HHS OCR Imposes $1.5 Million Civil Penalty Against Warby Parker
On February 20, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced it had imposed a $1.5 million civil monetary penalty on HIPAA covered entity Warby Parker, an eyewear manufacturer and online retailer headquartered in New York City. OCR began its investigation into Warby Parker following receipt of a breach report filed with OCR by the company.
The breach report detailed that an unauthorized third party accessed Warby Parker customer accounts through “credential stuffing” attacks, in which username and password pairs exposed in unrelated breaches are replayed in bulk against a site’s login page and succeed wherever customers reused the same password. According to Warby Parker’s OCR breach report, 197,986 individuals were affected by the breach, which compromised names, mailing addresses, email addresses, payment card information and eyewear prescription information.
OCR’s investigation into Warby Parker revealed evidence of three alleged violations of the HIPAA Security Rule: failure to conduct an accurate and thorough risk analysis, failure to implement security measures sufficient to reduce risks to electronic protected health information, and failure to implement procedures to regularly review records of information system activity.
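The third violation, regular review of information system activity records, is where credential stuffing is usually caught, because the pattern is visible per source rather than per account: one origin tries many distinct usernames in a short window, most attempts fail (leaked passwords are often stale), and a handful succeed. The Python below is an added example written for this page, not code from OCR, Warby Parker or the newsletter; the log line format, sample entries (RFC 5737 documentation addresses, fictitious usernames) and thresholds are constructed assumptions to adapt to your identity provider’s logs.

```python
"""Flag credential stuffing in authentication logs.

Added example, not code from OCR, Warby Parker, or the original post. The log
line format is constructed for this example; adapt LOG_RE to your IdP or
web-server format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    """Per-source-IP login activity within the analysed log."""
    first: datetime
    last: datetime
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # usernames with a successful login


def parse_line(line: str):
    """Return (timestamp, ip, user, succeeded) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok"


def summarise_by_source(lines) -> dict[str, SourceStats]:
    """Aggregate attempts, failures and usernames per source IP."""
    stats: dict[str, SourceStats] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # a production pipeline should count and alert on unparseable lines
        ts, ip, user, ok = parsed
        s = stats.get(ip)
        if s is None:
            s = stats[ip] = SourceStats(first=ts, last=ts)
        s.first, s.last = min(s.first, ts), max(s.last, ts)
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def detect_credential_stuffing(
    lines, *, min_users: int = 5, min_failure_ratio: float = 0.75,
    window: timedelta = timedelta(minutes=10),
) -> dict[str, SourceStats]:
    """Return the sources whose activity matches the credential-stuffing pattern.

    Signature: one source tries many *distinct* usernames in a short window and
    most attempts fail. This separates it from brute force (many attempts
    against one username, deliberately not flagged here) and from a legitimate
    user mistyping their own password. Every success from a flagged source is
    a probable account takeover. Thresholds are assumptions; tune per site.
    """
    flagged = {}
    for ip, s in summarise_by_source(lines).items():
        if len(s.users) < min_users:
            continue
        if s.failures / s.attempts < min_failure_ratio:
            continue
        if s.last - s.first > window:
            continue
        flagged[ip] = s
    return flagged


def compromised_accounts(flagged: dict[str, SourceStats]) -> list[str]:
    """Usernames a flagged source logged into successfully (sorted, deduplicated)."""
    return sorted(set().union(*(s.successes for s in flagged.values())))


# Constructed sample: 203.0.113.7 works through a leaked credential list,
# 198.51.100.9 brute-forces one account, 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2025-01-15T03:00:01 ip=203.0.113.7 user=alice result=fail
2025-01-15T03:00:02 ip=203.0.113.7 user=bob result=fail
2025-01-15T03:00:02 ip=203.0.113.7 user=carol result=ok
2025-01-15T03:00:03 ip=203.0.113.7 user=dave result=fail
2025-01-15T03:00:04 ip=203.0.113.7 user=erin result=fail
2025-01-15T03:00:05 ip=203.0.113.7 user=frank result=fail
2025-01-15T03:00:06 ip=203.0.113.7 user=grace result=fail
2025-01-15T03:00:07 ip=203.0.113.7 user=heidi result=ok
2025-01-15T03:00:08 ip=203.0.113.7 user=ivan result=fail
2025-01-15T03:00:09 ip=203.0.113.7 user=judy result=fail
2025-01-15T03:05:00 ip=198.51.100.9 user=admin result=fail
2025-01-15T03:05:01 ip=198.51.100.9 user=admin result=fail
2025-01-15T03:05:02 ip=198.51.100.9 user=admin result=fail
2025-01-15T09:12:00 ip=192.0.2.44 user=alice result=fail
2025-01-15T09:12:20 ip=192.0.2.44 user=alice result=ok
"""

if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_LOG.splitlines())
    for ip, s in hits.items():
        print(f"{ip}: {len(s.users)} usernames, {s.failures}/{s.attempts} failed, "
              f"{(s.last - s.first).total_seconds():.0f}s span, took over {sorted(s.successes)}")
    print("accounts to force-reset:", compromised_accounts(hits))
```

Grouping by a single IP is the weakest part of this detector: commercial stuffing tooling rotates through residential proxies, so in practice the same aggregation is run per /24, per ASN, or per client fingerprint (user agent plus TLS fingerprint), and the per-source thresholds are lowered. Detection also only limits damage; the controls that stop the attack are multi-factor authentication, rate limiting per source, and screening new passwords against known-breached lists.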
OCR initially issued a Notice of Proposed Determination in September of 2024, seeking to impose a civil monetary penalty, which Warby Parker did not contest. Accordingly, OCR issued a Notice of Final Determination to Warby Parker in December of 2024.
In its press release announcing the penalty, OCR Acting Director Anthony Archeval stressed that “protecting individuals’ electronic health information means regulated entities need to be vigilant in implementing and complying with the Security Rule requirements before they experience a breach.”
New Section 232 Investigation on Imports of Copper, Scrap Copper and Derivative Products
On February 25, 2025, President Trump signed an executive order directing the Secretary of Commerce (Secretary) to initiate an investigation under Section 232 of the Trade Expansion Act of 1962 (Section 232) to determine whether imports of copper, scrap copper and copper derivative products threaten to impair national security. This investigation could impact copper availability in the U.S. in the short term, while potentially leading to new investments in U.S. smelting long-term.
In the order, the President noted that a single foreign producer controls over 50% of global copper smelting capacity and owns four of the top five largest refining facilities. U.S. smelting and refining capacity lags significantly behind despite ample domestic copper reserves.
The investigation will focus on the effects on national security of imports of copper in all forms, including but not limited to: (1) raw mined copper; (2) copper concentrates; (3) refined copper; (4) copper alloys; (5) scrap copper; and (6) derivative products. For the investigation, the Secretary will assess the factors set forth in 19 U.S.C. § 1862(d) such as domestic production needed for projected national defense requirements, the capacity of domestic industries to meet such requirements, and the availability of the resources essential to the national defense. In addition to those statutory factors, the executive order further directs the Secretary to evaluate the following nine (9) factors:
The current and projected demand for copper in United States defense, energy and critical infrastructure sectors;
The extent to which domestic production, smelting, refining and recycling can meet demand;
The role of foreign supply chains, particularly from major exporters, in meeting United States demand;
The concentration of United States copper imports from a small number of suppliers and the associated risks;
The impact of foreign government subsidies, overcapacity and predatory trade practices on United States industry competitiveness;
The economic impact of artificially suppressed copper prices due to dumping and state-sponsored overproduction;
The potential for export restrictions by foreign nations, including the ability of foreign nations to weaponize their control over refined copper supplies;
The feasibility of increasing domestic copper mining, smelting and refining capacity to reduce import reliance; and
The impact of current trade policies on domestic copper production and whether additional measures, including tariffs or quotas, are necessary to protect national security.
Within 270 days of the date of the executive order (i.e., by November 22, 2025), the Secretary will submit a report to the President that incorporates findings on whether U.S. dependence on copper imports threatens national security and recommendations for mitigating such threats and strengthening the U.S. copper supply chain. The Administration will subsequently determine appropriate action, if any.
Section 232 continues to be a preferred import adjustment tool for the Trump Administration. During President Trump’s first term, he revived the long-dormant statute, conducting eight (8) Section 232 investigations on imports such as steel, aluminum and uranium ore. Of these investigations, only those of steel and aluminum imports resulted in new tariffs – but those tariffs remain in place today, nearly seven years after issuance.
The U.S. Department of Commerce typically invites interested parties to submit written comments or information relevant to the products subject to Section 232 investigations.
The Trump Administration: Developments in Environmental Policy
From the outset, key goals of the incoming Trump Administration have been: supporting fossil fuel development, ending incentives for renewable energy and energy transition, removing “burdensome” environmental regulations and policies, and stepping back action on climate change and environmental justice initiatives. In his first week in office, President Trump rescinded several Biden Administration executive orders regarding action on climate change and environmental justice and issued executive orders seeking to boost fossil fuel development rather than renewable energy. Actions have continued in these particular areas indicating that the Trump Administration’s focus and goals remain consistent.
On February 4, 2025, new EPA Administrator Lee Zeldin announced the EPA’s “Powering the Great American Comeback” Initiative. The announcement outlined five key pillars, all of which focus on the EPA’s role of supporting American industry consistent with Trump’s campaign goals and reiterated by Administrator Lee Zeldin in his confirmation hearing. The five pillars are:
Clean Air, Land, and Water for Every American;
Restore American Energy Dominance;
Permitting Reform, Cooperative Federalism, and Cross-Agency Partnership;
Make the United States the Artificial Intelligence Capital of the World; and
Protecting and Bringing Back American Auto Jobs.
These pillars highlight the Trump Administration’s goal of having the EPA take a supporting role in American industry and fossil fuel growth while working with states and across agencies to find efficiencies.
Another important action taken by the Trump Administration is a January 30 memo that temporarily froze all federally driven environmental litigation to allow for review and potential reconsideration by the new administration. In addition, an EPA spokesperson said in an email that there is a hold on new (not yet effective) and pending (not yet published) regulations, and that, “most major decisions are undergoing a quick review process to ensure transparency and accountability to the American people.” For companies dealing with the EPA on the resolution of ongoing matters, whether in litigation or on compliance matters, this will likely lead to delays, if it has not already.
President Trump’s day one executive order “Unleashing American Energy” targeted climate action taken by the Biden Administration, barred agencies from using methodologies such as the social cost of carbon in their environmental analyses, ordered that the disbursement of funds appropriated through the Inflation Reduction Act (IRA) and the Infrastructure Investment and Jobs Act (IIJA) be paused, and specifically ended the electric vehicle subsidy. Funds from IRA and IIJA programs remain frozen despite court orders lifting the freeze from U.S. District Court Judges Loren AliKhan and John McConnell. Both judges have now ruled that the Trump Administration has defied the courts’ earlier orders lifting the spending freeze, but the issue remains unresolved. Companies and projects relying on IRA and IIJA grants, funds, or incentives should continue to watch this space as the legal considerations continue to play out over the upcoming months.
Consistent with general federal employee cuts and the Trump Administration’s goals, the administration has placed 168 employees in the EPA’s Office of Environmental Justice and External Civil Rights on leave and called for the elimination of any office or position involving environmental justice. President Trump also rescinded a number of President Biden’s environmental justice executive orders on January 24, including the rescission of EO 14096 which incorporated environmental justice into all executive branch decision making, and EO 14008 which, amongst other things, established the Climate & Economic Justice Screening Tool to help to identify disadvantaged communities.
Consistent with the Trump Administration’s disagreement with the Biden Administration’s stance towards climate action and environmental justice, the climate change sections of several government websites have been taken offline, including the White House’s climate change page and climate change section on the Department of State website. In addition, the EPA’s EJScreen tool, a tool to map community vulnerabilities and identify areas experiencing disproportionate exposure to environmental hazards and impacts, has also been taken offline. Companies and organizations relying on climate and environmental justice data for their sustainability work or when conducting due diligence on new projects will need to find alternatives. A number of universities and projects like the Public Environmental Data Project have worked to keep this data available to the public.
The funding freeze has impacted renewable energy and infrastructure projects, and all stakeholders involved in these projects from contractors and construction businesses to renewable energy companies, finance parties, as well as state and local governments and tribes.
Communities and businesses undertaking federally funded environmental projects have also been impacted by the funding freeze, as have farmers who were making use of the USDA’s many grant programs. The USDA made billions of funds available for the Climate-Smart Practices program and other conservation programs like the Environmental Quality Incentives Program, but farms relying on these funds are stuck in limbo until the funding freeze is resolved.
The loss of federal resources for environmental justice will also impact project developers. While disadvantaged communities will suffer from the loss of environmental justice resources, grants, and expertise, the loss of forecasting tools like EJScreen makes it more difficult for developers to make informed decisions about the communities they would like to operate in.
Health-e Law Episode 16: Crossroads of Care: Navigating Executive Orders with Jonathan Meyer, former DHS GC and Partner at Sheppard Mullin [Podcast]
Welcome to Health-e Law, Sheppard Mullin’s podcast exploring the fascinating health tech topics and trends of the day. In this episode, Jonathan Meyer, a partner at Sheppard Mullin and Leader of the firm’s National Security Team, joins us again to discuss the early days of the new Trump administration and what might be on the horizon in terms of cybersecurity and data privacy.
What We Discussed in This Episode:
What can we expect from the new administration in relation to cybersecurity and data protection?
How do these concerns translate to healthcare, both in terms of managing our care and protecting our data?
What is Sheppard Mullin’s executive actions tracker, why it matters, and how can listeners use it?
How is healthcare struggling with privacy and immigration, and how does this impact national security?
Exploring DORA: Potential Implications for EU and UK Businesses
On Jan. 17, 2025, EU Regulation 2022/2554 on digital operational resilience for the financial sector (DORA) became applicable in the EU.
DORA focuses on ICT risk management and operational resilience, with particular emphasis on vendor (third-party) risk management, incident management and reporting, and resilience testing of key systems.
DORA applies to financial institutions that are authorized to provide financial services in the EU and is designed to strengthen their IT security and operational resiliency.
It is worth noting, particularly for UK financial institutions, that DORA does not apply directly to organizations, including UK organizations, that are providing non-regulated services in the EU financial services industry. However, if a UK organization is providing any IT related services to an EU financial institution, it may be classified as an information and communication technology (ICT) third-party service provider under DORA. Depending on the nature of the organization and its services, it could be designated as a critical ICT third-party service provider, in which case it would have direct compliance obligations under DORA (which would include implementing a comprehensive governance and control framework to manage IT and operational resiliency risk).
As a high-level summary, financial institutions subject to DORA must:
Create and maintain a register of vendors (ICT third-party service providers) and report relevant information from the register to financial authorities annually.
Implement comprehensive security incident reporting procedures: an initial notification is due within four hours of classifying an incident as major, and in any event no later than 24 hours after becoming aware of it, with intermediate and final reports to follow.
Implement post ICT-related incident reviews after a major ICT-related incident disrupts core activities.
Implement and maintain a sound, comprehensive, and well-documented ICT risk management framework, which must include appropriate audits.
Establish and maintain a sound and comprehensive digital operational resilience testing program, which for critical functions must involve penetration testing.
Clearly allocate, in writing, the financial entity’s rights and obligations when engaging with ICT third-party service providers, including mandatory DORA contractual provisions.
Adopt and maintain a strategy on ICT third-party risk.
As discussed above, ICT third-party service providers delivering services to financial entities will also be subject to DORA obligations. The nature of these obligations, and whether the ICT third-party service provider falls directly under DORA, will depend on various factors, including how critical the provider is to the EU financial services ecosystem, the nature of the functions being supported, and the services being provided. With that said, all ICT third-party service providers will be subject to contractual obligations resulting from the requirement for in-scope financial entities to flow down certain obligations to their service providers under DORA.
In light of the above, UK organizations providing services in the EU should carefully consider whether they fall directly under DORA in their capacity as a financial institution, and/or whether their services may cause them to be considered an ICT third-party service provider.
Summary of 2025 Immigration-Related Executive Orders
The Trump administration has issued a number of executive orders since taking office that impact immigration. While these do not directly target employers or address business immigration, they nevertheless may impact employers and their workforce.
Trump Administration Makes First Round of Cartel Foreign Terrorist Organization Designations with Focus on Mexico and Venezuela
The US State Department has made its first round of designations pursuant to Executive Order 14157, “Designating Cartels and Other Organizations as Foreign Terrorist Organizations and Specially Designated Global Terrorists,” identifying eight international cartels and transnational organizations as Foreign Terrorist Organizations (FTOs) and Specially Designated Global Terrorists (SDGTs).
As Bracewell discussed earlier this month, these designations create criminal exposure for any entity — US or foreign — determined to have provided “material support” to one of these organizations. An entity may be found liable for providing “material support” to one of these organizations if it provides any property (tangible or intangible) or services, including currency, financial services, lodging, personnel and transportation.
To avoid unwittingly doing business with or providing material support to these newly designated FTOs and SDGTs, it is imperative that companies conduct renewed due diligence on their counterparties and supply chains, and reassess their anti-corruption controls and compliance measures.
The newly designated FTOs and SDGTs, and their leadership as alleged by US law enforcement, include:
Tren de Aragua (TdA). Key leadership includes: Hector Rusthenford Guerrero Flores, a/k/a “Niño Guerrero,” [1] Yohan Jose Romero, a/k/a “Johan Petrica,”[2] and Giovanny San Vicente, a/k/a “Giovanni.”[3]
La Mara Salvatrucha (MS-13). Key leadership includes: Edenilson Velasquez Larin, a/k/a “Agresor,” “Saturno,” “Tiny,” “Erick,” and “Paco;” and Hugo Diaz Amaya, a/k/a “21” and “Splinter.”[4]
Cártel de Sinaloa. Key leadership includes: Ismael Zambada-Garcia, a/k/a “El Mayo,” and Joaquin Guzman Lopez, son of “El Chapo” Guzman.[5]
Cártel de Jalisco Nueva Generación (CJNG). Key leadership includes: Nemesio Rubén Oseguera Cervantes, a/k/a “El Mencho.”[6]
Cártel del Noreste (CDN). Key leadership includes: Juan Gerardo Trevino-Chavez, a/k/a “Huevo.”[7]
La Nueva Familia Michoacana (LNFM). Key leadership includes: Johnny Hurtado Olascoaga, a/k/a “El Pez,” and Jose Alfredo Hurtado Olascoaga, a/k/a “El Fresa.”[8]
Cártel del Golfo (CDG). Key leadership includes: Jose Alfredo Cardenas-Martinez, a/k/a “El Contador.”[9]
Cárteles Unidos (CU).
In addition to international cartels that operate primarily in Mexico, this list includes two transnational organizations mentioned specifically in E.O. 14157: TdA, which originated in Venezuela but is also active in parts of South America, including Chile, Colombia and Peru; and MS-13, which originated in Los Angeles but is also active in Mexico and parts of Central America, including El Salvador, Guatemala and Honduras.
Companies conducting business in the countries listed above should be alert to these organizations’ infiltration of legitimate industries. La Nueva Familia Michoacana and Cárteles Unidos, for example, are heavily involved in the agricultural landscape of Michoacán, Mexico, particularly in the production of avocados. US law enforcement alleges that the Cártel de Jalisco Nueva Generación ran an elaborate time share fraud scheme that targeted US owners of time shares in Mexico.[10] Many cartels also operate legitimate businesses in order to launder money.
For more information, see “Guiding Your Company Through Trump’s New Latin America Enforcement Policy” or reach out to Bracewell’s government enforcement and investigations team for guidance.
[1] https://www.state.gov/reward-for-information-hector-rusthenford-guerrero-flores
[2] https://www.state.gov/reward-for-information-yohan-jose-romero/
[3] https://www.state.gov/reward-for-information-giovanny-san-vicente/
[4] https://www.justice.gov/usao-edny/pr/two-national-ms-13-gang-leaders-and-other-ms-13-members-and-associates-indicted
[5] https://www.ice.gov/about-ice/hsi/news/hsi-insider/notorious-sinaloa-cartel-leaders-arrested
[6] https://www.state.gov/nemesio-ruben-oseguera-cervantes-el-mencho-2
[7] https://www.ice.gov/news/releases/leader-cartel-del-noreste-arrested-following-ice-hsi-investigation
[8] https://ofac.treasury.gov/media/929446/download?inline
[9] https://www.ice.gov/news/releases/head-gulf-cartel-indicted-following-ice-hsi-federal-partner-assisted-investigation
[10] https://home.treasury.gov/news/press-releases/jy2465
Claims Court Breathes Life into Another Path to Protest OTAs
On Monday, February 24, 2025, the Court of Federal Claims (“COFC”) released the public version of a February 13 decision declining to dismiss Raytheon Company’s protest of a $648.5 million award under the Missile Defense Agency’s (“MDA”) interceptor development program. Judge Armando O. Bonilla held that the award was within the court’s jurisdiction over Other Transaction Authority agreements (“OTAs”).
Unsuccessful offerors have had difficulty finding a tribunal with jurisdiction over post-award protests involving OTAs. Under COFC and U.S. Government Accountability Office (“GAO”) precedent, an offeror’s ability to protest an OTA award is limited. OTAs are not considered procurement contracts. They are considered non-traditional acquisitions usually involving innovative research and development or prototyping services. They are not based on the Federal Acquisition Regulation (“FAR”) or Defense Federal Acquisition Regulation Supplement (“DFARS”) and are not subject to the Competition in Contracting Act (“CICA”). Under CICA and the GAO’s Bid Protest Regulations, GAO’s bid protest jurisdiction is limited to protests concerning alleged violations of federal agency procurement statutes or regulations in the award or proposed award of contracts for the procurement of goods and services, and solicitations leading to such awards. Under the COFC’s Tucker Act bid protest jurisdiction, COFC’s review is limited to protests “in connection with a procurement or a proposed procurement.” Disappointed OTA competitors also have been unsuccessful seeking relief in federal district courts.
Judge Bonilla’s decision in Raytheon navigates COFC precedent to find jurisdiction over a post-award OTA based on what the judge coined a “working definition.” Judge Bonilla found that the COFC can hear disputes over non-traditional acquisition deals if they are “intended to provide the government with a direct benefit in the form of products or services.” Judge Bonilla crafted his “working definition” of the COFC’s Tucker Act bid protest jurisdiction based on COFC decisions going back to 2019. According to the judge, these decisions “charted a more direct and interlinked path” from initial OTA award leading to a government purchase, and show that jurisdiction turns on the agency’s “immediate endgame.”
Judge Bonilla found that the $648.5 million MDA missile interceptor development OTA protested by Raytheon and earlier OTAs awarded by MDA provided for research and development services leading to production and delivery. According to Judge Bonilla, it did not matter that MDA “had not yet formally committed to purchasing an end product.” MDA’s intent to purchase was enough. MDA’s actions and communications regarding the interceptor program showed it intended to award a follow-on contract contemplated in the protested OTA if the awardee demonstrated its proposed solution works.
Judge Bonilla’s “working definition” will likely be challenged on appeal to the Federal Circuit. Thus, we do not know whether the expansion of COFC’s post-award protest jurisdiction over OTAs is here to stay.
Light at the End of the Tunnel – Are You Ready for the New California Privacy and Cybersecurity Rules?
After what seems like forever, the most recent (and last?) public comment period for the draft California Consumer Privacy Act (CCPA) regulations finally closed on February 19, 2025.
Following an initial public comment period on an earlier draft, the formal comment period for the current version of the proposed CCPA regulations (Proposed Regulations) began on November 22, 2024. The Proposed Regulations include amendments to the existing CCPA regulations and new regulations on automated decision-making technology, profiling, cybersecurity audits, requirements for insurance companies and data practice risk assessments. The California Privacy Protection Agency (CPPA) may either submit a final rulemaking package to the California Office of Administrative Law (OAL, which confirms statutory authority) or modify the Proposed Regulations in response to comments received during the public comment period.
If the CPPA proposes new changes to the Proposed Regulations, a new 15-day comment period follows. During the 15-day period, new comments must relate only to the CPPA’s newly proposed changes. This process repeats until the CPPA submits its final rulemaking package to the OAL. The OAL has up to 30 business days to review and approve the CPPA’s final rulemaking package. Once the OAL approves, the effective date of the Proposed Regulations (Effective Date) is determined by § 11343.4(b)(3) of the California Government Code.
We are hopeful that the CPPA and OAL will issue final regulations by this summer. Once final, some requirements apply as of the Effective Date and others phase-in for up to 24 months after the Effective Date. This means that, even though the CPPA could further modify the Proposed Regulations, the immediate effectiveness of parts of the Proposed Regulations calls for businesses to start their preparations now.
We addressed the notable amendments to the existing CCPA regulations in a prior post. We offer a quick summary of the new requirements and compliance timing, as well as a checklist to help jump-start the compliance process below. All references to section numbers and compliance dates relate to the Proposed Regulations. (Privacy World will consider the requirements for insurance companies in a future post.)
For more detailed guidance on complying with the current CCPA regulations and the Proposed Regulations, Squire Patton Boggs Services Ireland, Limited, Ankura Consulting Group, LLC and Exterro, Inc. have developed assessment templates, checklists and comparison charts that are available for license as non-legal services.[1]
What Are the 2025 Proposed Regulations? How Do They Compare to Other States’ Obligations?
When Do We Need to Comply With Which Parts of the Proposed Regulations?
The Proposed Regulations amend the existing regulations and add new requirements covering automated decision-making technology (ADMT), profiling, cybersecurity audits, requirements for insurance companies and data practice risk assessments.
Many states regulate profiling, but none has done so as robustly as the CPPA proposes. Most states have whole or partial exemptions for insurance businesses. While assessment requirements are included in most of the other state consumer privacy laws, the Proposed Regulations exceed the other states’ requirements in operational and reporting requirements. The cybersecurity audit requirements in the Proposed Regulations are unique to California. Also, only California regulates personal information in business-to-business and human resources contexts, which makes the scope of the Proposed Regulations broader than in other states’ consumer privacy laws.
Assessment requirements under other state consumer privacy laws include:
● Virginia – Assessments are required for processing activities conducted or generated after January 1, 2023.
● Colorado, Connecticut and Florida – Assessments are required for processing activities conducted or generated after July 1, 2023. (The Colorado consumer privacy law prescribes detailed requirements on how to conduct and document assessments.)
● New Hampshire, Oregon, Tennessee[2] and Texas – Assessments are required for processing activities created or generated after July 1, 2024.
● Montana – Assessments are required for processing activities that occur on or after January 1, 2025.
● Nebraska – Assessments are required as of the effective date of the law, January 1, 2025.
● New Jersey – Assessments are required for processing activities that involve personal information acquired on or after January 15, 2025.
● Delaware – Assessments are required for processing activities conducted or generated on or after July 1, 2025.
● Minnesota – Assessments are required as of the effective date of the law, July 31, 2025.
● Maryland – Assessments are required for processing activities that occur on or after October 1, 2025.
● Indiana – Assessments are required for processing activities created or generated after December 31, 2025.
● Rhode Island – Assessments are required for processing activities that occur on or after January 1, 2026.
● Kentucky – Assessments are required for processing activities created or generated on or after June 1, 2026.
Despite some material differences, the Proposed Regulations are similar to the assessment requirements in the Colorado Privacy Act; other state consumer privacy laws do not have assessment requirements of comparable detail. Businesses may wish to consider the assessment requirements in the California or Colorado consumer privacy laws – or even the European Data Protection Board guidelines under GDPR (which seem to have influenced Colorado and California) – as benchmarks.
REQUIREMENTS THAT APPLY AS OF THE EFFECTIVE DATE
Notice of Use of ADMT
● A business must provide a “Pre-use Notice” before the business processes a consumer’s personal information: (1) using ADMT for a “significant decision” (§ 7200(a)(1)) or for “extensive profiling” (§ 7200(a)(2)), or (2) for training uses of ADMT that is capable of use (a) for a significant decision, (b) to establish individual identity, (c) for physical or biological identification or profiling, or (d) for the generation of a “deepfake.” § 7220(a)(3).
● A business that uses ADMT to make a significant decision adverse to a consumer must provide the consumer with notice of the consumer’s “right to access ADMT” (§ 7001(vv)) as soon as feasibly possible but no later than 15 business days after the date of the adverse significant decision. § 7222(k).
Request to Opt-Out of ADMT
● If a consumer submits a “request to opt-out of ADMT” before the business has initiated that processing, the business must not initiate the processing. § 7221(m).
● If a consumer submits a request to opt-out of ADMT after the business has initiated that processing, and none of the Opt-out Exceptions (defined below) apply, then the business must cease processing the consumer’s personal information as soon as feasibly possible but no later than 15 business days after the date of receipt of the consumer’s request (which is the same timing as the opt-out of sale/sharing). § 7221(n).
● Opt-Out Exceptions include security, fraud prevention, and safety; certain admission, acceptance, or hiring decisions, assignment of work and compensation decisions, educational profiling, and a method provided by the business for a consumer to appeal the ADMT decision to a qualified human reviewer who has the authority to overturn the decision (among others). § 7221(b).
Request to Access ADMT and Right to Appeal ADMT
● No later than 10 business days after receipt of either a “request to access ADMT” (§ 7001(vv)) or a “request to appeal ADMT” (§ 7001(nn)), a business must confirm receipt of the request. (The request to appeal ADMT applies only if the business is providing the human appeal right instead of the ADMT opt-out right.) § 7021(a).
● No later than 45 calendar days after receipt of the request, a business must respond to a request to access ADMT and a request to appeal ADMT, subject to a 45-calendar-day extension. § 7021(b).
● These timing requirements are the same as for requests to delete, correct and know.
Evaluation and Policy Requirements for Physical or Biological Identification or Profiling
● When a business uses “physical or biological identification or profiling” (PBIP) (§ 7001(gg)) for a significant decision or for extensive profiling, the business must evaluate the PBIP to ensure that the technology works as intended for the business’s proposed use and does not discriminate based on protected classes. § 7201(a)(1).
● The business also must implement policies, procedures and training to ensure that the PBIP works as intended for the business’s proposed use and does not discriminate based on protected classes. § 7201(a)(2).
REQUIREMENTS THAT PHASE IN UP TO 24 MONTHS AFTER THE EFFECTIVE DATE
Cybersecurity Audits
● A business has up to 24 months after the Effective Date to complete its first cybersecurity audit. § 7121(a).
● A cybersecurity audit is required if a business’s processing presents “significant risk to consumers’ security.” § 7120(b).
Risk Assessments
● For any processing activity requiring an assessment that the business initiated prior to the Effective Date and continues after the Effective Date, the business must conduct and document a risk assessment within 24 months after the Effective Date. § 7155(c).
● For processing activities conducted after the Effective Date, a business has 24 months to make its first submission of the risk assessment materials (compliance certificates and assessment summaries) to the CPPA. § 7157(a)(1).
● A risk assessment is required when a business’s processing “presents significant risk to consumers’ privacy.” § 7150(a).
CHECKLIST
The high-level checklist below is for educational purposes to help you prepare for the Proposed Regulations.
I. Automated Decision-making Technology and Related Processing
Consider whether the following apply if the business is engaging in ADMT or PBIP for a significant decision or extensive profiling:
If using ADMT (i) for a significant decision; (ii) for extensive profiling; or (iii) for training uses of ADMT that is capable of being used for a significant decision, to establish individual identity, for PBIP; or for the generation of a deepfake (§ 7200):
Provide consumers with a Pre-use Notice or a consolidated Pre-use Notice (i.e., a Pre-use Notice that addresses the use of ADMT for multiple purposes, or the use of multiple ADMTs) that meets the content requirements of § 7220(b)-(d).
Update the business’s privacy policy to provide consumers the new right to opt-out of ADMT.
If using ADMT for (i) a significant decision or (ii) extensive profiling: Update the business’s privacy policy to provide consumers the notice of the right to access ADMT. If ADMT is used solely for training uses of the ADMT, then the business is not required to respond to a request to access ADMT, but the business still must comply with a consumer’s request to know (per § 7204). § 7222(a).
If providing a right to appeal ADMT to a qualified human reviewer instead of a right to opt-out: Update the business’s privacy policy to provide consumers the right to appeal ADMT. § 7221(b)(2).
Establish procedures to (1) confirm the business’s receipt of a request to access ADMT or request to appeal ADMT within 10 business days after receipt of the request and provide information about how the business will process the request, (2) respond to a request to access or appeal ADMT within 45 calendar days, or 90 calendar days if the business properly extends its response period, and (3) provide all information required by § 7222 to consumers who request to access ADMT, which includes the purpose(s) for using ADMT, outputs of ADMT, how the business used outputs and the logic (i.e., operational details) of the ADMT.
Ensure that the business stops processing a consumer’s personal information for ADMT within 15 business days after the date that the consumer’s request to opt-out is received unless an Opt-out Exception applies. (A business must always provide the right to opt-out for use of ADMT for profiling for behavioral advertising or for training uses of ADMT). § 7221(b)(6).
Conduct the required evaluation of PBIP used for a significant decision or for extensive profiling and implement all required policies, procedures, and training to ensure that the PBIP works as intended for the business’s proposed use and does not discriminate based on protected classes (n.b., this evaluation requirement is different from a risk assessment and is not subject to the 24-month phase-in). § 7201.
Conduct a full risk assessment (see Section II below) if the business uses ADMT for a significant decision or extensive profiling or processes personal information to train ADMT or AI that is “capable of being used” (a) for a significant decision, (b) to establish individual identity, (c) for PBIP, (d) for the generation of a deepfake or (e) for operation of “generative models.” § 7150(b).
II. Risk Assessments
Determine whether a risk assessment is needed because the processing of personal information “presents significant risk to consumers’ privacy” (§ 7150(a) – (b)), which means:
“Selling” or “sharing” personal information
Processing sensitive personal information
Using ADMT for a significant decision
Using ADMT for extensive profiling
Processing personal information to train ADMT or AI for any of the following uses: for a significant decision, PBIP, generation of a deepfake, operation of “generative models,” or to establish individual identity
Conduct and document a risk assessment, within 24 months after the Effective Date, for each processing activity requiring an assessment that is already underway as of the Effective Date and continues after it. § 7155(c).
Ensure that internal and external stakeholders contribute to or review the risk assessment according to their level of involvement with the data processing. § 7151(a).
Ensure that the risk assessment meets all of the relevant content requirements set forth in § 7152, including:
Purpose(s) for processing consumers’ personal information
Categories of personal information, including sensitive personal information, to be processed and other information about the quality of personal information as discussed in § 7152(a)(2)
Operational elements of the data processing, including the seven elements identified in § 7152(a)(3), such as the ADMT’s “built-in” assumptions, limitations, parameters and other elements of the “logic”
Benefits of the data processing to the business, the consumer, other stakeholders and the public, as well as the negative impacts to consumers’ privacy (consider the nine examples provided in § 7152(a)(5))
Safeguards that the business will implement to address the negative impacts to consumers’ privacy, considering the four examples provided in § 7152(a)(6)(A) and specific questions related to use of ADMT in § 7152(a)(6)(B)
Whether the business will initiate the data processing subject to the risk assessment (i.e., do the benefits outweigh the risks as mitigated by the safeguards?)
All contributors to the risk assessment and dates of review and approval
All additional inquiries related to processing to train ADMT or AI, as per § 7153
Within 24 months after the Effective Date (unless an exemption applies), complete each required risk assessment (“first submission”) and submit to the CPPA’s website the first annual certification of conduct and abridged risk assessment (on a form to be provided by the CPPA). § 7157(b).
Prepare to provide the unabridged version of any risk assessment completed under the 24-month phase-in within 10 days after a request from the CPPA or the California Attorney General. § 7157(d).
Review and update each risk assessment at least once every three years or when a material change to the data processing is planned. § 7155.
III. Cybersecurity Audits
Determine if the business’s processing of personal information presents significant risk to consumers’ security and complete a cybersecurity audit if the business (i) derived 50% or more of its revenues in the preceding calendar year from selling or sharing California residents’ personal information, or (ii) in the preceding calendar year, had global gross annual revenue of over US$25 million (as adjusted by the CCPA for inflation) and either (a) processed the personal information of 250,000 or more California residents or households, or (b) processed the sensitive personal information of 50,000 or more California residents. § 7120(b).
Complete a cybersecurity audit using a qualified, objective and independent auditor within 24 months after the Effective Date and annually thereafter. § 7121, § 7122.
Ensure that the cybersecurity audit contains the required content. § 7122(d)-(i), § 7123.
Starting two years after the Effective Date, submit to the CPPA each calendar year a written certification that the business completed a compliant cybersecurity audit. § 7121(a), § 7124(a).
In addition to the compliance steps outlined above, meeting the consumer rights, evaluation and assessment obligations in the Proposed Regulations will also require careful diligence of, and contracting with, technology providers and processors, particularly for recruitment and employment practices, which are the most likely to generate significant decisions and risks; these upcoming requirements remain under the radar of many HR departments.
The authors are grateful for the assistance of Mary Aldrich, Paralegal (New York).
[1] DISCLAIMER — PRIVACY POWERED BY SQUIRE PATTON BOGGS:™ (1) Provided as educational reference material and not legal advice; and (2) There is no attorney-client relationship with Squire Patton Boggs unless a written attorney-client engagement agreement is entered into with Squire Patton Boggs. Use of licensed materials is subject to the terms of the license between the end user and licensor Squire Patton Boggs Services Ireland, Limited, including limiting access and use to the licensee. Consult legal counsel with regard to use of the materials. ©2025 Squire Patton Boggs Services Ireland, Limited. All rights reserved.
While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.
[2] The Tennessee law is effective July 1, 2025, but assessment obligations are for activities commencing July 1, 2024.
FTC Requests Public Comments on Technology Platform Censorship
In one of its first actions after establishing new leadership, the United States Federal Trade Commission has issued a request for public comment “to better understand how technology platforms deny or degrade (such as by ‘demonetizing’ or ‘shadow banning’) users’ access to services based on the content of users’ speech or their political affiliations, including activities that take place outside the platform.” The request for comment is open now and closes on May 21, 2025.
The request, which expressly inquires about policies of platforms including social media, video sharing, ride sharing, event planning, and other internet services, follows an Executive Order (EO) entitled “Restoring Freedom of Speech and Ending Federal Censorship.” The EO responds to concerns that the Biden Administration, during COVID and other political events, allegedly pressured popular internet platforms into suppressing content with which it disagreed. In a June 2024 decision, however, the US Supreme Court rejected a legal claim brought by two states and seven individuals alleging that they were banned from social media platforms due to undue governmental influence.
The FTC’s request seeks to resurrect these claims by soliciting evidence that the platforms implemented either express or tacit political judgments in their decisions to restrict users’ access to certain content. Although it seems quite clear that platforms may implement contractual terms of service banning certain kinds of speech, it would be potentially problematic if those platforms changed the rules midstream by surreptitiously engaging in what is commonly called “shadow banning.” Shadow banning refers to the alleged practice of platforms downgrading or restricting access to putatively controversial posts – often without informing the original poster. This can cause the poster, who thinks their post is “live,” to see reduced engagement or reach, which can negatively impact their business prospects.
The truth is that social media platforms have created a new class of entrepreneurs who are compensated based on how many platform visitors see and engage with their original content. The more controversial the content, the more views it is likely to generate – and in the social media algorithms, this will typically cause the content to be elevated. For example, testimony and evidence in the Sandy Hook parents’ lawsuit against Alex Jones purportedly showed that his revenues increased by about 500% after he aired a show claiming that the Sandy Hook massacre was a hoax.
The platform will sell and place advertising alongside the more engaging content, promising advertisers that this will net greater viewership and, presumably, higher conversion rates. The platforms may compensate high-engagement-achieving posters. When a platform bans (either expressly or silently) their posts, however, this can harm their “business” of creating engagement.
Whether shadow banning actually happens is hard to pinpoint. No platform currently admits that it engages in the practice, even though this might be a less destructive way to handle inflammatory content than outright de-platforming. What the FTC is clearly after here, however, is evidence from the field regarding this practice and the entry of orders that would reverse such policies if they exist. Part 1 consists of gathering evidence – a prerequisite to further action. Part 2 may target the platforms.
The EO and FTC request are likely overzealous in their references to “censorship.” Speech bans that violate the First Amendment are typically governmental, not private. What this request seems to focus on, however, are possibly undisclosed restrictions on speech that are nevertheless imposed upon users without warning – a classic “unfair” practice if they actually contradict the contracts embodied in the terms of service or written platform policies. Thus, the FTC is looking more to fairness in contract implementation than to speech per se. The request for comment is likely to generate substantial interest from disgruntled social media entrepreneurs who believe they were subject to unfair actions by the platforms.
Backwards Down the Number Line: Assessing the State of Alabama’s Medical Cannabis Program Four Years After Its Enactment
Ronald Reagan famously asked voters, on the eve of the 1980 presidential election, to ask themselves whether they were better off than they were four years ago. It was a powerful question that asked Americans to take stock of how they saw their lives at that time versus four years before.
When it occurred to me recently that almost four years have passed since the enactment of Alabama’s medical cannabis program, it took me back. I decided to scroll through the pictures on my phone from the Spring of 2021 – seeing pictures of my family in earlier times with different haircuts and different perspectives on life – and I found myself feeling like the Kodak executives must have felt when Mad Men’s Don Draper (played perhaps in only the way Jon Hamm could play him) first introduced them to The Carousel.
“Nostalgia,” Don said, “literally means ‘the pain from an old wound.’ … It’s delicate, but potent… It takes us to a place where we ache to go.”
So perhaps this is my meditation on nostalgia, through the lens of the Alabama medical cannabis program.
Where Are We Now?
So here we are, four years later. And I ask myself whether Alabama’s medical cannabis program is better off than it was four years ago. The easy answer is, of course, no. After all, not one Alabamian has received legal medical cannabis in that time. How, one could reasonably ask, is that possible?
I’m reminded of the lyrics from the title of this post:
Laughing all these many years
We’ve pushed through hardships, tasted tears
We made a promise one to keep
I can still recite it in my sleep
While many might find it hard to find laughter in what has transpired over these years (unless you have a particularly perverse sense of humor, in which case the author requests the privilege of a beer soon), we have certainly pushed through hardships and likely shed tears. But there are many of us committed to keeping a certain promise, one that I can recite in my sleep: Alabama will provide medical cannabis to patients with qualifying conditions who can benefit from that medicine.
How Did We Get Here?
To determine where we are, we need to know where we came from. Ah, the salad days of 2021. The sky was the limit. Patients were going to finally access medicine they had sought for years. Operators saw opportunities to help (and make a dime at the same time). Lawyers, including the author, were in high demand, and the conversations were cutting edge and exciting. Heady times, indeed.
Alabama became the 36th state to allow cannabis for medical use when Gov. Kay Ivey signed into law the Darren Wesley ‘Ato’ Hall Compassion Act on May 17, 2021. The act established a process through which applicants would compete for a limited number of licenses in the following categories: (1) cultivator; (2) processor; (3) dispensary; and (4) “integrated facility” (which can cultivate, process, transport, and dispense medical cannabis under one license), as well as a to-be-determined number of licenses for secure transporters and testing laboratories. A Medical Cannabis Commission was established to license and regulate the medical cannabis program, with input from the Alabama Department of Agriculture and Industries on cultivation matters.
Many assumed – based on the statutory requirements that the commission accept licenses by September 1, 2022, and that the commission make a decision within 60 days – that licenses would be awarded late that year. Others, including the author, assumed that licenses would be awarded by the commission in early 2023. I’m wrong about things probably every day of my life, but I might not have been more wrong in my life than I was about that assumption.
Rather than require applications to be submitted on September 1, 2022, the AMCC set out a detailed timeline for the application and license awarding processes. The key takeaways:
Applicants could “request” a “License Application Form” from the commission between September 1 and October 17.
The deadline for submitting applications was December 30.
The commission intended to issue licenses on July 10, 2023.
All 94 applicants who submitted an application by the December 30, 2022, deadline received a deficiency notice of some kind, and applicants were provided an opportunity to cure those deficiencies. The University of South Alabama was assigned the responsibility of leading the efforts to grade the applications.
On June 12, the AMCC announced its intent to issue 21 licenses to cultivators, processors, dispensaries, secured transporters, laboratory testing facilities, and integrated facilities.
In a shocking development, only four days later, the Alabama Medical Cannabis Commission voted to stay all proceedings related to the current offering of medical cannabis business licenses. The stay was issued because of the commission’s discovery of potential inconsistencies in the tabulation of scoring data and the commission’s need for additional time to seek an independent review of all scoring data.
In August 2023, the AMCC announced new awards. The results were largely the same as the June 12 awards, but they differed in a couple of ways. First, three additional cultivation licenses were awarded and one of the secure transportation licenses that received an award in June was not awarded a license in August. Second, there was a significant change in the integrated facility category: Verano Alabama, which scored highest in the University of South Alabama’s grading in both June and August, was removed from the list of awardees, replaced by INSA Alabama, which finished seventh in the August scoring but was nevertheless awarded an integrated license.
Care to guess what happened next? Yep, lawsuits. I probably qualify for medical cannabis based on the PTSD I experienced during this period, but I’ll summarize:
Many applicants argued that the AMCC violated the Open Meetings Act when it retired to executive session and engaged, according to the challengers, in improper deliberations and a secret ballot in violation of Alabama law. The logic of the balloting is fairly straightforward. Challengers point out that (1) there must have been deliberations about the applicants in order to lead to the changes in the scoring, particularly in the integrated facility category, and (2) the “nominating” process essentially ensured that the nominations made in executive session would dictate the award of licenses because those receiving the most nominations were essentially ensured of receiving the most votes and the voting stopped before other applicants were considered. The AMCC denies that deliberations occurred and points to the fact that commissioners could have changed their nominations at any point, including before submitting the nominations to AMCC staff in public session.
Applicants have also argued that the process by which the AMCC adopted its rules, regulations, and decisions violated the Alabama Administrative Procedure Act. These claims go to the heart of the entire licensing process and, if successful, according to challengers, call for the process to essentially begin again. Several other applicants have raised challenges to the manner in which applications were scored and to whether the AMCC requirement that dissatisfied applicants pay the entire license fee (ranging from $30,000 to $50,000) in order to seek an administrative appeal of the AMCC’s decision violates due process.
Verano Alabama has argued that the AMCC lacked the authority to stay its June 12 awarding of licenses and that it should be awarded a license. In prior hearings the court has expressed skepticism about this argument, but it remains a live issue.
As these lawsuits were filed, the court held a number of hearings. At each opportunity, the court expressed its strong preference that the AMCC work with challengers to find a path forward that would allow for the awarding and issuance of licenses. The court concluded that the applicants had established a prima facie case that the commission had violated the Open Meetings Act and stated that it would enter a temporary restraining order preventing the issuance of licenses while the court conducted an evidentiary hearing on the alleged violations of the act.
In October 2023, in an effort to turn things around (and avoid more litigation), the AMCC adopted new regulations and changes to existing regulations:
An emergency rule creating additional application procedures;
An almost-identical permanent rule that is due for public comment; and
A set of technical changes to current rules.
The new rules created new procedures for:
Re-submitting any exhibits that existed on December 30, 2022, but which were adversely affected by the 10-megabyte file size limit on portal submissions;
Reducing the amount of material that is redacted in each application and opening the applications for additional public comment;
Any applicant who failed a pass/fail item to show cause why they should not have their application rejected;
Applicants to present their application to the AMCC and advocate for themselves in person;
Disclosing certain scoring and grading information; and
Considering, voting on, and awarding licenses in an open meeting, which the public can attend.
Finally, it seemed, we came to an end game as 2023 neared its close. We detailed the complex process – which was the result of a mediated settlement among some, but not all, litigants in the Montgomery County case – here, but the gist was that applicants would each have the opportunity to plead their case in an open hearing of the AMCC, and the AMCC would render its decision shortly thereafter.
Those hearings occurred and the AMCC awarded a third round of licenses. And everyone lived happily ever after, right? Not so fast my friend. Almost immediately, the court enjoined the issuance of dispensary and integrated licenses.
Those injunctions remain in place today, more than a year later. Applicants, advocates, and other stakeholders have been stuck in a sort of limbo since the final week of 2023. I can’t believe what I just wrote and how many lives have been impacted in the meantime. What a mess.
So Now What?
It’s hard not to become cynical observing this process play out. To pull from another Phish song:
The packaging begins to break
And all the points I tried to make
Are tossed with thoughts into a bin
Time leaks out, my life leaks in
But, as I have written recently, I believe that we have made progress – painfully slow and halting to be sure – and may well be on the precipice of getting this program off the ground:
But somehow in the face of years of advising clients and potential patients going through the hell that can be waiting on lawmakers, regulators, and courts to get a medical cannabis program off the ground, I became an optimist. At first, I’m sure it was little more than putting on a brave face for disappointed, frustrated, and even angry folks wondering why they couldn’t simply get resolution to their dreams. Perhaps this was the “fake it ‘til you make it” phase of my journey, but over time I actually became optimistic that Alabama would be able to launch a medical cannabis program that could provide relief to Alabamians so desperate for a different kind of therapy for what ails them.
Conclusion
I asked for a crystal ball for Christmas, but instead I got a bunch of quarter-zip sweaters (not the most perfect styling for a self-professed cannabis lawyer), so I can’t promise you what is going to happen. What I can promise you is that, while there are certainly those who seem committed to watching the whole structure burn down if they aren’t awarded a license, there are more on the side of making this work. More people looking to the court system – and particularly the appellate courts giving direction to the trial court – to bring some closure to this process. I remain optimistic this is the path forward.
If we can do that, we can stand up a medical cannabis program with integrity, decency, and empathy that Alabama can be proud of. Wouldn’t that be nice? That is a place where I ache to go.
U.S. Shifts AI Policy, Calls for AI Action Plan
Highlights
The U.S.’s cautious approach to AI policy and regulation is signaled by its declining to enter a foreign agreement and its withdrawal of a previous framework
A new request for information seeks broad input from industry, academia, governmental, and other stakeholders
The U.S. has taken significant steps to reshape its artificial intelligence (AI) policy landscape. On Jan. 20, 2025, the administration issued an order revoking Executive Order 14110, originally signed on Oct. 30, 2023. This decision marks a substantial shift in AI governance and regulatory approaches. On Feb. 6, 2025, the government issued a request for information (RFI) from a wide variety of industries and stakeholders to solicit input on the development of a comprehensive AI Action Plan that will guide future AI policy.
As part of this initiative, the government is actively seeking input from academia, industry groups, private-sector organizations, and state, local, and tribal governments. These stakeholders are encouraged to share their insights on priority actions and policy directions that should be considered for the AI Action Plan. Interested parties must submit their responses by 11:59 p.m. ET on March 15, 2025.
Executive Order 14110 was designed to establish a broad regulatory framework for AI, emphasizing transparency, accountability, and risk mitigation. The revoked order required organizations engaged in AI development to adhere to specific reporting obligations and public disclosure mandates. The order affected a wide range of stakeholders, including technology companies, AI developers, and data center operators, all of whom had to align with the prescribed compliance measures. With the Jan. 23 Executive Order 14179, organizations must now reassess their compliance obligations and prepare for potential new frameworks that could take the place of the previous Executive Order 14110.
However, given the RFI, there is an opportunity to participate in the formation of new AI policies and regulations. The new order and the RFI seek input into AI policies and regulations directed towards maintaining U.S. prominence in AI development. Consequently, potentially burdensome requirements seem unlikely to emerge in the near term.
On the international front, the U.S. administration’s decision not to sign the AI Safety Declaration at the recent AI Action Summit in Paris further avoids potential international barriers to AI development in the U.S. This, together with the issuance of the RFI, seems to signal caution in development of an AI Action Plan that will drive policy through stakeholder engagement and regulatory adjustments.
The AI Action Plan is intended to establish strategic priorities and regulatory guidance for AI development and deployment. It aims to ensure AI safety, foster innovation, and address key security and privacy concerns. The scope of the plan is expected to be broad, covering topics such as AI hardware and chips, data centers, and energy efficiency.
Additional considerations will include AI model development, open-source collaboration, and application governance, as well as explainability, cybersecurity, and AI model assurance. Data privacy and security throughout the AI lifecycle will also be central to discussions, alongside considerations related to AI-related risks, regulatory governance, and national security. Other focal areas include research and development, workforce education, intellectual property protection, and competition policies.
Takeaways
Given these policy indications, organizations should take proactive steps to adapt to, and potentially contribute to, the evolving AI regulatory landscape. It is essential for businesses to remain aware of policy developments and to engage in the opportunities to help shape forthcoming AI policies. Furthermore, monitoring international AI governance trends will be crucial, as these developments may affect AI operations within the U.S.