolutions.5
Focus Areas
The Enforcement Plan directs the Criminal Division to be “laser-focused on the most urgent criminal threats to the country” and identifies 10 “high-impact areas” that will be prioritized in investigating and prosecuting white-collar crimes. These include some long-standing categories as well as some that align with the Trump administration’s earlier-stated goals. They include the following:
Waste, fraud, and abuse, including healthcare fraud and federal program and procurement fraud.
Trade and customs fraud, including tariff evasion.
Fraud in connection with “variable interest entities” (VIEs), defined as typically Chinese-affiliated companies listed on US exchanges.
Investment fraud.
National security threats and material support to foreign terrorist organizations, cartels, and TCOs.
Money laundering offenses.
Violation of federal drug control laws, including as they relate to fentanyl and opioids.
Bribery that impacts US national interests, national security, or competitiveness of US businesses.
Crimes involving digital assets.
The Enforcement Plan also specifies that the Criminal Division will focus on compensating victims and prioritizing schemes that involve senior-level personnel, demonstrable loss, and efforts to obstruct justice—in particular where that harm impacts US citizens.
New Paradigm for Self-Disclosure: Definite and Clear Benefits
In an effort to “transparently [describe] the benefits that a company may earn through voluntarily self-disclosing misconduct,”6 the Criminal Division now guarantees that it will offer a company a declination so long as it meets the following four factors:
The company voluntarily self-discloses misconduct that is not previously known to DOJ, prior to imminent threat of disclosure, and within a reasonably prompt time after the company becomes aware of it;
The company fully cooperates with the Criminal Division’s investigation;
The company timely and appropriately remediates the misconduct; and,
There are no “aggravating circumstances” related to the nature and seriousness of the offense, egregiousness or pervasiveness of the misconduct, severity of the harm, or a prior criminal resolution within the last five years based on similar misconduct.
This assurance of a declination replaced the predecessor version of the CEP, which only offered the “presumption” of a declination under those same factors. Now, assuming the company meets these factors, DOJ will enter into a declination, though the company will still be required to pay all disgorgement and forfeiture, as well as restitution to any victims, and the declination will be made public.
Even when a company does not meet all four criteria for a guaranteed declination, the new policy has defined benefits for what it calls “near miss” scenarios—i.e., those where a company self-disclosed after the government became aware of the conduct or where aggravating factors are present. In such circumstances, companies are promised significant self-disclosure benefits: an NPA with a term fewer than three years, a 75% reduction from the low end of the fine range, and avoidance of a corporate monitor.
Finally, for companies that make no self-disclosure, their full cooperation and remediation may still earn cooperation credit in the discretion of the prosecutor, which may include the form of the resolution, its term, a reduction in the monetary penalty (not to exceed a 50% reduction in the guidelines range), and whether to impose a corporate monitor.
To aid companies as they navigate these benefits, the CEP now includes the following flow chart:
Source: 9-47.120 – Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy
An Expanded Whistleblower Pilot Program
The Criminal Division also renewed its commitment to the Corporate Whistleblower Awards Pilot Program, originally unveiled under the last administration, with some modifications, primarily in terms of the types of matters covered, to align them with the Enforcement Plan’s areas of focus.
The three-year pilot program, launched in August 2024, was designed to offer significant payouts to tipsters who provide information on certain frauds that lead to asset forfeitures above US$1 million. While the mechanics of the program remain largely unchanged—including a 120-day window to self-disclose and receive the full benefits of the CEP, even if a whistleblower reported the same allegations to the government—the updated policy adds to its coverage matters in areas that the Trump administration has repeatedly highlighted as areas of priority. These priority areas include: procurement and federal program fraud; trade, tariff, and customs fraud; violations of federal immigration law; violations involving sanctions; and material support of foreign terrorist organizations, cartels, or TCOs, including money laundering, narcotics, and Controlled Substances Act violations. Notably, the program continues to include within its scope violations related to foreign corruption and bribery, including violations of the Foreign Corrupt Practices Act (FCPA) and Foreign Extortion Prevention Act (FEPA).
Monitors Reserved for Egregious Cases
As for independent compliance monitors, they will be fewer and far between, with the new policy noting that the value they add is often outweighed by the substantial costs and distractions that they impose on a company. DOJ now lists several criteria it will evaluate to ensure that an independent monitor will only be imposed when necessary and if the potential benefits justify the significant costs and burden.
In the “limited” circumstances when an independent compliance monitor is imposed, the DOJ will ensure that the monitorship is appropriately tailored, right-sized to the conduct, and focused on bringing the company back into good standing, where it can prevent future misconduct. To that end, DOJ will now require a fee cap, oversee budgets and workplans, and impose regular meetings with the Criminal Division.
Key Takeaways
These policy announcements reveal a much-anticipated shift by the Trump administration toward a corporate enforcement approach that recognizes and places greater emphasis on the practical impacts that DOJ actions have on corporations. By providing clearer guidelines and guaranteed benefits from self-reporting and cooperation—while limiting some of the more burdensome and costly penalties—DOJ is explicitly trying to adjust the carrot-and-stick calculations for companies that may encounter potential misconduct within their ranks. All companies active within the United States must carefully consider the ways that these policies change the risk environment.
Importance of Professional Internal Investigations
Conducting a focused, efficient, and credible internal investigation soon after allegations of misconduct arise remains as important as ever. To obtain the benefits of the revised CEP, including a certain declination or NPA, a company must self-disclose within a reasonably prompt period, which necessarily means that the company needs to know what the issue is and assess whether it warrants a disclosure. Moreover, with the renewed and expanded whistleblower incentives, if someone reports the misconduct both internally and to DOJ, there is only a 120-day window for the self-disclosure to satisfy the CEP requirements. In short, when an allegation arises that may reflect a federal criminal issue, a timely and professional investigation into the matter may yield substantial benefits.
Continue to Assess Compliance Programs
The DOJ announcements recognize the important role that US corporations have and that an effective compliance program is the “first line of defense” against misconduct.7 Such programs should include avenues for internal reporting and investigation of allegations, so that companies are well-positioned to benefit from the enhanced benefits under the CEP. Companies should also consider the “areas of focus” noted in the Enforcement Plan and how their compliance program addresses them, as applicable to the particular circumstances of their business. Consideration should be given to whether programs should now go beyond the historical areas of focus, such as antibribery and conflicts of interest, to policies, procedures, and trainings that cover sanctions, export controls, and tariff compliance, and that ensure companies avoid any connections to TCOs and cartels.
Carefully Evaluate Self-Disclosure Decisions
Although the “carrots” offered by DOJ are now clearer, more beneficial, and more predictable, decisions on whether, when, and how to self-disclose are always complex and involve many considerations. The prospect of a declination or NPA is attractive and now more apparent, but other consequences remain from self-disclosure in addition to the criminal fines and restitution, including ancillary litigation, business, and reputational risks. Decisions regarding self-reporting should be soberly reviewed with counsel.
In the Fight Against Noncompete Agreements, Florida Chooses Employers
The Florida Legislature passed the “Contracts Honoring Opportunity, Investment, Confidentiality, and Economic Growth (CHOICE) Act” last month to provide employers two new outlets for protecting confidential information and client relationships from departing employees. Notably, the CHOICE Act does not change or limit Florida’s existing restrictive covenant law but rather expands it to provide a covered garden leave agreement and a covered noncompete agreement. If signed by Gov. Ron DeSantis, the law will go into effect on July 1, 2025.
Key Highlights
The act creates a presumption that garden leave agreements and noncompete agreements adhering to its “covered” guidelines are enforceable and do not violate public policy.
The act requires courts to issue a preliminary injunction against employees who seek to violate a “covered” agreement.
To have the injunction dissolved or modified, the “covered” employee must establish either:
The employee will not perform similar work during the covered period or use the confidential information or customer relationships of the covered employer.
The employee will not engage in the same business or activity as the covered employer within the restricted area.
The employer has failed to pay the covered employee the compensation contemplated under the covered agreement and has had a reasonable amount of time to cure the deficiency.
Who Is Covered?
A “covered employee” is defined as an employee or individual who earns or is reasonably expected to earn a salary greater than twice the annual mean wage of either: (1) the county in which the employer has its principal place of business or (2) if the employer’s principal place of business is not in Florida, the county in which the individual resides. However, the law will not apply to healthcare practitioners licensed under Florida law.
A “covered employer” is defined as an entity or individual who employs or engages a covered employee.
What Are the Requirements?
Covered Garden Leave Agreement
A garden leave agreement allows an employer to prevent a departing employee from engaging in other employment provided the employee is still being paid. The period between the employee’s resignation and dissolution from the employer’s payroll is known as the “notice period.” Under the CHOICE Act, a garden leave agreement is enforceable if:
The employee was provided the agreement seven days before the agreement or offer of employment expired and was advised in writing of their right to seek counsel.
The employee acknowledges in writing they will receive confidential information or customer relationships during their employment.
The agreement provides:
The employee cannot be required to provide services to their employer after the first 90 days of the notice period.
The employee may engage in nonwork activities at any time, including during normal business hours, during the remainder of the notice period.
The employee may work for another employer while still employed by the covered employer with the covered employer’s permission.
The employer will pay the employee their regular base salary plus benefits for the duration of the notice period.
The notice period will not extend beyond four years. However, an employer may choose to shorten the notice period at its discretion by providing the employee with 30 days advance written notice.
Covered Noncompete Agreements
Noncompete agreements prohibit an employee from providing services similar to the services provided to their employer for a period of time within a specific geographic region after the end of their employment. Under the CHOICE Act, a noncompete agreement is enforceable if:
The employee was provided the agreement seven days before the agreement or offer of employment expired and was advised in writing of their right to seek counsel.
The employee acknowledges in writing they will receive confidential information or customer relationships during their employment.
The noncompete period does not exceed four years.
The noncompete period is reduced for the duration of any non-working portion of the notice period of any applicable garden leave agreement between the covered employee and covered employer.
What Should Employers Do?
Review existing agreements for compliance with the act and consider revisions.
Remember these agreements may be introduced during the course of employment provided the employee still has seven days to consider signing the agreement before the offer expires.
Costco’s Internal Investigation Confidentiality Restrictions Deemed Unlawful
On May 5, 2025, an Administrative Law Judge (“ALJ”) for the National Labor Relations Board (“NLRB” or the “Board”) ruled that retailer Costco Wholesale Corp. (“Costco”) violated the National Labor Relations Act (“NLRA” or the “Act”) when it asked employees involved in an internal investigation regarding sexual harassment allegations to sign a confidentiality agreement prohibiting them from discussing details concerning the investigation. The ALJ’s decision highlights considerations employers ought to take into account when balancing their interests in maintaining the integrity of internal investigations and complying with the NLRA.
A female employee at Costco’s Winston-Salem, North Carolina location submitted an internal complaint in August 2022, accusing a male coworker of sexual harassment. The employee spoke with several of the store’s managers about her complaint, one of whom presented the employee with a copy of Costco’s Acknowledgement of Confidentiality for Investigations form (the “Acknowledgment”) to sign. The Acknowledgment included a provision stating that the employee agreed “to maintain the confidentiality regarding this ongoing investigation.” The Acknowledgment also contained a provision requiring the employee to represent that she did not record any part of the investigation interview, as well as a provision stating that any violation of the terms of the Acknowledgment by the employee “may result in disciplinary action up to and including termination.”
Costco investigated the employee’s complaints in the following weeks and presented each employee interviewed with an identical copy of the Acknowledgment to sign. Costco concluded its investigation in March 2023, at which time a Costco Vice President sent the employee who submitted the complaint a letter advising her of the results of the investigation, including that the employee accused of harassment was no longer employed, and requesting that the employee treat the information in the letter as confidential.
The General Counsel for the NLRB alleged that the provisions in the Acknowledgment requiring the employees to maintain confidentiality of the investigation and refrain from recording any part of the investigation interviews, as well as the Costco Vice President’s confidentiality request in his March 2023 letter, violated Section 8(a)(1) of the NLRA by interfering with, restraining, and/or coercing employees in the exercise of their rights under Section 7 of the Act. The ALJ agreed with the General Counsel, holding in a May 5, 2025, decision that the complained-of provisions in the Acknowledgment were overly broad and that the Costco Vice President’s instructions in his letter impermissibly prevented the employee from disclosing or discussing matters affecting her and/or other employees’ terms and conditions of employment, both in violation of the Act.
The ALJ applied the Board’s Stericycle standard to the confidentiality provision in the Acknowledgment. Under the Stericycle standard, there is no presumption that an employer’s interest in maintaining the confidentiality of its internal investigations outweighs the impact a policy or work rule may have on employees’ exercise of Section 7 rights. Rather, the General Counsel must “prove that a challenged rule has a reasonable tendency to chill employees from exercising their Section 7 rights.” If the General Counsel carries this burden, the rule is presumptively unlawful, and the employer may only avoid a finding that it violated the Act if it shows that the rule “advances a legitimate and substantial business interest and that the employer is unable to advance that interest with a more narrowly tailored rule.”
Applying the Stericycle standard, the ALJ concluded that the confidentiality provision in the Acknowledgment had a reasonable tendency to chill employees in the exercise of their Section 7 rights, highlighting that the Acknowledgment contained a blanket prohibition regarding employee communications about the ongoing investigation and warned employees of disciplinary consequences for failing to comply with the confidentiality restrictions. The ALJ also rejected Costco’s argument that the confidentiality provision was necessary to protect the integrity of its investigation, reasoning that its terms were (1) unlawfully overbroad because they required the employees to maintain confidentiality regarding information beyond the scope of what they learned or provided to Costco during the investigation process, and (2) not appropriately limited in time, as they could reasonably be interpreted as extending confidentiality restrictions beyond the conclusion of the investigation.
The ALJ similarly held that the Vice President’s instructions in his March 2023 letter violated the Act because they required the employee who submitted the harassment complaint to keep information about the investigation confidential after its conclusion. Further, the ALJ explained that the no-recording provision of the Acknowledgment violated the Act because it was broad enough to prohibit not only recording of the investigation interviews, but also any other conversations between employees and management, subject to the threat of discipline.
This decision adds to the recent scrutiny of employers’ confidentiality practices and raises additional considerations employers must balance in their efforts to protect the integrity of internal investigations while complying with federal labor law. Employers should examine their practices regarding employee obligations in connection with internal investigations to determine whether they are appropriate and reasonable in scope and time.
Employers should also continue monitoring for developments to Board law on this topic, as it is not yet clear how the Board’s approach to employers’ confidentiality practices will shift under the new administration. Though the Board currently applies the Stericycle standard to determine the legality of workplace rules, the new administration will likely overturn the Biden-era Stericycle decision, which was issued in 2023, and revert to the more employer-friendly Boeing standard that was established in 2017, during the first Trump Administration.
Under Boeing, the Board assesses whether work rules are lawful to maintain by analyzing the nature and extent of the rule’s potential impact on employees’ rights and the employer’s legitimate business justifications for the rule. Based on this analysis, the Board uses the Boeing standard to place rules in one of three categories—Category 1, 2, or 3—depending on whether they are always lawful to maintain, require case-by-case analysis, or are always unlawful to maintain. Unlike under Stericycle, the Board does not presume that a work rule is unlawful if the General Counsel proves that the rule has a reasonable tendency to chill employees from exercising their Section 7 rights when applying the Boeing standard. Employers favor the Boeing standard because it provides them with predictability and certainty when drafting work rules and gives greater weight to employers’ interests in maintaining workplace order through those rules.
While the Board’s reinstatement of the Boeing standard would be a welcome change for employers, it would not eliminate the concerns raised by the Costco decision entirely. Regardless of the standard in place governing the legality of work rules, employers will need to carefully consider how to appropriately balance promoting legitimate confidentiality interests and employees’ rights under the NLRA in order to avoid infringing upon those rights.
No Tax on Tips Provision Included in the House Ways and Means Committee’s 2025 Tax Bill
On May 14, the House Ways and Means Committee approved the Make American Families and Workers Thrive Again Act, which contains a no tax on tips provision. This Ways and Means Committee bill is the starting point in what may be an arduous journey through Capitol Hill, so the final version of no tax on tips may look different than this committee bill. Some no tax on tips highlights include:
Eligible employees would be able to deduct “qualified tips” to determine taxable income.
Qualified tips are cash tips (whether paid by cash, credit card, or debit card) in an occupation that traditionally and customarily received tips.
The secretary of the Treasury would be required to publish a list of traditional tip-receiving occupations within 90 days of the president signing the Act.
Qualified tips must be paid voluntarily without any consequence in the event of nonpayment, may not be subject to negotiation, and must be determined by the payor.
The recipient of the tips must not be a “highly compensated employee,” which for 2025 is an employee who earns $160,000 or more.
The deduction for qualified tips would be allowed for non-itemizers.
Because no tax on tips would be structured as an employee deduction, tips would continue to be included in the base for FICA taxes (Social Security or Medicare tax).
The employer would still be required to report the qualified tips on the W-2 provided to the employees.
This deduction for qualified tips would be allowed for the 2025 through 2028 tax years (four years only).
While the bill does not limit the amount of tips that may be deducted (i.e., subject to tax-free treatment), as bills previously introduced did, it does eliminate the deduction for highly compensated employees as discussed above.
The bill has other details, including a limitation provision on persons who engage in a trade or business who also receive tips – for example, a chef who cooks the food for a dinner party at a private residence. In such a case, such person’s deduction for tips would be limited to the amount that their gross receipts exceed the cost of providing the service, such as food and beverage cost.
Once again, this is subject to change as Congress may look to reduce the cost of this and the other tax cuts in the bill. But, if the current no tax on tips bill is passed and signed into law without material changes, there may be a scramble during the 90 days after it is signed for the Treasury Department to determine which occupations traditionally receive tips and would be allowed the benefit of no tax on tips.
State Tax Issues
Considering the potential revenue implications of the Act, states would have to decide whether to conform (or decouple) from any change in the federal policy. Depending on the revenue implications, not all states may choose to conform, creating additional compliance and administration issues as state and federal taxing authorities would use divergent definitions of income.
Despite the revenue and compliance challenges a no tax on tips policy may create, almost a dozen states have introduced proposed bills at the state level for consideration during the 2025 legislative session (Arizona,1 Kentucky,2 Kansas,3 Maryland,4 Nebraska,5 New Jersey,6 New York,7 North Carolina,8 Oregon,9 South Carolina,10 and Virginia11). To date, none of these proposals have passed.
Other Issues and Industry-Specific Considerations
Regardless of how any no tax on tips initiative(s) takes shape, any change in tip taxation would impact reporting. The IRS estimates that tips are underreported to the tune of tens of billions of dollars every year. Enacting such a policy may create an incentive to broaden the understanding of a gratuity as much as possible. This may lead to reporting inconsistencies regarding the proper wage/tip classifications.
The no tax on tips promise might also lead to friction among the different classifications of employees in a very industry-specific manner. In the restaurant industry, for example, highly tipped employees, such as front of house restaurant, bar workers, or employees participating in a tip pool in a restaurant with significant tips would seem to be the most significant beneficiaries of the legislation. “Lightly tipped” employees, such as tipped quick service and fast casual restaurant workers, may receive modest or no benefits. In addition, non-tipped employees and restaurant managers, who may be legally precluded from receiving tips due to laws and regulations prohibiting tip sharing with management-level personnel, would receive no benefits from the legislation. Restaurant employers may be faced with requests for compensation increases from these employees, or a declining interest from restaurant workers in working their way up into management-level roles, if the compensation and income boost from tax-free tips is more attractive than the management compensation.
A change to a no tax on tips policy—either at the federal or state level—should be of interest to restaurant employers of tipped employees. Although the policy may benefit some restaurant workers, the legislation may present challenges to restaurant owners/operators who have experienced significant price and wage inflation, including historic increases in wages and benefits in many parts of the country over the past several years, while operating expenses and pressures have increased considerably. In addition, “tip credits,” which permit an employer to pay tipped employees a reduced hourly wage based upon the tips received by such employees in most U.S. states, have been challenged in parts of the country.
While the no tax on tips policy may provide significant tax savings to select tipped workers, the legislation may create challenges for restaurant owners and other businesses with workers designated by the Treasury Secretary to be a traditional tip-receiving occupation. As this policy begins to unfold, restaurant owners should be aware of and engage—at both the federal and state level—to try and shape these policies to address these issues.
1 See HB 2081, which would exempt tips for state income tax purposes.
2 See HB 26, which would exempt tips and overtime compensation for state income tax purposes through 2029.
3 See HB 277, which would exempt up to $25,000 of tips for state income tax purposes starting in 2026.
4 See HB 1400/SB 0823, which would have exempted tips for state income tax purposes.
5 See LB 28, which would have created a deduction for tips from taxable income for state income tax purposes starting in 2025.
6 See S 3741/A 5006, which would exempt tips for state income tax purposes starting in 2026.
7 See S 587/A 05856, which would exempt tips for state income tax purposes starting in 2025.
8 See HB 11, which would exempt tips, overtime pay and up to $2500 of an annual bonus for state income tax purposes.
9 See SB 560, which would exempt tips for state income tax purposes from 2026 through 2031.
10 See H 3520/S 0534, which would exempt tips for state income tax purposes.
11 See HB 1965, which would provide a deduction for tips and overtime from state taxable income starting in 2025.
DOJ Criminal Division Updates (Part 1): DOJ’s New White Collar Crime Enforcement Plan
On May 12, DOJ’s Criminal Division head, Matthew G. Galeotti, issued a memo to all Criminal Division personnel, entitled “Focus, Fairness, and Efficiency in the Fight Against White-Collar Crime,” to “outline the Criminal Division’s enforcement priorities and policies for prosecuting corporate and white-collar crimes in the new administration.” The memo highlights 10 priority areas for investigation and prosecution, calls for a revision of the Division’s Corporate Enforcement and Voluntary Self-Disclosure Policy to provide increased incentives to corporations, and previews “streamlining corporate investigations” with an emphasis on fairness and efficiency as well as a reduction in corporate monitorships.
Ten Priority Areas for Investigation and Prosecution
The memo enumerates the following ten areas of focus:
Health care fraud;
Trade and customs fraud, including tariff evasion;
Fraud perpetrated through VIEs (variable interest entities);
Fraud that victimizes U.S. investors, such as Ponzi schemes and investment fraud;
Sanctions violations or conduct that enable transactions by cartels, TCOs, hostile nation-states, and/or foreign terrorist organizations;
Provision of material support to foreign terrorist organizations;
Complex money laundering, including schemes involving illegal drugs;
Violations of the Controlled Substances Act and the FDCA (Food, Drug, and Cosmetic Act);
Bribery and money-laundering that impact U.S. national interests, undermine U.S. national security, harm the competitiveness of U.S. business, and enrich foreign corrupt officials; and
Digital asset crimes, with high priority to cases involving cartels, TCOs, drug money-laundering or sanctions evasion.
These 10 areas of focus — and the order in which they are listed — echo the priorities laid out in the Trump administration’s enforcement-related executive orders and memos published to date.[1]
More broadly, Galeotti described the priorities as DOJ’s effort to “strike an appropriate balance between the need to effectively identify, investigate, and prosecute corporate and individuals’ criminal wrongdoing while minimizing unnecessary burdens on American enterprise.” Galeotti explained that “[t]he vast majority of American business are legitimate enterprises working to deliver value for their shareholders and quality products and services for customers” and therefore “[p]rosecutors must avoid overreach that punishes risk-taking and hinders innovation.” Galeotti also makes clear that DOJ attorneys “are to be guided by three core tenets: (1) focus; (2) fairness; and (3) efficiency.” He also directed the Criminal Division’s Corporate Whistleblower Awards Pilot Program be amended to reflect these priority areas of focus.[2]
Emphasis on Individuals and Leniency Toward Corporations
Galeotti emphasized the Criminal Division’s focus on prosecuting individuals and the need to further take into account the efforts put forth by corporations to remediate the actions of individual bad actors. Galeotti promised the Criminal Division would “investigate these individual wrongdoers relentlessly to hold them accountable” and directed the revision of the Division’s Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) to provide more opportunities for leniency where it is determined corporate criminal resolutions are necessary for companies that self-disclose and fully cooperate. These revisions include shorter terms for non-prosecution and deferred prosecution agreements, reduced corporate fines, and limited use and terms of corporate monitors.[3] Galeotti specifically has directed the review of terms of all current agreements with companies to determine whether they should be terminated early. DOJ has already begun terminating agreements it determined have been fully met.
Streamlining Corporate Investigations
Finally, Galeotti emphasizes the need to minimize the unnecessary cost and disruption to U.S. businesses due to DOJ’s investigations and to “maximize efficiency.”
More Efficient Investigations
While acknowledging the complexity and frequent cross-border nature of the Division’s investigations, prosecutors are instructed to “take all reasonable steps to minimize the length and collateral impact of their investigation, and to ensure that bad actors are brought to justice swiftly and resources are marshaled efficiently.” The Assistant Attorney General’s office will, along with the relevant Section, track investigations to ensure they are “swiftly concluded.”
Limitation on Corporate Monitorships
DOJ will impose compliance monitorships only when it deems them necessary and has directed that those monitorships, when imposed, should be “narrowly tailored.” Building upon a previous administration’s memorandum,[4] DOJ issued a May 12 Memorandum on Selection of Monitors in Criminal Division Matters, which provides factors for considering whether a monitorship is appropriate and guidelines to ensure a monitorship is properly tailored to address the “risk of recurrence” and “reduce unnecessary costs.” In considering the appointment of a monitor, prosecutors are to consider the:
Risk of recurrence of criminal conduct that significantly impacts U.S. interests;
Availability and efficacy of other independent government oversight;
Efficacy of the compliance program and culture of compliance at the time of the resolution; and
Maturity of the company’s controls and its ability to independently test and update its compliance program.
The chief of the relevant section, as well as the Assistant Attorney General, must approve all monitorships, and the memo lays out additional details regarding the monitor’s appointment and oversight as well as the monitor selection process.
Takeaways
DOJ’s current hiring freeze and recent personnel reductions/reassignments should not be taken as a sign that white collar crime will be permitted to flourish under the current administration. Rather, Galeotti’s May 12 memo further solidifies the enforcement policies and priorities the DOJ has been previewing since day one of the Trump administration and provides more clarity on what to expect when engaging with the Criminal Division and where it will be focusing its now-more-limited resources. Companies should familiarize themselves with this memo and corresponding updates related to whistleblowers, corporate enforcement and self-disclosures, and monitorships to ensure companies are appropriately assessing their risk profile, addressing potential misconduct, and meeting government expectations.
[1] See, e.g., Executive Order 14157, Designating Cartels and Other Organizations as Foreign Terrorist Organizations and Specially Designated Global Terrorists (Jan. 20, 2025) (Cartels Executive Order); Memorandum from the Attorney General, Total Elimination of Cartels and Transnational Criminal Organizations (Feb. 5, 2025) (Cartels and TCOs AG Memorandum); Executive Order 14209, Pausing Foreign Corrupt Practices Act Enforcement to Further American Economic and National Security (Feb. 10, 2025); Cartels and TCOs AG Memorandum.
[2] See “DOJ Criminal Division Updates (Part 2): Department of Justice Updates its Corporate Criminal Whistleblower Awards Pilot Program”
[3] See “DOJ Criminal Division Updates (Part 3): New Reasons for Companies to Self-Disclose Criminal Conduct”
[4] March 7, 2008 Craig Morford Memorandum (addressing selection and responsibilities of a corporate monitor).
California Privacy Protection Agency Releases Updated Regulations: What’s Next?
This month, the California Privacy Protection Agency (CPPA) Board discussed updates to the California Consumer Privacy Act (CCPA) draft regulations related to cybersecurity audits, risk assessments, automatic decision-making technology (ADMT), and insurance.
The CPPA received comments on the first draft of the regulations between November 22, 2024, and February 19, 2025, and the feedback was provided at last month’s board meeting.
Based on the discussions at last month’s meeting, the CPPA made further revisions to the draft, which include the following:
Definition of ADMT: ADMT will no longer include technology that ONLY executes a decision or substantially facilitates human decision-making; the definition will only include technology that REPLACES or substantially replaces human decision-making.
Definition of Significant Decision: Risk assessments and ADMT obligations are triggered by certain data processing activities that lead to “significant decisions” that affect a consumer; the updated draft no longer includes decisions that determine “access” to certain services as triggering events. However, financial or lending, housing, education, employment, and independent contracting services constitute services that implicate whether a significant decision is being made about a consumer; insurance, criminal justice services and essential goods and services were removed from the list of services in the latest draft.
First-Party Advertising: Under the updated draft, companies are not required to conduct risk assessments or comply with the ADMT obligations simply because they profile consumers for behavioral advertising (i.e., first-party advertising does not trigger these requirements under the new draft).
ADMT Training and Personal Information: Companies will only be required to conduct a risk assessment if they process personal information to train ADMT for specific purposes.
Sensitive Location Profiling: Companies will not be required to conduct a risk assessment simply because they profile consumers through systematic observation in publicly accessible spaces; they will only have to adhere to the risk assessment requirement if the company profiles a consumer based on the individual’s presence in a “sensitive location” (i.e., healthcare facilities, pharmacies, domestic violence shelters, food pantries, housing or emergency shelters, educational institutions, political party offices, legal services offices, and places of worship).
Artificial Intelligence: The updated draft does not refer to “artificial intelligence” (AI) and AI terminology has been removed. However, AI systems would fall under the definition of ADMT and be subject to the other requirements under the updated regulations.
Cybersecurity Audits: If a company meets the risk threshold, the first cybersecurity audit must be completed as follows:
April 1, 2028, if the business’s annual gross revenue for 2026 is more than $100 million.
April 1, 2029, if the business’s annual gross revenue for 2027 is at least $50 million but no more than $100 million.
April 1, 2030, if the business’s annual gross revenue for 2028 is less than $50 million.
Thereafter, if a company meets the risk thresholds under the law, it must conduct a cybersecurity audit annually, irrespective of gross annual revenue.
Submission of Risk Assessments: Under the updated draft, companies no longer have to submit their risk assessments to the CPPA; alternatively, the company must provide an attestation and a point of contact for the company. Such documentation is due to the CPPA by April 1, 2028, for risk assessments completed in 2026 and 2027; after 2027, the documentation must be submitted by April 1 of the year following any year the risk assessment was conducted.
So, what’s next?
The CPPA initiated another public comment period, ending on June 2, 2025.
The CPPA MUST finalize the draft regulations by November 25, 2025:
If the CPPA files the final regulations by August 31, 2025, then the updates will take effect on October 1, 2025;
If the CPPA files the final regulations AFTER August 31, 2025, then the updates will take effect on January 1, 2026.
Utah Enacts AI Amendments Targeted at Mental Health Chatbots and Generative AI
Utah is one of a handful of states that have been leaders in the regulation of AI. Utah’s Artificial Intelligence Policy Act[i] (“UAIPA”) was enacted in 2024 and requires disclosures relating to consumer interaction with generative AI, with heightened requirements on regulated professions, including licensed healthcare professionals.
Utah recently passed three AI laws (HB 452, SB 226 and SB 332), all of which became effective on May 7, 2025, and either amend or expand the scope of the UAIPA. The laws govern the use of mental health chatbots, revise disclosure requirements for the deployment of generative AI in connection with a consumer transaction or provision of regulated services, and extend the repeal date of the UAIPA.
HB 452
HB 452 creates disclosure requirements, advertising restrictions, and privacy protections for the use of mental health chatbots.[ii] “Mental health chatbots” refer to AI technology that (1) uses generative AI to engage in conversations with a user of the mental health chatbot, similar to communications one would have with a licensed therapist, and (2) a supplier represents, or a reasonable person would believe, can provide mental health therapy or help manage or treat mental health conditions. “Mental health chatbots” do not include AI technology that only provides scripted output (such as guided meditations or mindfulness exercises).
Disclosure Requirements
A mental health chatbot must clearly and conspicuously disclose that the mental health chatbot is an AI technology and not human. The disclosure must be made (1) before the user accesses features of the mental health chatbot, (2) at the beginning of any interaction with the user, if the user has not accessed the mental health chatbot within the previous 7 days, and (3) if asked or prompted by the user whether AI is being used.
Personal Information Protections
Mental health chatbot suppliers may not sell or share with any third party the individually identifiable health information (“IIHI”) or user input of a user. The prohibition does not apply to IIHI that (1) a health care provider requests with the user’s consent, (2) is provided to a health plan upon the request of the user, or (3) is shared by the supplier as a covered entity to a business associate to ensure effective functionality of the mental health chatbot and in compliance with the HIPAA Privacy and Security Rules.
Advertising Restrictions
A mental health chatbot cannot be used to advertise a specific product or service to a user in a conversation between the user and the mental health chatbot, unless the mental health chatbot clearly and conspicuously (1) identifies the advertisement as an advertisement and (2) discloses any sponsorship, business affiliation or agreement with a third party to promote or advertise the product or service. Suppliers of mental health chatbots may not use a user’s input to (1) determine whether to display advertisements to the user unless the advertisement is for the mental health chatbot itself, (2) customize how advertisements are presented, or (3) determine a product, service or category to advertise to the user.
Affirmative Defense
HB 452 establishes an affirmative defense to violations of the law which requires, among other items, creating, maintaining and implementing a policy for the mental health chatbot that meets specific requirements outlined in the law and filing such policy with the Utah Division of Consumer Protection.
Penalties
Violation of the law may result in administrative fines up to $2,500 per violation and court action by the Utah Division of Consumer Protection.
SB 226
SB 226 pares back UAIPA’s disclosure requirements applicable to a supplier that uses generative AI in a consumer transaction to when (1) there is a “clear and unambiguous” request from an individual to determine whether an interaction is with AI, rather than any request, and (2) an individual interacts with generative AI in the course of receiving regulated services that constitute a “high-risk” AI interaction, instead of any generative AI interaction in the provision of regulated services.[iii]
Disclosure Requirements
If an individual asks or prompts a supplier about whether AI is being used, a supplier that uses generative AI to interact with an individual in connection with a consumer transaction must disclose that the individual is interacting with generative AI and not a human. While this requirement also existed under the UAIPA, SB 226 clarifies that disclosure is only required when the individual’s prompt or question is a “clear and unambiguous request” to determine whether an interaction is with a human or AI.
The UAIPA also requires persons who provide services of a regulated occupation to prominently disclose when a person is interacting with generative AI in the provision of regulated services, regardless of whether the person inquires if they are interacting with generative AI. Under SB 226, such disclosure is only required if the use of generative AI constitutes a “high-risk artificial intelligence interaction.” The disclosure must be provided verbally at the start of a verbal conversation and in writing before the start of a written interaction. “Regulated occupation” means an occupation that is regulated by the Utah Department of Commerce and requires a license or state certification to practice the occupation, such as nursing, medicine, and pharmacy. “High-risk AI interaction” includes an interaction with generative AI that involves (1) the collection of sensitive personal information, such as health or biometric data and (2) the provision of personalized recommendations, advice, or information that could reasonably be relied upon to make significant personal decisions, including the provision of medical or mental health advice or services.
Safe Harbor
A person is not subject to an enforcement action for violating the disclosure requirements if the person’s generative AI clearly and conspicuously discloses at the outset of and throughout an interaction in connection with a consumer transaction or the provision of regulated services that it is (1) generative AI, (2) not human, or (3) an AI assistant.
Penalties
Violation of the law may result in administrative fines up to $2,500 per violation and a court action by the Utah Division of Consumer Protection.
SB 332
SB 332 extended the repeal date of the UAIPA from May 1, 2025 to July 1, 2027.[iv]
Looking Forward
Companies that offer mental health chatbots or generative AI in interactions with individuals in Utah should evaluate their products and processes to ensure compliance with the law. Furthermore, the AI regulatory landscape at the state level is rapidly changing as states attempt to govern the use of AI in an increasingly deregulatory federal environment. Healthcare companies developing and deploying AI should monitor state developments.
FOOTNOTES
[i] S.B. 149 (“Utah Artificial Intelligence Policy Act”), 65th Leg., 2024 Gen. Session (Utah 2024), available here.
[ii] H.B. 452, 66th Leg., 2025 Gen. Session (Utah 2025), available here.
[iii] S.B. 226, 66th Leg., 2025 Gen. Session (Utah 2025), available here.
[iv] S.B. 332, 66th Leg., 2025 Gen. Session (Utah 2025), available here.