DOJ’s Data Security Program Final Rules Effective – Implications for Telecom Providers

On January 8, 2025, the U.S. Department of Justice (DOJ) issued its final rule to implement Executive Order 14117 aimed at preventing access to Americans’ bulk sensitive personal data and government-related data by countries of concern, including China, Cuba, Iran, North Korea, Russia, and Venezuela (Data Security Program or DSP). The regulations took effect on April 8, 2025, with additional compliance requirements for U.S. persons taking effect by October 6, 2025.
While the DSP includes an exemption for “telecommunications services” (as specifically defined in the rule), telecommunications providers must closely review their services involving data transactions with countries of concern or covered persons associated with those countries to ensure the particular service provided or transaction falls within the exemption. Non-compliance with the DSP can result in significant civil and criminal penalties, underscoring the importance for telecommunications providers to thoroughly understand and adhere to these rules, where applicable.
Scope and Applicability
The DSP sets forth prohibitions and restrictions on certain data transactions that pose national security risks. The rules are designed to be national security regulations to address identified risks to U.S. national security, rather than privacy regulations designed to protect privacy or other individual interests.
The DSP applies to U.S. persons and entities engaging in transactions that provide access to Covered Data to Countries of Concern or Covered Persons associated with those countries in specified ways. Countries of Concern currently include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela, but this list is subject to future change. The DSP defines Covered Persons as entities or individuals associated with a Country of Concern, based on the following criteria:

An entity that is 50% or more owned by a Country of Concern
An entity that is organized or chartered under the laws of a Country of Concern
An entity that has its primary place of business in a Country of Concern
An entity that is 50% or more owned by a Covered Person
A foreign person, as an individual, who is an employee or contractor of a Country of Concern 
A foreign person, as an individual, who is primarily a resident in the territorial jurisdiction of a country of concern
Any entity or individual that the Attorney General designates as a Covered Person subject to broad discretion set forth in the DSP

Covered Data involves two primary categories of data: U.S. sensitive personal data and U.S. government-related data. At a high level, the new rules prohibit, restrict, or exempt certain data transactions involving Covered Data that could give countries of concern or Covered Persons access to such data, and are triggered by bulk data transfers, which can include individual transfers that over time trigger specified volume thresholds. The rules also include specified record keeping and reporting requirements, as well as a process for obtaining approval of otherwise prohibited transfers. The rules also include enforcement mechanisms with the potential for civil and criminal penalties for non-compliance.
On April 11, 2025, DOJ issued a compliance guide, along with a list of Frequently Asked Questions (FAQs) to assist entities with understanding and implementing the DSP. DOJ also announced a 90-day limited enforcement period from April 8 to July 8, 2025, focusing on facilitating compliance rather than enforcement, provided that entities are making good faith efforts as outlined in the 90-day policy.By July 8, 2025, entities must be fully compliant with the DSP, as the DOJ will begin enforcing the provisions more rigorously. By October 6, 2025, compliance with all aspects of the DSP, including due diligence, audit requirements, and specific reporting obligations, will be mandatory.
For a more detailed discussion of the persons and transactions covered under the DSP and its applicability, including definitions, see our recent alert on Navigating the New DOJ Data Security Program Compliance.
Telecommunications Services Exemption
Of note for telecommunications providers is that the DSP, Rule Section 202.509, includes a “telecommunications services” exemption. This exemption for telecommunications services states that the DSP rules: “…do not apply to data transactions, other than those involving data brokerage, to the extent that they are ordinarily incident to and part of the provision of telecommunications services,” as that term is defined under the rule. Specifically, Rule Section 202.252, the new DOJ rule definition of “telecommunications service” means:
the provision of voice and data communications services regardless of format or mode of delivery, including communications services delivered over cable, Internet Protocol, wireless, fiber, or other transmission mechanisms, as well as arrangements for network interconnection, transport, messaging, routing, or international voice, text, and data roaming.1

Of note, this exemption specifically applies to activities directly related to the technical and operational aspects of delivering telecommunications services and does not extend to ancillary services like marketing or data analytics. The Department also declined to expand the exemption to include data transactions related to IP addresses or cybersecurity services.
Importantly, the DOJ made clear the definition of telecommunications services for purposes of the DSP is unique to the DSP and is without reference to the definition in Section 153(53) of the Communications Act. The import of this is that the definition is apparently without reference to whether the service is a common carrier offering.
Examples of Exempt and Non-Exempt Transactions
Rule Section 202.509 provides examples of bulk data transfers incident to telecommunications services that fall within the exemption, and an example of a bulk data transfer by a telecommunications service provider that falls outside the exemption:
(1) Example 1. A U.S. telecommunications service provider collects covered personal identifiers from its U.S. subscribers. Some of those subscribers travel to a country of concern and use their mobile phone service under an international roaming agreement. The local telecommunications service provider in the country of concern shares these covered personal identifiers with the U.S. service provider for the purposes of either helping provision service to the U.S. subscriber or receiving payment for the U.S. subscriber’s use of the country of concern service provider’s network under that international roaming agreement. The U.S. service provider provides the country of concern service provider with network or device information for the purpose of provisioning services and obtaining payment for its subscribers’ use of the local telecommunications service provider’s network. Over the course of 12 months, the volume of network or device information shared by the U.S. service provider with the country of concern service provider for the purpose of provisioning services exceeds the applicable bulk threshold. These transfers of bulk U.S. sensitive personal data are ordinarily incident to and part of the provision of telecommunications services and are thus exempt transactions.
This example illustrates where the data sharing is integral to the core function of providing telecommunications services and facilitating international roaming, aligning with the exemption criteria.
(2) Example 2. A U.S. telecommunications service provider collects precise geolocation data on its U.S. subscribers. The U.S. telecommunications service provider sells this precise geolocation data in bulk to a covered person for the purpose of targeted advertising. This sale is not ordinarily incident to and part of the provision of telecommunications services and remains a prohibited transaction.
Here, the sale of geolocation data for advertising purposes is not directly related to the telecommunications service itself, placing it outside the scope of the exemption.
(3) Example 7. A U.S. company owns or operates a submarine telecommunications cable with one landing point in a foreign country that is not a country of concern and one landing point in a country of concern. The U.S. company leases capacity on the cable to U.S. customers that transmit bulk U.S. sensitive personal data to the landing point in the country of concern, including transmissions as part of prohibited transactions. The U.S. company’s ownership or operation of the cable does not constitute knowingly directing a prohibited transaction, and its ownership or operation of the cable would not be prohibited (although the U.S. customers’ covered data transactions would be prohibited). See 28 CFR § 202.305.
This example illustrates that while the infrastructure operation itself is not a prohibited transaction, the data transfers by customers using the international submarine cable are prohibited if they involve countries of concern. This would likely be a direct issue for the underlying customer rather than the telecommunications service provider, though providers might still consider whether it would make sense to ensure that their customer agreements include provisions insulating them from any potential exposure from such customer non-compliance.

The examples above focus on whether a particular bulk data transfer is “ordinarily incident to and part of the provision of” an exempt telecommunications service. So, for example, arrangements outside the actual provision of the service, such as the sale or sharing of customer data for marketing purposes or with application providers, would appear to be outside the scope of the exemption.
As one example, a number of major mobile carriers had location-based service programs, which were the subject of a series of FCC enforcement actions, that facilitated, through third party “location aggregators”, the sharing of user location data with application providers to enable location-based services.2 Example No. 2, above, would suggest that this type of service would not be “ordinarily incident to and part of the provision of” a carrier’s mobile data services (the telecommunications service under the DSP definition) and hence outside the exemption.
Challenges and Considerations
The harder question, however, and one that will undoubtedly be initially vexing for providers without further clarification from DOJ, is the actual scope of the “telecommunications services” definition in the rule. This is particularly true for integrated offerings by providers that clearly include telecommunications services, but also include integrated components which include bulk transfers, that standing alone might be outside the scope of the telecommunications services definition. Of significance, in adopting this definition, the DOJ stated that the definition is limited to the listed telecommunications services and does not reach services like cloud computing.
The recently issued FAQs also reinforce this point, stating the definition is “limited to communications services and does not include all internet-based services like cloud computing.” See Question 77. This begs the question of an offering by a telecommunications services provider that includes both cloud computing and associated transport services. Similarly, the provision of integrated applications offered by telecommunications services providers in conjunction with their telecommunications service offerings, would raise similar questions, particularly, as noted above, in connection with Example No. 2.
Providers should note that any data transaction not essential to the core function of telecommunications—such as partnerships involving user data for non-service-related purposes—may fall outside the exemption. Providers must differentiate between core telecommunications functions and ancillary services, ensuring that services like data analytics or marketing, which are not ordinarily incident to the core telecommunications services, are carefully evaluated for compliance.
Implications of Limitation to Telecommunications Service Exemption
While DOJ’s final rule appears to provide three straightforward examples, the issues arise about integrated service offerings such as telecommunications services that include a cloud computing or a data center component. While the telecommunications service aspect appears to be exempt, the data storage or cloud computing aspect would not be, at least if offered on a standalone basis. The same may be true for integrated application offerings in connection with application providers, most obviously, under Example No. 2 in connection with sharing location data. This necessitates a thorough review of service offerings, particularly those bundled with non-telecommunications services like cloud computing, data center services, and applications, to determine compliance with DSP regulations. Accordingly, telecommunications providers must closely examine the integrated services they provide, along with their data sharing arrangements with third parties, to determine whether the transaction may trigger prohibited or restricted data transactions involving countries of concern or Covered Persons.

1In adopting this definition, DOJ noted that commenters suggested that the definition of telecommunications services be expanded to include voice and data communications over the internet. DOJ agreed and instead of limiting the scope of “telecommunications services” to the definition in Communications Act, 47 U.S.C. 153(53) (which would have applied only to common carriers) the DOJ adopted its own definition of the term to cover present day communications for the purposes of the exemption. Under the Communications Act, telecommunications service means the offering of telecommunications for a fee directly to the public, or to such classes of users as to be effectively available directly to the public, regardless of the facilities used.2See FCC Fines AT&T, Sprint, T-Mobile and Verizon Nearly $200 Million for Illegally Sharing Access to Customers’ Location Data (FCC News Release, Apr. 29, 2024); see also AT&T, File No. EB-TCD-18-00027704, Forfeiture Order at ¶¶ 8-10 (FCC 24-40, Apr. 29, 2024), vacated, AT&T v. FCC, No. 24-60223, Slip Op. at 5-6 (5th Cir. Apr. 17, 2025). 

Unprecedented Nullification of the Biannual Public Tender Formedicine Procurement

Following up on our March newsletter No. 5, on April 8, 2025, the Ministry for AntiCorruption and Good Government declared the nullity of the entire public tender forthe 2025–2026 consolidated procurement of medicines, coordinated by BIRMEX,and ordered the procedure to be restarted based on a new market investigation.
The resolution declaring nullity was based on irregularities detected by the Ministry,mainly due to breaches of the tender terms and formal errors during the process,including:

Inconsistencies in the minimum bid percentages established in the call andits annexes.
Improper fiscal and technical requirements imposed on participants.
Irregularities related to requirements involving exclusive rights or patents.

Additionally, the same resolution highlights that:

All previously issued supply orders will be honored, as well as requests forpurchase orders.
The rights of awarded companies will be respected, and institutions mustpay for all products that have been delivered and accepted.
In cases where no overpricing was identified, a new direct award will begiven to the previously selected supplier.
In cases involving pricing irregularities, a new bidding process will be carriedout to determine a new awardee.
Current contracts will be terminated early to allow for the new procedure.However, until such termination occurs, contracts must be fulfilled to avoidpenalties.
Awards made by direct assignment were not affected by this resolution.

The decision does not identify or sanction any specific company, nor does it affecttheir right to participate in future tenders. However, sanctions against governmentofficials or companies cannot be ruled out in the future.
Companies that consider themselves affected may challenge the resolution.However, as this is a general measure that impacts all awarded companies equally,legal challenges are considered unlikely to succeed.

Washington State Enacts Broad Antitrust Premerger Notification Law

On 4 April 2025, Washington became the first state to enact a broad, industry-agnostic merger control regime. Under the new law, parties submitting premerger notification filings under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (HSR) must simultaneously submit their HSR filings to the Washington attorney general (AG) if they meet certain local nexus requirements or are a healthcare provider or provider organization. The law will take effect on 27 July 2025.
While many states (including Washington) have recently established notification requirements for healthcare transactions, the new Washington law is unique in its broad application to deals in any sector. Together with the new HSR rules, which took effect in February 2025, the law could increase regulatory costs and antitrust scrutiny for reportable transactions, particularly for companies with a significant presence in the state. More broadly, the legislation continues a trend of heightened state-level merger review, and underscores that states remain an important factor in the US antitrust enforcement landscape.
Washington Premerger Notification Law
On 4 April 2025, Washington Governor Bob Ferguson signed into law the Uniform Antitrust Premerger Notification Act (the Act). The Act will take effect on 27 July 2025 and apply to any HSR filings made on or after that date.
Thresholds 
The Act requires any “person”1 submitting an HSR filing to contemporaneously file an electronic copy of the HSR form with the Washington AG if any of the following applies:

The person’s principal place of business is in Washington.
The person, or any entity it directly or indirectly controls, had annual net sales in Washington of goods or services involved in the transaction of at least 20% of the HSR filing threshold (under the current threshold of US$126.4 million, this would mean local annual net sales of at least US$25.28 million).
The person is a healthcare provider or provider organization (as defined in RCW 19.390.020) conducting business in Washington.

Documents
If the “principal place of business” threshold is met, or if the AG otherwise requests, then the filing party must also submit documentary attachments to the HSR form, including the transaction agreement and any other agreements between the parties, audited financials for the most recent year, and documents analyzing the transaction with respect to various competition issues.
Confidentiality
Under the Act, filings and related materials are confidential and exempt from public disclosure, other than in connection with certain administrative or judicial proceedings, subject to protective order. The AG may also disclose information to the Federal Trade Commission, US Department of Justice, or the AGs of other states that have adopted similar reciprocal legislation.
Penalties
Failure to submit filings required by the Act can trigger civil penalties of up to US$10,000 for each day of noncompliance.
Interplay With Washington Healthcare Notification Law
Like many states, Washington already has a premerger notification requirement on the books applicable to certain healthcare transactions. Under this law, both parties to “material change transactions” (mergers, acquisitions, or contracting affiliations) between two or more in-state hospitals, hospital systems, providers, or provider organizations must submit a written notice (Notice of Material Change) to the AG at least 60 days prior to closing.2 This requirement applies to transactions involving an in-state and out-of-state entity where the latter generates US$10 million or more in healthcare services revenues from patients residing in Washington. The law also states that any provider or provider organization that conducts business in Washington and files an HSR form must provide a copy of the filing to the AG’s office in lieu of a Notice of Material Change.
The Act has a much broader scope, capturing HSR-reportable transactions in any industry, not just healthcare. HSR filings submitted under the Act by providers and provider organizations will be sufficient to satisfy the requirements under the healthcare transactions notification law, which will remain on the books. Note, however, that the definitions for “provider” and “provider organizations” do not specifically include hospitals or hospital systems. Therefore, absent additional guidance from the AG, hospitals and hospital systems that meet the thresholds under the Act may need to submit a copy of the HSR form and a Notice of Material Change.
What Happens Next? Premerger Notification in Other States
The Act is based on model legislation from the Uniform Law Commission, which adopted the Uniform Antitrust Pre-Merger Notification Act in July 2024. Similar bills have been introduced in Colorado, Hawaii, Nevada, Utah, West Virginia, and the District of Columbia. One of the goals of the model legislation is to “facilitate early information sharing and coordination among state AGs and the federal antitrust agencies” and encourage reciprocal adoption by states. As state AGs assume an increasingly significant role in US antitrust enforcement—including in the M&A context—the new Washington law could signal the beginning of a trend of heightened, industry-agnostic, state-level merger control.
What Should I Do Now?
In light of the new requirements under the Act, dealmakers should consider the following:

Evaluating state-level merger control filings alongside HSR, global merger control, and foreign direct investment filing requirements as part of standard transaction diligence, as well as building these filing considerations into deal negotiations and documents, as appropriate.
If an HSR filing is required, assessing potential filings under the Act, particularly where companies have a significant nexus to the state of Washington (in terms of principal location or local revenues).
Closely monitoring developments in other states, including new regimes coming online or proposed amendments broadening the scope of existing requirements, and preparing for reciprocal sharing of filings between states with similar legislation.
Assessing the impact of filings that may be required under the Act with respect to budget, timing, and the potential for increased visibility into business operations by regulators. 
Assessing potential competitive impacts on local markets when evaluating transactions and how these effects are discussed in ordinary-course documents.

Footnotes

1 Under the Act, “person” means an individual; estate; business or nonprofit entity; government or governmental subdivision, agency, or instrumentality; or other legal entity. “Person” has a different definition under the rules implementing the HSR Act.
2 “In-state” entities are those that are licensed or operating in the state of Washington.

A Roadmap for Export Controls? Project 2025 and the Future of U.S. Exports – Part III

The second Trump administration has come flying out of the starting blocks on international trade policy actions—imposing and rescinding, shaping and reshaping tariffs, sanctions, and export controls. The executive orders and directives have come so thick and fast that it is not always simple for businesses to chart a consistent policy direction and develop their plans to account for what might be coming next.
However, there is in fact a pretty clear map that could indicate the U.S. policy direction with respect to export controls.
The U.S. Department of Commerce, Bureau of Industry and Security (BIS) may well follow the map that was drafted by the same people who are now among the BIS leadership. The cartographers, as it were, are James Rockas and Robert Burkett. Rockas and Burkett now serve as the Deputy Under Secretary and Chief of Staff, respectively, at BIS. Both are listed as authors of the chapter on the Department of Commerce in the Project 2025 Mandate for Leadership publication by the Heritage Foundation.[1] Regardless of one’s views on Project 2025, the publication is a useful indicator of the future of U.S. export controls, among other policies.
In this article, we examine what the proposed “modernization” of the Export Administration Regulations (EAR) outlined in Project 2025 looks like, and analyze how the Project 2025 proposals could be implemented in future U.S. export regulations.
The Checklist
The section of Project 2025 dedicated to BIS presents a list[2] of key priorities for “EAR modernization” , as follows:
Featured Today

Eliminating the “specially designed” licensing loophole;
Redesignating China and Russia to more highly prohibitive export licensing groups (country groups D or E);
Eliminating license exceptions;
Broadening foreign direct product rules;
Reducing the de minimis threshold from 25 percent to 10 percent—or 0 percent for critical technologies;
Tightening the deemed export rules to prevent technology transfer to foreign nationals from countries of concern;
Tightening the definition of “fundamental research” to address exploitation of the open U.S. university system by authoritarian governments through funding, students and researchers, and recruitment;
Eliminating license exceptions for sharing technology with controlled entities/countries through standards-setting “activities” and bodies; and
Improving regulations regarding published information for technology transfers.

On first reading, some of these proposals may not seem to fit neatly within the familiar EAR framework. That might make it hard to picture how they will be implemented in regulations, much less to plan for them.
But that’s just the sort of picturing we propose to take on!
We have worked our way through the list above. We have asked ourselves how those broad, potentially seismic changes might actually be put into practice. Where is there real room for rewriting the regulations? Where is there precedent in export regulatory history? (Where what’s past be prologue, to borrow a phrase)?
Here we present our initial thoughts on what may be coming. We note that none of these points constitutes legal advice. But they may be useful for considering where your organization may wish to consider the possibility of future export control regulations.[3] And they may come fast, so get ready. As the poet said, defer no time. Delays have dangerous ends.
We present our findings in three parts (in three days), dividing the list to conquer it and to do so without overburdening our readers.
7. “Tightening the definition of “fundamental research” to address exploitation of the open U.S. university system by authoritarian governments through funding, students and researchers, and recruitment”
The Fundamental Research provisions of the EAR consider certain technology and software in mathematics, engineering, and science that are the result of research in universities to be in the public domain, and thus not controlled for export. One criterion for this exemption from control is that the research must be of the type that is normally published. Currently, the fundamental research exclusion provides for universities to allow students, regardless of nationality, to take part in research and to have access to certain technology and software that may otherwise be controlled.
However, universities have been under increasing scrutiny in cases where fundamental research exposes sensitive technology to students, professors, researchers, and even donors from countries of concern. Tightening the fundamental research exception could mean limiting the exception so that it does not apply to foreign persons affiliated with certain universities (such as those on the Specially Designated Nationals list), or even to all nationals of certain countries of concern. Alternatively, the rules could be tightened to allow U.S. government sponsors of research to place greater limits on access to sponsored projects based on nationality, or to require universities to waive the fundamental research exception altogether in their sponsorship agreements. Since the Fundamental Research exemptions are based in the First Amendment, there may be limits on how far that reform could be taken. But we have no doubt that the administration will look at how to restrict the Fundamental Research exemptions.
8. “Eliminating license exceptions for sharing technology with controlled entities/countries through standards-setting “activities” and bodies”
Currently, certain low-controlled technology or software is not subject to the EAR when it is being shared for the purpose of designing, developing, and/or implementing industry standard. The rule is designed for international cooperation.
Historically, the Trump administration has shown a disinclination to participate in multilateral activity (the Paris Climate Accord, UN Convention on Human Rights, Trans Pacific Partnership, NAFTA, Transatlantic Trade and Investment Partnership (TTIP), etc.). It would not be inconsistent with administration practice to narrow or eliminate exceptions that provide for free sharing of technolgoy with multilateral standards-setting groups.
Eliminating the exception would be a straightforward revision of the rule, which could potentially affect U.S. government and U.S. company relations with other governments, international organizations, international inspections under the Chemical Weapons Convention, and the International Space Station operations.
9. “Improving regulations regarding published information for technology transfers.”
Much like the fundamental research exception described above, adjusting the EAR-exception for published technology could potentially violate the First Amendment. One potential approach would be for the EAR to adopt an approach similar to the ITAR’s public domain exception. For example, public release, such as publishing, would only be permitted after approval from the U.S. Government. The proposal may also redefine what is considered “published” by introducing exceptions to the definition.
Conclusions and Early Indications
The second Trump administration has issued, rescinded, revised, and reissued a substantial number of tariffs, sanctions, and export control measures. Although it is easy to be overwhelmed by the volume of actions, some of the policy direction of the new administration is clear. And as outlined here, the Commerce Department chapter of the Project 2025 Mandate for Leadership provides strong indicators of the administration’s policy direction on export controls.
At the same time, developments outside the four corners of Project 2025 suggest that certain reforms may already be in motion. On April 10, 2025, Landon Heid—President Trump’s nominee for Assistant Secretary of Commerce for Export Administration—testified before the Senate Banking Committee and indicated that BIS may act “relatively quickly” to apply Entity List restrictions to subsidiaries of listed entities, drawing a parallel to OFAC’s 50% rule. If implemented, this shift would materially expand the scope of compliance obligations for exporters, reexporters, and technology providers by effectively capturing foreign subsidiaries and affiliates that have so far fallen outside the scope of licensing requirements.
Heid’s remarks also flagged broader enforcement priorities—particularly around China’s acquisition of artificial intelligence capabilities. He pointed to risks associated with transshipment through jurisdictions such as Hong Kong and suggested BIS may pursue tighter controls to curb diversion and illicit procurement of advanced technologies. Those developments, while not explicitly part of Project 2025, reflect an accelerating trajectory toward more expansive and aggressive export control enforcement.
Together, the Project 2025 blueprint and the emerging policy posture from BIS leadership offer a coherent preview of what the next phase of U.S. export regulation may look like. Companies would do well to monitor those signals and begin scenario planning for a regulatory environment in which the scope of control is broader, the tools are sharper, and the compliance expectations are higher.
FOOTNOTES
[1] Available at 2025_MandateForLeadership_CHAPTER-21.pdf.
[2] Id. at p.672.
[3] Additionally, we would be glad to kick these ideas around with others (I know my associates are tired of me talking about it to them). So if you have any comments, questions, or ideas to posit, please feel free to contact the authors directly.

FTC Publishes Final COPPA Rule Amendments

On April 22, 2025, the Federal Trade Commission published in the Federal Register final amendments to the Children’s Online Privacy Protection Act Rule (the “Rule”). The Rule will go into effect 60 days from publication, on or about June 21, 2025, with a compliance deadline of April 22, 2026. The Rule retains many of the proposed amendments first announced in January 2025 as a result of a Notice of Proposed Rulemaking issued by the FTC in 2024 (the “2024 NPRM”), with certain differences.
Key updates to the Rule include:

Updated definitions: The Rule adds or updates several defined terms, including:

Contact information: The Rule adds to the definition of “online contact information”: mobile phone numbers, “provided the operator uses it only to send a text message.” Under COPPA, operators can use a child or parent’s contact information to provide notice and obtain parental consent without first obtaining consent to the collection of the contact information. According to the FTC, the amendment was intended to give operators another way to initiate the process of seeking parental consent quickly and effectively.
Personal information: The Rule updates the definition of “personal information” to include:

Biometric identifier: The Rule adds to the definition of “personal information”: “a biometric identifier that can be used for the automated or semi-automated recognition of an individual, such as fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints[.]” Notably, the Rule does not include “data derived from voice data, gait data, or facial data,” which is language that was proposed in the 2024 NPRM.
Government-issued identifier: The Rule adds to the definition of “personal information”: “[a] government-issued identifier, such as a Social Security, [S]tate identification card, birth certificate, or passport number[.]”

Mixed audience website or online service: The FTC first developed this category in the 2013 COPPA Rule amendments, as a subset of “child-directed” websites and online services, but did not define the term. The Rule defines the term as “a website or online service that is directed to children under the criteria set forth in paragraph (1) of the definition of website or online service directed to children, but that does not target children as its primary audience, and does not collect personal information from any visitor prior to collecting age information or using another means that is reasonably calculated, in light of available technology, to determine whether the visitor is a child.” The updated definition further requires that “[a]ny collection of age information, or other means of determining whether a visitor is a child, must be done in a neutral manner that does not default to a set age or encourage visitors to falsify age information.”
Website or online service directed to children: The Rule expands the factors the FTC will consider with respect to whether a website or service is “directed to children,” to include marketing or promotional materials or plans, representations to consumers or third parties, reviews by users or third parties and the ages of users on similar websites or services.

Enhanced direct notice content requirements: The Rule expands the content required in an operator’s direct notice to parents for the purpose of obtaining parental consent where required under COPPA.

Use of personal information: The direct notice must disclose how the operator intends to use the child’s personal information (in addition to the existing requirements to include the categories of the child’s personal information to be collected and the potential opportunities for the disclosure of the child’s personal information).
Third-party disclosures: Where the operator discloses children’s personal information to third parties, the direct notice must specify: (1) the identities or specific categories of the third parties (including the public, if such data is made publicly available), (2) the purposes for such disclosure, and (3) that the parent can consent to the collection and use of the child’s personal information without consenting to the disclosure of such personal information to third parties, except to the extent such disclosure is integral to the website or online service.

Enhanced privacy notice content requirements: The Rule also expands the content required in an operator’s privacy notice displayed on the operator’s website.

Internal operations: The privacy notice must disclose: (1) the specific internal operations for which the operator has collected a persistent identifier and (2) how the operator ensures that such identifier is not used or disclosed to contact a specific individual or for any other purpose not permitted under COPPA’s “support for the internal operations” consent exception.
Audio files: If applicable, a description of how the operator collects audio files containing a child’s voice solely to respond to the child’s specific request and not for any other purpose, and a statement that the operator immediately deletes such audio files thereafter.

Verifiable parental consent methods: The Rule adds three approved methods for verifying a parent’s identity for purposes of obtaining parental consent:

Knowledge-based authentication, provided that (1) the authentication process uses dynamic, multiple-choice questions with an adequate number of possible answers and (2) the questions are difficult enough that a child under 13 could not reasonably accurately answer them.
Government-issued identification, provided that the photo ID is verified to be authentic against an image of the parent’s face using facial recognition technology (and provided that the ID and images are promptly deleted after the match is confirmed).
Text message to the parent coupled with additional steps to confirm the parent’s identity (e.g., a confirmation text to the parent following receipt of consent). (Note that this option is available only under certain enumerated circumstances).

Limited exception to parental consent for the collection of audio files containing a child’s voice: The Rule allows operators to collect audio files containing a child’s voice (and no other personal information) solely to respond to a child’s request without providing direct notice or obtaining parental consent. This exception applies only if the operator does not use the information for any other purpose, does not disclose it, and deletes the data immediately after responding to the request. This amendment codifies a 2017 FTC enforcement policy statement regarding the collection and use of children’s voice recordings.
Limits on data retention and publication of data retention policy: The Rule prevents operators from retaining children’s personal information indefinitely. The Rule specifies that operators may not retain children’s personal information for longer than necessary to fulfill the specific documented purposes for which the data was collected, after which the data must be deleted. Operators also must establish, implement and maintain a written data retention policy that specifies (1) the purposes for which children’s personal information is collected, (2) the specific business need for retaining such data, and (3) a timeline for deleting the data. The data retention policy must be published in the operator’s privacy notice required under COPPA.
Written information security program: The Rule requires operators to establish, implement and maintain a written information security program that contains safeguards appropriate to the sensitivity of the children’s personal information collected and the operator’s size, complexity, and nature and scope of activities. Specifically, operators must, in connection with the written information security program, (1) designate personnel to coordinate the program, (2) at least annually, identify and assess internal and external risks to the security of children’s personal information, (3) implement safeguards to address such identified risks, (4) regularly test and monitor the effectiveness of such safeguards, and (5) at least annually, evaluate and modify the information security program accordingly.
Vendor and third-party due diligence requirements: Before disclosing children’s personal information to other operators, service providers or third parties, the Rule requires operators to “take reasonable steps” to ensure that such entities are “capable of maintaining the confidentiality, security, and integrity” of such data. Operators also must obtain written assurances that such entities will use “reasonable measures to maintain the confidentiality, security, and integrity” of the information.
Increased Safe Harbor transparency: By October 22, 2025, and annually thereafter, FTC-approved COPPA Safe Harbor programs are required to identify in their annual reports to the Commission each operator subject to the self-regulatory program (“subject operator”) and all approved websites or online services, as well as any subject operator that left the program during the time period covered by the annual report. The Safe Harbor programs also must outline their business models in greater detail and provide copies of each consumer complaint related to a member’s violation of the program’s guidelines. The report also must describe each disciplinary action taken against a subject operator and a description of the process for determining whether a subject operator is subject to discipline. In addition, by July 21, 2025, Safe Harbor programs must publicly post (and update every six months thereafter) a list of all current subject operators and, for each such operator, list each certified website or online service. Further, by April 22, 2028, and every three years thereafter, Safe Harbor programs must submit to the FTC a report detailing the program’s technological capabilities and mechanisms for assessing subject operators’ fitness for membership in the program.

Expanded Definition of ‘Low-Wage’ Employees in Virginia Non-Compete Ban: Employers Need to Act Now

Takeaways

Effective 07.01.25, a new amendment to Virginia’s non-compete law expands the definition of “low-wage” employees to include employees classified as non-exempt under the FLSA.
The new definition will not apply retroactively to existing agreements.
Employers should audit their employee classifications and policies that contain non-compete provisions.

Related links

Virginia Enacts Wage Theft, Non-Compete Laws Amidst Flurry of New Employee Protections
SB1218, Covenants not to compete prohibited, low-wage employees, exceptions, civil penalty
Notice of the Average Weekly Wage for 2025

Article
Virginia is the most recent state to tighten restrictions on employment non-compete agreements. Governor Glenn Youngkin signed a bill expanding the definition of low-wage employees under the state’s existing prohibition on covenants not to compete, Va. Code Ann. § 40.1-28.7:8. Effective July 1, 2025, the statute will prohibit employers from entering into non-compete agreements with employees classified as non-exempt under the Fair Labor Standards Act (FLSA).
Existing Law
As enacted in 2020, Va. Code Ann. § 40.1-28.7:8 broadly defined a “low-wage employee” as an employee whose average weekly earnings were less than $1,137 (or $59,124 a year), the average weekly wage of employees in the Commonwealth of Virginia.
On Dec. 10, 2024, the Virginia Department of Labor and Industry announced the 2025 average weekly wage for determining who is a “low-wage employee” is $1,463.10 (or $76,081.14 a year).
Amendment
Effective July 1, the definition of “low-wage employee” will include employees entitled to receive overtime pay under the FLSA, otherwise known as “non-exempt employees.” The amendment will not affect employees who meet the requirements for an exemption as set forth by the FLSA and U.S. Department of Labor, such as executive, administrative, or professional employees.
In effect, employers will no longer be able to enter into non-compete agreements with non-exempt employees. The updated law will not affect existing non-compete agreements or those entered into before the July 1, 2025, effective date.
As amended, the law retains expressed exclusions for any employee who derives their earnings in whole or in predominant part from sales commissions, incentives, or bonuses paid. Similarly, the enforcement provisions remain unchanged. In addition to allowing employees to bring private causes of action against employers who enter into, enforce, or threaten to enforce a non-compete agreement with any low-wage employee, the statute authorizes the Virginia Department of Labor and Industry to issue civil penalties of $10,000 as well as other penalties to employers who fail to satisfy posting requirements.
Takeaways for Employers
In preparing for the amendment to take effect, Virginia employers should audit their workforce and ensure that all exempt employees are correctly classified under the FLSA. Employers should also review any existing employment and restrictive covenant agreements, and planned revisions to them, to assess the amendment’s impact on their workforce. Finally, employers who address the use of non-compete agreements in offer letters, severance agreements, employee handbooks, and other employee policies should review these documents before July 1, 2025, and ensure compliance with the amendment.

A Roadmap for Export Controls? Project 2025 and the Future of U.S. Exports – Part II

The second Trump administration has come flying out of the starting blocks on international trade policy actions—imposing and rescinding, shaping and reshaping tariffs, sanctions, and export controls. The executive orders and directives have come so thick and fast that it is not always simple for businesses to chart a consistent policy direction and develop their plans to account for what might be coming next.
However, there is in fact a pretty clear map that could indicate the U.S. policy direction with respect to export controls.
The U.S. Department of Commerce, Bureau of Industry and Security (BIS) may well follow the map that was drafted by the same people who are now among the BIS leadership. The cartographers, as it were, are James Rockas and Robert Burkett. Rockas and Burkett now serve as the Deputy Under Secretary and Chief of Staff, respectively, at BIS. Both are listed as authors of the chapter on the Department of Commerce in the Project 2025 Mandate for Leadership publication by the Heritage Foundation.[1] Regardless of one’s views on Project 2025, the publication is a useful indicator of the future of U.S. export controls, among other policies.
In this article, we examine what the proposed “modernization” of the Export Administration Regulations (EAR) outlined in Project 2025 looks like, and analyze how the Project 2025 proposals could be implemented in future U.S. export regulations.
The Checklist
The section of Project 2025 dedicated to BIS presents a list[2] of key priorities for “EAR modernization,” as follows:
Featured Today 

Eliminating the “specially designed” licensing loophole;
Redesignating China and Russia to more highly prohibitive export licensing groups (country groups D or E);
Eliminating license exceptions;
Broadening foreign direct product rules;
Reducing the de minimis threshold from 25 percent to 10 percent—or 0 percent for critical technologies;
Tightening the deemed export rules to prevent technology transfer to foreign nationals from countries of concern;
Tightening the definition of “fundamental research” to address exploitation of the open U.S. university system by authoritarian governments through funding, students and researchers, and recruitment;
Eliminating license exceptions for sharing technology with controlled entities/countries through standards-setting “activities” and bodies; and
Improving regulations regarding published information for technology transfers.

On first reading, some of these proposals may not seem to fit neatly within the familiar EAR framework. That might make it hard to picture how they will be implemented in regulations, much less to plan for them.
But that’s just the sort of picturing we propose to take on!
We have worked our way through the list above. We have asked ourselves how those broad, potentially seismic changes might actually be put into practice. Where is there real room for rewriting the regulations? Where is there precedent in export regulatory history? (Where what’s past be prologue, to borrow a phrase)?
Here we present our initial thoughts on what may be coming. We note that none of these points constitutes legal advice. But they may be useful for considering where your organization may wish to consider the possibility of future export control regulations.[3] And they may come fast, so get ready. As the poet said, defer no time. Delays have dangerous ends.
We present our findings in three parts (in three days), dividing the list to conquer it and to do so without overburdening our readers.
4. “Broadening foreign direct product rules”
Foreign Direct Product Rules (FDPRs) extend U.S. export controls to cover foreign manufactured items that are the direct product of certain U.S.-origin technology, software, or equipment.[4] In 2020, the FDPRs were broadened significantly to cover foreign made items destined for the Chinese telecommunications equipment maker Huawei and certain of its affiliates, and a handful of other Chinese and Chinese-owned companies. In general, there are two pieces to an FDPR, the Product Scope (what the control applies to), and the Destination Scope (at what countries or companies the control is aimed).
Since BIS brought the FDPR hammer out of the toolbox, it has found plenty of nails. There are now ten separate FDPRs applicable to Product Scopes such as Supercomputers and semiconductor manufacturing equipment, or to Destination Scope targets such as the Russian and Belarusian militaries. In terms of writing regulations, it is likely easiest for the U.S. government to aim a broad product scope control at a narrow target, singling out a company or group of companies. However, recent EAR amendments have placed broad controls on artificial intelligence by defining a set of AI model weights that may be subject to controls globally.
We fully expect new FDPRs to contain broader Product Scope to cover technologies the administration considers critical (e.g., semiconductor manufacturing, autonomous vehicles, or AI). Likewise, we expect new FDPRs may contain several new companies in the Destination Scope, as the administration develops new targets over time.
5. “Reducing the de minimis threshold from 25 percent to 10 percent—or 0 percent for critical technologies”
Currently, a product made outside the United States may be subject to U.S. export controls if it incorporates more than a de minimis amount of U.S.-origin controlled content by value. That is, if you make a computer in France, but the hard drive is U.S.-origin and incorporated into your French computer, then the value of that hard drive may account for more than the de minimis amount of value of that computer. As a result, that computer may be controlled by U.S. export controls, even as it is exported from France as a French-made item.
For most countries, the de minimis threshold of U.S. content is 25% of the value of the foreign-made item. However, for certain countries (e.g., Iran) it is 10%, and for others (e.g., Cuba), it is 0%. In cases where the threshold is 0%, the de minimis rule operates like the ITAR see-through rule: any U.S.-origin controlled content in the foreign made item will trigger U.S. controls for export to the country with a 0% de minimis level.
It follows that a reduction of the de minimis level would significantly expand the extraterritorial jurisdiction of BIS. It would give BIS control of a broad swath of foreign made products that would be exported to the country with the lower de minimis threshold.
6. “Tightening the deemed export rules to prevent technology transfer to foreign nationals from countries of concern”
When a person discloses controlled technology to a foreign person, the release of that technology is considered an export to the home country of that foreign person. That is the case regardless of where the release occurs, even if both persons are in the United States. The release of technology—through a discussion, through visual inspection, or through written communication—is “deemed” to be an export to the foreign person’s country of nationality. Similarly, a release of U.S.-controlled technology in a foreign country by a person authorized to have that technology to a person of a third-country nationality, is a deemed reexport to that person.
So when an engineer in Denmark is collaborating with his U.S. colleagues on controlled technology development, the technology is exported to Denmark. If he discusses the technology with his Chinese colleague in Denmark, that discussion may be considered a deemed reexport to China. However, in certain cases, if the Chinese national is an employee of the same company and the company is authorized to receive the technology, the technology may be shared with the Chinese national without any further licensing.[5]
That scenario presents a tempting target for a BIS looking to tighten controls on technology going to China. The rule could simply be changed so that a person from China (or Russia or any other country of concern) could not receive the controlled technology without further licensing. Alternatively, export licenses might be written to include provisos prohibiting certain deemed reexports, e.g., to China.
In either case, as a Danish (or EU or other third-country) employer, you may need to consider whether you can hire that graduate student from a country of concern or whether you can staff certain projects with persons with certain nationalities. At the same time, non-U.S. companies aiming to comply when hiring employees from U.S. countries of concern will need to balance that compliance against any local employment laws on hiring decisions made on the basis of national origin.
Conclusions and Early Indications
The second Trump administration has issued, rescinded, revised, and reissued a substantial number of tariffs, sanctions, and export control measures. Although it is easy to be overwhelmed by the volume of actions, some of the policy direction of the new administration is clear. And as outlined here, the Commerce Department chapter of the Project 2025 Mandate for Leadership provides strong indicators of the administration’s policy direction on export controls.
At the same time, developments outside the four corners of Project 2025 suggest that certain reforms may already be in motion. On April 10, 2025, Landon Heid—President Trump’s nominee for Assistant Secretary of Commerce for Export Administration—testified before the Senate Banking Committee and indicated that BIS may act “relatively quickly” to apply Entity List restrictions to subsidiaries of listed entities, drawing a parallel to OFAC’s 50% rule. If implemented, this shift would materially expand the scope of compliance obligations for exporters, reexporters, and technology providers by effectively capturing foreign subsidiaries and affiliates that have so far fallen outside the scope of licensing requirements.
Heid’s remarks also flagged broader enforcement priorities—particularly around China’s acquisition of artificial intelligence capabilities. He pointed to risks associated with transshipment through jurisdictions such as Hong Kong and suggested BIS may pursue tighter controls to curb diversion and illicit procurement of advanced technologies. Those developments, while not explicitly part of Project 2025, reflect an accelerating trajectory toward more expansive and aggressive export control enforcement.
Together, the Project 2025 blueprint and the emerging policy posture from BIS leadership offer a coherent preview of what the next phase of U.S. export regulation may look like. Companies would do well to monitor those signals and begin scenario planning for a regulatory environment in which the scope of control is broader, the tools are sharper, and the compliance expectations are higher.
FOOTNOTES
[1] Available at 2025_MandateForLeadership_CHAPTER-21.pdf.
[2] Id. at p.672.
[3] Additionally, we would be glad to kick these ideas around with others (I know my associates are tired of me talking about it to them). So if you have any comments, questions, or ideas to posit, please feel free to contact the authors directly.
[4] We recognize that the term in the regulations is not “equipment,” but, rather “plant or major component of a plant.” But boy is that longer phrase ungainly, so we will use “equipment” as a shorthand here and trust that it sufficiently conveys the message.
[5] However, there would be some administrative steps involved in making that release lawful.

FTC Antitrust Enforcement Under the Second Trump Administration

During the first week of April, the Annual ABA Spring Meeting wrapped up, and there was much conversation about the future of antitrust enforcement. The Spring Meeting panel discussions and an analysis of recent FTC statements and enforcement actions shed light on where antitrust enforcement may be headed over the next four years.
As of this posting, the Federal Trade Commission (“FTC”) how three Republican commissioners. President Trump fired the two Democratic commissioners, Rebecca Slaughter and Alvaro Bedoya, on March 18, and Mark Meador was sworn in as the third Republican Commissioner on April 16, 2025. Removal of an FTC commissioner by a President has happened only once before. In 1933, President Franklin D. Roosevelt wrote Republican FTC Commissioner William E. Humphrey a letter removing him from his position. See Humphrey’s Executor v. United States, 295 U.S. 602 (1935) (holding the President’s removal unlawful because it was not for a cause under the FTC Act).
Commissioners Slaughter and Bedoya swiftly filed a lawsuit seeking declaratory and injunctive relief to serve out the remainder of their terms. Slaughter et al. v. Trump, No. 1:25-cv-00909 (D.D.C. Mar. 27, 2025). This case is likely headed to the Supreme Court to revisit the Court’s view of the scope of Humphry’s Executor. Now, with only three FTC Commissioners, some question whether the agency is operating lawfully pursuant to the text of the FTC Act, which states the Commission there in “shall be composed of five Commissioners” with no more than three from the same political party. 15 U.S.C. § 41. Yet, according to Rule 4.14, a quorum is a “majority of members” who are “not recused from participating in a matter.” 16 CFR § 4.14. Further, there is precedent the FTC voting to authorize a complaint with only two commissioners voting. During part of the first Trump Administration in 2017 to 2018, the FTC was comprised of two commissioners (Maureen Ohlhausen (R) and Terrell McSweeney (D)), and the FTC voted to challenge five mergers.
Commissioners Slaughter and Bedoya’s firings have resulted in uncertainty for pending FTC enforcement actions. Most recently, the removal of Slaughter and Bedoya caused the FTC to put an administrative complaint filed in September 2024 against pharmacy benefit managers (“PBMs”) on hold for 105 days because there were no sitting commissioners available to participate. Commissioners Ferguson and Holyoak were recused from the case, and former Chair Lina Khan resigned at the transition of Administrations. On April 3, 2025, Chair Ferguson issued a statement that after consultation with the FTC’s Designated Agency Ethics Official, he will no longer recuse himself from the matter “to ensure that the case can continue.”[1] Commissioner Holyoak issued a statement on April 4, 2025 stating that she would remain recused.[2]
Despite the FTC’s makeup being in flux, continuity in enforcement of certain topics from the Biden Administration to the Trump Administration likely exist, particularly in merger enforcement and in the healthcare and labor markets. However, the FTC’s approach to the Robinson-Patman Act (“RPA”) and the agency’s attitude toward private equity in merger challenges are likely to change under Chair Ferguson.
Merger Enforcement
Merger enforcement will likely see continuity going forward. Chair Ferguson has publicly supported the 2023 versions of the Merger Guidelines[3] (along with DOJ Assistant Attorney General for the Antitrust Division, Gail Slater[4]) and the revised HSR Rules.[5] Further, Chair Ferguson and Commissioner Holyoak voted with the Democratic commissioners to bring merger challenges in the past, including:

Tapestry, Inc.’s Acquisition of Capri Holdings Limited: In April 2024, the FTC brought an enforcement action seeking to block Tapestry’s acquisition of Capri alleging the acquisition may substantially lessen competition or tend to create a monopoly in the market for “accessible luxury” handbags in the US. The acquisition would have combined Tapestry’s Coach and Kate Spade brands with Capri’s Michael Kors brand. The district court granted the FTC’s motion for preliminary injunction, and the parties subsequently abandoned the transaction.
Tempur Sealy’s Acquisition of Mattress Firm: In July 2024, the FTC brought an enforcement action seeking to block the vertical merger alleging the consummation may substantially lessen competition or tend to create a monopoly in the market for premium mattresses in the US. Commissioner Holyoak issued a statement saying that many vertical mergers are procompetitive or benign but in this case, the facts warranted enforcement action.[6] The FTC sought a preliminary injunction in the District Court for the Southern District of Texas to halt the closing of the acquisition, which was denied mainly as a result of the court rejecting the FTC’s relevant market definition of the “premium” mattress market priced over $2,000.
GTCR BC Holdings, LLC’s Acquisition of Surmodics, Inc.: In March 2025, the FTC brought an enforcement action seeking to block private equity firm GTCR’s acquisition of Surmodics alleging the consummation may substantially lessen competition in outsourced hydrophilic coatings marketed in the US.

There may also be some shifts in the FTC’s enforcement approach, such as the FTC’s attitude and views towards private equity (“PE”). Former Chair Khan and former DOJ Assistant Attorney General for the Antitrust Division Jonathan Kanter publicly voiced hostility towards PE firms.[7] And, recently in a concurring statement[8] on the FTC’s enforcement action against GTCR’s acquisition of Surmodics, Commissioners Slaughter and Bedoya issued a statement highlighting the fact that the acquirer, GTCR, is a PE firm. By contrast, Chair Ferguson and Commissioner Holyoak stated in a concurring statement regarding a settlement with PE firm Welsh Carson that it was irrelevant that Welsh Carson was a PE firm, and “the antitrust analysis would be the same if Welsh Carson were, for an example, an individual or institutional investor.”[9] It is therefore unlikely going forward that PE firms will be under the same microscope in merger enforcement matters as they were under the Biden Administration.
As for the merger review process, Chair Ferguson has stated publicly that if the FTC does not see competitive issues with mergers during the initial review, the FTC will “get out of the way” to allow the majority of M&A activity to proceed. The FTC has also reinstated issuing early terminations (“ETs”) which had been put on hold during the Biden Administration. The FTC has granted nine ETs in March of 2025.[10]
Additionally, the FTC and DOJ will likely be more open to entering into merger remedies rather than challenging mergers outright, even if the merging companies have offered a settlement. Commissioner Holyoak has stated that the FTC should be “pragmatic” with remedies, contrasting Chair Khan’s dogmatic “approach” that favored litigation instead of remedies.[11] Recently, Chair Ferguson stated he would take a less aggressive approach to merger enforcement than his predecessor by being more willing to entertain remedies.[12] DOJ antitrust chief Gail Slater echoed the Republican FTC member’s sentiment towards remedies.[13]
Robinson-Patman Act (“RPA”) & Price Discrimination
The Robinson-Patman Act saw new life when the FTC brought enforcement actions against Southern Glazer and Pepsi in December 2024 and January 2025, respectively. The last RPA enforcement action brought by the FTC was in 2000 and resulted in settlement.[14] The RPA prohibits sellers from (1) charging different prices to competing buyers for the same or similar products (“price discrimination”) or (2) favoring customers in the provision of advertising, promotional, or merchandising allowances to assist in the resale of products.
Chair Ferguson and Commissioners Holyoak and Meador have all stated that the RPA should be enforced in the proper situation.[15] Particularly, Meador is a proponent of bringing “RPA cases where it has evidence that consumers are harmed by price discrimination.”[16] Yet, the cases against Southern Glazer and Pepsi were not proper, according to Commissioners Ferguson and Holyoak, who dissented in both actions. Thus, it would not be surprising if the FTC dismissed the RPA enforcement actions against Southern Glazer and Pepsi. Commissioner Ferguson’s dissent in Southern Glazer’s action stated that the Commission is “unlikely to prevail even on its own theory of the [RPA], and it would be an imprudent use of the Commission’s enforcement resources even if it were likely to prevail.”[17]
Antitrust Enforcement in Healthcare and Labor Markets
Enforcement in the healthcare and labor markets over the last four years, will likely see continuity from the previous Administration’s enforcement focuses. In February, Chair Ferguson appointed Daniel Guarnera as the Director of Bureau of Competition. In highlighting Guarnera’s experience with antitrust enforcement to promote competition in the healthcare and labor market, Chair Ferguson stated those were two of his top priorities.[18]
The FTC is likely to continue focusing on noncompete agreements, but the FTC’s rule prohibiting all noncompetes on a nationwide basis is likely dead. Commissioner Ferguson and Commissioner Holyoak dissented in the FTC’s vote to issue the final rule on noncompetes in June 2024.[19] The dissent authored by Commissioner Ferguson and joined by Commissioner Holyoak, stated that such sweeping lawmaking by an administrative agency offends Article I’s constitutional designation of legislative power to Congress.[20] The Commissioners noted that in banning all employee noncompete agreements, the Non-Compete Clause Rule invalidated 30 million existing contracts, preempted the law of 46 states, and categorically prohibited a business practice that had been lawful for centuries.[21] Two federal courts—one in Texas and one in Florida—enjoined the Final Rule in August 2024. The FTC appealed that to the Fifth Circuit and Eleventh Circuit, respectively, but the FTC recently requested a 120-day stay of both appeals[22] (prior to the firings of Commissioners Slaughter and Bedoya).
Chair Ferguson and Commissioner Holyoak are not categorically against addressing noncompete agreements. Both have stated that certain noncompetes should be prosecuted on a case-by-case basis, and noncompete agreements were highlighted by Chair Ferguson in his February 2025 memo announcing the Directive to stand up a Labor Markets Task Force.[23] This follows the FTC’s 5-0 vote to bring an enforcement action against certain “no-hire” agreements for building services contractors that operate in New York City and Northern New Jersey.[24] Further, Commissioner Meador testified during his confirmation hearing in front of the Senate Commerce Committee that noncompetes “have been overused and abused,” and that the FTC could use “traditional enforcement powers to address those harms.”[25] 
The Hunton team will continue to monitor the antitrust enforcement actions taken by the FTC as well as updates on the composition of the FTC commissioners, including whether other individuals are nominated to fill the two vacant seats and the status of the litigation over the removal of Commissioners Slaughter and Bedoya.
[1] @AFergusonFTC, X (Apr. 3, 2025, 4:38 PM).
[2] Statement on the Recusal of Comm’n Melissa Holyoak, In the Matter of Caremark, Rx, LLC, FTC Dkt. No. 9437 (Apr. 4, 2025).
[3] Memorandum from Andrew Ferguson, Merger Guidelines, FTC (Feb. 18, 2025).
[4] Abigail Slater, Responses to Written Questions of Senator Peter Welch for Hearing on “Nominations,” submitted February 17, 2025 (“[FTC] Chairman [Andrew] Ferguson has explained that the Merger Guidelines work best when there is stability across administrations, though he has also indicated that there may be some aspects he would be open to reforming. He further explained that much of what is in the current merger guidelines simply restates longstanding law.’ I agree with him. It is critical to the Antitrust Division’s law enforcement mission that its guidelines reflect the original meaning of the applicable statutory text as interpreted by the binding rules of the courts. The merger guidelines have been revised periodically when time and experience suggest changes are necessary, but when revisions are undertaken a careful and transparent process should be used to ensure our guidelines maintain the stability needed for rules of the road to serve their purpose.”).
[5] Concurring Statement of Commissioner Andrew N. Ferguson, In the Matter of Amendments to the Premerger Notification and Report Form and Instructions, and the Hart-Scott-Rodino Rule 16 C.F.R. Parts 801 and 803, FTC Matter No. P239300 (Oct. 10, 2024).
[6] Statement of Comm’n Melissa Holyoak In the Matter of Tempur Sealy Int’l, Inc. & Mattress Firm Grp. Inc., FTC Matter No. 2310016 (July 2, 2024).
[7] Remarks by Chair Lina M. Khan as Prepared for Delivery Private Capital, Public Impact Workshop on Private Equity in Healthcare, FTC (Mar. 5, 2024).
[8] Statement of Comm’n Rebecca Kelly Slaughter Joined By Comm’n Alvaro M. Bedoya In the Matter of GTCR BC Holdings/SurModics, FTC Matter No. 2410095 (Mar. 7, 2025).
[9] Concurring Statement of Comm’n Andrew N. Ferguson Joined by Comm’n Melissa Holyoak In the Matter of US Anesthesia Partners/Guardian Anesthesia, FTC Matter No. 2010031 (Jan. 17, 2025).
[10] See FTC Legal Library: Early Termination Notices.
[11] Sulaiman Abdur-Rahman, “We Should Be Pragmatic”: Meet the Possible Next FTC Chair, Nat’l L. J. (Nov. 14, 2024, 7:01PM).
[12]FTC’s Ferguson, DOJ’s Slater Signal Less Aggressive Merger Approach Than Biden Predecessors, Openness to Remedies, Vol. 13, No. 257, The Capitol Forum (Apr. 2, 2025).
[13] Id.
[14] FTC Press Release, World’s Largest Manufacturer of Spice and Seasoning Products Agrees to Settle Price Discrimination Charges (Mar. 8, 2000).
[15] See Dissenting Statement of Comm’r Ferguson, In the Matter of Southern Glazer’s Wine and Spirits, LLC, FTC Matter No. 211-0155 (Dec. 12, 2024); Dissenting Statement of Comm’r Holyoak, In the Matter of Southern Glazer’s Wine and Spirits, LLC, FTC Matter No. 211-0155 (Dec. 12, 2024); Dissenting Statement of Comm’r Ferguson In the Matter of Non-Alcoholic Beverages Price Discrimination Investigation, FTC Matter No. 2210158 (Jan. 17, 2025); Dissenting Statement of Comm’r Holyoak In the Matter of PepsiCo, Inc., FTC Matter No. 2210158 (Jan. 17, 2025); Mark Meador, Not Enforcing the Robinson-Patman Act is Lawless and Likely Harms Consumers, The Federalist Society (July 9, 2024).
[16] Mark Meador, Not Enforcing the Robinson-Patman Act is Lawless and Likely Harms Consumers, The Federalist Society (July 9, 2024).
[17] Dissenting Statement of Comm’r Ferguson, In the Matter of Southern Glazer’s Wine and Spirits, LLC, FTC Matter No. 211-0155 (Dec. 12, 2024).
[18] FTC Press Release, FTC Chairman Ferguson Appoints Daniel Guarnera as Director of Bureau of Competition (Feb. 10, 2025).
[19] Dissenting Statement of Comm’n Andrew N. Ferguson Joined by Comm’n Melissa Holyoak in the Matter of the Non-Compete Clause Rule, FTC Matter No. P201200 (June 28, 2024).
[20] U.S. Const. Art. I, § 1 (“All legislative Powers herein granted shall be vested in a Congress of the United States,”).
[21] Dissenting Statement of Comm’n Andrew N. Ferguson Joined by Comm’n Melissa Holyoak in the Matter of the Non-Compete Clause Rule, FTC Matter No. P201200 (June 28, 2024).
[22] Jared Foretek, FTC Wants Pause on Noncompete Appeals, Pending Decision, Law360 (Mar. 10, 2025, 8:24 PM EDT).
[23] Memorandum from Chairman Andrew N. Ferguson, Directive Regarding Labor Markets Task Force, FTC (Feb. 26, 2025).
[24] FTC Press Release, FTC Orders Building Service Contractors to Stop Enforcing a No-Hire Agreement (Jan. 6, 2025).
[25] Nominations Hearing for Michael Kratsios to Lead the Office of Science and Technology Policy and Mark Meador to Serve as a Federal Trade Commissioner, at 1:30:20 (Feb. 25, 2025).

Overview of Section 232 Tariffs on Steel and Aluminum: What Importers Need to Know

The implementation of new 25% Section 232 duties on steel, aluminum, and certain derivatives, effective March 12, 2025, which are in addition to any special rate of duty otherwise applicable, are affecting importers globally. Here is a breakdown of what these new tariffs entail:
1. Nature of Section 232 Tariffs and Interaction with Reciprocal Tariffs
On March 12, 2025, President Trump implemented 25% tariffs on steel and aluminum under Section 232 of the Trade Expansion Act of 1962. These duties, applied in addition to any existing special rates, aim to address national security concerns by bolstering domestic production. The additive nature of these tariffs has significantly raised the cost of imported steel and aluminum products, impacting budgets and pricing strategies for businesses reliant on these materials.
Subsequently, on April 5, 2025, the Trump Administration imposed a 10% baseline tariff on all imports to the United States, invoking the International Emergency Economic Powers Act (IEEPA) to address the national emergency posed by the persistent trade deficit. Building on this, the United States applied country-specific reciprocal tariffs as determined by the United States Trade Representative (USTR) which has been paused until July 9, 2025.
In its executive order, the Trump Administration explicitly excluded products already subject to Section 232 measures from the baseline and reciprocal tariff regime. Consequently, while Section 232 duties have increased the costs of imports like steel and aluminum, these products do not face additional tariffs under the reciprocal system as of this writing.
2. Immediate application and elimination of exemptions
These duties apply to imports made from March 12, 2025, onward. Notably, the new tariffs eliminate previous country exemptions and tariff-rate quota agreements, and they terminate the product exclusion process. Consequently, no new exclusion requests will be accepted, and existing exclusions will expire without renewal.
For those reasons, imports from countries previously subject to country exemptions are now subject to these tariffs (i.e., Australia, Canada, Mexico, the EU, the UK, Japan and South Korea).
However, we might see some country-specific bilateral trade agreements in due course that could exempt certain countries from these duties.
3. Exemptions from Derivative Articles – No Duty Drawback
Critically, the additional duties on derivative steel articles would exclude steel articles that are processed in a third country from steel that was melted and poured in the United States. The same exemption applies to derivative aluminum articles. This applies to all the listed derivative HTS codes to which the new Section 232 tariffs would otherwise apply, so businesses need to start mapping their suppliers’ supply chains for products in those codes to identify US content if they have not already done so.
Unfortunately, no duty drawback is available for these duties. Businesses that would reexport the listed products from the United States to third countries should consider rearranging their shipping so that listed products ultimately destined for third countries are shipped there directly and not imported first into the United States.
4. Expansion of Previous Proclamations
This trade action, via presidential proclamation, is an expansion of President Trump’s previous proclamations from 2018, now covering all products and derivatives from the original proclamations plus additional derivative products. The 2025 proclamations rely on definitions of steel and aluminum articles from the 2018 proclamations.
For ease of reference, we provide all such descriptions and HTS codes of steel products and derivatives listed or linked below:

Steel Products Subject to the 2018 (and thus 2025) 232 Tariffs

Proclamation 9705 (Mar. 8, 2018) defined steel articles at the Harmonized Tariff Schedule (HTS) 6-digit level as: 7206.10 through 7216.50, 7216.99 through 7301.10, 7302.10, 7302.40 through 7302.90, and 7304.11 through 7306.90.
Proclamation 9980 (Jan. 24, 2020) defined derivative steel articles as an article in which:

steel accounted for, on average, at least two-thirds of the product’s total material cost; and where
import volumes of such derivative article increased year to year in comparison to import volumes the preceding two years; and
import volumes of such derivative article exceeded the 4 percent average increase in the total volume of goods imported.

Those proclamations also included the following HTS codes:

HTS Heading
Product Type
Description
Source

7208, 7209, 7210, 7211, 7212, 7225, 7226
Steel Product
Flat-rolled products
Proclamation 9705

7213, 7214, 7215, 7227, 7228
Steel Product
Bars and rods
Proclamation 9705

7216 (except subheadings 7216.61.00, 7216.69.00 or 7216.91.00)
Steel Product
Angles, shapes and sections of iron or nonalloy steel
Proclamation 9705

7217, 7229
Steel Product
Wire
Proclamation 9705

7301.10.00
Steel Product
Sheet piling
Proclamation 9705

7302.10
Steel Product
Rails
Proclamation 9705

7302.40.00
Steel Product
Fish-plates and Sole plates
Proclamation 9705

7302.90.00
Steel Product
Other products of iron or steel
Proclamation 9705

7304, 7306
Steel Product
Tubes, pipes and hollow profiles
Proclamation 9705

7305
Steel Product
Tubes and pipes
Proclamation 9705

7206, 7207, 7224
Steel Product
Ingots, other primary forms and semi-finished products
Proclamation 9705

7218, 7219, 7220, 7221, 7222, 7223
Steel Product
Products of stainless steel
Proclamation 9705

7317.00.30
Derivative Steel Product
Nails, tacks (other than thumb tacks), drawing pins, corrugated nails, staples (other than those of heading 8305) and similar articles of iron or steel, whether or not with heads of other materials (excluding such articles with heads of copper), suitable for use in powder-actuated handtools, threaded
Proclamation 9980

7317.00.5503, 7317.00.5505, 7317.00.5507, 7317.00.5560, 7317.00.5580, 7317.00.6560 only and not in other numbers of subheadings 7317.00.55 and 7317.00.65
Derivative Steel Product
Nails, tacks (other than thumb tacks), drawing pins, corrugated nails, staples (other than those of heading 8305) and similar articles of iron or steel, whether or not with heads of other materials (excluding such articles with heads of copper), of one piece construction, whether or not made of round wire
Proclamation 9980

8708.10.30
Derivative Steel Product
Bumper stampings of steel, the foregoing comprising parts and accessories of the motor vehicles of headings 8701 to 8705
Proclamation 9980

8708.29.21
Derivative Steel Product
Body stampings of steel, for tractors suitable for agricultural use
Proclamation 9980

Additional Derivative Steel Products Subject to the 2025 232 Tariffs

The exact HTS codes of additional derivative steel products subject to the new tariffs are provided in pages 12-14 of Proclamation 10896 (Feb. 10, 2025).
For any derivative steel article identified in Annex I of Proclamation 10896 that is not in Chapter 73 of the HTSUS, the additional ad valorem duty shall apply only to the steel content of the derivative steel article.

5. Calculating Section 232 Tariffs on Steel and Derivative Steel Products
The calculation of these tariffs involves determining the value of the steel or aluminum content, which is:

The total price paid or payable for the steel or aluminum content itself, excluding any costs related to transportation, insurance, and other services associated with the shipment from the country of exportation to the country of importation.
This value is typically reflected in the invoice that the buyer pays to the seller for the steel or aluminum content.

Here are some scenarios considering the HTS codes above:
SCENARIO 1–If an article is identified in Proclamation 9705 or 9980, the Section 232 tariff will apply to the entire merchandise value.

Example: A steel body stamping classified under HTS 8708.29.21 and thus classified under Proclamation 9980, has a value of $100. The Section 232 tariff will be $25.

SCENARIO 2– If the article is identified in new Proclamation 10896 and is in Chapter 73, the tariff again applies to the entire merchandise value.

Example: A stainless steel pan classified under HTS 7323.93.00 has a value of $100. Because the pan is identified by new Proclamation 10896 and is classified in Chapter 73, the value of the entire merchandise is subject to the 25% duty. Thus, the Section 232 tariff will be $25.

SCENARIO 3– If the article is identified in new Proclamation 10896 but is not in Chapter 73, the tariff applies only to the steel content value.

Example: A passenger elevator part classified under HTS 8431.31.00, with a steel content valued at $75 out of a total $100, will incur a tariff of $18.75, because only the value of the steel content is subject to the 25% duty.

The implementation of these new Section 232 duties introduces significant changes for importers of steel and aluminum products. Understanding the details of these tariffs and their implications is essential for businesses consider strategic adjustments within their supply chains to mitigate the impact of these new duties.

Threat Actors Use AI to Launch Identity Theft Scams

Identity theft will continue to rise in 2025. According to the Better Business Bureau of Missouri (BBB), it received over 16,000 identity theft complaints in the past three years. Scammers are “increasingly using advanced tactics such as artificial intelligence to exploit victims.”
The BBB notes that threat actors are taking over social media accounts to solicit money and “impersonating individuals to rent apartments or open credit cards.”
According to Which?, fraud prevention service Cifas reports the continuing rise of identity theft and fraud, and artificial intelligence (AI) is “fuelling [the] identity fraud increase.” Cases of account takeover “drastically increased by 76% in 2024.” Over half of these cases involved threat actors hijacking mobile telephone accounts, and SIM swap fraud increased by a whopping 1,055%. Threat actors use AI more frequently in cases of false applications, where it assists “with the speed, sophistication and scale of false documentation, as well as aiding the ability to pass verification checks.”
Identity theft will continue to rise, so preventative measures, such as those outlined by the BBB, Identitytheft.org, and the FTC, will hopefully prevent victimization. If you become a victim, the FTC has free helpful resources to consider.

FTC Settles With accessiBe For Misleading Statements About WCAG Compliance

The Federal Trade Commission (FTC) announced on April 22, 2025, that it has approved a settlement entered into a Final Order with accessiBe, which claimed its plug-in product, accessWidget, “can make any website compliant with Web Content Accessibility Guidelines (WCAG).” The settlement includes the payment of $1 million and requires accessiBe to refrain from “making misleading claims.” The Commission unanimously approved the Final Order 3-0.
The FTC had filed a complaint against accessiBe Ltd alleging that “despite the company’s claims, accessWidget did not make all user websites WCAG-compliant and these claims were false, misleading, or unsubstantiated.” The complaint further alleged that it “deceptively formatted third-party articles and reviews to appear as if they were independent opinions.”
The settlement reinforces the FTC’s continued focus on misleading claims, and companies should check the accuracy of representations made on websites.

Privacy Tip #441 – Identity Theft Statistics Increasing in 2025

Unfortunately, identity theft continues to increase, and according to Identitytheft.org, the statistics are going to get worse in 2025. Some of the statistics cited by Identitytheft.org include:

1.4 million complaints of identity theft were received by the Federal Trade Commission
Total fraud and identity theft cases have nearly tripled over the last decade
Cybercrime losses totaled $10.2 billion
The median loss to fraud victims is $500
There is an identity theft case every 22 seconds
33% of Americans faced some form of identity theft at some point in their lives
Consumers aged 30-39 were the most victimized by identity theft
Georgia ranked #1 for identity theft and fraud cases

Identitytheft.org concludes:
“Identity theft has been a growing problem in the U.S. for the past few years. It is difficult for victims to deal with these issues because theft methods are becoming even more sophisticated with time. Citizens must safeguard their personal information by utilizing technology such as antivirus protection software, password managers, identity theft protection, and VPNs if they want to avoid identity theft scenarios in 2025.”
These are helpful tips to consider.