TikTok Ban Upheld By SCOTUS– Is TCR Next?
So the US Supreme Court today upheld a law requiring that abysmal TikTok app to either by sold or face a nationwide ban.
The basis for the law is TikTok’s foreign ownership and the massive amount of data available to the Chinese government as a result.
I’m a huge fan of the ban, but mostly because I’m a geezer that thinks kids these days spend too much time staring at their phones.
Still, the national security concerns are very legitimate and resonate well beyond TikTok– for instance The Campaign Registry is still tracking most every 10DLC SMS campaign in the country and is still foreign owned.
I suspect new FCC Chairman Carr–with his focus on national security– and Olivia Trusty (Trump’s new FCC pic) will take a very dim view of TCR’s foreign ownership and I suspect a similar sale or ban ruling may be in the cards.
We’ll see.
What Happens Next When a Company Declines to Follow an NAD Decision? Off to the FTC it Goes
We have written here about the work of the NAD, the National Advertising Division of BBB National Programs. The NAD offers independent self-regulation and dispute resolution services for members of the national advertising community. NAD examines advertising to determine whether the evidence provided by the advertiser fully supports the advertising claims at issue in an NAD review. NAD’s findings and recommendations are detailed in a final written decision and outlined in an accompanying press release.
Participation in NAD proceedings is voluntary, and advertiser compliance with an NAD decision is generally quite high. If the NAD finds against an advertiser, the company is given the opportunity to confirm whether it intends to comply with the decision or to appeal it. If the advertiser refuses to comply, NAD will refer the matter to the appropriate regulatory agency, most often the Federal Trade Commission. Such referrals are announced by the NAD in its press release reporting the decision.
Two recent matters out of NAD highlight the jeopardy a company can find itself in when it refuses to comply with a NAD decision. The first involves a challenge against Larose Industries LLC, operating under the names Roseart and Cra-Z-Art. Larose claimed its pencils were “Proudly Made in USA,” displaying its products alongside American-themed imagery in ads. According to the challenger, Larose’s pencils are made from components sourced from China and involve foreign manufacturing and assembly. Larose refused to participate in the NAD proceedings; accordingly, the NAD referred the matter to the FTC for review and potential enforcement action. The NAD also indicated in its press release that it would notify the platforms with whom NAD has a reporting relationship to assess compliance with platform standards. The second case involves Relish Labs LLC, doing business as Home Chef, which has been before the NAD on several occasions. This round, the NAD investigated Home Chef for its “#1 in Customer Satisfaction” claims. Home Chef declined to make the changes NAD requested, prompting NAD to refer the matter to the FTC. And as in the Larose decision, NAD also indicated it would notify the various platforms of its decision.
The FTC has been a vocal supporter of the NAD process, prioritizing referrals it receives. When an NAD case is referred to the FTC, the FTC will first encourage the advertiser to go back to the NAD to participate in the self-regulatory process. At that point, many companies agree that reengaging with the NAD makes more sense than facing FTC scrutiny. If the company declines, FTC staff will undertake a more substantive review, applying its own applicable legal standards. In some instances, this review leads to formal law enforcement action; in others, the FTC may exercise its discretion (based on resources and priorities) not to open an investigation. In any event, once the FTC’s review is completed, the agency publicizes on its website the resolution of all referrals received from the NAD.
A decision to decline to follow NAD’s recommendations is highly specific to each company under investigation and is rarely made lightly. Businesses that do so can expect additional attention from, and engagement with, the FTC as the agency considers how to proceed.
SHE BELONGS!: Trump’s New FCC Pick Olivia Trusty Appears Incredibly Well Qualified– and Even Had a Hand Drafting the TRACED Act
Usually when there is a nomination to the FCC the individual nominated is at least somewhat within the Czar’s orbit.
Truthfully, Ms. Trusty is not. Other than being connected on LinkedIn–not even sure how that happened– I don’t recall running across Ms. Trusty, but her career as a Congressional staffer appears to have been quite impactful (impressive.)
Some quick notes about her background.
She’s an athlete–love that– and was a member of the Tar Heels gymnastics team back in the early 2000s. (She was even the “Gymnast of the Week” back in January, 2004.)
Her passion for athletics undoubtedly lead her to assist with the EMPOWERING OLYMPIC AND AMATEUR ATHLETES ACT OF 2019, where she had a significant role assisting Senator Wicker in moving the bill forward. The bill arose following the conviction of Dr. Nassar who had abused Olympians, and resulted in 18 months of interviews with athlete survivors and 4 subcommittee hearings before the law emerged.
Nearer and dearer to TCPAWorld reader’s hearts–Trusty was on the team that developed the Traced Act.
As we reported a while back, Senator Thune–who is credited as one of the chief architects of the Traced Act–is now the ranking Republican in the Senate. I do not view it as a coincidence that Trusty now finds herself headed to the FCC after helping to craft that statute–which is easily the most impactful telecom law to pass in a decade.
In the words of Thune himself, Ms. Trusty “worked tirelessly to help develop and advance [the TRACED Act.]”
So.. yeah. Trusty knows her way around the TCPA.
And that is no surprise since she was the Republican policy director for the Senate Commerce, Science and Transportation Committee Communications, Media and Broadband Subcommittee (Jan. 2019- Dec. 2022). That’s just the Subcommittee with jurisdiction over all sectors of communications phone calls and the internet.
And then before that was a senior consultant in Verizon’s Government Relations team and a Senior Policy Representative for Qwest Communications.
So… yeah.
Trusty feels like a no-brainer. But there’s even more to her background that is interesting.
Check out this bullet point on her resume:
Senate Armed Services Committee Cybersecurity Subcommittee (Jan. 2023-), Staff Lead, Republican
Yeah. She helped lead the subcomittee on cybersecurity. And now she’s teaming up with Chairman Carr who has stated a key focus of the FCC should be national security. (I wonder how she’s going to feel about foreign-owned TCR collecting all that data about American text practices?)
And no surprise, Trusty also had a hand in crafting the National Defense Authorization Act, addressing a broad range of issues, from strategic competition with China and Russia to countering threats to Iran, North Korea and violent extremists. Most importantly, the bill authorized record level investments in key technologies– including artificial intelligence.
Trusty is also exceptionally well traveled. According to the Congressional Foreign Travel Financial Reports Ms. Trusty has visited Australia, New Zealand, Switzerland, Argentina, Chile, Egypt, Jordan, Singapore, Japan, South Korea, Taiwan and Israel in just the last couple of years–probably in furtherance of her efforts supporting the Senate Armed Services committee.
So yeah.
Trusty Trusty (as you can expect to hear me call her from now on) is a VERY solid candidate. But also the sort of institutionalist I am surprised (but glad) Trump went with.
I am impressed. Top to bottom. Look forward to working with her office– assuming she is formally nominated and approved, which seems very likely given her background and the Senate composition.
(Special thanks to our new clerk Gabby for the great investigation work here– nice job!)
Massachusetts Pay Transparency Law: What Employers Need to Know Before February
Last July, Massachusetts joined a growing number of states mandating that employers provide pay transparency to employees. The Massachusetts pay transparency law also includes a wage data reporting component that requires covered employers to submit EEO-1 reports to the Commonwealth on an annual basis. As the Feb. 3, 2025, deadline to file EEO-1 reports nears, the Executive Office of Labor and Workforce Development has released frequently asked questions (FAQs) to help employers comply with the wage data reporting aspect of the new law.
Key Takeaways
The Massachusetts pay transparency law was drafted to mirror the Equal Employment Opportunity Commission’s (EEOC’s) reporting requirements, including a prior wage data reporting obligation that entailed submitting W-2 income earnings by race/ethnicity, sex, and job category. Significantly, the EEOC has not required the wage data reporting component since 2018. Thus, the FAQs confirm that the Commonwealth will still accept EEO-1 reports and will not require any additional information at this time.
Only employers with at least 100 employees in the Commonwealth at any time during the prior calendar year are subject to the reporting requirement (the threshold drops to 25 for the disclosure of pay ranges in job postings).
The statute provides that the initial wage data report is due by Feb. 1, 2025, and annually on the same date thereafter. If the deadline falls on a weekend or holiday, however, it will be extended to the next business day. Since Feb. 1 falls on a Saturday this year, reports will be accepted until Monday, Feb. 3, 2025. The other EEO reports are due by the same deadline but on a biennial basis: EEO-3 and EEO-5 this year, and EEO-4 next year.
Employers must submit the report in PDF, JPG, or PNG format to the Secretary of State’s office through the web portal: EEO Wage and Workforce Data Reports.
By June 1, 2025, the Executive Office of Labor and Workforce Development will publish the inaugural wage and workforce data report.
In addition to the impending wage data reporting deadline, employers should continue to prepare for the pay disclosure requirements that go into effect in October 2025.
Employers should be reviewing (or implementing pay ranges) for various job categories and evaluating whether employees are properly compensated within the established pay ranges. We expect additional guidance on the pay disclosure requirements.
DORA Becomes Applicable in the EU
On January 17, 2025, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”) becomes applicable in the EU.
DORA intends to strengthen the IT security and operational resiliency of financial entities and to ensure that the financial sector in the EU is able to stay resilient in the event of severe operational disruption. DORA applies to financial entities engaging in activities in the EU. Traditional financial entities, such as banks, investment firms, insurers, and credit institutions, and non-traditional entities, like crypto-asset service providers and crowdfunding platforms, are all within scope.
Financial entities under DORA will be required to comply with new requirements in the areas of (1) risk management, (2) third-party risk management, (3) incident management and reporting, and (4) resilience testing. Key obligations include:
Create and maintain a register of ICT service providers and, on an annual basis, report relevant information from the register to financial authorities.
Comprehensive incident reporting obligations requiring initial notification in 4 hours after the incident is classified as major and a maximum of 24 hours after becoming aware. Follow-up notifications will be required, at least, in 72 hours and one month. Entities under scope will be required, without undue delay, to notify their clients where a major incident occurs and has a financial impact on their interests. For significant cyber threats, entities under scope should, where applicable, inform their clients that are potentially affected of any appropriate protection measures which the latter may consider taking.
Maintain a sound, comprehensive and well-documented ICT risk management framework. The financial entities’ management bodies should define, approve, oversee and take responsibility for the implementation of the ICT risk management framework. In addition, appropriate audits must be conducted with respect to the ICT risk management framework.
Implement post ICT-related incident reviews after a major ICT-related incident disrupts core activities.
Establish and maintain a sound and comprehensive digital operational resilience testing program.
Clearly allocate, in writing, the rights and obligations of the financial entity when engaging with ICT service providers, including mandatory DORA contractual provisions.
Adopt, and regularly review, a strategy on ICT third-party risk.
In addition to financial entities, ICT service providers providing services to financial entities will also have a level of exposure to DORA. This level of exposure will vary in accordance with how critical the ICT service provider is in the sector. All ICT service providers will be subject to indirect obligations resulting from the requirements that their customers (i.e., in-scope financial entities) will be subject to under DORA (e.g., mandatory contractual provisions). In addition, ICT service providers designated as “critical” will be subject to direct obligations and specific oversight mechanisms under DORA.
Read the full text of DORA.
CFPB Issues Order for Financial Data Exchange to Issue Standards under CFPB’s Personal Financial Data Rights Rule
On January 8, 2025, the Consumer Financial Protection Bureau (CFPB) issued an order recognizing Financial Data Exchange, Inc. (FDX) as a standard-setting body under the CFPB’s Personal Financial Data Rights rule. The order of recognition is the first to be issued under the rule. The Personal Financial Data Rights rule, released in October 2024, requires financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free. The CFPB established a formal application process outlining the qualifications to become a recognized industry standard-setting body, which can issue standards that companies can use to help them comply with the CFPB’s rules. The CFPB also issued updated procedures for companies seeking special regulatory treatment, such as through “no-action letters.”
FDX is a standard-setting organization operating in the United States and Canada. It has over 200 member organizations, including depository and non-depository commercial entities, data providers and recipients, data aggregators, service providers to open banking participants, trade and industry organizations, and other non-commercial members, including consumer groups. FDX’s stated primary purpose is to develop, improve and maintain a common, interoperable standard for secure consumer and business access to financial records.
In September 2024, the CFPB received the application for recognition from FDX. CFPB published the application from FDX for public comment later that month. The application was then the first to be published for public comment.
The CFPB approved the application, subject to several conditions. In June 2024, the CFPB finalized a rule outlining the qualifications to become a recognized industry standard-setting body. The rule issued in June identifies the five key qualifications that standard-setting bodies must demonstrate to be recognized by the CFPB, including openness, transparency, balanced decision-making, consensus, and due process and appeals.
The order recognizes FDX as an industry standard-setting body for five years. The CFPB continues to evaluate other applications for recognition.
Breaking News: U.S. Supreme Court Upholds TikTok Ban Law
On January 17, 2024, the Supreme Court of the United States (“SCOTUS”) unanimously upheld the Protecting Americans from Foreign Adversary Controlled Applications Act (the “Act”), which restricts companies from making foreign adversary controlled applications available (i.e., on an app store) and from providing hosting services with respect to such apps. The Act does not apply to covered applications for which a qualified divestiture is executed.
The result of this ruling is that TikTok, an app which is owned by Chinese company ByteDance and qualifies as a foreign adversary controlled application under the Act, will face a ban when the law enters into effect on January 19, 2025. To continue operations in the United States in compliance with the Act, the law requires that ByteDance sell the U.S. arm of the company such that it is no longer controlled by a company in a foreign adversary country. In the absence of a divestiture, U.S. companies that make the app available or provide hosting services for the app will face enforcement under the Act.
It remains to be seen how the Act will be enforced in light of the upcoming changes to the U.S. administration. TikTok has 170 million users in the United States.
Bondi and Bessent Affirm Support for Whistleblowers in Confirmation Hearings
During their Senate confirmation hearings, both Pam Bondi, nominee for Attorney General, and Scott Bessent, nominee for Treasury secretary, affirmed their support for whistleblowers in response to questions from Senator Chuck Grassley.
Bondi Promises to Defend Constitutionality of False Claims Act
During Bondi’s confirmation hearing on January 15, Senate Grassley asked if she believed that the False Claims Act is constitutional and if she would commit to continuing the Department of Justice’s defense of its constitutionality. Grassley spoke about how, thanks in large part to “patriotic whistleblowers,” the False Claims Act has resulted in over $78 billion in collections for the government since 1986.
“I would defend the constitutionality of course of the False Claims Act,” Bondi stated. “The False Claims Act is so important, especially by what you said with whistleblowers.”
The constitutionality of the False Claims Act’s qui tam provisions have faced challenges recently. In September, the U.S. District Court for the Middle District of Florida ruled that the qui tam provisions are unconstitutional because they violate the Appointments Clause of Article II. The court ruled that by filing a qui tam lawsuit alleging Medicare fraud, whistleblower Clarissa Zafirov was granted “core executive power” without any “proper appointment under the Constitution.”
The U.S. government is urging the Eleventh Circuit to reverse the district judge’s “outlier ruling,” noting in a brief that “other than the district court here, every court to have addressed the constitutionality of the False Claims Act’s qui tam provisions has upheld them.”
Under the False Claims Act’s qui tam provisions, individuals may file lawsuits alleging government contracting fraud on behalf of the United States. The government then has the ability to intervene and take over the case, intervene and dismiss the case, or not intervene and let the whistleblower proceed with the suit. In successful qui tam cases, regardless of whether the government intervenes, whistleblowers are eligible to receive between 15 and 30% of the settlement or judgment.
Since the False Claims Act’s qui tam provisions were amended in 1986, the government has recovered over $78 billion, with more than $55 billion stemming from qui tam whistleblower suits. Striking down the constitutionality of qui tam would thus cripple the most important law protecting taxpayer funds from fraud.
Bessent States He will Support IRS Whistleblower Program
During Bessent’s confirmation hearing on January 16, Senator Grassley brought up the importance of the Internal Revenue Service (IRS) Whistleblower Program, noting that since it was established in 2006 ““it’s brought $6 billion back into the federal treasury.”
“This program could raise billions more if the IRS would use it to its full potential,” Grassley stated. “So I hope I can count on you, if you’re confirmed, to be supportive of this whistleblower program and work to ensure its full use to its full potential.”
“Senator Grassley, we are in complete alignment on this program,” Bessent said in response.
Through the IRS Whistleblower Program, qualified whistleblowers, individuals who voluntarily provide original information that leads to a successful IRS action, are eligible to receive monetary awards of 15-30% of the money collected thanks to their disclosure.
The program, which revolutionized tax enforcement by incentivizing insiders to come forward and disclose hard-to-detect misconduct, has struggled in recent years as delays have grown and payouts to whistleblowers have dropped. While recent administrative reforms have strengthened the program, advocates believe that it has even more potential.
Treasury Department and IRS Release Final Regulations for Section 45V Clean Hydrogen Production Tax Credit
On January 3, 2025, the Treasury Department and the Internal Revenue Service issued final regulations under Internal Revenue Code (Code) Section 45V (the Final Regulations) with respect to credits for the production of clean hydrogen (the 45V Credit). The Final Regulations generally retain the requirements set forth in the proposed regulations under Code Section 45V (the Proposed Regulations)[1] with respect to the “three pillars” (incrementality, temporal matching and deliverability) for hydrogen produced using clean power but provide leniency with respect to each pillar. The Final Regulations also provide critical new guidance on hydrogen produced using methane reformation technologies. Taxpayers may rely on the Final Regulations as of January 10, 2025.
Background
Code Section 45V provides a tax credit for the production of clean hydrogen at a qualified clean hydrogen production facility for 10 years beginning on the date the facility is placed in service. The 45V Credit is technology agnostic in that qualification for the credit is not dependent on how the clean hydrogen is produced. The 45V Credit is generally calculated as the product of the kilograms of qualified clean hydrogen produced at a qualified clean hydrogen production facility and the applicable rate. The applicable rate is based on the lifecycle greenhouse gas (GHG) emissions rate of the hydrogen production process. Taxpayers qualify for an increased 45V Credit amount if the construction, alteration and repair of the qualified clean hydrogen production facility complies with the prevailing wage and apprenticeship requirements.
Electricity Used in Hydrogen Production
The Final Regulations generally retain the requirements of the three pillars set forth in the Proposed Regulations regarding the utilization of energy attribute certificates (EACs) to establish a GHG emissions rate. As compared to the Proposed Regulations, the Final Regulations provide leniency with respect to each pillar.
Incrementality. The incrementality requirement is met if the electricity generating facility that produced the electricity has a commercial operation date, or increase in rated nameplate capacity, no more than 36 months before the relevant hydrogen production facility was placed in service. The Final Regulations include three new sources of electricity generation that will be considered incremental regardless of whether the 36-month requirement is satisfied: (i) electricity generated at certain nuclear facilities (with a cap of 200 megawatt-hours per operating hour per reactor); (ii) electricity generated in states with GHG emissions policies meeting certain criteria (such as California and Washington); and (iii) electricity generated at a facility that added carbon capture and sequestration (CCS) equipment within 36 months prior to the date the hydrogen production facility is placed in service.
Temporal Matching. The temporal matching requirement is met if the electricity is generated (i) until 2030, in the same year as, or (ii) beginning in 2030, in the same hour as, the taxpayer’s hydrogen production facility uses electricity to produce hydrogen. The Proposed Regulations provided that hourly matching described in clause (ii) would be required beginning in 2028.
Deliverability. The deliverability requirement is met if the electricity is generated by a facility in the same region as the hydrogen production facility. The Final Regulations provide flexibility for demonstrating certain electricity transfers between regions and allow taxpayers to import clean power from other regions under certain circumstances.
Methane Used in Hydrogen Production
The Final Regulations provide rules for how taxpayers can claim the 45V Credit for hydrogen produced using methane reformation technologies, including those using CCS, renewable natural gas (RNG) and fugitive sources of methane (e.g., from wastewater, animal waste, landfill gas and coal mine operations). The Final Regulations provide rules on how to calculate lifecycle GHG emissions from these sources.
Alternative Fate Standard. The Final Regulations do not include a “first productive use” requirement contemplated by the Proposed Regulations, which would require hydrogen produced using RNG and coal mine methane systems to originate from the first productive use. Instead, the Final Regulations take into account the “alternative fate” of feedstocks.
Gas EACs. The Final Regulations introduce the “gas energy attribute certificate” (Gas EAC), which is defined as a tradeable contractual instrument, issued through a qualified Gas EAC registry or accounting system, that represents the attributes of a specific unit of RNG or coal mine methane. Hydrogen producers using RNG or coal mine methane will be able to acquire and retire Gas EACs as a mechanism for establishing such sources were used in the production of clean hydrogen.
Temporal matching and deliverability requirements similar to those described in the context of hydrogen produced using electricity apply to Gas EACs. The Final Regulations require monthly matching for a Gas EAC to satisfy the temporal matching requirement, and require geographic matching within the contiguous United States to satisfy the deliverability requirement.
Book-and-Claim. The Final Regulations endorse a book-and-claim framework for hydrogen produced using RNG or coal mine methane systems. Book-and-claim systems will enable taxpayers to claim use of RNG or coal mine methane despite the absence of a direct exclusive pipeline connection to a facility that generates RNG or from which fugitive methane is being sourced. Taxpayers will be able to begin using book-and-claim systems no earlier than in 2027, after the Secretary of Treasury determines when a system meets the requirements set forth in the Final Regulations.
GREET Model
The Final Regulations require that lifecycle GHG emissions be measured “well-to-gate” as determined under the most recent Greenhouse gases, Regulated Emissions, and Energy use in Technologies (GREET) model. Well-to-gate emissions are the aggregate lifecycle GHG emissions related to the hydrogen produced at the hydrogen production facility during the taxable year through the point of production. Well-to-gate emissions include emissions associated with feedstock growth, gathering, extraction, processing and delivery to a hydrogen production facility.
The Final Regulations allow hydrogen producers to use the version of the 45VH2-GREET model that was in effect when the hydrogen production facility began construction for the duration of the credit. This provision enhances investment certainty by ensuring that hydrogen producers are not subject to unexpected changes to the 45VH2-GREET model over the credit period.
The Final Regulations provide that upstream methane leakage rates will be based on default national values in the 45VH2-GREET model. Future releases of the 45VH2-GREET model, however, are expected to incorporate facility-specific upstream methane leakage rates based on data provided by the Environmental Protection Agency.
[1] We discussed the Proposed Regulations in a previous client alert.
Annual Adjustment of HSR Thresholds Comes at a Time of Uncertainty
There is a lot of uncertainty in the Hart-Scott-Rodino Act (HSR) world. The new rules on what must be included in an HSR filing have been issued and are due to take effect on February 10, 2025, but that could be derailed or delayed. Either the new administration could issue a freeze on federal regulations that have not yet gone into effect, or implementation could be delayed by a recently filed lawsuit alleging that the new rules exceed the statutory authority of the Federal Trade Commission (FTC).
But one bit of certainty in this uncertain landscape is the new HSR thresholds that are released every year around this time.
The HSR requires that transactions over a certain value be reported at least 30 days prior to closing to the FTC and U.S. Department of Justice Antitrust Division (DOJ) (collectively, the “Agencies”). The FTC adjusts the HSR reporting thresholds annually based on the change in gross national product. In 2025, the new threshold to keep in mind for transactions is $126.4 million (which is up from $119.5 million in 2024). There are additional considerations when acquiring or selling voting securities, non-corporate interests in a business (such as interests in an LLC or partnership) or assets valued over $126.4 million.
When determining whether an HSR filing is necessary, the following questions must be considered:
What is the Value of the Transaction and the Size of the Parties?
The HSR rules are complex, and whether the size-of-the-transaction threshold is met depends on a number of details such as the transaction’s structure and whether any HSR exemptions apply. Additionally, one important preliminary question is, if the transaction exceeds the $126.4 million threshold, are the parties large enough to warrant further assessment of HSR filing? If the transaction is valued at or above $124.6 million but less than $505.8 million, then the size of the parties must be considered. If one party to the deal (and all of that party’s parents, affiliates and subsidiaries) has sales or assets over $252.9 million, and if the other party has sales or assets over $25.3 million, then the transaction might be reportable, and the HSR filing analysis should continue. All non-exempt transactions valued over $505.8 million are reportable, regardless of the size of the parties.
Do Any Exemptions Apply?
The HSR rules contain several exemptions that can reduce the transaction value or eliminate the obligation to make a filing altogether. For example, the HSR rules do not apply to certain acquisitions of non-U.S. entities or assets, acquisitions made solely for the purpose of investment or certain real estate acquisitions.
How Much Will it Cost for an HSR Filing?
The HSR filing fees remain relatively unchanged from last year, except for some minor increases for larger transactions:
What Will the FTC or DOJ Do After the Filing is Made?
During the 30-day waiting period, the parties cannot close the transaction, which allows the Agencies to review whether the transaction could adversely impact competition in the market for any particular product or service. One potential change under the new administration is the return of early termination of the waiting period for deals that have no significant antitrust issues. For deals with competitive overlaps, and in light of the Merger Guidelines issued in 2023, if the parties compete in the same market or industry and/or the deal will add to a portfolio of assets in the same market or industry, it is critical that antitrust counsel be engaged early in the process to determine how the transaction might affect competition and the likelihood that the Agencies may oppose or challenge the transaction.
Finally, ignoring the HSR threshold can lead to reputational and financial harm. Failure to submit a required HSR filing can draw penalties of $51,744 for each day of noncompliance.
Environmental Developments to Watch in California in 2025
Contaminants of Concern
Perfluoroalkyl and polyfluoroalkyl substances (PFAS)
In September 2024, California’s legislature enacted two new bills restricting the use of PFAS in consumer products.
AB 347 – This statute gives California’s Department of Toxic Substances Control (DTSC) enforcement authority over existing PFAS restrictions on textile articles (AB 1817), juvenile products (AB 652), and cookware and food packaging (AB 1200) (the “covered products” under the “covered PFAS restrictions”). AB 347 also requires manufacturers of covered products to submit a registration to DTSC by July 1, 2029, pay a registration fee, and submit a statement of compliance to DTSC confirming that each covered product complies with the covered PFAS restriction on the sale or distribution of the product that contains regulated PFAS. DTSC will begin enforcing this legislation after July 1, 2030. Given DTSC is the enforcement authority for the above-mentioned covered products, we expect DTSC to release guidance on interpreting AB 1817, AB 652, and AB 1200 in the future.
AB 2515 – This statute prohibits companies from manufacturing, selling, or distributing menstrual products that contain regulated PFAS. “Regulated PFAS” means PFAS “intentionally added to a product” as of January 1, 2025, and will mean “PFAS in a product at or above a limit determined by the department” beginning January 1, 2027. Like AB 347, AB 2515 requires manufacturers to register with DTSC by July 1, 2029, pay a registration fee, and submit a statement of compliance confirming that menstrual products do not contain regulated PFAS.
We expect DTSC to initiate the rulemaking process for both statutes, which would include regulations regarding accepted testing methods for PFAS levels in menstrual products and third-party laboratory accreditations, and regulations to implement, interpret, and enforce the statutes. Both statutes require DTSC to adopt these regulations before January 1, 2029.
Proposition 65
California’s Safe Drinking Water and Toxic Enforcement Act of 1986, Health & Safety Code Section 25249.5 et seq. (“Proposition 65”) prohibits persons in the course of doing business from knowingly and intentionally exposing individuals to certain listed chemicals above a safe harbor level, where one exists, without first providing a “clear and reasonable” warning to such individuals. (Health & Safety Code § 25249.6). The law applies to consumer product exposures, occupational exposures, and environmental exposures that occur in California. Presently, there are approximately 900 listed chemicals known by the State of California to cause cancer, reproductive harm, or both.
In 2025, we will continue to see developments in the implementation and enforcement of this law, of which manufacturers and retailers selling products in California should be aware.
Vinyl Acetate
On December 19, 2024, the Office of Environmental Health Hazard Assessment’s (OEHHA) Carcinogenic Identification Committee (CIC) voted to list vinyl acetate as a carcinogen under Proposition 65. Vinyl acetate is primarily used in glues, plastics, paints, paper coatings, and textiles. Exposure to the chemical can occur through dermal contact, inhalation, or ingestion.
Vinyl acetate was listed despite industry groups claiming that none of the recognized Proposition 65 authoritative bodies consider the chemical to be a carcinogen. OEHHA published evidence of the carcinogenicity of vinyl acetate, which was used by the CIC to support the listing.
Once listed, businesses have 12 months to provide any required warnings.
Warning Labels
Safe harbor regulations provide examples of long-form and short-form warnings deemed “clear and reasonable,” which, if followed, offer businesses an affirmative defense in the event of enforcement. On December 6, 2024, OEHHA amended Proposition 65 to require companies to add at least one chemical name—or the name of two chemicals, if the warning covers both cancer and reproductive toxicity, unless the same chemical is listed for both endpoints—to the short-form warning on the product label for products manufactured and labeled after January 1, 2028. For example:
“[the warning symbol] WARNING: Cancer risk from exposure to [name of chemical]. See www.P65Warnings.ca.gov.”
OEHHA has authorized the continued used of the earlier short-form warning template (that does not name the chemical) for products manufactured and labeled before January 1, 2028:
“[the warning symbol] WARNING: Cancer – www.P65Warnings.ca.gov.”
Manufacturers and retailers selling products in California containing listed chemicals should review their product labeling protocols, as non-compliance may result in an enforcement action. Some manufacturers have employed generic short-form warnings to forestall enforcement actions without determining whether their products actually exposed consumers to listed chemicals. This practice will not be effective after 2027.
Amended Acrylamide Warning Label
On January 1, 2025, OEHHA’s amendments to acrylamide warning label requirements took effect. The new regulation provides:
Warnings must now contain either:
“WARNING”
“CA WARNING”; or
“CALIFORNIA WARNING.”
The warning must be followed by either:
“Consuming this product can expose you to acrylamide;” or
“Consuming this product can expose you to acrylamide, a chemical formed in some foods during cooking or processing at high temperatures.”
The warning must also be followed by at least one of the following:
“The International Agency for Research on Cancer has found that acrylamide is probably carcinogenic to humans;”
“The United States Environmental Protection Agency has found that acrylamide is likely to be carcinogenic to humans;” or
“The United States National Toxicology Program has found that acrylamide is reasonably anticipated to cause cancer in humans.”
The warning may be followed by one or more of the following:
“Acrylamide has been found to cause cancer in laboratory animals”;
“Many factors affect your cancer risk, including the frequency and amount of chemical consumed”’ or
“For more information including ways to reduce your exposure, see www.P65Warnings.ca.gov/acrylamide.”
The newly amended warning language comes after years of ongoing litigation alleging that the previous warning mandate violated the First Amendment (California Chamber of Commerce v. Rob Bonta (2:19-cv-2019 DJC JDP)). Challengers allege that the warning remains unconstitutional as the state has failed to show that the warnings are purely factual and uncontroversial. As described below, the First Amendment is proving to be an effective defense in some circumstances.
Litigation Update: The Personal Care Products Council vs. Rob Bonta
In recent years, the First Amendment has served as a powerful tool for companies subject to Proposition 65 labeling requirements. A 2025 ruling in The Personal Care Products Council vs. Rob Bonta (2:23-cv-01006) will determine the legality of warning labeling requirements regarding titanium dioxide in consumer products. In 2025, the U.S. District Court for the Eastern District of California is poised to rule on the parties’ motions in the case. If the Court grants the Personal Care Products Council’s (PCPC) summary judgment motion, the ruling will have far-reaching impacts on the enforcement of Proposition 65, bolstering the First Amendment defense to Proposition 65 claims where there is a reasonable scientific debate about the hazards of the listed chemical.
The action was brought in 2023 by PCPC a non-profit association of businesses in the cosmetic and personal care products industry, which sued California Attorney General Rob Bonta in his official capacity.
On June 12, 2024, the District Court issued an Order granting PCPC’s request for a preliminary injunction enjoining Bonta and all private enforcers of Proposition 65 from filing new lawsuits to enforce the law’s warning requirement for exposures to titanium dioxide. The District Court agreed with PCPC that the “Prop 65 warning requirements for Listed Titanium Dioxide are not purely factual because they tend to mislead the average consumer” since the warnings may convey a “false and/or misleading message that Listed Titanium Dioxide causes cancer in humans or will increase a consumer’s risk of cancer.” This, according to the District Court, renders PCPC likely to prevail on the merits of its First Amendment claim under Zauderer v. Off. of Disciplinary Couns. of Supreme Ct. of Ohio, 471 U.S. 626 (1985) (government may compel commercial speech so long as it is reasonably related to substantial governmental interest, purely factual, noncontroversial, and not unjustified or unduly burdensome).
PCPC’s pending summary judgment motion was filed on September 10, 2024. If granted, this will be the third case successfully challenging Proposition 65 warnings on First Amendment grounds, with previous cases involving designated glyphosate and acrylamide. See Nat’l. Assoc. of Wheat Growers v. Bonta, 85 F.4th 1263 (9th Cir. 2023); Cal. Chamber of Comm. v. Bonta, 529 F. Supp. 3d 1099 (E.D. Cal. 2021).
Here, the District Court’s June 12, 2024 ruling dramatically halted the prosecution of countless pending claims against cosmetic companies and retailers of cosmetics. A favorable ruling for PCPC in 2025 may embolden companies subject to Proposition 65 requirements to bring an array of constitutional challenges with respect to other designated chemicals, specifically businesses selling products containing a designated chemical where the underlying scientific basis for its designation is controversial. The District Court’s language strongly casts doubt on the constitutionality of “misleading” Proposition 65 labels that lack an adequate scientific basis.
Extended Producer Responsibility (EPR) and Recycling
California continues to pave the way for EPR laws that affect various products. Rulemaking efforts will continue through 2025.
AB 863 – Carpets
Governor Newsom approved AB 863 on September 27, 2024, governing carpet recycling in California. California enacted its first carpet stewardship law in 2010 and has since amended it multiple times. The latest law maintains several basic facets and updates the governance structure of California’s current carpet stewardship program but nominally converts it to a carpet producer responsibility program following the expiration of the current 2023-2027 five-year carpet stewardship plan. The new law punts many specifics of the new program to the discretion of CalRecycle, including performance standards and metrics, key definitions, deadlines, and grounds for approving or revoking an approved plan. CalRecycle must adopt implementing regulations effective no earlier than December 31, 2026. The law purports to deem CalRecycle’s adopted “performance standards” as immune from judicial review under the California Administrative Procedure Act. The law also calls for certain amendments to the existing carpet stewardship plan to be proposed and adopted sooner.
The new law requires all carpet producers doing business in California to form and register with a single producer responsibility organization (PRO). The law requires the PRO to develop a producer responsibility plan for the collection, transportation, recycling, and safe and proper management of covered products in California, along with related public outreach regarding the plan; review the plan at least every five years after approval; and submit annual reports to CalRecycle. An approved plan must be in place within 24 months of the effective date of CalRecycle’s regulations under the new law, which may result in a deadline as early as December 31, 2028. All reports and records must be provided to CalRecycle under penalty of perjury. The law restricts public access to certain information collected for the purpose of administering this program.
The PRO must establish and provide a covered product assessment to be added to the purchase price of a covered product sold in the state by a producer to a California retailer or wholesaler or otherwise sold for use in the state. Each retailer and wholesaler is then required to add the assessment to the purchase price of all covered product sold in the state. This assessment of carpet sales in California parallels existing law. The new law does not specify any other available funding methods for implementing its requirements. The new law also requires the PRO to pay fees to CalRecycle, not to exceed CalRecycle’s actual and reasonable regulatory costs to implement and enforce the program. It further newly requires all carpet sold in California to contain 5% of post-consumer recycled carpet content by 2028, and grants CalRecycle authority to set new rates for 2029 and beyond.
Additionally, the new law requires carpet producers to provide additional information to CalRecycle regarding California carpet sales and compliance with the requirements of an approved plan. CalRecycle must post on its website a list of producers that are in compliance with the requirements of the program. The existing carpet stewardship plan must be amended to allocate 8% of collected assessments to unions for apprenticeship program grants. Compared to current law, penalties for violations increase from $5,000 per day to $10,000 per day, and from $10,000 per day to $25,000 per day if the violation is intentional, knowing, or negligent. CalRecycle may audit a carpet stewardship organization and individual producers annually The law also clarifies that a carpet stewardship organization cannot delegate decision-making responsibility regarding a carpet stewardship plan to a person who is not a member of the organization’s board.
SB 707 – Textiles
In September 2024, California’s legislature enacted the first, and only current, statewide EPR textile program in the U.S. with the Responsible Textile Recovery Act of 2024. The Act requires qualified producers of apparel or textile articles to form and join a PRO that CalRecycle will approve by March 1, 2026. All eligible producers must join the PRO by July 1, 2026. Once formed, the PRO must submit a statewide plan for the collection, transportation, repair, sorting, recycling, and the safe and proper management of covered clothing and textiles to CalRecycle for review. Once the plan is approved, retailers, importers, distributors, and online marketplaces will not be permitted to sell, distribute, offer for sale, or import a covered product into the state unless the producer of the covered product is listed as in compliance. The PRO will charge each participant-producer annual fees for its operation.
By July 1, 2030, or upon approval of the plan, whichever occurs first, noncompliant producers of covered products will be subject to administrative civil penalties up to $50,000 per day.
The Act directs CalRecycle to adopt regulations to implement its provisions with an effective date of no earlier than July 1, 2028. The rulemaking process will be carried out in accordance with California’s Administrative Procedure Act, which provides opportunities for the public, including industry representatives, to shape the policy going forward. Rulemaking efforts associated with SB 707 are not yet listed on CalRecycle’s website, but given the short deadlines imposed by the Act, we can expect updates in the near future.
AB 187 – Mattresses
California’s legislature established the Used Mattress Recovery and Recycling Act (Mattress EPR Act) in 2013 and most recently updated it in 2019. The Mattress EPR Act, which CalRecycle administers, applies to manufacturers, renovators, distributors, and retailers that sell, offer for sale, or import a mattress into California. At least once every five years, the mattress recycling organization reviews the plan for the recovery and recycling of used mattresses and determines whether amendments are necessary. Each year, CalRecycle, through the Mattress Recycling Council, posts lists of compliant manufacturers, renovators, and distributors on its website. If the manufacturer, brand, renovator, or distributor is not on this list, no retailer or distributor may sell a mattress in the state until the department affirms they are in compliance.
CalRecycle may impose an administrative civil penalty of not more than $500 per day on any manufacturer, mattress recycling organization, distributor, recycler, renovator, or retailer violating the Mattress EPR Act. However, if the violation is intentional, knowing, or reckless, the department may impose an administrative civil penalty of not more than $5,000 per day.
SB 551 – Beverage Containers
SB 551, or the California Beverage Container Recycling and Litter Reduction Act, took effect on September 29, 2024 as an urgency statute, necessary for the immediate preservation of the public peace, health, or safety within the meaning of Article IV of the California Constitution. Plastic beverage containers sold by a beverage manufacturer must contain a specified average percentage of post-consumer recycled plastic per year. Manufacturers of beverages sold in a plastic beverage container subject to the California Redemption Value fee must report to CalRecycle certain information about the amounts of virgin plastic and post-consumer recycled plastic used for those containers for sale in California in the previous calendar year. The law authorizes certain beverage manufacturers to submit a consolidated report to CalRecycle with other beverage manufacturers, in lieu of individual reports, if those beverage manufacturers share rights to the same brands or the products of which are distributed, marketed, or manufactured by a single reporting beverage manufacturer. This consolidated report must be submitted under penalty of perjury and pursuant to standardized forms prescribed by CalRecycle.
SB 54 – Plastics and Packaging
At the start of this year, CalRecycle was required to adopt any necessary regulations to implement and enforce its Plastic Pollution Prevention and Packaging Producer Responsibility Act (SB 54). SB 54 imposes EPR on “producers” of packaging materials for achieving the source reduction, recyclability or composability, and recycling rates for their products. Producers may comply with SB 54’s requirements by either joining the Circular Action Alliance (CAA), the PRO selected by the state to administer SB 54, or through assuming individual responsibility for compliance.
CalRecycle met its regulation deadline under SB 54 by publishing the Source Reduction Baseline Report on December 31, 2024, followed by updates to the list of Covered Material Categories regulated by SB 54 on January 1, 2025. The updates to the Covered Material Categories include an increase in materials considered to be “recyclable” or “compostable” while the Source Reduction Baseline Report establishes a baseline measurement for the Department and CAA to define source reduction targets, develop plans and budgets, and the track progress of SB 54’s implementation.
On January 1, 2025, SB 54’s prohibition on the sale, distribution, or importation of expanded polystyrene (EPS) food service items—unless the producer can demonstrate that all EPS used in the state meets a recycling rate of least 25%—went into effect. EPS food service producers may now be subject to notices of violation from CalRecycle and enforcement of penalties for noncompliance of up to $50,000 per violation, per day. Recycling rate mandates for plastic-covered materials do not go into effect until 2028.
SB 1143 – Paint
In September 2024, California enacted SB 1143, which expands the state’s existing Architectural Paint Recovery Program to include a wider range of paint products. “Paint product” is now defined to include interior and exterior architectural coatings, aerosol coating products, nonindustrial coatings, and coating-related products sold in containers of five gallons or less for commercial or homeowner use.
The law tasks CalRecycle with administering the program and approving a stewardship plan for the newly covered paint products. Retailers, importers, distributors, and online marketplaces will be prohibited from selling, offering for sale, or importing these products in California unless the producers are in compliance with the stewardship plan. Producers may comply with SB 1143 requirements by either joining PaintCare, the only recognized paint stewardship organization representing paint manufacturers in California, or through assuming individual responsibility for compliance.
All eligible products must comply with the new requirements by January 1, 2028, or an earlier date set by an approved stewardship plan. By July 1, 2030, or upon approval of the plan, whichever comes first, noncompliant producers will face administrative civil penalties up to $50,000 per day.
Climate Regulation
SB 261 and SB 253
After a year of uncertainty driven by budget constraints, California seems poised to implement its climate disclosure laws (SB 261 and SB 253) that were first passed in 2023. In September 2024, the Legislature passed SB 219, which granted the California Air Resources Board (CARB) a 6-month extension to issue the requisite rules that must be adopted by no later than July 1, 2025. CARB is responsible for administering SB 261 and SB 253.
On December 16, 2024, CARB posted an Information Solicitation that calls for public comments on the implementation of the laws and related issues. The Information Solicitation also invites input on key aspects of the climate disclosure framework that have been subject to speculation since the laws were enacted, such as the definition of “entity that does business in California” (clarifying the cohort within the scope of the laws); the methods for measuring and reporting scope 1, scope 2, and scope 3 emissions; and third-party verification and assurance requirements. The deadline to submit comments through CARB’s website is February 14, 2025.
Cal Chamber v. CARB
On January 30, 2024, the U.S. Chamber of Commerce and other business groups filed Chamber of Commerce of the United States of America et al. v. California Air Resources Board (CARB) et al., No. 2:24-cv-00801 (C.D. Cal. 2024) challenging SB 253 and SB 261 for violation of the First Amendment, the Supremacy Clause, and the U.S. Constitution’s limitations on extraterritorial regulation, including the dormant Commerce Clause.
Regarding the First Amendment facial challenge, the Plaintiffs alleged the laws “compel companies to publicly express a speculative, noncommercial, controversial, and politically-charged message that they otherwise would not express.” Concerning the Supremacy Clause, they argued that by requiring companies to make speculative public statements about emissions and climate-related financial risk, the laws enable “activists and policymakers to single out companies,” pressuring them to reduce emissions within and outside California. As for the constitutional claims, the Plaintiffs alleged that California lacks authority to regulate greenhouse gas emissions outside of the state and that the laws are invalid under the U.S. Constitution’s limitations on extraterritorial regulation because they heavily intrude on Congress’s authority to regulate interstate and foreign commerce.
To expedite the District Court’s ruling, the Plaintiffs moved for summary judgment on the First Amendment challenge. Simultaneously, CARB moved to dismiss the Plaintiffs’ Supremacy Clause and extraterritorial regulation claims. On November 5, 2024, the District Court denied the Plaintiffs’ motion. The Court held that the First Amendment applied to SB 253 and 261; however, it concluded that the constitutional challenge involves factual questions that go beyond pure legal analysis and thus, completing a “fact-driven task” was necessary to decide which of the laws’ applications violate the First Amendment. It held that further discovery is required to complete this “fact-driven” task.
The District Court indicated that it would address CARB’s motion to dismiss in a separate order. That motion is pending as of the date of this publication.
SB 1383 – Organic Waste & Food Collection
Since CalRecycle adopted regulations implementing SB 1383, California communities have made progress in diverting and reducing the disposal of organic waste and thereby reducing the amount of methane emissions from landfills. According to California’s Short-Lived Climate Pollutant Reduction Strategy, 93% of jurisdictions with requirements for collection reported having residential organics collection, and 100% of California communities expanded programs to send still-fresh, unsold food to Californians in need, reducing the waste large food businesses send to landfills every year. Through SB 619, 126 jurisdictions have been granted additional time to comply with SB 1383 regulations.
While progress has been made, local jurisdictions continue to struggle to meet the law’s mandates (namely, reduce organic waste disposal by 75% and reduce edible food waste by 20% by 2025). Rather than revising those mandates or pausing the implementation of SB 1383 to ensure jurisdictions weren’t sanctioned for missing implementation deadlines, the legislature enacted a number of laws to address some of the concerns raised by the regulated community. These include SB 2902, AB 2346, and SB 1046.
SB 2902 extends the rural jurisdiction exemption to comply with organics collection and procurement requirements until January 1, 2027. AB 2346 allows jurisdictions to count specified compost products toward their goals and adopt a five-year procurement target instead of annual goals, and SB 1046 directs CalRecycle to create a programmatic environmental impact report for small to medium composting facilities, aiding local governments and composters by streamlining permitting.
Although CalRecycle initiated formal enforcement actions in 2024, there is no indication that the agency has fined or sanctioned any jurisdiction for non-compliance. As the 2025 target date has now passed, expect enforcement efforts to increase in the months and years ahead.
Energy Efficiency Standards
As covered in our December 10, 2024 news alert, manufacturers and sellers of consumer products in California should be aware that the California Energy Commission continues to bring more enforcement actions and assess large civil penalties for violations of its Title 20 Appliance Efficiency Program. At a time when federal appliance efficiency standard enforcement is expected to recede due to the recent presidential election and imminent transition, California enforcement is likely to continue to grow. Regulated businesses, therefore, should pay increasing attention to Title 20 compliance, not only to avoid large fines but also to ensure continued access to their products in the lucrative California market.
Stationary Source Regulation
AB 1465 – Air Quality Management Districts (AQMDs) Granted Authority to Seek Triple Penalties
For years, the penalty ceilings in California’s Health & Safety Code have limited the ability of California’s regional AQMDs to collect civil penalties for rule violations. Starting January 1, 2025, AB 1465 tripled these ceilings. For example, the typical maximum penalty for strict liability violations—previously $12,090 per violation—has escalated to $36,270 per violation. The new law also requires that air districts (or a court) consider items like health impacts and community disruptions when evaluating penalty amounts (in addition to other factors required to be considered by law). These elevated ceilings only apply to stationary sources that have a Federal Clean Air Act Title V permit and emit certain defined compounds. How air districts will wield this new authority has yet to be seen, but we expect to see increasing penalties for many sources as a result.
Indirect Source Rules Will Continue to be a Hot Topic
While regional air districts are generally limited in their legal authority to regulate mobile sources (that authority is reserved for California’s state air regulator, CARB), indirect source rules (regulation of stationary sources that attract emissions from mobile sources) have received renewed attention as a means by which air districts seek to curb air pollution. With the incoming Trump administration signaling its intent to limit California’s ability to regulate mobile sources, air districts will likely be incentivized to find creative ways to indirectly regulate mobile sources within their districts.
In 2024, the South Coast AQMD received U.S. Environmental Protection Agency (EPA) approval to include such an indirect source rule (ISR) for warehouses as part of its state implementation plan. South Coast AQMD also adopted an ISR in 2024 applicable to rail yards and has been working on a rule applicable to ports for years, which it promises to bring before its board for approval in 2025.
Perhaps observing the South Coast AQMD’s recent ISR adoptions, the Bay Area AQMD also included an ISR in its 2025 rulemaking forecast. However, exactly what such a rule for this district might look like or what source it might seek to regulate remains to be seen.
New National Ambient Air Quality Standard for PM 2.5 Will Likely Drive Rulemaking Activity
California’s major regional air quality districts (the Bay Area AQMD, the South Coast AQMD, and the San Joaquin Valley Air Pollution Control District) have jurisdiction over areas considered to be in non-attainment of national standards regarding particulate matter (PM) 2.5. Areas in persistent non-attainment status risk federal sanctions and the loss of federal highway funding. In early 2024, EPA tightened the PM 2.5 standards even further. As a result, some air districts may consider rulemakings designed to reduce PM2.5 pollution within their jurisdictions. Given that mobile sources are a major contributor of this pollutant, ISR options may become even more appealing in 2025 and beyond.
Mobile Source Regulation
The Clean Air Act preempts states from adopting their own emission standards for new motor vehicles and new motor vehicle engines. However, Section 209 of the Clean Air Act allows California to set its own emissions standards if EPA grants a waiver from the federal preemption or EPA authorizes California to enforce its own standards despite the preemption. In the past year, CARB submitted requests for waiver or authorization for several regulations.
Advanced Clean Fleets Regulation – This regulation applies to trucks performing drayage operations at seaports and railyards; fleets owned by State, local, and federal government agencies; and high-priority fleets that are entities that own, operate, or direct at least one vehicle in California and that have either $50 million or more in gross annual revenue, or that own, operate, or have common ownership or control of a total of 50 or more vehicles. The regulation imposes restrictions on purchasing internal combustion engines, requires fleet owners to phase in zero-emission vehicles (ZEVs) or near-ZEVs beginning in 2024, and imposes reporting and recordkeeping requirements on fleet owners and operators. On January 13, 2025, CARB withdrew the request for waiver and authorization. In a response letter, EPA stated that it, therefore, “considers the matter closed.”
In-Use Locomotive Standards – The regulation has four primary, interrelated components: (1) imposes restrictions on the operation of any locomotive that is “23 years or older” from the original engine build date unless the locomotive exclusively operates in zero-emission configuration within California; (2) requires railroads to make annual deposits into a “Spending Account” based on the locomotive’s emissions in California in the prior year and imposes restrictions on the use of funds in the “Spending Account”; (3) imposes idling requirements that would regulate a locomotive’s function and maintenance; and (4) imposes registration, reporting, and recordkeeping requirements, including the requirement to annually report emissions information for non-zero emissions locomotives. On January 13, 2025, CARB withdrew the request for waiver and authorization. By response letter, EPA stated it therefore “considers this matter closed.”
Amendments to the Small Off-Road Engines Regulations – The amendments include improvements to evaporative emissions certification procedures, revise the compliance testing procedure, update the evaporative emissions certification test fuel to represent commercially available gasoline, and align aspects of the regulation requirements with the corresponding federal requirements. EPA granted the authorization request on December 19, 2024.
The “Omnibus” Low NOx Regulation – The regulation establishes the next generation of exhaust emission standards for nitrogen oxides (NOx), PM, and other emission-related requirements for new 2024 and subsequent model year on-road medium- and heavy-duty engines and vehicles. EPA granted the authorization request on December 17, 2024.
Advanced Clean Cars II Program – The regulations amend the Zero-emission Vehicle Regulation to require an increasing number of ZEVs and amends the Low-emission Vehicle Regulations to include increasingly stringent particulate matter, Nox, and hydrocarbon standards for gasoline cars and heavier passenger trucks to continue to reduce smog-forming emissions. EPA granted the authorization request on January 6, 2025.
Amendments to California’s In-Use Off-Road Diesel-Fueled Fleets regulation – The amendments will require fleets to phase out use of the oldest and highest polluting offroad diesel vehicles in California, prohibit the addition of high-emitting vehicles to a fleet, and require the use of R99 or R100 renewable diesel in off-road diesel vehicles. EPA granted the authorization request on January 3, 2025.
If the current EPA administration does not grant the pending waiver requests, then it is unclear how EPA under the Trump administration will decide on the waiver requests. Our November 6, 2024 news alert discusses these waiver issues in more detail.
CARB also enacted the zero-emission forklift regulation on August 2, 2024. The regulation accelerates the transition towards zero-emission forklifts by restricting fleet operators/owners from owning, possessing, and operating Large Spark Ignition (LSI) forklifts starting on January 1, 2026, and requiring fleet operators to phase out Class IV LSI forklifts of any rated capacity, as well as Class V LSI Forklifts with rated capacity less than 12,000 pounds according to the compliance schedule in the Regulation. These forklifts will need to be phased out by January 1, 2038.
Cal/OSHA Developments
Cal/OSHA Lead Exposure Regulations
The California Division of Occupational Safety and Health’s (Cal/OSHA) updated lead standards, which were approved on February 15, 2024, and went into effect on January 1, 2025. These apply to both general and construction worksites and replace standards that are decades old, based on data from over 40 years ago. The amended standards modify the permissible exposure limit (PEL), action level (AL), workplace hygiene practices, and medical surveillance requirements relating to lead in the workplace.
The reduction of the PEL and AL is significant; the threshold that triggers various regulatory requirements is now considerably lower. Many new industries will likely be covered. The PEL is now 10 µg/m3 (8-hour-time weighted average), an 80% reduction from the earlier PEL (50 µg/m3). The AL is now 2 µg/m3, a 93% drop from the prior AL (30 µg/m3).
Regulations for General Industry now define certain tasks as “Presumed Significant Lead Work” (PSLW). Until employers perform an employee exposure assessment, they are required to provide employees performing PSLW with interim protections.
For the construction industry, the regulations also define various “trigger tasks” levels, which assume a certain level of employee exposure. These “triggers” require protective measures for employees performing these tasks until an employee exposure assessment is completed.
Cal/OSHA Silica Emergency Temporary Standard
Cal/OSHA stated that California is experiencing a “silicosis epidemic” among artificial stone fabrication workers. In December 2023, the Occupational Safety and Health Standards Board (OSHB) approved the Emergency Temporary Standard (ETS) on Respirable Crystalline Silica (RCS) in response to these circumstances. The ETS intends to protect employees working with artificial and natural stone containing more than 10% crystalline silica. Additional protections apply to workers performing “high exposure trigger tasks.”
On December 19, 2024, OSHB voted unanimously to make the Silica ETS permanent. The decision is a step towards making these emergency measures permanent. The current proposal continues the protections the ETS has introduced, with some changes. These include a new medical removal subsection and updates to the medical surveillance subsection.
The proposed medical removal provisions provide protections to employees when a physician or other licensed healthcare professional (PLHCP) recommends that they be removed from a job assignment or that the job be modified to reduce exposure to RCS. The proposed updates to the medical surveillance provisions include specific medical procedures to be conducted for the required initial and periodic examinations. PLCHPs and specialists would also be required to submit certain information to the California Department of Public Health for each silica medical examination conducted.
The Office of Administrative Law has 30 days to approve or deny the proposal. We expect a decision in mid-January 2025.
Cal/OSHA Increases Staffing for Its Bureau of Investigations Unit
In August 2024, Cal/OSHA announced that it had increased staffing for its Bureau of Investigations (BOI) unit. Cal/OSHA says this would “allow BOI to tackle more cases and ensure that the most negligent of employers are held accountable.”
The BOI is responsible for investigating employee fatality and serious injury cases, and preparing and referring cases to local and state prosecutors for criminal prosecution. Cal/OSHA was criticized in early 2024 for the short-staffed status of BOI. Given the recently enhanced staffing, employers should expect that BOI investigations will likely increase in 2025.
Bird Flu
On December 18, 2024, Governor Newsom declared a state of emergency for Avian influenza (H5N1) (“bird flu”) in California. On December 27, 2024, the Division of Workers’ Compensation (DWC) advised employers and healthcare professionals to look for occupational cases of bird flu. There have been no cases of human-to-human transmission in California—nearly all affected persons had exposure to infected cattle. In light of DWC’s recommendations, employers should nevertheless review Cal/OSHA’s guidance on bird flu for employers.
Water Rights, Tribal Issues, Public Lands, Endangered Species
Threatened Species Listing of Monarch Butterfly
On December 12, 2024, the U.S. Fish and Wildlife Service (FWS) proposed listing the monarch butterfly as a threatened species with a special section 4(d) rule under the Endangered Species Act (ESA). The special 4(d) rule would provide very narrow exemptions to the ESA’s broad prohibition on unauthorized take for certain types of activities that may otherwise impact the species. FWS also proposed designating nearly 4,500 acres in California as critical habitat that would extend from the California Bay Area’s Marin County down the state’s western coast to Ventura County north of Los Angeles.
If finalized as proposed, this listing would stand as the largest listing decision in ESA history, affecting the entire lower forty-eight states. FWS is receiving public comment through March 12, 2025.
Central Valley Project and State Water Project
The U.S. Bureau of Reclamation (Reclamation)’s Central Valley Project (CVP), which is operated jointly with the California Department of Water Resources’ State Water Project (SWP), manages the collection, storage, and transport of many millions of acre-feet of water through the Central Valley for delivery to irrigators and municipalities and to meet state and federal ecological and species requirements. In 2018, California finalized revisions to its Water Quality Control Plan for the San Francisco Bay and San Joaquin-Sacramento River Delta (Bay-Delta) to require that more flows from the San Joaquin and Sacramento Rivers would reach the Bay-Delta for water quality and fish and wildlife enhancement, accordingly reducing water supplies for agricultural irrigators. In 2019, the previous Trump administration responded by committing to increasing CVP water supplies for agricultural users through changes to long-term operations of the CVP, pursuant to a 2019 ESA biological opinion or “BiOp.”
These ESA changes were promptly challenged by California and environmental organizations as insufficiently protective of Bay-Delta salmon and smelt populations, habitats, and spawning activities. They were first enjoined by federal court and later remanded to the National Marine Fisheries Service (NMFS) and FWS under the Biden administration. The cases were stayed during NMFS and FWS’s reconsideration of new CVP and SWP operating rules, in favor of an interim operations plan (IOP), which was extended through December 2024 to allow for the issuance of new CVP and SWP BiOps. See March 28, 2024 Order in Pacific Coast Federation of Fishermen’s Associations v. Raimondo, Civ. Nos. 20-00426, -00431 (E.D. Cal.). On December 20, 2024, on the verge of another change in administration, Reclamation issued its Record of Decision for the “Long-Term Operation of the Central Valley Project and State Water Project” based on 2024 BiOps, to mixed reviews from environmentalists and water users alike. It is likely that these new “California water rules” will spark new rounds of both litigation challenges and regulatory reconsideration in 2025.
Yurok Tribe v. Klamath Water Users Association
In this appeal before the Ninth Circuit (Nos. 23-15499 and 23-15521, consolidated), the Klamath Water Users Association (KWA) and Klamath Irrigation District (KID) sought review of a 2023 federal district court decision holding that an Oregon Water Resources Department (OWRD) order prohibiting Reclamation from releasing stored water subject to adjudicated irrigation rights from Upper Klamath Lake to protect and restore endangered fish species was preempted by the ESA. KWA and KID had sought declaratory relief that the ESA does not authorize Reclamation to release water from Upper Klamath Lake, arguing that the case does not involve any issue of preemption, because Reclamation does not have authority under its enabling act to appropriate rights to use water in violation of Oregon law, and the ESA does not expand these Reclamation authorities. OWRD subsequently withdrew its order.
The Ninth Circuit heard oral argument on June 12, 2024, but the court, just prior to the hearing, indicated that it perceived potential jurisdictional issues due to the OWRD withdrawal having mooted the initial challenge to its order. At oral argument, KID urged the court to certify key questions to the Oregon Supreme Court concerning Reclamation’s authority to use and control the use of water under Oregon law, arguing that Oregon’s water rights and laws governing the use and control of water in Upper Klamath Lake were established long before the ESA was enacted, that Section 8 of the Reclamation Act mandates compliance with state water law and water rights, and that controlling precedent makes clear that state law governs whether Reclamation has authority or discretion to meet its ESA obligations using stored irrigation water subject to adjudicated water rights. Therefore, these state law questions should be addressed independently of the federal question of Reclamation’s ESA obligations and their preemptive consequences. Briefing on KID’s motion for certification continued into December 2024, so a Ninth Circuit ruling on the merits, or as to whether the questions will proceed for now in state or federal court, can be expected in 2025.
Water
On November 20, 2024, EPA Region 9 published in the Federal Register its Final Designation of formerly unregulated stormwater discharges from commercial, industrial, and institutional (CII) properties for required National Pollutant Discharge Elimination System (NPDES) stormwater permitting. The designation applies to CII facilities consisting of five or more acres of impermeable surfaces (in the case of unpermitted facilities) or five or more total acres (in the case of unpermitted portions of facilities already holding a NPDES permit and no exposure certificate, and in the case of non-notice of non-applicability (NONA) covered portions of facilities with a NONA) in two watersheds in the Los Angeles County area. This expansion of stormwater regulation is a joint effort between EPA Region 9 and the Los Angeles Regional Water Quality Control Board. The Water Board prepared the corresponding draft CII General Permit and is expected to hold a public hearing on the draft permit now that EPA’s designation is final.
The incoming Trump administration may reevaluate the Final Designation and consider rescinding it, but it may take some time for new EPA staffers to address this action. In the interim, it will be critical for parties adversely affected by the Final Designation to expeditiously seek judicial review—and a stay or preliminary injunction—to protect their interests.
Additional Authors: Gary J. Smith, Patrick J. Redmond, Leticia E. Duarte, Sara M. Eddy, Gabriela Espir, Jeremy D. Faulkner, Nicole L. Garson, Ragini Gupta, Lauren M. Lankenau, Sharon Mathew, Claire S. McLeod Ruiz, Lauren M. Murvihill, and Megan V. Unger
Transferring U.S. Data Overseas? Consider Whether the DOJ’s Bulk Data Regulations or PADFA May Apply to Your Organization
Though attempts to pass comprehensive federal consumer privacy legislation again stalled in 2024, efforts targeted at addressing national security-related privacy concerns had more success. Along with the Protecting Americans from Foreign Adversary Controlled Applications Act, Congress passed the Protecting Americans’ Data from Foreign Adversaries Act (“PADFA”) as part of a sweeping foreign aid bill, which was subsequently signed into law by President Biden on April 23, 2024. PADFA, which went into effect on June 24, 2024, followed President Biden’s Feb. 2024 Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“EO”), under which the Department of Justice was directed to establish and implement regulations (initially reported by SPB here). The DOJ’s rulemaking process, which began in late fall of last year, culminated in the issuance of a final rule (“Bulk Data Regs”) on December 27, 2024, and publication of the same in the Federal Register on January 4, 2025. The Bulk Data Regs largely become effective 90 days after publication in the Federal Register, on April 4, with certain provisions going into effect 270 days following publication.
Below, we provide a discussion of various key aspects of PADFA and the Bulk Data Regs and key considerations to bear in mind, including with respect to the scope of application, covered data, service provider/vendor transfers, security requirements, downstream transfer and diligence obligations, and important exemptions provided under each. Further below, we provide a table for handy reference with select definitions and information from each legal regime.
At first blush, given their focus on national security and sensitive data, PADFA and the Bulk Data Regs would appear to apply to a limited slice of companies in the U.S. that do business with certain foreign adversaries or countries of concern, or persons or companies related to them. However, upon a deeper look, these regimes provide extremely broad definitions of “sensitive” data and offer potential applicability to any U.S. business transferring data overseas (the Bulk Data Regs in particular), including multi-national companies that transfer data between and among affiliated companies throughout the world. As a result, U.S.-based and multi-national companies that do business or transfer U.S. data overseas, whether to adversarial countries like China and Russia or elsewhere, should carefully review PADFA and the Bulk Data Regs to understand whether and to what extent these legal regimes may apply to their organizations.
If you have any questions, please reach out to the author or your SPB relationship partner.
Scope of ApplicationPADFA only applies to “data brokers” that transfer “personally identifiable sensitive data” to certain foreign adversaries or persons located in, or controlled by, foreign adversaries, namely China, Russia, Iran, and North Korea. The Bulk Data Regs potentially apply to any U.S. entity that transfers “government-related data” or “bulk” “sensitive personal data” overseas, including other than to countries of concern or “covered persons.” A “covered person” under the Bulk Data Regs includes a foreign entity that is 50% owned, directly or indirectly, by an entity that is organized/chartered under the laws of, or has a principal place of business in, a country of concern. (This definition is broader and more nuanced but squarely covers entities that are majority-owned by individuals/entities in China or other countries of concern. See table below.) The Bulk Data Regs’ countries of concern consist of China (incl. Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
Under PADFA, “data broker” is provided a similar definition to those found under U.S. state data broker laws, covering entities that collect and sell or otherwise make available data regarding individuals from whom the entity did not collect directly (see the table below for the definition). On the other hand, the Bulk Data Regs’ concept of “data brokerage” focuses on the lack of a direct relationship between the data subject and the entity receiving the data from the U.S. entity.
Covered DataBoth PADFA and the Bulk Data Regs are incredibly far-reaching when it comes to their respective covered data definitions, providing “sensitive” data terms that are much broader than those found in state consumer privacy laws. As to the Bulk Data Regs’ “sensitive personal data”, certain thresholds must be met (e.g., 1,000 devices for precise geolocation data, 100,000 individuals for “covered identifiers”) to invoke its requirements, which may serve to exclude from its scope companies making incidental transfers of certain sensitive data. However, it is worth noting that the definition of “bulk” is somewhat contrary to the common notion of the term since, for some types of data, the threshold is quite low (e.g., 1,000 data subjects for precise geo, biometric, and human ‘omic data). In any event, the thresholds may not help companies in data-intensive industries such as advertising technology in avoiding the reach of the Bulk Data Regs. The Bulk Data Regs’ thresholds do not apply to “government-related data” such that any transfer of such data to countries of concern or covered persons falls within its scope.
Transfers to Service Providers and Vendors; Security RequirementsPADFA exempts transfers to “service providers” from its scope of restricted transfer. The definition of “service provider” includes entities that would typically qualify as service providers and processors under other legal schemes, namely entities that receive data from or on behalf of a data controller and that collect, process, or transfer data on behalf of, and at the direction of, the data controller (provided that the data controller is not a foreign adversary country or controlled by a foreign adversary country) (see the service provider definition in the “exemptions” section of the table below).
The Bulk Data Regs explicitly prohibit transfers of certain data made pursuant to “vendor agreements,” subject to an exemption where the U.S. entity imposes specific security requirements on the vendor. Notably, this exemption does not apply to transfers of bulk “human ‘omic data”. The security requirements exemption also applies to covered data transactions involving employment agreements and investment agreements. The applicable security requirements were promulgated in parallel by the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), which is part of the U.S. Department of Homeland Security. PADFA does not require entities to impose security requirements on service providers.
Downstream Transfer and Diligence ObligationsIn addition to the restrictions on certain transfers to countries of concern and covered persons, the Bulk Data Regs require U.S. entities to contractually restrict “foreign person”-recipients of covered data in “data brokerage” transactions from transferring such data to countries of concern and covered persons, and to implement a diligence and reporting program for violations of recipients’ obligations. As a result, this aspect of the Bulk Data Regs may impose compliance obligations, including ongoing diligence on overseas data transfers, on a broad swath of U.S. entities, even if they do not do business with countries of concern or covered persons. PADFA does not impose similar obligations.
ExemptionsThe Bulk Data Regs provide a number of exemptions for various transactions or transfers, including those related to official business of the U.S. government, transactions “ordinarily incident to and part of the provision of financial services”; corporate group transactions; “Transactions required or authorized by Federal law or international agreements, or necessary for compliance with Federal law”; investment agreements subject to a CFIUS action”; and transactions “ordinarily incident to and part of the provision of telecommunications services”. While many of these exemptions may necessitate a deeper look for various companies, U.S. companies that are subsidiaries of companies in China or other countries of concern, or U.S. companies that otherwise have affiliates in such countries, should carefully consider the corporate group transaction exemption. This provision exempts from much of the regulations’ scope data transactions between U.S. entities and subsidiaries or affiliates located in or otherwise subject to the ownership, direction, jurisdiction, or control of a country of concern and that are ordinarily incident to and part of administrative or ancillary business operations (including HR, payroll and other corporate financial activities, sharing data with advisors for regulatory compliance, business travel, employee benefits, and employee communications).
PADFA does not have similar exemptions, though there are a number of activities that exclude entities from the definition of data broker, including transfers to service providers as discussed above, as well as data-level exemptions such as those for certain publicly available information. These are laid out further in the table below.
Key Concepts and Definitions
Bulk Data Regs
PADFA
Prohibited Activities
The Bulk Data Regs make it illegal to knowingly engage in a covered data transaction involving data brokerage with a country of concern or covered person.
Covered Data TransactionA covered data transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves:(1) Data brokerage;(2) A vendor agreement;(3) An employment agreement; or(4) An investment agreement.
Under PADFA, it is unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual to–(1) any foreign adversary country; or (2) any entity that is controlled by a foreign adversary.
Data broker definition
“Data brokerage” means the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. (There is no definition of “data broker.”)
A “data broker” is defined as an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.
Covered Data
The Bulk Data Regs regulate covered transactions involving government-related data and bulk sensitive personal data.
Government-Related Data(1) Any precise geolocation data, regardless of volume, for any location enumerated on the “Government-Related Location Data List” in the Bulk Data Regs.(2) Any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and Intelligence Community.
Sensitive Personal DataThe term sensitive personal data means covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof.
Covered Personal IdentifiersThe term covered personal identifiers means any listed identifier: (1) In combination with any other listed identifier; or (2) In combination with other data that is disclosed by a transacting party pursuant to the transaction such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data. (b) Exclusion. The term covered personal identifiers excludes: (1) Demographic or contact data that is linked only to other demographic or contact data (such as first and last name, birthplace, ZIP code, residential street or postal address, phone number, and email address and similar public account identifiers); and (2) A network-based identifier, account-authentication data, or call-detail data that is linked only to other network-based identifier, account-authentication data, or call detail data as necessary for the provision of telecommunications, networking, or similar service.
Listed IdentifierThe term listed identifier means any piece of data in any of the following data fields: (a) Full or truncated government identification or account number (such as a Social Security number, driver’s license or State identification number, passport number, or Alien Registration Number); (b) Full financial account numbers or personal identification numbers associated with a financial institution or financial-services company; (c) Device-based or hardware-based identifier (such as International Mobile Equipment Identity (“IMEI”), Media Access Control (“MAC”) address, or Subscriber Identity Module (“SIM”) card number); (d) Demographic or contact data (such as first and last name, birth date, birthplace, ZIP code, residential street or postal address, phone number, email address, or similar public account identifiers); (e) Advertising identifier (such as Google Advertising ID, Apple ID for Advertisers, or other mobile advertising ID (“MAID”)); (f) Account-authentication data (such as account username, account password, or an answer to security questions); (g) Network-based identifier (such as Internet Protocol (“IP”) address or cookie data); or (h) Call-detail data (such as Customer Proprietary Network Information (“CPNI”)).
Personal Financial DataThe term personal financial data means data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a “consumer report” (as defined in 15 U.S.C. 1681a(d)).
Personal Health DataThe term personal health data means health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual. This term includes basic physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms, and allergies); social, psychological, behavioral, and medical diagnostic, intervention, and treatment history; test results; logs of exercise habits; immunization data; data on reproductive and sexual health; and data on the use or purchase of prescribed medications.
Human ‘Omic DataThe term human ‘omic data means human genomic data, human epigenomic data, human proteomic data, and human transcriptomic data, but excludes pathogen-specific data embedded in human ‘omic data sets.
BulkThe term bulk means any amount of sensitive personal data that meets or exceeds the following thresholds at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person: (a) Human ‘omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons; (b) Biometric identifiers collected about or maintained on more than 1,000 U.S. persons; (c) Precise geolocation data collected about or maintained on more than 1,000 U.S. devices; (d) Personal health data collected about or maintained on more than 10,000 U.S. persons; (e) Personal financial data collected about or maintained on more than 10,000 U.S. persons; (f) Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons; or (g) Combined data, meaning any collection or set of data that contains more than one of the categories in paragraphs (a) through (g) of this section, or that contains any listed identifier linked to categories in paragraphs (a) through (e) of this section, where any individual data type meets the threshold number of persons or devices collected or maintained in the aggregate for the lowest number of U.S. persons or U.S. devices in that category of data.
ExclusionsThe term sensitive personal data, and each of the categories of sensitive personal data, excludes: (1) Public or nonpublic data that does not relate to an individual, including such data that meets the definition of a “trade secret” (as defined in 18 U.S.C. 1839(3)) or “proprietary information” (as defined in 50 U.S.C. 1708(d)(7)); (2) Data that is, at the time of the transaction, lawfully available to the public from a Federal, State, or local government record (such as court records) or in widely distributed media (such as sources that are generally available to the public through unrestricted and open-access repositories); (3) Personal communications; and (4) Information or informational materials and ordinarily associated metadata or metadata reasonably necessary to enable the transmission or dissemination of such information or informational materials.
(5) Personally identifiable sensitive data -The term `personally identifiable sensitive data” means any sensitive data that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual. This is much broader than the Bulk Data Regs, in part because it does not require a certain volume of data.
(7) Sensitive data. — The term “sensitive data” includes the following:• (A) A government-issued identifier, such as a Social Security number, passport number, or driver’s license number.• (B) Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual.• (C) A financial account number, debit card number, credit card number, or information that describes or reveals the income level or bank account balances of an individual.• (D) Biometric information.• (E) Genetic information.• (F) Precise geolocation information.• (G) An individual’s private communications such as voicemails, emails, texts, direct messages, mail, voice communications, and video communications, or information identifying the parties to such communications or pertaining to the transmission of such communications, including telephone numbers called, telephone numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call.• (H) Account or device log-in credentials, or security or access codes for an account or device.• (I) Information identifying the sexual behavior of an individual.• (J) Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual’s device or is accessible from that device and is backed up in a separate location.• (K) A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.• (L) Information revealing the video content requested or selected by an individual.• (M) Information about an individual under the age of 17.• (O) Information identifying an individual’s online activities over time and across websites or online services.• (P) Information that reveals the status of an individual as a member of the Armed Forces.(Q) Any other data that a data broker sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available to a foreign adversary country, or entity that is controlled by a foreign adversary, for the purpose of identifying the types of data listed in subparagraphs (A) through (P).
Covered data recipients
The term covered person means: (1) A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern or persons described in paragraph (a)(2) of this section; or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern; (2) A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in paragraphs (a)(1), (3), (4), or (5) of this section; (3) A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in paragraphs (a)(1), (2), or (5) of this section; (4) A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or (5) Any person, wherever located, determined by the Attorney General: (i) To be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person; (ii) To act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or (iii) To have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.
Countries of concern = China (incl. Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
“Person” means an individual or entity.
“Foreign person” means any person that is not a U.S. person.
“U.S. person” means any United States citizen, national, or lawful permanent resident; any individual admitted to the United States as a refugee under 8 U.S.C. 1157 or granted asylum under 8 U.S.C. 1158; any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person in the United States.
“Foreign adversary” = China, Russia, Iran, and North Korea.
The term “controlled by a foreign adversary” means, with respect to an individual or entity, that such individual or entity is– (A) a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country; (B) an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly own at least a 20 percent stake; or (C) a person subject to the direction or control of a foreign person or entity described in subparagraph (A) or (B).
Notable Exemptions
The Final Rule provides a number of exemptions:• Personal communications;• Information or informational materials;• Travel;• Official business of the U.S. government;• Transactions “ordinarily incident to and part of the provision of financial services”;• Corporate group transactions;• “Transactions required or authorized by Federal law or international agreements, or necessary for compliance with Federal law”;• Investment agreements subject to a CFIUS action”;• Transactions “ordinarily incident to and part of the provision of telecommunications services”;• “Drug, biological product, and medical device authorizations”; and• “Other clinical investigations and post-marketing surveillance data.”
(B) Exclusion.–The term “data broker” does not include an entity to the extent such entity–(i) is transmitting data of a United States individual, including communications of such an individual, at the request or direction of such individual, (ii) is providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service; (iii) is reporting or publishing news or information that concerns local, national, or international events or other matters of public interest; (iv) is reporting, publishing, or otherwise making available news or information that is available to the general public–(I) including information from–(aa) a book, magazine, telephone book, or online directory; (bb) a motion picture; (cc) a television, internet, or radio program; (dd) the news media; or (ee) an internet site that is available to the general public on an unrestricted basis; and (II) not including an obscene visual depiction (as such term is used in section 1460 of title 18, United States Code); or (v) is acting as a service provider.
(8) Service provider.–The term “service provider” means an entity that– (A) collects, processes, or transfers data on behalf of, and at the direction of– (i) an individual or entity that is not a foreign adversary country or controlled by a foreign adversary; or (ii) a Federal, State, Tribal, territorial, or local government entity; and (B) receives data from or on behalf of an individual or entity described in subparagraph (A)(i) or a Federal, State, Tribal, territorial, or local government entity.
Enforcement and Penalties
The Bulk Data Regs are enforced by the Dept. of Justice, and allow for the imposition of both civil and criminal penalties.
Current maximum civil penalties are not to exceed the greater of $368,136 or an amount that is twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed.
Potential criminal fines and imprisonment are available for willful violations of the regulations. In particular, a maximum of $1,000,000 fine and imprisonment of not more than 20 years, or both, are available in the event of willful violations.
A violation of [PADFA] shall be treated as a violation of a rule defining an unfair or a deceptive act or practice under section18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
The Federal Trade Commission is provided with enforcement authority under PADFA. Remedies for violation of Section 18(a)(1)(B) of the FTC Act include civil penalties of up to $50,120 per violation and various forms of equitable relief (e.g., disgorgement, injunctions, etc.).