US Surgeon General Advises on Link Between Alcohol and Cancer, Recommends Cancer Warnings on Alcohol Labels

On January 3, the US Surgeon General issued an advisory on the association between alcohol and the risk of cancer.
The advisory outlines current scientific literature and concludes that alcohol consumption is the third leading preventable cause of cancer in the United States. Among other things, the advisory recommends updating the “Government Warning” statement on alcohol beverage labels to warn consumers about the cancer risk.
Potential Changes to Mandatory Government Warning
Since 1988, federal law has required a “Government Warning” statement on every alcoholic beverage sold in the United States. Under existing law, the Government Warning must state that (1) pregnant women should not drink alcohol because of the risk of birth defects and (2) that alcohol may impair one’s ability to drive a car, operate machinery, and could cause health problems. It is also subject to strict formatting and placement requirements.
If enacted, the Surgeon General’s recommendation would require alcohol beverage suppliers to update the Government Warning statement for the first time since the statement became mandatory nearly four decades ago. Nonetheless, only Congress has the power to update existing federal law to require alcohol labels to warn of the risk of cancer. Therefore, alcohol beverage companies should continue to closely monitor congressional action for potential changes to the mandatory governmental warning.
Globally, the advisory notes that there are currently 47 countries that require alcohol warning labels related to health and safety. Of those, South Korea currently requires a cancer-specific warning, and Ireland will require the following cancer warning starting in 2026: “There is a direct link between alcohol and fatal cancers.”
Conclusion
While it would take an act of Congress to change the current mandatory Government Warning statement on alcohol beverage labels, the Surgeon General’s advisory is likely to increase scrutiny on the potential links between alcohol consumption and cancer risk. Additionally, this advisory may signal new regulatory requirements for alcohol beverage suppliers in the future.

HUD’s Proposed ORCA Program – A New Option for Earlier Mortgagee Reimbursement

On December 19, 2024, the Federal Housing Administration (FHA) and the U.S. Department of Housing and Urban Development (HUD) published a draft Mortgagee Letter proposing a new Optional Reimbursement Claim Alternative (ORCA) program. ORCA is intended to allow mortgagees to seek reimbursement for property tax and insurance payments the mortgagee advances on behalf of forward mortgage borrowers before the final claim payment.
Overview of ORCA
As outlined in the draft Mortgagee Letter, ORCA enables mortgagees to file early claims for reimbursement of advances made toward property taxes, hazard insurance, and flood insurance on defaulted forward mortgages. Currently, these costs are reimbursed only after the final resolution of a claim to HUD, meaning mortgagees are required to incur significant upfront costs for an uncertain period of time. The draft Mortgagee Letter recognizes that in the current higher interest rate environment these upfront costs are potentially exacerbating mortgagee liquidity issues.
If enacted, ORCA will allow mortgagees to make multiple claims during a single default episode. The term “single default episode” is not defined, but given FHA’s definition of “default,” a “single default episode” would likely encompass the period in which a borrower is at least 30 days delinquent under the mortgage until the borrower cures the delinquency. For a single default episode, mortgagees can claim up to 48 months of payments for eligible expenses, provided they meet the following eligibility requirements:

All property taxes and insurance obligations are paid before the due date;
The escrow funds intended for these expenses “were exhausted and were inadequate to meet these obligations;”
The delinquency/default code accurately reflects that the relevant mortgage has been in default for at least six months; and
The maximum allowable ORCA claims have not already been filed for a particular default.

In addition to the eligibility requirements above, mortgagees should be aware that initial ORCA claims can be submitted six months from the initial date of default, with subsequent claims allowed “no less than six months from the date the previous ORCA was filed.” Additionally, mortgagees will be required to maintain copies of all ORCA claims, as well as detailed servicing and transaction histories supporting the amounts claimed. Mortgagees should be sure to review the draft Mortgagee Letter to get a better understanding of the detailed proposed changes to the FHA Single Family Housing Policy Handbook related to the implementation of the ORCA program.
Takeaways
ORCA appears to offer mortgagees a positive new avenue for FHA claims that will likely ease liquidity pressures during the mortgage servicing process. By facilitating earlier reimbursement, HUD seems to recognize the need to mitigate the financial burdens mortgagees face and better position them to effectively service FHA mortgages. In light of the potential impact ORCA could have, we encourage mortgagees and other industry participants to review the draft Mortgagee Letter announcement and to provide feedback by the response deadline of March 3, 2025.

5 Trends to Watch: 2025 U.S. Data Privacy & Cybersecurity

Even More States Join the Party — By the end of 2024, almost half of all U.S. states had enacted modern data privacy legislation. That trend will likely continue, particularly since a national data privacy statute may not be a top priority for the incoming administration.
It’s Time for State Enforcement — Several states have begun “staffing up” with the goal of bringing more data privacy enforcement in 2025, and some no longer have mandatory cure periods. Putting aside California, early indications are that Texas and Connecticut may take the lead among the states in enforcement activity.
It’s All About the Servers — Advertising technology’s transition from browser-side tracking technologies (cookies) to server-side tracking technologies (application programming interfaces or APIs) slowed in 2024. Nonetheless, the transition to server-side technologies continues; we may see it become the dominant medium for tracking in 2025 as organizations continue to work on aligning their digital advertising practices with applicable privacy laws.
Sensitive Data Is Everywhere — Regulators and plaintiffs continue to focus their attention on the collection, use, and sharing of sensitive data types. That trend is expected to continue in 2025 with continued focus on companies that use or share geolocation or health information.
Focus on Data Protection Impact Assessments (DPIAs) — The first states started requiring DPIAs two years ago, but regulators were initially reluctant to demand that companies produce them. That has changed: state regulators have started requesting DPIAs and will continue requesting that companies produce them for data-processing activities that require one, such as targeted advertising.

DOJ Finalizes Rule Implementing EO 14117, Establishing New National Security Cross-Border Data Regulatory Regime

On December 27, 2024, the U.S. Department of Justice (“DOJ”) issued a final rule (“Final Rule”) implementing Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern) (“EO 14117”), which was published in the Federal Register on January 8, 2025. The Rule will go into effect on April 8, 2025, with the exception of certain due diligence, audit and reporting obligations that will become effective on October 5, 2025. The program is intended to address the threat of foreign powers and state-sponsored threat actors using Americans’ sensitive personal data for malicious purposes, including intelligence collection, cyber attacks, repression and intimidation, and economic espionage.
The substance of the Final Rule is largely similar to the Notice of Proposed Rulemaking, which we covered in our previous post. As discussed in that post, the Final Rule establishes a new regulatory regime that either prohibits or restricts “covered data transactions,” which are certain transactions―namely, data brokerage, employment agreements, investment agreements and vendor agreements―that could result in access to bulk U.S. sensitive personal data or government-related data (1) by a “country of concern” (i.e., China, Cuba, Iran, North Korea, Russia and Venezuela) or (2) a “covered person.” The term “covered persons” is defined broadly to include, for example, entities with 50% or more ownership by a country of concern, entities that are organized or chartered under the laws of, or have their principal place of business in, a country of concern, and a foreign person that is an employee or contractor of an entity described above or a primary resident of a country of concern.
The two general categories of data regulated by the Final Rule are defined as follows:

“U.S. sensitive personal data” means precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data, certain “covered personal identifiers” (i.e., certain combinations of “listed identifiers,” such as government-issued identification numbers, device-based or hardware-based identifiers, demographic or contact data, and advertising identifiers), or any combination thereof.

The Rule applies only to certain “bulk” thresholds of U.S. sensitive personal data, and those thresholds differ depending on the type of U.S. sensitive personal data at issue. For example, for precise geolocation data, the Rule applies if a covered data transaction results in access to such information of over 1,000 U.S. persons or devices by a country of concern or covered person. In contrast, for personal financial data or personal health data, the threshold is higher (i.e., more than 10,000 U.S. persons). The table below provides the relevant “bulk” threshold for each category of U.S. sensitive personal data.

“Government-related data” means any precise geolocation data, regardless of volume, for any location within any area enumerated on the “Government-Related Location Data List” or any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former U.S. government employees or contractors, or former U.S. government senior officials.

The Rule prohibits U.S. persons from engaging in certain types of covered data transactions, most importantly, covered data transactions involving (1) data brokerage or (2) bulk human ’omic data. All other covered data transactions are “restricted,” meaning that U.S. persons must comply with certain compliance requirements before engaging in such transactions, including cybersecurity requirements published on January 8, 2025, by the Cybersecurity and Infrastructure Security Agency, data compliance program requirements, annual audits and recordkeeping requirements.
As noted above, the DOJ largely declined to make significant revisions to the preliminary version of the Rule in response to input received during the recent notice and comment period. That said, the Final Rule does include certain clarifying changes and provides additional commentary. For example, the DOJ made adjustments to certain key definitions, clarified that the Final Rule applies prospectively to transactions engaged in on or after the effective date, even if the underlying agreements existed prior to the rule, and added three types of human ‘omic data to the definition of U.S. sensitive personal data (the preliminary version of the Rule already covered genomic data).
The DOJ plans to release further guidance on the Final Rule, engage with industry and other stakeholders as the program goes into effect, and publish information related to voluntary self-disclosure, advisory opinions and approval processes for otherwise prohibited or restricted transactions. In the meantime, companies should assess their readiness for the rapidly approaching enforcement date in April.

Legislative Update: 119th Congress Outlook on AI Policy

House Looks To Rep. Obernolte to Take Lead on AI
Representative Jay Obernolte (R-Calif.) has emerged as a pivotal figure in shaping the United States’ legislative response to artificial intelligence (AI). With a rare combination of technical expertise and political acumen, Obernolte’s leadership is poised to influence how Congress navigates both the opportunities and risks associated with AI technologies.
AI Expertise and Early Influence
Obernolte’s extensive background in AI distinguishes him among his congressional peers. Holding a graduate degree in AI and decades of experience as a technology entrepreneur, he brings firsthand knowledge to the legislative arena.
As the chair of a bipartisan House AI task force, Obernolte spearheaded the creation of a comprehensive roadmap addressing AI’s societal, economic, and national security implications. The collaborative environment he fostered, eschewing traditional seniority-based hierarchies, encouraged open dialogue and thoughtful debate among members. Co-chair Rep. Ted Lieu (D-Calif.) and other task force participants praised Obernolte’s inclusive approach to consensus building.
Legislative Priorities and Policy Recommendations
Obernolte’s leadership produced a robust policy framework encompassing:

Expanding AI Resource Accessibility: Advocating for broader access to AI tools for academic researchers and entrepreneurs to prevent monopolization of research by private companies.
Combatting Deepfake Harms: Supporting legislative efforts to address non-consensual explicit deepfakes, a growing issue affecting young people nationwide. Notably, he backed H.R. 5077 and H.R. 7569, which are expected to resurface in the 119th Congress.
Balancing Regulation and Innovation: Striving to create a regulatory environment that protects the public while fostering AI innovation.
National Data Privacy Standards: Advocating for comprehensive data privacy legislation to safeguard consumer information.
Advancing Quantum Computing: Supporting initiatives to enhance quantum technology development.

Maintaining Bipartisanship
Obernolte emphasizes the importance of bipartisan collaboration, a principle he upholds through relationship-building initiatives, including informal gatherings with task force members. His bipartisan approach is vital in developing durable AI regulations that endure beyond shifting political majorities. Speaker Mike Johnson (R-La.) recognized Obernolte’s ability to bridge divides, entrusting him with the leadership role.
Obernolte acknowledges the difficulty of balancing immediate GOP priorities, such as confirming Cabinet appointments and advancing tax reform, with the urgent need for AI governance. His strategy involves convincing leadership that AI policy proposals are well-reasoned and broadly supported.
Senate Republicans 119th Roadmap on AI
As the 119th Congress convenes under Republican leadership, Senate Republicans are expected to approach artificial intelligence (AI) legislation with a focus on fostering innovation while exercising caution regarding regulatory measures. This perspective aligns with the broader GOP emphasis on minimal government intervention in technology sectors.
Legislative Landscape and Priorities
During the 118th Congress, the Senate Bipartisan AI Working Group, which included Republican Senators Mike Rounds (R-S.D.) and Todd Young (R-Ind.), released a policy roadmap titled “Driving U.S. Innovation in Artificial Intelligence.” This document outlined strategies to promote AI development, address national security concerns, and consider ethical implications.
In the 119th Congress, Senate Republicans are anticipated to prioritize:

Promoting Innovation: Advocating for policies that support AI research and development to maintain the United States’ competitive edge in technology.
National Security: Focusing on the implications of AI in defense and security, ensuring that advancements do not compromise national safety.
Economic Growth: Encouraging the integration of AI in various industries to stimulate economic development and job creation.

Regulatory Approach
Senate Republicans generally favor a cautious approach to AI regulation, aiming to avoid stifling innovation. There is a preference for industry self-regulation and the development of ethical guidelines without extensive government mandates. This stance reflects concerns that premature or overly restrictive regulations could hinder technological progress and economic benefits associated with AI.
Bipartisan Considerations
While Republicans hold the majority, bipartisan collaboration remains essential for passing comprehensive AI legislation. Areas such as national security and economic competitiveness may serve as common ground for bipartisan efforts. However, topics like AI’s role in misinformation and election integrity could present challenges due to differing party perspectives on regulation and free speech.
Conclusion
In both the House and Senate, Republicans are approaching AI legislation with a focus on fostering innovation, enhancing national security, and promoting economic growth. Their preference leans toward industry self-regulation and minimal government intervention to avoid stifling innovation. Areas like national security offer potential bipartisan common ground, though debates around misinformation and election integrity may highlight partisan divides.
With House and Senate Republicans already working on a likely massive reconciliation package focused on top Republican priorities including tax, border security, and energy, AI advocates will be hard pressed to ensure their legislative goals find space in the final text.

The BR Privacy & Security Download: January 2025

Must Read! The U.S. Department of Health and Human Services Office for Civil Rights recently proposed an amendment to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule to strengthen cybersecurity protections for electronic protected health information. Read the full alert to learn more about the first significant update to HIPAA’s Security Rule in over a decade.

STATE & LOCAL LAWS & REGULATIONS
Five New State Comprehensive Privacy Laws Effective in January with Three More to Follow in 2025: With the start of the new year, five new state comprehensive privacy laws have become effective. The comprehensive privacy laws of Delaware, Iowa, Nebraska, and New Hampshire became effective on January 1, 2025, and New Jersey’s law will come into effect on January 15, 2025. Tennessee, Minnesota, and Maryland will follow suit and take effect on July 1, 2025, July 31, 2025, and October 1, 2025, respectively. Companies should review their privacy compliance programs to identify potential compliance gaps with differences in the increasing patchwork of state laws.
Colorado Adopts Amendments to CPA Rules: The Colorado Attorney General announced the adoption of amendments to the Colorado Privacy Act (“CPA”) rules. The rules will become effective on January 30, 2025. The rules provide enhanced protections for the processing of biometric data as well as the processing of the online activities of minors. Specifically, companies must develop and implement a written biometric data policy, implement appropriate security measures regarding biometric data, provide notice of the collection and processing of biometric data, obtain employee consent for the processing of biometric data, and provide a right of access to such data. In the context of minors, the amendment requires that entities obtain consent prior to using any system design feature designed to significantly increase the use of an online service by a known minor and update their Data Protection Assessments to address processing that presents heightened risks to minors. Entities already subject to the CPA should carefully review whether they may have heightened obligations for the processing of employee biometric data, a category of data previously exempt from the scope of the CPA.
CPPA Announces Increased Fines and Penalties Under CCPA: The California Privacy Protection Agency (“CPPA”), the enforcement authority of the California Consumer Privacy Act (“CCPA”), has adjusted the fines and monetary thresholds of the CCPA. Under the CCPA, in January of every odd-numbered year, the CPPA must make this adjustment to account for changes in the Consumer Price Index. The CPPA has increased the monetary thresholds of the CCPA from $25,000,000 to $26,625,000. The CPPA also increased the range of monetary damages from between $100 to $750 per consumer per incident or actual damages (whichever is greater) to $107 to $799. The range of civil penalties and administrative fine amounts further increased from $2,500 for each violation of the CCPA or $7,500 for each intentional violation and violations involving the personal information of children under 16 to $2,663 and $7,988, respectively. The new amounts went into effect on January 1, 2025.
Connecticut State Senator Previews Proposed Legislation to Update State’s Comprehensive Privacy Law: Connecticut State Senator James Maroney (D) has announced that he is drafting a proposed update to the Connecticut Privacy Act that would expand its scope, provide enhanced data subject rights, include artificial intelligence (“AI”) provisions, and potentially eliminate certain exemptions currently available under the Act. Senator Maroney expects that the proposed bill could receive a hearing by late January or early February. Although Maroney has not published a draft, he indicated that the draft would likely (1) reduce the compliance threshold from the processing of the personal data of 100,000 consumers to 35,000 consumers; (2) include AI anti-discrimination measures, potentially in line with recent anti-discrimination requirements in California and Colorado; (3) expand the definition of sensitive data to include religious beliefs and ethnic origin, in line with other state laws; (4) expand the right to access personal data under the law to include a right to access a list of third parties to whom personal data was disclosed, mirroring similar rights in Delaware, Maryland, and Oregon; and (5) potentially eliminate or curtail categorical exemptions under the law, such as that for financial institutions subject to the Gramm-Leach-Bliley Act.
CPPA Endorses Browser Opt-Out Law: The CPPA’s board voted to sponsor a legislative proposal that would make it easier for California residents to exercise their right to opt out of the sale of personal information and the sharing of personal information for cross-context behavioral advertising purposes. Last year, Governor Newsom vetoed legislation with the same requirements. Like last year’s vetoed legislation, the legislative proposal sponsored by the CPPA requires browser vendors to include a feature that allows users to exercise their opt-out right through opt-out preference signals. Under the CCPA, businesses are required to honor opt-out preference signals as valid opt-out requests. Opt-out preference signals allow a consumer to exercise their opt-out right with all businesses they interact with online without having to make individualized requests to each business. If the proposal is adopted, California would be the first state to require browser vendors to offer consumers the option to enable these signals. Six other states (Colorado, Connecticut, Delaware, Montana, Oregon, and Texas) require businesses to honor browser privacy signals as an opt-out request.

FEDERAL LAWS & REGULATIONS
HHS Proposes Updates to HIPAA Security Rule: The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued a Notice of Proposed Rulemaking (“NPRM”) to amend the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule to strengthen cybersecurity protections for electronic protected health information (“ePHI”). The NPRM proposes the first significant updates to HIPAA’s Security Rule in over a decade. The NPRM makes a number of updates to the administrative, physical, and technical safeguards specified by the Security Rule, removes the distinction between “required” and “addressable” implementation specifications, and makes all implementation specifications “required” with specific, limited exceptions. 
Trump Selects Andrew Ferguson as New FTC Chair: President-elect Donald Trump has selected current Federal Trade Commission (“FTC”) Commissioner Andrew Ferguson to replace Lina Khan as the new FTC Chair. Ferguson is one of two Republicans among the five FTC Commissioners and has been a Commissioner since April of 2024. Prior to becoming an FTC Commissioner, Ferguson served as Virginia’s solicitor general. During his time as an FTC Commissioner, Ferguson dissented from several of Khan’s rulemaking efforts, including a ban on non-compete clauses in employment contracts. Separately, Trump also selected Mark Meador to be an FTC Commissioner. Once Meador is confirmed, giving the FTC a Republican majority, a Republican-led FTC under Ferguson may deprioritize rulemaking and enforcement efforts relating to privacy and AI. In a leaked memo first reported by Punchbowl News, Ferguson wrote to Trump that, under his leadership, the FTC would “stop abusing FTC enforcement authorities as a substitute for comprehensive privacy legislation” and “end the FTC’s attempt to become an AI regulator.”
FERC Updates and Consolidates Cybersecurity Requirements for Gas Pipelines: The U.S. Federal Energy Regulatory Commission (“FERC”) has issued a final rule to update and consolidate cybersecurity requirements for interstate natural gas pipelines. Effective February 7, 2025, the rule adopts Version 4.0 of the Standards for Business Practices of Interstate Natural Gas Pipelines, as approved by the North American Energy Standards Board (“NAESB”). This update aims to enhance the efficiency, reliability, and cybersecurity of the natural gas industry. The new standards consolidate existing cybersecurity protocols into a single manual, streamlining processes and strengthening protections against cyber threats. This consolidation is expected to make it easier and faster to revise cybersecurity standards in response to evolving threats. The rule also aligns with broader U.S. government efforts to prioritize cybersecurity across critical infrastructure sectors. Compliance filings are required by February 3, 2025, and the standards must be fully adhered to by August 1, 2025.
House Taskforce on AI Delivers Report to Address AI Advancements: The House Bipartisan Task Force on Artificial Intelligence (the “Task Force”) submitted its comprehensive report to Speaker Mike Johnson and Democratic Leader Hakeem Jeffries. The Task Force was created to ensure America’s continued global leadership in AI innovation with appropriate safeguards. The report advocates for a sectoral regulatory structure and an incremental approach to AI policy, ensuring that humans remain central to decision-making processes. The report provides a blueprint for future Congressional action to address advancements in AI and articulates guiding principles for AI adoption, innovation, and governance in the United States. Key areas covered in the report include government use of AI, federal preemption of state AI law, data privacy, national security, research and development, civil rights and liberties, education and workforce development, intellectual property, and content authenticity. The report aims to serve as a roadmap for Congressional action, addressing the potential of AI while mitigating its risks.
CFPB Proposes Rule to Restrict Sale of Sensitive Data: The Consumer Financial Protection Bureau (“CFPB”) proposed a rule that would require data brokers to comply with the Fair Credit Reporting Act (“FCRA”) when selling income and certain other consumer financial data. CFPB Director Rohit Chopra stated the new proposed rule seeks to limit “widespread evasion” of the FCRA by data brokers when selling sensitive personal and financial information of consumers. Under the proposed rule, data brokers could sell financial data only for permissible purposes under the FCRA, including checking on loan applications and fraud prevention. The proposed rule would also limit the sale of personally identifying information known as credit header data, which can include basic demographic details, including names, ages, addresses, and phone contacts.
FTC Issues Technology Blog on Mitigating Security Risks through Data Management, Software Development and Product Design: The Federal Trade Commission (“FTC”) published a blog post identifying measures that companies can take to limit the risks of data breaches. These measures relate to security in data management, security in software development, and security in product design for humans. The FTC emphasizes comprehensive governance measures for data management, including (1) enforcing mandated data retention schedules; (2) mandating data deletion in accordance with these schedules; (3) controlling third-party data sharing; and (4) encrypting sensitive data both in transit and at rest. In the context of security in software development, the FTC identified (1) building products using memory-safe programming languages; (2) rigorous testing, including penetration and vulnerability testing; and (3) securing external product access to prevent unauthorized remote intrusions as key security measures. Finally, in the context of security in product design for humans, the FTC identified (1) enforcing least privilege access controls; (2) requiring phishing-resistant multifactor authentication; and (3) designing products and services without the use of dark patterns to reduce the over-collection of data. The blog post contains specific links to recent FTC enforcement actions specifically addressing each of these issues, providing users with insight into how the FTC has addressed these issues in the past. Companies reviewing their security and privacy governance programs should ensure that they consider these key issues.

U.S. LITIGATION
Texas District Court Prevents HHS from Enforcing Reproductive Health Privacy Rule Against Doctor: The U.S. District Court for the Northern District of Texas ruled that a Texas doctor is likely to prevail on her claim that HHS exceeded its statutory authority when it adopted an amendment to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule that protects reproductive health care information, and enjoined HHS from enforcing the rule against her. The 2024 amendment to the HIPAA Privacy Rule prohibits covered entities from disclosing information that could lead to an investigation or criminal, civil, or administrative liability for seeking, obtaining, providing, or facilitating reproductive health care. The Court stated that the rule likely unlawfully interfered with the plaintiff’s state-law duty to report suspected child abuse, in violation of Congress’s delegation to the agency to enact rules interpreting HIPAA without limiting any law providing for such reporting. The plaintiff argued that, under Texas law, she is obligated to report instances of child abuse within 48 hours, and that relevant requests from Texas regulatory authorities demand the full, unredacted patient chart, which for female patients includes information about menstrual periods, number of pregnancies, and other reproductive health information.
Attorneys General Oppose Clearview AI Biometric Data Privacy Settlement: A proposed settlement in the Clearview AI Illinois Biometric Information Privacy Act (“BIPA”) litigation is facing opposition from 22 states and the District of Columbia. The Attorneys General of each state argue that the settlement, which received preliminary approval in June 2024, lacks meaningful injunctive relief and offers an unusual financial stake in Clearview AI to plaintiffs. The settlement would grant the class of consumers a 23 percent stake in Clearview AI, potentially worth $52 million, based on a September 2023 valuation. Alternatively, the class could opt for 17 percent of the company’s revenue through September 2027. The AGs contend the settlement doesn’t adequately address consumer privacy concerns and the proposed 39 percent attorney fee award is excessive. Clearview AI has filed a motion to dismiss the states’ opposition, arguing it was submitted after the deadline for objections. A judge will consider granting final approval for the settlement at a hearing scheduled on January 30, 2025.
Federal Court Upholds New Jersey’s Daniel’s Law, Dismissing Free Speech Challenges: A federal judge upheld the constitutionality of New Jersey’s Daniel’s Law, dismissing First Amendment objections raised by data brokers. Enacted following the murder of Daniel Anderl, son of U.S. District Judge Esther Salas, the law permits covered individuals, including active, retired, and former judges, prosecutors, and law enforcement officers and their families, to request the removal of personal details, such as home addresses and unpublished phone numbers, from online platforms. Data brokers that receive such requests must comply within ten (10) business days; penalties for non-compliance include actual damages or a $1,000 fine for each violation, as well as potential punitive damages for willful disregard. Notably, in 2023, Daniel’s Law was amended to allow claims to be assigned to third parties, resulting in over 140 lawsuits filed by a single consumer data protection company, Atlas Data Privacy Corporation. Atlas Data, a New Jersey firm specializing in data deletion, has used Daniel’s Law to challenge data brokers on behalf of around 19,000 individuals. In upholding the law, the court emphasized its role in safeguarding public officials while preserving public oversight. Although the data brokers contended that the law infringed on free speech and unfairly targeted their operations, the court rejected these claims as lacking merit, emphasizing the statute’s relatively narrow scope and the substantial state interest at stake. Although a significant victory for privacy advocates, the ruling is not the last word: the judge permitted an immediate appeal by the data brokers.
GoodRx Settles Class Action Suit Over Alleged Data Sharing Violations: GoodRx has agreed to a $25 million settlement in a class-action lawsuit alleging the company violated privacy laws by sharing users’ sensitive health data with advertisers like Meta Platforms, Google, and Criteo Corp. The settlement, if approved, would resolve a lawsuit filed in February 2023. The lawsuit followed an FTC action alleging that GoodRx shared information about users’ prescriptions and health conditions with advertising companies. GoodRx settled the FTC matter for $1.5 million. The proposed class in the class-action lawsuit is estimated to be in the tens of millions and would give each class member an average recovery ranging from $3.31 to $11.03. The settlement also allows the plaintiffs to use information from GoodRx to pursue their claims against the other defendants, including Meta, Google, and Criteo.
23andMe Data Breach Suit Settlement Approved: A federal judge approved a settlement resolving claims that 23andMe Inc. failed to secure sensitive personal data, resulting in a 2023 data breach. According to 23andMe, a threat actor accessed roughly 14,000 user accounts through credential stuffing (logging in with username and password pairs exposed in breaches of other services and reused on 23andMe), which in turn enabled access to the personal information that approximately 6.9 million users had made available through 23andMe’s DNA Relatives and Family Tree profile features. Under the terms of the $30 million settlement, class members will receive cash compensation and three years of data monitoring services, including genetic monitoring.

U.S. ENFORCEMENT
FTC Takes Action Against Company for Deceptive Claims Regarding Facial Recognition Software: The Federal Trade Commission (“FTC”) announced that it has entered into a settlement with IntelliVision Technologies Corp. (“IntelliVision”), which provides facial recognition software used in home security systems and smart home touch panels. The FTC alleged that IntelliVision’s claims that it had one of the highest accuracy rates on the market, that its software was free of gender or racial bias, and that its software was trained on millions of faces were false or misleading. The FTC further alleged that IntelliVision did not have adequate evidence to support its claim that its anti-spoofing technology ensures the system cannot be tricked by a photo or video image. The proposed order prohibits IntelliVision from misrepresenting the effectiveness, accuracy, or lack of bias of its facial recognition technology and of its spoofing-detection technology, as well as the comparative performance of the technology with respect to individuals of different genders, ethnicities, and skin tones.
FTC Settles Enforcement Actions with Data Brokers for Selling Sensitive Location Data: The FTC announced settlements with data brokers Gravy Analytics Inc. (“Gravy Analytics”) and Mobilewalla, Inc. (“Mobilewalla”) related to the tracking and sale of consumers’ sensitive location data. According to the FTC, Gravy Analytics violated the FTC Act by unfairly selling sensitive consumer location data, by collecting and using consumers’ location data for commercial and government uses without obtaining verifiable user consent, and by selling data regarding sensitive characteristics such as health or medical decisions, political activities, and religious views derived from location data. Under the proposed settlement, Gravy Analytics will be prohibited from selling, disclosing, or using sensitive location data in any product or service, must delete all historical location data and any data products built from it, and must establish a sensitive location data compliance program. Separately, the FTC settled allegations that Mobilewalla collected location data from real-time bidding exchanges and third-party aggregators, including data related to health clinic visits and visits to places of worship, without the knowledge of consumers, and subsequently sold such data. According to the FTC, when Mobilewalla bid to place an ad for its clients on a real-time advertising bidding exchange, it unfairly collected and retained the information in the bid request even when its bid did not win. Under the proposed settlement, Mobilewalla will be prohibited from selling sensitive location data and from collecting consumer data from online advertising auctions for purposes other than participating in those auctions.
Texas Attorney General Issues New Warnings Under State’s Comprehensive Privacy Law: The Texas Attorney General issued warnings to satellite radio broadcaster Sirius XM and three mobile app providers that they appear to be sharing consumers’ sensitive data, including location data, without proper notice or consent. The warning letters were not accompanied by a press release or other public statement and were reported by Recorded Future News, which obtained the notices through a public records request. The letter to Sirius XM stated that the Attorney General’s office found a number of violations of the Texas Data Privacy and Security Act in the Sirius XM privacy notice, including failing to provide reasonably clear notice of the categories of sensitive data being processed and processing sensitive data without appropriate consent. Similar letters sent to the mobile app providers stated that the providers failed to obtain consumer consent for data sharing or to include information on how consumers could exercise their rights under Texas law.
Texas Attorney General Launches Investigations Into 15 Companies for Children’s Privacy Practices: The Texas Attorney General’s office announced it had launched investigations into Character.AI and 14 other companies including Reddit, Instagram, and Discord. The Attorney General’s press release stated that the investigations related to the companies’ privacy and safety practices for minors pursuant to the Securing Children Online through Parental Empowerment (“SCOPE”) Act and the Texas Data Privacy and Security Act (“TDPSA”). Details of the Attorney General’s allegations were not provided in the announcement. The TDPSA requires companies to provide notice and obtain consent to collect and use minors’ personal data. The SCOPE Act prohibits digital service providers from sharing, disclosing, or selling a minor’s personal identifying information without permission from the child’s parent or legal guardian and provides parents with tools to manage privacy settings on their child’s account.
HHS Imposes Penalty Against Medical Provider for Impermissible Access to PHI and Security Rule Violations: The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that it imposed a $1.19 million civil penalty against Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (“GCPC”) for violations of the HIPAA Security Rule arising from a data breach. GCPC’s former contractor had impermissibly accessed GCPC’s electronic medical record system to retrieve protected health information (“PHI”) for use in potentially fraudulent Medicare claims. OCR’s investigation determined that the impermissible access occurred on three occasions, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information. OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including failures to conduct a compliant risk analysis, to implement procedures to regularly review records of activity in information systems, and to terminate former workforce members’ access to electronic PHI.
HHS Settles with Health Care Clearinghouse for HIPAA Security Rule Violations: OCR announced a settlement with Inmediata Health Group, LLC (“Inmediata”), a healthcare clearinghouse, for potential violations of the HIPAA Security Rule, following OCR’s receipt of a 2018 complaint that PHI was accessible on the Internet to search engines such as Google. OCR’s investigation determined that from May 2016 through January 2019, the PHI of 1,565,338 individuals was publicly available online. The PHI disclosed included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnoses/conditions, and other treatment information. OCR’s investigation also identified multiple potential HIPAA Security Rule violations, including failures to conduct a compliant risk analysis and to monitor and review activity in Inmediata’s health information systems. Under the settlement, Inmediata paid OCR $250,000. OCR determined that a corrective action plan was not necessary in this resolution because Inmediata had previously agreed to a settlement with 33 states that included corrective actions addressing OCR’s findings.
New York State Healthcare Provider Settles with Attorney General Regarding Allegations of Cybersecurity Failures: HealthAlliance, a division of Westchester Medical Center Health Network (“WMCHealth”), has agreed to pay a $1.4 million fine, with $850,000 suspended, in connection with a 2023 data breach affecting over 240,000 patients and employees in New York State. The breach, which occurred between September and October 2023, was reportedly caused by an unpatched security flaw in Citrix NetScaler, an application delivery controller and remote access gateway that many organizations deploy in front of their web applications to balance load and improve availability. Although HealthAlliance was aware of the vulnerability, it was unable to patch it due to technical difficulties, which ultimately resulted in the exposure of 196 gigabytes of data, including particularly sensitive information such as Social Security numbers and medication records. As part of its agreement with New York State, HealthAlliance must enhance its cybersecurity practices by implementing a comprehensive information security program, developing a data inventory, and enforcing a patch management policy that addresses critical vulnerabilities within 72 hours. For more details, view the press release from the New York Attorney General’s office.
HHS Imposes Penalty Against Children’s Hospital for HIPAA Privacy and Security Violations: OCR announced a $548,265 civil monetary penalty against Children’s Hospital Colorado (“CHC”) for violations of the HIPAA Privacy and Security Rules arising from data breaches in 2017 and 2020. The 2017 data breach involved a phishing attack that compromised an email account containing 3,370 individuals’ PHI, and the 2020 data breach compromised three email accounts containing 10,840 individuals’ PHI. OCR’s investigation determined that the 2017 data breach occurred because multi-factor authentication was disabled on the affected email account. The 2020 data breach occurred, in part, when workforce members gave unknown third parties permission to access their email accounts. OCR found violations of the HIPAA Privacy Rule for failure to train workforce members on the Privacy Rule, and of the HIPAA Security Rule requirement to conduct a compliant risk analysis of the potential risks and vulnerabilities to ePHI in its systems.

INTERNATIONAL LAWS & REGULATIONS
Italy Imposes Landmark GDPR Fine on AI Provider for Data Violations: In the first reported EU penalty under the GDPR relating to generative AI, Italy’s data protection authority, the Garante, fined OpenAI 15 million euros for breaching the European Union’s General Data Protection Regulation (“GDPR”). The penalty was linked to three specific findings: (1) use of personal data to train ChatGPT without a valid legal basis and without informing users, (2) inadequate age verification, risking exposure of minors to inappropriate content, and (3) failure to report a March 2023 data breach that exposed users’ contact and payment information. The investigation, which began after the Garante was made aware of the March 2023 breach, initially led Italy to block access to ChatGPT temporarily; access was reinstated after OpenAI made concrete improvements to its age verification and privacy policies. Alongside the monetary penalty, OpenAI must conduct a six-month public awareness campaign in Italy to educate the public on data collection and individual user rights under the GDPR. OpenAI has said that it plans to appeal the Garante’s decision, arguing that the fine exceeds its revenue in Italy.
Australian Parliament Approves Privacy Act Reforms and Bans Social Media Use by Minors: The Australian Parliament passed a number of privacy bills in December. The bills include reforms to the Australian Privacy Act, a law requiring age verification by social media platforms, and a law banning social media use by minors under the age of 16. The Privacy Act reforms include new enforcement powers for the Office of the Australian Information Commissioner (“OAIC”) that clarify when “serious” breaches of the Privacy Act occur and allow the OAIC to bring civil penalty proceedings for lesser breaches. Other reforms require entities that use personal data for automated decision-making to state in their privacy notices what data is used for automated decision-making and what types of decisions are made using automated decision-making technology.
EDPB Releases Opinion on Personal Data Use in AI Models: In response to a formal request from Ireland’s Data Protection Commission asking for clarity about how the EU General Data Protection Regulation (“GDPR”) applies to the training of large language models with personal data, the European Data Protection Board (“EDPB”) released its opinion regarding the lawful use of personal data for the development and deployment of artificial intelligence models (the “Opinion”). The Irish Data Protection Commission specifically requested EDPB to opine on: (1) when and how an AI model can be considered anonymous, (2) how legitimate interests can be used as the legal basis in the development and deployment phases of an AI model, and (3) the consequences of unlawful processing in the development phase of an AI model on its subsequent operation. With respect to anonymity, the EDPB stated this should be analyzed on a case-by-case basis taking into account the likelihood of obtaining personal data of individuals whose data was used to build the model and the likelihood of extracting personal data from queries. The Opinion describes certain methods that controllers can use to demonstrate anonymity. With respect to the use of legitimate interest as a legal basis for processing, the EDPB restated a three-part test to assess legitimate interest from its earlier guidance. Finally, the EDPB reviewed several scenarios in which personal data may be unlawfully processed to develop an AI model. 
Second Draft of General-Purpose AI Code of Practice Published: The European Commission announced that independent experts published the Second Draft of the General Purpose AI Code of Practice. The AI Code of Practice is designed to be a guiding document for providers of general-purpose AI models, allowing them to demonstrate compliance with the AI Act. Under the EU AI Act, providers are persons or entities that develop an AI system and place that system on the market. This second draft is based on the responses and comments received on the first draft and is designed to provide a “future-proof” code. The first part of the Code details transparency and copyright obligations for all providers of general-purpose AI models. The second part of the Code applies to providers of advanced general-purpose AI models that could pose systemic risks. This section outlines measures for systemic risk assessment and mitigation, including model evaluations, incident reporting, and cybersecurity obligations. The Second Draft will be open for comments until January 15, 2025.
NOYB Approved to Bring Collective Redress Claims: The Austrian-based non-profit organization None of Your Business (“NOYB”) has been approved as a Qualified Entity in Austria and Ireland, enabling it to pursue collective redress actions across the European Union (“EU”). Known for the Schrems I and II challenges to the EU-US data transfer frameworks brought by its founder, Max Schrems, NOYB intends to use the EU’s collective redress system to challenge what it describes as unlawful processing without consent, use of deceptive dark patterns, data sales, international data transfers, and use of “absurd” language in privacy policies. Unlike US class actions, these EU actions are strictly non-profit. However, they do provide for both injunctive and monetary redress. NOYB intends to bring its first actions in 2025.
EDPB Issues Guidelines on Third Country Authority Data Requests: The EDPB published draft guidelines on Article 48 of the GDPR relating to the transfer or disclosure of personal data to a governmental authority in a third country (the “Guidelines”). The Guidelines state that, as a general rule, a judgment or decision of a third-country authority requiring disclosure of personal data is recognizable and enforceable in the EU only if it is based on an applicable international agreement, such as a mutual legal assistance treaty. The Guidelines further state that any such transfer must also comply with Article 6 with respect to the legal basis for processing and with Article 46 with respect to the legal mechanism for the international data transfer. The Guidelines will be available for public consultation until January 27, 2025.
Irish DPC Fines Meta €251 Million for Violations of the GDPR: The Irish Data Protection Commission (DPC) fined Meta €251 million following a 2018 data breach that affected 29 million Facebook accounts globally, including 3 million in the European Union. The breach exposed personal data such as names, contact information, locations, birthdates, religious and political beliefs, and children’s data. The DPC found that Meta Ireland violated General Data Protection Regulation (GDPR) Articles 33(3) and 33(5) by failing to provide complete information in its breach notification and to properly document the breach. Furthermore, Meta Ireland infringed GDPR Articles 25(1) and 25(2) by neglecting to incorporate data protection principles into the design of its processing systems and by processing more data than necessary by default.
Additional Authors: Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganze, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Tianmei Ann Huang, Adam J. Landy, Amanda M. Noonan, and Karen H. Shin

NYSERDA Issues Request for Information in Preparation for Sixth OREC Solicitation with Transmission Issues in the Forefront

As New York’s fifth Offshore Wind Renewable Energy Certificate (OREC) solicitation enters its final stages, the New York State Energy Research and Development Authority (“NYSERDA”) issued a Request for Information (“RFI”) on December 18, 2024, to solicit feedback concerning its next solicitation, which has been dubbed “NY6”.
While NYSERDA has requested feedback on a number of general concepts, including the structure, timeline and eligibility criteria for NY6, the RFI is notable for its focus on the relationship between generation and transmission. In particular, NYSERDA is seeking feedback on how to encourage applicants to optimize the coordination between offshore wind generation projects and ongoing or new transmission projects. The RFI builds on the New York State Public Service Commission’s (the “Commission”) Order Addressing Public Policy Requirements for Transmission Planning Purposes, issued June 22, 2023, (the “PPTN Order”).
In previous solicitations, NYSERDA sought radial offshore wind projects inclusive of generation, export infrastructure, and interconnection with the onshore grid. NY6 may mark an evolution in New York’s approach to offshore wind project infrastructure in which NYSERDA looks to separate transmission aspects of projects from generation aspects. Subject to Commission approval, in NY6, NYSERDA may elect to solicit “Generation-Only” proposals that would prioritize utilization of the transmission projects being developed and undertaken pursuant to the PPTN Order.
Respondents have until January 29, 2025 at 3 pm Eastern Standard Time to submit comments to the RFI. All comments should be emailed to [email protected], with the subject line “NY6 RFI Comments”.
Stay tuned for more on the Offshore Wind space, including additional insights into developments under the incoming Trump administration.

AFIDA Penalties Are Coming: Costs for Renewable Development May Be More Than You Think

When evaluating the all-in costs of a renewable development project, it is critical that costs associated with Agricultural Foreign Investment Disclosure Act (AFIDA) enforcement and compliance are considered. Since its enactment in 1978, AFIDA has provided for substantial penalties for the failure to file, or the late filing, of mandated reports on agricultural acreage held by an entity with an ultimate non-U.S. parent.
AFIDA reporting requirements are applicable to any non-U.S. based direct or indirect owner of agricultural land, which includes every company organized in the United States but in which a significant interest or substantial control (i.e., ten percent or more) is held by a non-U.S. parent.
A substantial percentage of renewable development in the United States is driven by companies that fall within the bounds of AFIDA’s reporting obligations, yet only a small number of renewable developers appear to be current with their AFIDA reporting obligations.
Both the acquisition and disposition of agricultural land must be reported to the United States Department of Agriculture (USDA) within 90 days of the acquisition or disposition. Stated another way, each executed lease or fee interest purchase of agricultural land, or the disposition of either, starts the clock ticking.
If AFIDA compliance reporting and potential penalties are not yet on your company’s diligence checklist, this may be about to change.
Penalties for failure to file or late-filing can be a substantial cost to renewable development. Federal regulations enable penalties of up to 25% of the fair market value of the land, as determined by the USDA. 
Although penalties have been an option since AFIDA’s enactment, a review of the USDA’s annual report to Congress reveals that relatively few, and relatively small, penalties were assessed up until 2010. The USDA assessed only eight penalties for AFIDA violations between 2012-2022, although the number of filings dramatically increased during the same time period. AFIDA filings were made for 911 parcels of land in 2012, which jumped to 6,363 parcels in 2021. No penalties were assessed for AFIDA violations during the period 2015-2018 due to low levels of staffing in the office tasked with enforcing the law.
The number of AFIDA compliance and enforcement specialists at the USDA has doubled within the last year and a half, in part because concerned members of the House questioned the gap in AFIDA enforcement. In response, the USDA pointed to its increased staffing and its renewed commitment to assessing ex post penalties, starting with late filings in calendar year 2021 and going forward.
If your company acquires leasehold or fee interests in agricultural property and has a non-U.S. parent, it is very likely that Federal AFIDA reporting obligations apply. More than half of all states have similar reporting requirements as well. 
If AFIDA is applicable to your business, it is critical that you engage counsel experienced in AFIDA matters to rectify any historical failures to report and establish a process for ongoing AFIDA compliance. Waiting until the final due diligence call to mention AFIDA compliance to counterparties is not your best strategy.
AFIDA in Brief:
Who Must Report?
Foreign investors who have significant interest or substantial control and acquire, dispose of, or hold an interest in U.S. agricultural land must report their holdings and transactions to the U.S. Department of Agriculture. Interests include land owned as well as land leased for ten years or more. This includes:

Foreign individuals.
Foreign organizations.
Foreign governments.
U.S. organizations – if a significant interest or substantial control is directly or indirectly held by foreign individuals, organizations, or governments.

How is Agricultural Land Defined by AFIDA?

Land exceeding 10 acres in the aggregate that has been used within the last 5 years for farming, ranching, forestry, or timber production.
Land exceeding 10 acres in which 10 percent is stocked by trees of any size, including land that formerly had such tree cover and will be naturally or artificially regenerated.
Landholding totaling 10 acres or less in the aggregate if producing annual gross receipts in excess of $1,000 from the sale of farm, ranch, forestry, or timber production.

Complying With the New “Open Banking” Regime: Primer and Fact Sheet

The Consumer Financial Protection Bureau (CFPB) finalized its “open banking” rule in late 2024. As required by Section 1033 of the Consumer Financial Protection Act, the CFPB promulgated the rule to require certain financial services entities to provide for the limited sharing of consumer data and to standardize the way in which that data is shared. The CFPB has stated that the open banking rule will “boost competition” by facilitating consumers’ ability to switch between banks and other financial service providers. 
In general, the open banking rule:

Provides consumers with control over their data in bank accounts, credit card accounts, and other financial products, including mobile wallets and payment apps;
Allows consumers to authorize third-party access to consumers’ data including transaction information, account balance information, and information needed to initiate payments; and
Requires financial providers to make this information available in an accurate, machine-readable format and at no charge to consumers.

For more background on the history and policy of open banking, please review our prior alert. 
Compliance Deadlines
Numerous comments to the proposed rule urged the CFPB to lengthen the period of time for businesses to comply with the rule. The CFPB responded to those comments by extending the original six month compliance date for the largest affected institutions to provide a 1.5 year implementation period. The table below summarizes the compliance schedule by which different sized entities must operate in compliance with the rule:

Compliance Timeline (by institution type)

1 April 2026 (~1.5 years): depository institutions with at least US$250b in total assets; nondepository institutions with at least US$10b in total receipts in either 2023 or 2024.

1 April 2027 (~2.5 years): depository institutions with at least US$10b but less than US$250b in total assets; nondepository institutions with less than US$10b in total receipts in both 2023 and 2024 (this is the final compliance date for nondepository institutions).

1 April 2028 (~3.5 years): depository institutions with at least US$3b but less than US$10b in total assets.

1 April 2029 (~4.5 years): depository institutions with at least US$1.5b but less than US$3b in total assets.

1 April 2030 (~5.5 years): depository institutions with more than US$850m but less than US$1.5b in total assets (depository institutions holding US$850m or less are exempt from compliance).

Making Consumer Financial Data Available 
Under the final rule, a “data provider” must provide, at the request of a consumer or a third party authorized by the consumer, “covered data” concerning a consumer financial product or service that the consumer obtained from the data provider. The rule defines data provider to include depository institutions, electronic payment providers, credit card issuers, and other financial services providers. The rule defines covered data to include transaction information, account balances, and other information to enable payments.
A data provider’s obligations regarding covered data arise only when holding data concerning a consumer financial product or service that the consumer actually obtained from that data provider. Notwithstanding third-party obligations, merely possessing data from another data provider does not implicate the rule. The CFPB revised the definition of covered data in a manner that offers some clarity for the consumer reporting agencies (CRAs), which typically gather data for other entities for consumer credit reports.
Data Providers and Covered Products by Category

Electronic Payments: the data provider is a financial institution, as defined in Regulation E; the covered consumer financial product or service is a Regulation E account.

Credit Cards: the data provider is a card issuer, as defined in Regulation Z; the covered consumer financial product or service is a Regulation Z credit card.

Other Products and Services: the data provider is any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person; the covered consumer financial product or service is the facilitation of payments from a Regulation E account or a Regulation Z credit card.

Data Provider Interfaces 
As part of the provision of data, data providers must create both consumer and developer interfaces to enable the efficient provision and exchange of consumer data. In addition to various technical requirements, data providers must also establish and maintain written policies and procedures to ensure the efficient, secure, and accurate sharing of consumer data. Data providers are prohibited from charging fees for providing this service.
Interface Requirements

When to Provide Data
Consumer interface: the data provider receives information sufficient to (1) authenticate the consumer’s identity and (2) identify the scope of the data requested.
Developer interface: the data provider receives information sufficient to (1) authenticate the consumer’s identity, (2) authenticate the third party’s identity, (3) document that the third party is properly authorized, and (4) identify the scope of the data requested.

Data Format
Consumer interface: machine-readable file.
Developer interface: standardized and machine-readable file.

Interface Performance
Consumer interface: strict requirement to provide data.
Developer interface: minimum 99.5% response rate.

Data Request Denials
Both interfaces: unlawful, insecure, or otherwise unreasonable requests may be denied.

Authorizing Third Parties 
To lawfully access covered data, a third party must generally do three things: (1) provide the consumer with an authorization disclosure; (2) certify that the third party complies with various restrictions on the use of the data; and (3) obtain the consumer’s express approval to access the covered data.
The rule prohibits three uses of data: (1) targeted advertising; (2) cross-selling of other products or services; and (3) selling covered data. While commenting on the proposed rule, several CRAs requested that the CFPB allow for use of covered data for internal purposes such as research and development of products. The CFPB found this reasonable and permitted “uses that are reasonably necessary to improve the product or service the consumer requested.”
Conclusion
The open banking rule establishes a robust framework for the exchange and transmission of certain types of consumer data by certain entities, and for the safeguarding of that data. Although the final rule extends the implementation deadlines beyond those originally proposed, implementation will require careful coordination among the various functions of affected data providers’ businesses and by the entities authorized to receive covered data.

Canada’s Competition Bureau Seeks Feedback on Proposed Environmental Claims Guidelines

Competition Bureau Canada (the Bureau) announced just before Christmas that it is seeking public comments on draft guidelines (the Guidelines) for assessing environmental claims for compliance with Canada’s Competition Act (the Act). The Act was amended in June 2024 to add, alongside its existing general prohibitions on false and misleading representations and unsupported performance claims, two provisions that specifically address environmental claims. Under the recent amendments, marketing claims about the environmental benefits of a product must be based on “adequate and proper testing” conducted before the claim is made, and claims about the environmental benefits of a business or business activity must “be based on adequate and proper substantiation in accordance with an internationally recognized methodology.”
The proposed Guidelines are based on six high-level principles, aimed at ensuring that environmental claims comply with all of the Act’s provisions, including the recent amendments:
• Environmental claims should be truthful, and not false or misleading.
• Environmental benefit of a product and performance claims should be adequately and properly tested.
• Comparative environmental claims should be specific about what is being compared.
• Environmental claims should avoid exaggeration.
• Environmental claims should be clear and specific, not vague.
• Environmental claims about the future should be supported by substantiation and a clear plan.
The principles outlined by the Bureau are consistent with generally accepted global principles for advertising, such as those reflected in the International Chamber of Commerce (ICC) Marketing and Advertising Commission’s Advertising and Marketing Communications Code (available on the ICC website as “The ICC Advertising and Marketing Communications Code”). The Federal Trade Commission’s (FTC) Guides for the Use of Environmental Marketing Claims (the FTC Green Guides) reflect these same general principles. Similar to the FTC Green Guides, the Bureau’s proposed Guidelines are not enforceable regulatory provisions, but are intended to help businesses understand how the Bureau is likely to apply the Act to green claims.
However, the Bureau’s proposed Guidelines are more general than the FTC Green Guides and do not address specific green claims, such as “recyclable,” “compostable,” and the like. Illustrative examples in the Guidelines appear to focus on general substantiation principles (e.g., is substantiation suitable, appropriate, and relevant to a marketing claim) rather than specific thresholds (e.g., a “substantial majority” threshold (60%) for unqualified “recyclable” claims as in the FTC Green Guides). Unlike the EU directive on green claims adopted last spring (EU 2024/825), which prohibits certain “generic environmental benefit claims” (e.g., “green,” “eco-friendly,” “biodegradable”), neither the Guidelines nor the Act’s provisions bar specific claims or mandate independent certification of claims. And finally, like the FTC Green Guides, the Guidelines are intended to promote truthful advertising to foster a fair and competitive marketplace, not to advance environmental policy.
Importantly, the Guidelines are geared to promotional and marketing representations made to the public, not representations made exclusively for another purpose, such as representations to investors or shareholders. Where the same representations are made both to the public and to investors or shareholders in Canada, however, the business must be mindful of the principles of the Guidelines. Businesses interested in sharing information with Canadians about the environmental benefits of their products, services, processes, and operations should likewise be mindful of the Guidelines. For those who wish to weigh in on the draft Guidelines, the deadline for comments is February 28, 2025.

FDA Releases Draft Guidance for Low-Moisture Ready-to-Eat Foods

Earlier this week FDA published a draft guidance titled Establishing Sanitation Programs for Low-Moisture Ready-to-Eat Human Foods and Taking Corrective Actions Following a Pathogen Contamination Event. (See publication notice at 90 Fed. Reg. 1052 (January 7, 2025)). Examples of low-moisture, ready-to-eat (LMRTE) foods include powdered infant formula, peanut butter, nut butters, powdered drink mixes, chocolate, medical foods in powdered and paste forms, processed tree nuts, milk powders, powdered spices, snack foods such as chips and crackers, granola bars, and dry cereal.
The draft guidance is intended to help manufacturers/processors of LMRTE human foods comply with 21 CFR part 117 (Current Good Manufacturing Practice (CGMP), Hazard Analysis, and Risk-Based Preventive Controls (HARPC) for Human Food) and, in the case of infant formula manufacturers, the requirements in 21 CFR part 106. In particular, the draft guidance provides FDA’s current thinking regarding:

• Establishing and implementing a sanitation program and environmental monitoring program
• Conducting root cause investigations following a pathogen contamination event
• Applying a sanitizing treatment when remediating a pathogen contamination event
• Taking steps to identify affected food
• The limitations of relying solely on a product testing program to verify that pathogen contamination has been eliminated

The draft guidance includes a discussion of CGMPs necessary to control pathogens in LMRTE foods. Controlling water and maintaining a dry production site is a key feature of FDA’s recommended approach. The draft guidance notes that cleaning (removing residue from a food contact surface (FCS)) is distinct from sanitizing treatments (designed to kill pathogens) and that, in dry processing conditions, cleaning and sanitizing are usually done sequentially. The draft guidance cautions that “material flush techniques,” which clean an FCS by pushing product or other materials (e.g., hot oil) through the FCS, are ineffective methods for killing pathogens.
Among the points raised in its discussion of HARPC components applicable to a sanitation program, the draft guidance recommends the identification of Salmonella spp. as a hazard requiring a preventive control for products which are exposed to the environment before packaging and which are not treated. Similarly, the draft guidance recommends the identification of Cronobacter spp. as a hazard in the case of powdered infant formula products exposed to the environment before packaging that do not receive a kill step or other control measure.
In its discussion of preventive control step verification activities and root cause analysis, the draft guidance expresses a strong preference for identifying pathogens using whole genome sequencing (WGS) because of its much greater specificity and ability to discriminate between different pathogenic strains. Where WGS is not used, FDA recommends maintaining samples so that they can be characterized by WGS later if necessary (e.g., in a root cause investigation following a contamination event).
The draft guidance also indicates in several sections that finished product testing has limitations and should not be solely relied upon for verification of preventive controls or identifying affected food. Finished product testing will be particularly ineffective at identifying hazards which are present at low levels and which are unevenly distributed.
Comments to the draft guidance should be submitted by May 7, 2025.

FDA’s Fresh Take on Use of “Healthy” in Food Labeling

Overview

On December 19, 2024, the US Food and Drug Administration (FDA) issued a new final rule titled “Food Labeling: Nutrient Content Claims; Definition of Term ‘Healthy.’” The rule revises regulations that govern when food products may be labeled as “healthy” and when a derivative term (e.g., “health,” “healthful,” or “healthier”) may be used to make a claim about the product’s nutritional content. Broadly, the new final rule adopts the regulatory approach spelled out in the FDA’s September 29, 2022, proposed rule.
These amendments represent the first significant changes to “healthy” labeling requirements in 30 years. In its new scheme, the FDA attempts to bring labeling requirements in line with 21st century advances in nutrition science that have resulted in new federal dietary guidelines. To do so, the FDA places newfound emphasis on food products’ umbrella food groups as opposed to individual nutrients.
In addition to changes in nutrition science, changes in US culture and dietary patterns prompted the amendments. The FDA describes the changes as part of its contribution to a government-wide initiative to address the “ever-growing crisis of preventable, diet-related chronic diseases in the U.S.” (such as cardiovascular disease, diabetes, and obesity) that “requires immediate action.” The FDA states that the crisis disproportionately affects certain racial and ethnic minority groups and the disadvantaged. The FDA anticipates that the amendments will advance health equity by helping consumers identify foods that can be the foundation of a healthy diet. The updated criteria allow affordable, accessible, and nutrient-dense foods associated with disparate cultural traditions and found within varied food groups and subgroups to bear the “healthy” claim, including frozen, canned, dried, and other shelf-stable products.
The FDA will begin to enforce these new regulations in February 2028, but manufacturers can start using a “healthy” claim in accordance with the new requirements as soon as the rule enters into effect on February 25, 2025.

In Depth

BACKGROUND
In 1990, Congress enacted the Nutrition Labeling and Education Act, which had three primary objectives:

To enable consumers to make informed decisions about their dietary choices by providing them with relevant nutritional information.
To standardize definitions for claims related to food products’ nutritional content.
To encourage manufacturers to produce and market food products with greater nutritional value.

Acting in line with these objectives, the FDA adopted regulations in 1994 that created enforceable standards for manufacturers to follow when labeling their food products as “healthy” or a related derivative term (e.g., “health” or “healthful”). These regulations apply specifically to labeling that uses the term “healthy” or the like to imply that consumption of a food product comports with healthy dietary practices. These claims are distinct from those referring to a food product’s special dietary functions or effects on a consumer’s bodily structures.
The criteria established by the 1994 regulations focus on whether food products contain certain enumerated levels of nine individual nutrients, such as protein, cholesterol, and saturated fat. Although many stakeholders continue to support this approach, the FDA has concluded that it is difficult to reconcile with advances in nutrition science over the past three decades.
According to the FDA, nutrition science has evolved to take a more holistic view of diet, focusing on an individual’s consumption of synergistic, foundational food groups (foods that, because of their overall nutrition profiles, can be the “foundation” or “building blocks” of a healthy dietary pattern) – e.g., vegetables, fruits, whole grains, fat-free and low-fat dairy, lean game meat, and seafood with no added ingredients – rather than on pure nutrient intake. The FDA argues that under the 1994 regulations, foods that are now widely considered to be healthy cannot be labeled as such. For example, manufacturers have likely been unable to include “healthy” on a salmon food product’s packaging because of the fish’s high fat content. Similarly, some foods that could previously carry the “healthy” claim, such as white bread and heavily sweetened cereal and yogurt, will no longer qualify. In addition to salmon, newly qualifying foods will include nuts and seeds, olive oil, and some peanut butters and canned fruits and vegetables.
KEY CONCEPTS
In place of individual nutrients, the FDA has centered its new criteria on the five food groups recommended in the current federal dietary guidelines: vegetables, fruits, grains, fat-free or low-fat dairy, and proteins (e.g., lean meat, seafood, eggs, beans, peas, lentils, nuts, and seeds). The FDA applies some nuances to these groups. Vegetable or fruit pastes, purees, and powders may qualify if they represent a mere change in the food product’s form. Likewise, the FDA intends to consider plant-based dairy alternatives as members of the dairy group when they have nutritional content similar to true dairy products.
Under the “food group equivalent” (FGE) system carried over from the 2022 proposed rule, a food bearing a “healthy” nutrient content claim generally must contain a certain amount of food from at least one of the food groups or subgroups recommended by the federal dietary guidelines and also must fall below specific nutrient limits for added sugars, sodium, and saturated fat. For example, one FGE for a vegetable food is established as a half-cup equivalent. The exact amount of a vegetable product that would satisfy this criterion may vary based on its preparation. To illustrate, both one cup of raw spinach and a half cup of cooked green beans equal half-cup equivalents, and thus each would individually constitute one FGE.
These FGEs form the basis of the FDA’s new labeling criteria. In total, there are six scenarios where a food product may carry a “healthy” claim:

Single Ingredient Exception: Food products with only ingredients from the five food groups and water.
Individual Food: When consumed in quantities greater than 50 grams, contains one or more FGE. Includes oil-based products and those consumed in quantities of less than 50 grams if they meet the FGE and nutrient requirements per 50 grams.
Mixed Food Product: Contains one or more FGE, with at least one quarter FGE from two food groups. Example: one quarter vegetable FGE and three quarters protein FGE.
Main Dish Product: Serving contains two or more FGEs, with at least one half FGE from two food groups. FGEs can be aggregated.
Meal Product: Serving contains three or more FGEs, with at least one half FGE from three food groups. FGEs can be aggregated.
Low-Calorie Beverages: Coffee, tea, and water with fewer than five calories per serving. FDA may exercise discretion in labeling these as “healthy.”

Manufacturers that ultimately decide to make a “healthy” claim for a qualifying food product must also follow new bookkeeping requirements. The final rule establishes that in situations where a food’s ability to qualify under the “healthy” criteria is not obvious from its nutritional label, manufacturers must maintain written records establishing the same. The form these records take may vary based on a manufacturer’s preferences, but they must be kept for at least two years after a product’s introduction to the market.
The FDA stresses that manufacturers whose products fail to meet the above criteria still have an array of valid marketing options at their disposal. Indications of a product’s low sodium content, for example, would still be acceptable in a variety of circumstances. The FDA also intends to engage in consumer education efforts so that failure to meet the listed criteria is not equated to a product’s being “unhealthy.”
NEXT STEPS
Manufacturers can begin to use a “healthy” claim in accordance with the new requirements as soon as the rule enters into effect on February 25, 2025. The FDA intends to create and publish additional resources to aid manufacturers in determining FGE amounts before the regulation’s compliance date in February 2028. The FDA stated that these resources may include guidance documents, FAQs, direct responses to questions, or online webinars.
The agency also announced an intent to publish a proposed rule on front-of-package nutrition labeling, which may include a “healthy” symbol to designate qualifying food products.
 
Henry Fisher contributed to this article.