The BR Privacy & Security Download: April 2025
STATE & LOCAL LAWS & REGULATIONS
Virginia Governor Vetoes AI Bill: Virginia Governor Glenn Youngkin vetoed the Virginia High-Risk Artificial Intelligence Developer and Deployer Act (the “Act”). The Act was similar to the Colorado AI Act and would have required developers to use reasonable care to prevent algorithmic discrimination and to provide detailed documentation on an AI system’s purpose, limitations, and risk mitigation measures. Deployers of AI systems would have been required to implement risk management policies, conduct impact assessments before deploying high-risk AI systems, disclose AI system use to consumers, and provide opportunities for correction and appeal. The governor stated that the Act’s “rigid framework fails to account for the rapidly evolving and fast-moving nature of the AI industry and puts an especially onerous burden on smaller firms and startups that lack large legal compliance departments” and that the Act “would harm the creation of new jobs, the attraction of new business investment, and the availability of innovative technology” in the state. The governor also noted that existing state laws “protect consumers and place responsibilities on companies relating to discriminatory practices, privacy, data use, libel, and more” and that an executive order issued by the governor in 2024 established safeguards and oversight for AI use.
CPPA Advances Regulations for Data Broker Deletion Mechanism: The California Privacy Protection Agency (“CPPA”) advanced proposed California Delete Act regulations through the establishment of the Delete Request and Opt-Out Platform (“DROP”). These regulations would create an accessible mechanism for consumers to request the deletion of all their non-exempt personal information held by registered data brokers via a single request to the CPPA. The proposed rules also clarify the definition of a “direct relationship” with a consumer, specifying that simply collecting personal information directly from a consumer does not constitute a direct relationship unless the consumer intends to interact with the business. This revision could bring more businesses, such as third-party cookie providers, under the definition of data brokers. Consumers will likely be able to access DROP by January 1, 2026, and data brokers will be required to access it by August 1, 2026.
Virginia Enacts Reproductive Privacy Law: Virginia enacted amendments to the Virginia Consumer Data Protection Act to prohibit the collection, disclosure, sale, or dissemination of consumers’ reproductive or sexual health data without consent. “Reproductive or sexual health information” is defined under the law as “information relating to the past, present, or future reproductive or sexual health of an individual,” including: (1) efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies; (2) reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active, and whether an individual is engaging in unprotected sex; (3) reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy; (4) use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients; (5) bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels; (6) any information about diagnoses or diagnostic testing, treatment, or medications, or the use of any product or service relating to the matters described in 1 through 5; and (7) any information described in 1 through 6 that is derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data. “Reproductive or sexual health information” does not include protected health information as defined by HIPAA.
Oregon Attorney General Releases Enforcement Report on Oregon’s Consumer Privacy Act: The Oregon Attorney General released a six-month report on the enforcement of Oregon’s comprehensive privacy law, the Consumer Privacy Act (“OCPA”), which took effect on July 1, 2024. The report provides that, as of the beginning of 2025, the Privacy Unit within the Civil Enforcement Division at Oregon’s Department of Justice (“Privacy Unit”) received 110 complaints. Most of these complaints were about online data brokers. In the last six months, the Privacy Unit initiated and closed 21 matters after sending cure notices (the OCPA provides for a 30-day cure period, which sunsets on January 1, 2026) and broader information requests. Some of the most common deficiencies identified were the lack of requisite disclosures or confusing privacy notices (e.g., not listing the OCPA rights or not naming Oregon in “your state rights” section), and lacking or burdensome rights mechanisms (e.g., the lack of a webpage link for consumers to submit opt-out requests).
Utah Becomes First State to Enact Legislation Requiring App Stores to Verify Users’ Ages: Utah has enacted the App Store Accountability Act, which mandates that major app store providers must verify the age of every user in the state. For users under 18, the law requires verifiable parental consent before any app can be downloaded, including free apps, or any in-app purchases can be made. App stores must also confirm a user’s age category (adult, older teen (16-17), younger teen (13-15), or child (under 13)). When a minor creates an account, it must be linked to a parent’s account. App store providers are responsible for building systems to verify ages, obtain parental consent, and share this data with app developers. They must also provide sufficient disclosure to parents about app ratings and content and notify them of significant changes to apps their children use, requiring renewed consent. Violations of the law will be considered deceptive trade practices, and the act creates a private right of action for harmed minors or their parents. The core requirements for age verification and parental consent are set to take effect on May 6, 2026.
Michigan Legislative Committee Advances Judicial Privacy Bill: The Michigan Senate Committee on Civil Rights, Judiciary, and Public Safety provided a favorable recommendation for a judicial privacy bill that would allow state and federal judges to request the deletion of their personal information from public listings. The Michigan bill would create a private right of action with mandatory recovery of legal fees for any entity that fails to respond to a valid deletion request. The purpose of the bill is to protect against a significant uptick in threats against judicial officers and their families. The bill is based on New Jersey’s Daniel’s Law, which has sparked a wave of class action lawsuits against data brokers and online listing companies. If passed, businesses that receive a valid request from a member of the judiciary or their immediate family members under the proposed bill would have to remove from publication any covered information pertaining to the requestor.
Virginia Legislature Passes Consumer Data Protection Act Amendments Restricting Minors’ Use of Social Media; Governor Declines to Sign: The Virginia Legislature unanimously passed a bill to amend the Virginia Consumer Data Protection Act to limit minors’ use of social media to one hour per day. Specifically, the bill would require any social media platform operator to (1) use commercially reasonable methods, such as a neutral age screen mechanism, to determine whether a user is a minor younger than 16 years of age and (2) limit any such minor’s use of such social media platform to one hour per day, per service or application, and allow a parent to give verifiable parental consent to increase or decrease the daily time limit. Virginia Governor Glenn Youngkin declined to sign the bill as passed, recommending several changes to strengthen the bill. These recommendations include raising the age of covered users from 16 to 18 and requiring social media platform operators to disable infinite scroll features and auto-playing videos unless the operator has obtained verifiable parental consent.
FEDERAL LAWS & REGULATIONS
Lawmakers Reintroduce COPPA 2.0 to Strengthen Children and Teens’ Online Privacy: U.S. Senators Bill Cassidy (R-LA) and Edward Markey (D-MA) have reintroduced the Children and Teens’ Online Privacy Protection Act (“COPPA 2.0”), aiming to update online data privacy rules to better protect children and teenagers. The bill seeks to address the youth mental health crisis by stopping data practices that contribute to it. COPPA 2.0 proposes several key measures, including a ban on targeted advertising to children and teens and the creation of an “Eraser Button,” allowing users to delete personal information. It also establishes data minimization rules to limit the excessive collection of young people’s data and revises the “actual knowledge” standard to prevent platforms from ignoring children on their sites. Furthermore, the legislation would require internet companies to obtain consent before collecting personal information from users aged 13 to 16. Previous versions of COPPA 2.0 have advanced in Congress, passing the Senate and a House committee in the past.
White House Seeks Stakeholder Input for Trump Administration’s AI Action Plan: The White House Office of Science and Technology Policy issued a Request for Information to gather public input on the administration’s AI Action Plan. This AI Action Plan intends to define priority policy actions to enhance America’s position as an AI powerhouse and prevent unnecessary regulations from hindering private sector innovation. The focus is on promoting U.S. competitiveness in AI, limiting regulatory burdens, and developing safeguards that support responsible AI advancement. Stakeholders, including academia, industry groups, and private sector organizations, were encouraged to share their policy ideas on topics such as model development, cybersecurity, data privacy, regulation, national security, innovation, and international collaboration. The submitted comments will be used to inform future regulatory proposals.
Congresswoman Issues RFI for Input on U.S. Privacy Act Reform: Congresswoman Lori Trahan (D-MA) announced her effort to reform the Privacy Act of 1974, aiming to protect Americans’ data from government abuse. The proposed reforms seek to address outdated provisions in the act and enhance privacy protections for individuals in the digital age. Trahan emphasized the importance of updating the act to reflect modern technological advancements and the increasing amount of personal data collected by government agencies. The initiative includes measures to ensure greater transparency, accountability, and oversight of data collection practices. Trahan highlights the urgency of the issue as a result of access by the Department of Government Efficiency staff to personal data held by several agencies and calls for legislative action to protect citizens’ privacy rights and prevent government overreach.
U.S. LITIGATION
Court Blocks Enforcement of California Age-Appropriate Design Code: Industry group NetChoice scored yet another victory over the California Age-Appropriate Design Code Act, obtaining a second preliminary injunction temporarily blocking its enforcement. The act was passed unanimously by the California legislature in 2022 and—if enforced—would place extensive new requirements on websites and online services that are “likely to be accessed by children” under the age of 18. NetChoice won its first preliminary injunction in September 2023 on the grounds that the act would likely violate the First Amendment. In August 2024, the Ninth Circuit partially upheld this injunction, finding that NetChoice was likely to succeed in demonstrating that the act’s data protection impact assessment provisions violated the First Amendment. However, the Ninth Circuit remanded the case for determination of the constitutionality of the remaining provisions as well as whether any unconstitutional provisions could be severed from the remainder of the act. On remand, Judge Beth Labson Freeman again granted NetChoice’s motion for preliminary injunction, finding that the act regulates protected speech, triggering a strict scrutiny review. Judge Freeman concluded that although California has a compelling interest in protecting the privacy and well-being of children, this interest alone is not sufficient to satisfy a strict scrutiny standard. This ruling is likely to strengthen NetChoice’s opposition to similar acts, such as the Maryland Age-Appropriate Design Code Act.
Court Rejects Allegheny Health Network’s Attempt to Force Arbitration over Meta Pixel Tracking: The U.S. District Court for the Western District of Pennsylvania ruled that Allegheny Health Network (“AHN”) cannot compel arbitration in a class action lawsuit filed by a patient under a pseudonym. The patient alleged that AHN unlawfully collected and disclosed his confidential health information to Meta Platforms. AHN initially sought to compel arbitration based on an arbitration provision within their website’s Terms of Service. However, the court denied this motion, finding that the patient did not have actual or constructive notice of the arbitration agreement. The court found that the link to AHN’s Terms of Service, a “browsewrap” agreement, was not sufficiently conspicuous, as it was located at the bottom of the homepage among numerous other links and in a less visible footer on its “Find a Doctor” page. Additionally, the court found AHN failed to prove the patient had seen the specific Terms of Service containing the arbitration provision that was added to the website.
Supreme Court Declines Review of Sandhills Medical Data Breach Suit: The U.S. Supreme Court has declined to review a Fourth Circuit decision that ruled Sandhills Medical Foundation Inc. (“Sandhills Medical”), a federally funded health center, cannot use federal immunity to shield itself from a data breach lawsuit. The lawsuit was brought by Joann Ford following a data breach at Sandhills Medical. Sandhills Medical argued it was entitled to federal immunity under 42 U.S.C. § 233(a), which protects federally funded health centers from lawsuits related to the performance of medical, surgical, dental, or related functions. The Fourth Circuit, however, interpreted “related functions” narrowly, stating it did not cover data protection. Sandhills Medical, in its petition to the Supreme Court, contended that this ruling created a circuit split with the Ninth and Second Circuits, which have taken a broader view of the immunity. Sandhills Medical warned that the Fourth Circuit’s “unnaturally cramped” reading of the statute needed correction. Despite these arguments, the Supreme Court denied Sandhills Medical’s petition, meaning the health center will now face the lawsuit in South Carolina District Court.
Utah Attorney General Seeks Reinstatement of Utah Minor Protection in Social Media Act: Utah has requested a federal appeals court to reinstate a law that imposes restrictions on social media platforms. The Utah Minor Protection in Social Media Act (the “Act”), passed in 2024, was previously blocked by a lower court. The act aims to protect minors from harmful content and requires social media companies to verify the age of users and obtain parental consent for minors. Utah’s Attorney General argues that the law is necessary to safeguard children from online dangers and prevent exploitation. Previously, tech industry group NetChoice successfully sued to block the law, arguing it infringes on First Amendment rights and imposes undue burdens on businesses.
Court Holds Sharing of IP Address Insufficient to Prove Harm in CIPA Case: Judge Edgardo Ramos of the Southern District of New York granted defendant Insider, Inc.’s (“Insider”) motion to dismiss claims that its use of Audiencerate’s website analytics tools constituted an unlawful ‘pen register’ in violation of California’s Invasion of Privacy Act (“CIPA”). Plaintiffs argued that Insider invaded their privacy when it installed a tracker on their browsers, sending their IP addresses to a third party, Audiencerate, without their consent. However, Judge Ramos found that this collection and disclosure of IP addresses was insufficient to establish harm for purposes of Article III standing. He found that unlike a Facebook ID, which can be used to track or identify specific individuals, an IP address cannot be used to identify an individual and can only provide geographic information “as granular as a zip code.” Therefore, disclosure of an IP address would not be highly offensive to a reasonable person. Judge Ramos further emphasized that this “conclusion is consistent with the general understanding that in the Fourth Amendment context a person has no reasonable expectation of privacy in an IP address.” Despite this ruling, CIPA class actions and demands are likely to remain a constant threat to businesses with California-facing websites.
Periodical Publisher Unable to Dismiss VPPA Class Action: Judge Lewis J. Liman of the Southern District of New York denied defendant Springer Nature America’s (“Nature”) motion to dismiss claims that its use of Meta Pixel violated the Video Privacy Protection Act (“VPPA”). The VPPA prohibits videotape service providers from knowingly disclosing personally identifiable information about their renters, purchasers, or subscribers. Despite being drafted to address information collected through physical video stores, the VPPA has become a potent tool in the hands of the plaintiffs’ bar to challenge websites containing video content. Although Nature is primarily a research journal publication, Judge Liman found that it could qualify as a videotape service provider as defined under the VPPA in part because of the video content on its website and its subscription-based business model. Relying on the recent Second Circuit decision in Salazar v. National Basketball Association, Judge Liman also found that the plaintiff had alleged a concrete injury sufficient to confer standing because the disclosure of information about videos viewed was adequately similar to the public disclosure of private facts. This ruling should remind companies whose websites contain significant video content to carefully review their cookie usage and consent management capabilities.
U.S. ENFORCEMENT
CPPA Requires Data Broker to Shut Down: As part of its public investigative sweep of data broker registration compliance, the CPPA reached a settlement agreement with Background Alert, Inc. (“Background Alert”) for failing to register and pay an annual fee as required by California’s Delete Act. The Delete Act requires data brokers to register and pay an annual fee that funds the California Data Broker Registry. As part of the settlement, Background Alert must shut down its operations for three years for failing to register between February 1 and October 8, 2024. If Background Alert violates any term of the settlement, including the requirement to shut down its operations, it must pay a $50,000 fine to the CPPA.
New York Attorney General Settles with App Developer for Failure to Protect Students’ Privacy: The New York Attorney General settled with Saturn Technologies, the developer of the Saturn app, for failing to protect students’ privacy. Saturn allows high school students to create a personal calendar, interact with other users, share social media accounts, and know where other users are located based on their calendars. The New York Attorney General’s investigation found that unlike what Saturn Technologies represented, the company failed to verify users’ school email and age to ensure only high school students from the same high school interacted. The investigation also found that Saturn Technologies used copies of users’ contact books even when the user changed their phone settings to deny Saturn’s access to their contact book. Under the settlement, Saturn Technologies must pay $650,000 in penalties and change its verification process, provide enhanced privacy options for students under 18, and prompt users under 18 to review their privacy settings every six months.
New York Attorney General Sues Insurance Companies for Back-to-Back Data Breaches: The New York Attorney General sued insurance companies National General and Allstate Insurance Company for back-to-back data breaches, which exposed the driver’s license numbers of more than 165,000 New Yorkers. In 2020, attackers took advantage of a flaw on two of National General’s auto insurance quoting websites, which displayed consumers’ full driver’s license numbers in plain text. The complaint alleges that National General failed to detect the breach for two months and failed to notify consumers and the appropriate state agencies. The complaint also alleges that National General continued to leave driver’s license numbers exposed on a different quoting website for independent insurance agents, resulting in another data breach in 2021. This action is the New York Attorney General’s latest effort to hold auto insurance companies accountable for failing to protect consumers’ personal information against an industry-wide campaign by attackers targeting online auto insurance quoting applications.
California Attorney General Announces Investigative Sweep of Location Data Industry: The California Attorney General announced an ongoing investigative sweep into the location data industry. The California Attorney General sent letters to advertising networks, mobile app providers, and data brokers that appear to be in violation of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”). The enforcement sweep is intended to ensure that businesses comply with their obligations under the CCPA with respect to consumers’ rights to opt out of the sale and sharing of personal information and limit the use of sensitive personal information, which includes precise geolocation data. The letters sent by the California Attorney General notify recipients of potential violations of the CCPA and request additional information regarding how the recipients offer and effectuate such CCPA rights. Location data has become an enforcement priority for the California Attorney General given the federal landscape affecting California’s immigrant communities and reproductive and gender-affirming healthcare.
CPPA Settles with Auto Manufacturer for CCPA Violations: The CPPA settled with American Honda Motor Co. (“Honda”) for its alleged CCPA violations. The CPPA alleged that Honda (1) required consumers to verify themselves and provide excessive personal information to exercise their rights to opt out and limit; (2) used an online privacy management tool that failed to offer consumers their CCPA rights in a symmetrical way; (3) made it difficult for consumers to authorize agents to exercise their CCPA rights on their behalf; and (4) shared personal information with ad tech companies without contracts containing CCPA-required language. As part of the settlement, Honda must pay $632,500, implement new and simpler methods for submitting CCPA requests, and consult a user experience designer to evaluate its methods, train its employees, and ensure the requisite contracts are in place with third parties with whom it shares personal information. This action is a part of the CPPA’s investigative sweep of connected vehicle manufacturers and related technologies.
OCR Settles with Healthcare Provider for HIPAA Violations: The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) settled with Oregon Health & Science University (“OHSU”) over potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule’s right of access provisions. The HIPAA Privacy Rule requires covered entities to provide individuals or their personal representatives access to their protected health information within thirty days of a request (with the possibility of a 30-day extension) for a reasonable, cost-based fee. OCR initiated an investigation against OHSU for a second complaint OCR received in January 2021 from the individual’s personal representative. OCR resolved the first complaint in September 2020, when OCR notified OHSU of its potential noncompliance with the Privacy Rule for only providing part of the requested records. However, OHSU did not provide all of the requested records until August 2021. As part of the settlement, OHSU must pay $200,000 in penalties.
Democratic FTC Commissioners Fired by Trump Administration: The Trump administration fired the Federal Trade Commission’s (“FTC”) Democratic Commissioners Alvaro Bedoya and Rebecca Kelly Slaughter. Their removal leaves the FTC with no minority party representation on the agency’s five-commissioner bench. Slaughter was originally nominated by Trump in 2018 and was serving her second term. Bedoya was in his first term as commissioner. Bedoya and Slaughter indicated in public statements that they would take legal action to challenge the firings. Among potential privacy impacts of the firings is how the lack of minority party representation may affect the enforcement of the EU-U.S. Data Privacy Framework (“DPF”), which is used by many businesses to legally transfer personal data from the EU to the United States. The DPF is intended to be an independent data transfer mechanism, and the removal may heighten concerns about the independence of agencies tasked with enforcing the DPF. The move at the FTC follows the prior removal of Democrats from the U.S. Privacy and Civil Liberties Oversight Board, which is charged with providing oversight of the redress mechanism for non-U.S. citizens under the DPF.
CFPB Drops Suit Against TransUnion: The Consumer Financial Protection Bureau (“CFPB”) voluntarily dismissed with prejudice its lawsuit against TransUnion in which it alleged that TransUnion engaged in deceptive marketing practices in violation of a 2017 consent order. The CFPB provided no explanation for its decision and each party agreed to bear its own litigation costs and attorneys’ fees.
INTERNATIONAL LAWS & REGULATIONS
CJEU Rules Data Subject Is Entitled to Explanation of Automated Decision Making: The Court of Justice of the European Union (“CJEU”) ruled that a controller must describe the procedure and principles applied in any automated decision-making technology in a way that the data subject can understand what personal data was used, and how it was used, in the automated decision making. The ruling stemmed from an Austrian case where a mobile telephone operator refused to allow a customer to conclude a contract on the ground that her credit standing was insufficient. The operator relied on an assessment of the customer’s credit standing carried out by automated means by Dun & Bradstreet Austria. The court also stated that the mere communication of an algorithm does not constitute a sufficiently concise and intelligible explanation. In order to meet the requirements of transparency and intelligibility, it may be appropriate to inform the data subject of the extent to which a variation in the personal data would have led to a different result. Companies will have to be creative in assessing what information is required to ensure the explainability of automated decision-making to data subjects.
European Parliament Publishes Report on Potential Conflicts Between GDPR and EU AI Act: The European Parliament published a report on the interplay of the EU AI Act with the EU General Data Protection Regulation (“GDPR”). One of the AI Act’s main objectives is to mitigate discrimination and bias in the development, deployment, and use of “high-risk AI systems.” To achieve this, the EU AI Act allows “special categories of personal data” to be processed, based on a set of conditions (e.g., privacy-preserving measures) designed to identify and to avoid discrimination that might occur when using such new technology. The report concludes that the GDPR, which imposes limits on the processing of special categories of personal data, might prove restrictive in the circumstances under which the GDPR allows the processing of special categories of personal data. The paper recommends that GDPR reforms or further guidelines on how the GDPR works with the EU AI Act would help address any conflicts.
Norwegian and Swedish Data Protection Authorities Release FAQs on Personal Data Transfers to United States: The Norwegian and Swedish data protection authorities issued FAQs on Personal Data Transfers to the United States in response to the dismissal of several members of the U.S. Privacy and Civil Liberties Oversight Board (“PCLOB”). The PCLOB is responsible for providing oversight of the redress mechanism for non-U.S. citizens under the U.S.-EU Data Protection Framework (“DPF”), which is one legal mechanism available to transfer EU personal data to the U.S. under the GDPR. Datatilsynet, the Norwegian data protection authority, stated that it understands that the intent is to appoint new PCLOB members in the future and that, even without a quorum, the PCLOB can perform some tasks related to the DPF. Accordingly, Datatilsynet stated that issues would only arise in the adequacy decision underpinning the DPF as a result of the removal of the PCLOB members if the appointment of new members takes a long time. The Swedish data protection authority, Integritetsskyddsmyndigheten (“IMY”), also cited confusion of the European business community following the dismissal of several members of the PCLOB. The IMY stated that the Court of Justice of the European Union has the authority to annul the DPF adequacy decision but has not taken such action. As a result, the DPF is still a valid mechanism for data transfer according to the IMY. Both data protection authorities indicated they would continue to monitor the situation in the U.S. to determine if anything occurred that affected the DPF and its underlying adequacy decision.
OECD Releases Common Reporting Framework for AI Incidents: The Organization for Economic Co-operation and Development (“OECD”) released a paper titled “Towards a Common Reporting Framework for AI Incidents.” The paper outlines the need for a standardized approach to reporting AI-related incidents. It emphasizes the importance of transparency and accountability in AI systems to ensure public trust and safety. The report proposes a framework that includes guidelines for identifying, documenting, and reporting incidents involving AI technologies. The paper specifically identifies 88 potential criteria for a common AI incident reporting framework across 8 dimensions. The 8 dimensions are (1) incident metadata, such as date of occurrence, title, and description of the incident; (2) harm details focusing on severity, type, and impact; (3) people and planet, describing impacted stakeholders and associated AI principles; (4) economic context describing the economic sectors where the AI was deployed; (5) data and input, which includes a description of the inputs selected to train the AI system; (6) AI model providing information related to the model type; (7) task and output, describing the AI system tasks, automation level, and outputs; and (8) other information about the incident to catch any complementary information reported with respect to an incident.
China Issues Draft Measures for Financial Institutions to Report Cybersecurity Incidents and for Data Compliance Audits: The People’s Bank of China (“PBOC”) released draft administrative measures for reporting cybersecurity incidents in the financial sector (“Draft Measures”). The Draft Measures provide guidelines for identifying, reporting, and managing cybersecurity incidents by financial institutions regulated by the PBOC. Reporting requirements and timing vary according to type of entity and classification of incidents. Incidents would be classified as one of four categories – especially significant, significant, large, and average. Separately, the Cyberspace Administration of China (“CAC”) issued administrative measures on data protection audit requirements (“Data Protection Audit Measures”). The Data Protection Audit Measures provide (1) the conditions under which an audit of a data handler’s compliance with relevant personal information protection legal requirements would be required; (2) selection of third-party compliance auditors; (3) frequency of compliance audits; and (4) obligations of data handlers and third-party auditors in conducting compliance audits. The Data Protection Audit Measures include guidelines setting forth the specific factors that data handlers must evaluate in an audit, including the legal basis for processing personal information, whether the data handler has complied with notice obligations, how personal information is transferred outside of China, and the technical security measures employed by the data handler to protect personal information, among other factors.
European Commission Releases Third Draft of General-Purpose AI Code of Practice: The European Commission announced the publication of the third draft of the EU General-Purpose AI Code (“Code”). The first two sections of the draft Code detail transparency and copyright obligations for all providers of general-purpose AI models, with notable exemptions from the transparency obligations for providers of certain open-source models in line with the AI Act. The third section of the Code is only relevant for a small number of providers of most advanced general-purpose AI models that could pose systemic risks, in accordance with the classification criteria in Article 51 of the AI Act. In the third section, the Code outlines measures for systemic risk assessment and mitigation, including model evaluations, incident reporting, and cybersecurity obligations. A final version of the General-Purpose AI Code of Practice is due to be presented and published to the European Commission in May.
Additional Authors: Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganze, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Adam J. Landy, Amanda M. Noonan and Karen H. Shin.
Understanding the U.S. Embassy Paris Certification Requirement
Last week, the U.S. Embassy in Paris issued a letter and certification form to multiple French companies requiring companies that serve the U.S. Government to certify their compliance with U.S. federal anti-discrimination laws. This certification request was issued in furtherance of President Trump’s Executive Order 14173 on Ending Illegal Discrimination and Restoring Merit-Based Opportunities, issued on January 21, 2025. This Order addresses programs promoting Diversity, Equity and Inclusion (DEI) and requires that government contractors’ employment, procurement and contracting practices not consider race, color, sex, sexual preference, religion or national origin in ways that violate the United States’ civil rights laws.
Certification Contents
The certification requires U.S. Government contractors to certify that they comply with all applicable U.S. federal anti-discrimination laws and do not promote DEI in violation of applicable U.S. federal anti-discrimination laws.
While the letter was issued by the U.S. Embassy in Paris and is arguably limited to contractors serving that embassy, the requirement under the Executive Order extends to all contractors doing business with any U.S. Government agency.
Any company submitting the certification with knowledge that it is false will be deemed to have violated the U.S. False Claims Act, which imposes liability on individuals and companies who defraud governmental programs.
Implications for French Companies
This letter raises questions about the extraterritorial application of U.S. laws to foreign companies and their reach. In particular, while the Executive Order clearly applies to companies (irrespective of nationality) that directly supply or provide services to the U.S. Government, it is unclear whether, for example, the French parent of a U.S. subsidiary providing services to the U.S. Government would be subject to the certification.
The issue is complicated by the fact that French law in some ways conflicts with the provisions of the Executive Order – for instance, requiring that mid-sized and large companies have a minimum percentage of women sitting on their boards.
Neither the Executive Order nor the documents mention any exemptions or carve-outs for suppliers and service providers.
Conclusion
The U.S. Embassy’s certification requirement underscores the current complexities faced by international businesses in dealing with the U.S. Government. French companies should consider carefully assessing their DEI programs and overall compliance with U.S. federal laws while continuing to adhere to their own legal obligations, striking a careful balance as best they can.
New EEOC Guidance Creates DEI Compliance Considerations for Employers
On March 19, 2025, the U.S. Equal Employment Opportunity Commission (“EEOC”), together with the U.S. Department of Justice (“DOJ”), issued a press release cautioning employers against discrimination arising from diversity, equity and inclusion (“DEI”) programs. More specifically, the EEOC and DOJ warned that such initiatives “may be unlawful if they involve an employer or other covered entity taking an employment action motivated – in whole or in part – by an employee’s or applicant’s race, sex, or another characteristic.” The press release incorporated new guidance from the EEOC regarding DEI-related discrimination in the workplace: (i) a one-page technical assistance document titled “What To Do If You Experience Discrimination Related to DEI at Work” (the “Guidance”); and (ii) a longer set of frequently asked questions titled “What You Should Know About DEI-Related Discrimination at Work” (the “FAQs”). Both documents demonstrate the Trump Administration’s commitment to cracking down on corporate DEI initiatives, and represent a sea change from the Biden-era EEOC’s enforcement priorities. This article outlines the Guidance and the FAQs, and suggests compliance measures for employers to consider in light of their content.
The Guidance
The Guidance outlines the EEOC’s perspective on employer DEI programs and ways in which they may run afoul of Title VII of the Civil Rights Act of 1964 (“Title VII”), which protects “employees, potential and actual applicants, interns, and training program participants.” While the Guidance acknowledges that the term “DEI” is undefined, it cautions that DEI initiatives “may be unlawful if they involve an employer or other covered entity taking an employment action motivated – in whole or in part – by an employee’s race, sex, or other protected characteristic.” The Guidance then provides a non-exhaustive list of actions that may constitute “DEI-related discrimination,” including, but not limited to:
Implementing “quotas” or “otherwise ‘balancing’ a workforce by race, sex, or other protected traits;”
Excluding individuals from training, fellowships, mentoring or sponsorship programs on the basis of their protected characteristics;
Selecting candidates for interviews, including placement on candidate slates, based on their protected characteristics;
Limiting membership in workplace groups, such as employee resource groups (“ERGs”) to certain protected groups; and
Separating employees into groups based on protected characteristics when “administering DEI or other trainings, or other privileges of employment, even if the separate groups receive the same programming content or amount of employer resources.”
The Guidance further states that “DEI training” may constitute “a colorable hostile work environment claim,” and advises employers that “[r]easonable opposition to a DEI training” may constitute protected activity giving rise to a retaliation claim so long as “the employee provides a fact-specific basis for his or her belief that the training violates Title VII.”
The FAQs
Like the Guidance, the FAQs are aimed at shedding light on what may constitute “DEI-related discrimination” in the workforce. Initially, the FAQs confirm that Title VII protects all workers, not just those who are “part of a minority group,” and instruct readers on how they may file a charge of discrimination to oppose DEI-related discrimination. The FAQs further clarify that the EEOC will not require a higher showing of proof for so-called “reverse discrimination” claims, or claims that an employer has discriminated against a majority group; indeed, the FAQs go on to state that, in the EEOC’s view, “there is no such thing as ‘reverse’ discrimination, there is only discrimination.”
The FAQs, like the Guidance, fail to define “DEI,” but provide examples of “DEI initiatives, policies, programs or practices” that may be unlawful under Title VII. Such actions include disparate treatment in: (i) hiring, firing, promotion, demotion, compensation, fringe benefits, job duties, and/or work assignments; (ii) access to or exclusion from training, including training characterized as leadership development programs; (iii) access to mentoring, sponsorship, or workplace networking; (iv) internships, including those labeled as “fellowships” or “summer associate” programs; and (v) selection for interviews, including placement or exclusion from a candidate “slate” or pool. According to the FAQs, actions that limit, segregate or classify employees based on their protected characteristics – such as limiting membership in ERGs, business resource groups, or employee affinity groups to certain protected groups – may also violate Title VII. The FAQs state that employers may not legally justify any of the foregoing actions (or other forms of DEI-related discrimination) based on business necessity, “an interest in diversity,” or client, customer, or co-worker preference.
Last, the FAQs address employer DEI training, which the EEOC states may constitute workplace harassment when it is “discriminatory in content, application, or context.” To the extent that such training is discriminatory in “design, content, or execution,” it may give rise to a hostile work environment claim. While the FAQs do not provide concrete examples of DEI training content that may violate Title VII, they state in a footnote that “unconscious bias training” may be problematic. Finally, the FAQs echo the Guidance’s confirmation that opposing unlawful DEI training (or other DEI-related discrimination) may constitute protected activity that gives rise to a claim for retaliation.
What Should Employers Do Now?
The Guidance and FAQs represent a dramatic shift from past EEOC priorities, and create new compliance concerns for employers. While both documents leave many questions unanswered (such as the meaning of “DEI” and precise actions that may violate Title VII), their meaning is clear: the EEOC will no longer tolerate most employer efforts to promote DEI in the workplace. Employers who wish to comply with the EEOC’s new approach should thoroughly examine their current programs, trainings, and employee group policies and make necessary changes to ensure that they do not run afoul of the EEOC’s directives. Such efforts may include, but not be limited to: (i) opening programs, fellowships, mentorship arrangements, and/or networks to all employees or applicants, without regard to their protected characteristics; (ii) eliminating diversity requirements for interview slates or roles; (iii) ensuring that ERGs or similar groups are open to all workers; and/or (iv) ensuring that DEI training does not contain “unconscious bias” principles. We will continue to monitor the EEOC’s enforcement priorities and scrutiny of DEI-related initiatives as they develop.
The DEI Dilemma: New EEOC Guidance on DEI Initiatives
On March 20, 2025, the Equal Employment Opportunity Commission (“EEOC”) issued two key pieces of guidance: What To Do If You Experience Discrimination Related to DEI at Work and What You Should Know About DEI-Related Discrimination at Work. This guidance provides insights into the issues the EEOC will be monitoring regarding employers’ Diversity, Equity, and Inclusion (“DEI”) policies.
What Are Considered “DEI Policies”?
DEI consists of programs and policies that seek to promote fair treatment and full participation in the workplace. Traditionally thought of as a remedial measure, DEI policies have focused on balancing the workplace by establishing organizational frameworks and initiatives, such as putting a spotlight on hiring and retaining members of particular groups who may have historically been underrepresented or subject to discrimination, including women, racial and religious minorities, and persons with disabilities.
Identifying Potential DEI Discrimination
Title VII of the Civil Rights Act of 1964 (“Title VII”), a statute enforced by the EEOC, prohibits employment discrimination based on protected characteristics such as race and sex. Different treatment based upon any characteristic protected by Title VII can be unlawful discrimination, no matter which employees are harmed; Title VII’s protections apply equally to all religious, racial, ethnic, and national origin groups, and regardless of sex. The EEOC’s position is that “there is no such thing as ‘reverse’ discrimination; there is only discrimination.” As noted by the guidance, “DEI policies, programs, or practices may be unlawful if they involve an employer or other covered entity taking an employment action motivated, in whole or in part, by an applicant’s or employee’s race, sex, or another protected characteristic.”
The EEOC’s guidance cautions that DEI initiatives could violate Title VII if they result in disparate treatment in the terms, conditions, or privileges of employment—including intangible terms such as exclusion from mentoring or sponsorship programs or workplace networking events, exclusion from training or fellowships, and selection preferences for interviews. Prohibited DEI conduct includes actions that may limit, segregate, or classify individuals based on a protected characteristic; examples provided in the guidance include limiting membership in workplace groups (such as affinity groups) to certain protected groups, and separating employees into groups based on a protected characteristic when administering DEI or other trainings—even if the separate groups receive the same programming content. Even if affinity groups or programs aren’t created or maintained by the employer, making company time, facilities, or premises available, and other forms of official or unofficial encouragement or participation may be seen by the EEOC as the employer “sponsoring” those activities, thus making the company liable for any prohibited exclusion by those groups.
According to the EEOC, “[d]epending on the facts, DEI training may give rise to a colorable hostile work environment claim.” If an individual is subjected to unwelcome remarks or conduct based upon race, sex, or other protected characteristics and it either (i) results in an adverse change to a term, condition, or privilege of their employment, or (ii) it is so frequent or severe that a reasonable person would consider it intimidating, hostile, or abusive, those circumstances may constitute a Title VII violation. Further, an employee’s “[r]easonable opposition to DEI training may constitute protected activity if the employee provides a fact-specific basis for his or her belief that the training violates Title VII.”
Potential Risks
Employees and applicants who have been subjected to unlawful discrimination or retaliation under Title VII are entitled to recover back- and front-pay damages, compensatory damages up to between $50,000 and $300,000 (depending upon the employer’s size), punitive damages, and attorneys’ fees. In cases involving intentional age discrimination, or in cases involving intentional sex-based wage discrimination under the Equal Pay Act, individuals cannot recover compensatory or punitive damages but can recover liquidated damages if the discrimination is found to be especially malicious or reckless.
An individual alleging discrimination based on an employer’s generally applicable policy also has a basis to join with others who have been negatively affected by that policy, creating a significant risk an employer may face a collective action with a nationwide class of employees.
Practical Advice for Employers
To avoid potential issues under Title VII (and potentially applicable state laws), employers should take the following action:
Review workplace policies, employee handbook, and training materials to ensure they comply with the EEOC’s recent guidance. Consider whether the EEOC would view them as violative of Title VII, such as by indicating a preference for particular races or sex. Ensure that any employee affinity groups are open to all employees. A “Working Mothers” group or “Minority Mentorship” program that is not open to everyone, for example, may violate Title VII in the EEOC’s view.
Provide training to all employees. Ensure your managers and employees are aware of Title VII’s protections against harassment, discrimination, and retaliation. Ensure that such training is inclusive and respectful of all employees, and includes discussion of how employees can report suspected violations.
If in doubt, contact legal counsel. The law and agency guidance around DEI and equal employment policies can be complicated, and the legal landscape—both at the federal and local levels—shifts frequently. Experienced employment counsel can help clients navigate these issues, ensuring the company and employees’ and applicants’ rights are protected.
It’s the End of Diversity, Equity and Inclusion (DEI) Programs as We Know It?
As promised in his campaign for the presidency of the United States, on January 21, 2025, President Trump issued Executive Order 14172 “Ending Illegal Discrimination and Restoring Merit-Based Opportunity.” (Emphasis added).
The President’s Executive Order states that illegal diversity, equity and inclusion (“DEI”) policies violate the text and spirit of federal civil-rights laws.
Accordingly, the President ordered all federal agencies to enforce civil rights laws and to “combat illegal private-sector DEI preferences, mandates, policies, programs, and activities.” The President further ordered the Attorney General to submit a report with recommendations for enforcing federal civil rights laws and “taking other appropriate measures to encourage the private sector to end illegal discrimination and preferences, including DEI.”
Additionally, the President revoked Executive Order 11246 of September 24, 1965 (Equal Employment Opportunity). Executive Order 11246 prohibited discrimination and required affirmative action be taken by federal contractors.
There have been several federal court challenges to these Executive Orders. On February 5, 2025, an employer group filed a constitutional challenge to portions of Executive Order 14172. Most recently, on March 6, 2025, the American Civil Liberties Union (ACLU) of Rhode Island filed a lawsuit on behalf of an employer seeking a preliminary injunction regarding the government contractor portions of these Executive Orders. For now, however, these Executive Orders are in place, with challenges pending.
Enforcement of the President’s Executive Order
On February 5, 2025, Attorney General Pam Bondi issued a memorandum to all Department of Justice employees with the subject heading: “Ending Illegal DEI and DEIA Discrimination and Preferences.”
In the memorandum, the Attorney General wrote, “[a]s the United States Supreme Court recently stated, ‘[e]liminating racial discrimination means eliminating all of it.’” Students for Fair Admissions, Inc. v. President & Fellows of Harvard Coll., 600 U.S. 181, 206 (2023). The Attorney General also stated,
“[t]o fulfill the Nation’s promise of equality for all Americans, the Department of Justice’s Civil Rights Division will investigate, eliminate, and penalize illegal DEI and DEIA preferences, mandates, policies, programs, and activities in the private sector and in educational institutions that receive federal funds.”
Notably, the Attorney General’s memorandum includes a footnote that states that it “does not prohibit educational, cultural, or historical observances—such as Black History Month, International Holocaust Remembrance Day, or similar events—that celebrate diversity, recognize historical contributions, and promote awareness without engaging in exclusion or discrimination.”
So, What is “Illegal” DEI? The EEOC Speaks on March 19, 2025
Note that all of the above statements include the word “illegal” when referencing the ending of DEI. The fact is that racial- and gender-based preferences in hiring and promotion have been unlawful for decades. However, the EEOC has been tasked with focusing on what they are calling “DEI-related discrimination” and has issued a technical assistance document explaining how DEI programs can run afoul of Title VII. The guidance states that “unlawful discrimination includes any consideration of race, sex or any other protected characteristic under Title VII.” According to EEOC, “[a]n employment action still is unlawful even if race, sex, or another Title VII protected characteristic was just one factor among other factors contributing to the employer’s decision or action.”
EEOC stated, “Title VII of the Civil Rights Act of 1964 (Title VII) prohibits employment discrimination based on protected characteristics such as race and sex.” Therefore, “under Title VII, DEI initiatives, policies, programs, or practices may be unlawful if they involve an employer or other covered entity taking an employment action motivated—in whole or in part—by an employee’s or applicant’s race, sex, or another protected characteristic.”
Further, “Title VII also prohibits employers from limiting, segregating, or classifying employees or applicants based on race, sex, or other protected characteristics in a way that affects their status or deprives them of employment opportunities. In the context of DEI programs, unlawful segregation can include limiting membership in workplace groups, or other employee affinity groups, to certain protected groups.”
EEOC gave direction to employers by stating employers should instead provide “training and mentoring that provides workers of all backgrounds the opportunity, skill, experience, and information necessary to perform well, and to ascend to upper-level jobs.” Employers also should ensure that “employees of all backgrounds … have equal access to workplace networks.”
Coupled with the prohibition on DEI programs, EEOC also issued guidance on their position involving “reverse” discrimination claims. There is not a requirement of a higher showing of proof in reverse discrimination claims, as there is only discrimination. The EEOC applies the same standard of proof to all race discrimination claims, regardless of the victim’s race.
What Should Employers Do Now?
Recognize that DEI is not in and of itself illegal. With thoughtfulness, employers can still promote an inclusive and supportive workplace with various initiatives and programs without them being labeled by the federal government as problematic. For example, inclusive programs making mentoring available to all employees regardless of protected status can be effective to foster diversity and inclusivity.
Review Programs and Policies. Employers should review their employment practices to determine if there are any initiatives, policies, programs, or practices that could be considered “illegal” DEI pursuant to the EEOC guidance. For example, hiring program elements with preferences or quotas based on protected status should be analyzed to avoid disparate treatment based on protected status. However, key features of most DEI programs have been and continue to be legal. For example, using interview panels to help reduce bias in the interview process; ensuring that hiring criteria are standardized and focus on skills; and fine-tuning recruitment efforts to attract a larger pool of candidates and varying backgrounds are all acceptable program features. Employee resource groups also continue to be legal, but like before, they cannot exclude membership based on race or gender or other protected class. It is also permissible to focus on ensuring that interview processes accommodate individuals with disabilities.
Act Methodically. Not everything that employers are doing to encourage a diverse, equitable, or inclusive workplace culture will be considered illegal. As the Attorney General noted, there are educational, cultural, or historical observances, or similar events that celebrate diversity, recognize historical contributions, and promote awareness without engaging in exclusion or discrimination. Because “diversity, equity, and inclusion” have become controversial buzzwords, focusing on programs that promote “access” and “opportunity” may be helpful.
Educate Supervisors. Ensure supervisors understand EEOC’s guidance and reaffirm organizational commitments to legal compliance with anti-discrimination laws.
Monitor Developments. Without a doubt, the federal government is transforming very quickly. Judicial involvement in the executive action affects this transformation. Employers should continue monitoring legal developments and remain flexible and nimble to address this changing environment.
Federal Judge Restrains Liability for Alleged False DEI Certifications
President Trump’s January 21 Executive Order targeting Diversity, Equity, and Inclusion Programs (DEI) (the “January 21 Executive Order”) and, specifically, § 3(b)(iv) (the Certification Provision) cannot be the basis for liability — at least for one proactive litigant in the Northern District of Illinois. The holding could have broader implications for False Claims Act (FCA) defendants concerned about evolving certification requirements.
On January 20 and 21, 2025, President Trump issued two executive orders targeting Diversity, Equity, and Inclusion programs (titled, “Ending Radical and Wasteful Government DEI Programs and Preferencing” and “Ending Illegal Discrimination and Restoring Merit-Based Opportunity,” respectively). The January 21 Executive Order included a direction to agencies (the “Certification Provision”) to require federal grant recipients to certify they do not “operate any programs promoting DEI that violate any applicable Federal anti-discrimination laws” and to “agree that its compliance in all respects with all applicable Federal anti-discrimination laws is material to the government’s payment decisions for purposes of [the FCA].” Immediately, this provision raised concerns that the Trump Administration may use the Certification Provision to bring FCA cases against grant recipients who do not comply. The threat of FCA litigation is paused for now, at least for Chicago Women in Trades (CWIT).
In February 2025, CWIT sued the Trump administration arguing, among other things, the Certification Provision violates its First Amendment Right to free speech because it “effectively regulates CWIT’s conduct outside of the contours of the federal grants.” (See Chicago Women in Trades v. Trump et al., Case No. 1:25-cv-02005, N.D. Ill.) In response, the government argued the Certification Provision only implicates “illegal” DEI programs and no one has a constitutional right to violate the law. On March 27, 2025, U.S. District Court Judge Matthew Kennelly granted CWIT’s motion for a Temporary Restraining Order, preventing the Department of Labor from enforcing the Certification Provision and the Government from “initiat[ing] any False Claims Act enforcement against CWIT pursuant to the Certification Provision.”
In its Order, the court held the Certification Provision’s definition of what is an illegal DEI program is “left entirely to the imagination.” In the court’s view, the government has emphasized that conduct violating anti-discrimination laws has changed, and the government also has been “unwilling to in (in its briefs or at argument) define how it has changed.” This uncertainty put CWIT (and other grantees) in a difficult position — they must either decline to make a certification and lose federal grant money or risk making a certification that is later deemed to be false because the meaning of an illegal DEI program is unknown, subjecting “the grantee to liability under the False Claims Act.”[1]
While the Order restricts the Government specifically with respect to CWIT and the Certification Provision, lawsuits like CWIT’s will force federal courts across the country to determine what the Certification Provision means for FCA litigation going forward.
If you have questions about President Trump’s January 21 Executive Order or the False Claims Act, contact the authors or your Foley relationship lawyer.
[1] The court also said even if the government did define an illegal DEI program, the January 21 executive order still reads as an “express reference to First Amendment-protected speech and advocacy.”
EEOC/DOJ Joint DEI Guidance, EEOC Letters to Law Firms, OFCCP Retroactive DEI Enforcement [Video] [Podcast]
This week, we highlight new guidance from the Equal Employment Opportunity Commission (EEOC) and Department of Justice (DOJ) on diversity, equity, and inclusion (DEI)-related discrimination.
We also examine the Acting EEOC Chair’s letters to 20 law firms regarding their DEI practices, as well as the Office of Federal Contract Compliance Programs (OFCCP) Director’s orders to retroactively investigate affirmative action plans.
EEOC and DOJ Warn DEI Policies Could Violate Title VII
The EEOC and the DOJ jointly released guidance on discrimination in DEI policies at work, warning that these policies could violate Title VII of the Civil Rights Act of 1964. Although the guidance does not define DEI, it provides clarity on the EEOC’s focus moving forward.
Acting EEOC Chair Targets Law Firms
Acting Chair Andrea Lucas sent letters to 20 law firms warning that their employment policies intended to boost DEI may be illegal.
OFCCP Plans Retroactive DEI Enforcement
A leaked internal email obtained by The Wall Street Journal reveals that newly appointed OFCCP Director Catherine Eschbach has ordered a review of affirmative action plans submitted by federal contractors during the prior administration. These reviews will be used to help determine whether a federal contractor should be investigated for discriminatory DEI practices.
When Tragedy Strikes: The McCaffety Family and the Line Between Criminal and Civil Justice in the Milam County Crash

Late Monday afternoon, a quiet stretch of Highway 36 near the Milam-Burleson county line became the site of unimaginable heartbreak. Clint and Meghan McCaffety, along with their 16-year-old son Connor, were killed in a violent crash […]
Navigating the Termination of CHNV Parole Programs: Insights on I-9 Reverification and INA Compliance for Employers
On March 25, 2025, the Department of Homeland Security (DHS) announced the termination of the parole processes for citizens or nationals of Cuba, Haiti, Nicaragua, and Venezuela (CHNV parole programs). This decision will affect employers who must navigate the employment eligibility of affected individuals while ensuring compliance with anti-discrimination provisions outlined in the Immigration and Nationality Act (INA). The termination of these programs means that any parole status and employment authorization derived through CHNV parole programs will end by April 24, 2025. Employers must take steps to manage the reverification of affected employees’ employment eligibility without engaging in discriminatory practices.
Understanding the Challenges
As part of the CHNV parole programs, employment authorization documents (EADs) issued to beneficiaries bear the category code (C)(11). However, this code is not exclusive to CHNV beneficiaries, making identification difficult. Additionally, some CHNV beneficiaries may have updated their Forms I-9 with EADs that have validity dates extending beyond April 24, 2025. Employers who wish to ensure compliance face a complex challenge: how to identify affected employees for reverification without inadvertently violating the INA’s anti-discrimination provisions.
Employers who complete and retain paper I-9 forms, do not keep copies of identity and employment authorization documents, and do not participate in E-Verify may find the process particularly challenging. Sorting and extracting Forms I-9 based on “Foreign Passport and Country of Issuance” in Section 1, or by identifying Forms I-9 listing EADs in Section 2, may result in List A displaying overly broad findings, as these methods may capture individuals who are not CHNV beneficiaries and who hold valid employment eligibility.
Legal Compliance Considerations
The INA’s anti-discrimination provisions, particularly 8 USC § 1324b(a)(1)(A) and (a)(6), prohibit employers from treating employees differently based on citizenship, immigration status, or national origin. Employers are also prohibited from requesting additional or different documentation from employees based on these factors. The Department of Justice’s Immigrant and Employee Rights (IER) Section, formerly the Office of Special Counsel (OSC), has emphasized that employers should avoid making employment decisions—including reverification processes—based on an employee’s citizenship, immigration status, or national origin.
In the meantime, employers should consider:
Maintaining thorough records of the reverification process to demonstrate compliance with federal requirements and anti-discrimination provisions.
Conducting internal audits to ensure that no employees are treated differently based on citizenship, immigration status, or national origin during the reverification process.
Providing training to HR personnel and compliance teams on how to handle reverification without violating INA provisions, emphasizing the importance of treating all employees consistently and fairly.
Tracking the expiration dates of employees whose employment eligibility needs to be reverified.
Notifying affected employees of their upcoming need to provide updated documentation, regardless of their citizenship or immigration status. Do not request specific documents or additional information beyond what is required.
Key Takeaways
This issue represents new territory that has not been thoroughly analyzed or reviewed to date by authorities. IER technical guidance may be forthcoming on what U.S. employers should do if a particular classification of employment eligibility is suddenly terminated by the government, but some beneficiaries in that classification have updated their Forms I-9 with employment authorization validity dates that go beyond the termination date (April 24, 2025).
Reproductive Health Under Trump: What’s New and What’s Next
Overview
Over the past two months, the second Trump administration has shifted federal policies and priorities regarding abortion, in vitro fertilization (IVF), contraception, and other reproductive-health-related matters – and it is expected to continue to do so. In addition to the federal policy agenda, many developments related to reproductive health likely will continue to occur at the state level. The Dobbs decision shifted policymaking in these areas toward the states, and lawmakers and advocates have expressed their intentions to either adhere to or protect against the new administration’s policies and agenda items. This article discusses some of the major recent trends in women’s health and reproductive health, and what is likely to come next under the new administration.
In Depth
THE TRUMP ADMINISTRATION WILL CONTINUE TO WEAKEN BIDEN-ERA POLICIES THAT PROTECT REPRODUCTIVE HEALTH
The Hyde Amendment
During its first month, the second Trump administration signed several executive orders (EOs) and otherwise signaled its approach to certain reproductive health measures that were previously in place. For instance, in the first week of his presidency, US President Donald Trump signed an EO entitled “Enforcing the Hyde Amendment,” which called for an end to federal funding for elective abortions and revoked two previous EOs that permitted such funding. The EO charged the Office of Management and Budget with providing guidance around implementing the mandate. While the EO was not a surprise, it referred to the Hyde Amendment and “similar laws,” leaving some ambiguity in its scope and the way in which it will be implemented in practice (e.g., it could be used to target federal funds for abortion and perhaps related services by other federal agencies, such as the US Departments of Defense, Justice, and State). In response to this EO, federal agencies could revoke Biden-era policies and reinstate or expand upon Trump administrative policies. Such efforts may include rescission of Biden-era regulations that authorized travel for reproductive-health-related needs for servicemembers and their families and permitted abortion services through the US Department of Veterans Affairs.
The Comstock Act
Although we have not seen activity in this respect to date, the new administration will likely rescind the Comstock Act Memo, which was published by the US Department of Justice (DOJ) Office of Legal Counsel. This memo was issued in December 2022 by the Biden administration following the Dobbs decision. The Comstock Act is a federal criminal statute enacted in 1873 that prohibits interstate mailing of obscene writings and any “article or thing designed, adapted, or intended for producing abortion.” Violations of the Comstock Act are subject to fines or imprisonment. The Comstock Act Memo sets forth the opinion of the DOJ Office of Legal Counsel that the Comstock Act does not prohibit mailing abortion-inducing medication unless the sender explicitly intends for it to be used unlawfully. If the new administration revokes this memo or attempts to apply the Comstock Act to the mailing of abortion-inducing medication (and, perhaps, any abortion-inducing implements, which could have even wider-reaching implications) regardless of intent, it could become very difficult for patients to obtain abortion-inducing medication. Such actions also could lead to complications related to the provision of such medications via the mail (and potentially in person, depending on the attempted interpretation). At the time of publication, the DOJ website still included the Comstock Act Memo, noting that 18 U.S.C. § 1461 does not prohibit the mailing of abortion-inducing medication when the sender does not intend for the recipient to use the drugs unlawfully.
The 2024 HIPAA Final Rule on Access to Reproductive Health Records and Related State Activity
In 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) published a Health Insurance Portability and Accountability Act (HIPAA) final rule to support reproductive healthcare privacy (2024 final rule). The 2024 final rule prohibits a covered entity or business associate from disclosing protected health information (PHI) for conducting an investigation into or imposing liability on any person for seeking, obtaining, providing, or facilitating reproductive healthcare where the reproductive healthcare is lawful. The 2024 final rule also prohibits disclosure of PHI to identify any person for the purpose of conducting an investigation or imposing liability. The enforcement mechanism of the 2024 final rule includes an attestation component under which a requesting party must certify that the use of the PHI is not prohibited when requested for health oversight activities, judicial or administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners under 42 C.F.R. § 164.512. As evidenced by the EO regarding enforcement of the Hyde Amendment and the rollback of other Biden-era reproductive health protections, the Trump administration likely will not enforce (and may reverse) protections around reproductive health data under the 2024 final rule, which would leave a bigger gap for the states to potentially fill.
In response to increased scrutiny of reproductive healthcare, several states have enacted laws protecting healthcare providers, patients, and others involved in providing or receiving reproductive healthcare. Although these laws vary from state to state, they generally prohibit disclosure of data and other information related to reproductive healthcare that was lawfully obtained by a patient and provided by a healthcare provider. These laws can provide a certain level of comfort to providers that provide care to patients who travel across state lines to receive care that may be unavailable to them in their home state but is accessible and lawfully provided in another state. States that do not have such laws may seek to enact similar protections under the new administration as federal protections become less certain, particularly if the layer of protection afforded by the 2024 final rule is revoked or otherwise diminished.
ABORTION POLICY WILL CONTINUE TO BE LARGELY DICTATED BY STATES AND MAY EXPAND INTO NEW AREAS OF FOCUS
Following the Dobbs decision, many states quickly took action to enshrine abortion protections in their laws and constitutions. Some states, such as Michigan, moved to overturn old, unenforced abortion bans on their books. Michigan further implemented laws, executive actions, and eventually a ballot measure to amend its state constitution. This trend has continued; in the November 2024 presidential election, seven states passed ballot measures to protect abortion access. However, the 2024 election also marked the first three abortion protection ballot referendums that failed to pass. Voters in South Dakota and Nebraska rejected proposed constitutional amendments, and a measure in Florida received only 57% of the vote where a 60% majority was required.
In the years since Dobbs, new laws and court cases have largely sorted the states into two categories: states that are more protective and states that are more restrictive regarding abortion. However, the law remains unsettled in a few states, such as Georgia and Wisconsin, where pending court cases, legislative action, and gubernatorial executive action may result in different outcomes. In the 2024 election, Missouri voters passed a ballot initiative to overturn the state’s strict ban on abortion and enshrine reproductive rights in the state constitution, effectively switching the state from more restrictive to more protective. More constitutional ballot measures could come in states such as Pennsylvania, New Mexico, Virginia, and New Hampshire, where abortion rights are currently supported under state law but not enshrined in state constitutions. Abortion advocates may also focus on Iowa, South Carolina, and Florida, where recent court decisions have largely settled the law, but further litigation is possible. Restrictive states also continue to legislate additional restrictions on access to abortion.
The majority of states can be expected to continue on their current trajectory: more protective states may continue to enact abortion protections, and more restrictive states may continue to enforce existing bans and expand prohibitions. In 2025, the focus of both protective and restrictive laws likely will continue to expand. The initial wave of post-Dobbs policymaking primarily focused on a healthcare provider’s ability to perform an abortion and a patient’s right to receive an abortion. New laws and proposals now focus on topics such as assisting others in obtaining an abortion, telehealth prescribing of abortion medications, abortion funding, abortion rights of minors, and patient data privacy.
Trump administration policies and initiatives may impact more protective states’ abilities to provide abortion services. For instance, if the Comstock Act Memo is revoked, abortion-inducing medication may become scarce or difficult to obtain through the mail, even from a provider in a protective state to a patient in another protective state. If interpreted even more broadly by the administration, the Comstock Act could serve as a catalyst for a national abortion ban, which would almost certainly face legal challenges. While the Trump administration has not yet asked Congress for a national abortion ban, the EO that Trump signed recognizing two sexes includes personhood language regarding life beginning “at conception,” signaling that additional changes may be proposed at both the federal and state policy levels regarding fetal personhood and attendant rights. Such changes would likely result in legal challenges in federal and state courts.
IVF SERVICES WILL CONTINUE TO EXPAND BUT MAY FACE FRICTION WITH ABORTION PROHIBITIONS AND CERTAIN TRUMP ADMINISTRATION PRIORITIES
State abortion laws have somewhat solidified following Dobbs, but many laws remain unclear as to their impact on IVF providers. Many states have abortion prohibitions that predate IVF, some of which define “unborn child” from the moment of fertilization or conception. Other laws are ambiguous but contain language that arguably protects a fetus at any stage of development. Since Dobbs, state attorneys general in Arkansas, Oklahoma, Wisconsin, and other states have indicated that they will not pursue IVF providers using state abortion bans, and the Trump administration has issued an EO calling for expanded access to IVF. However, the state-level laws remain ambiguous, and there is a risk that courts may interpret such laws to apply to embryos or otherwise impact IVF access. Moreover, the EO raising the issue of fetal personhood may create friction for efforts to expand access to IVF.
In February 2024, the Alabama Supreme Court became the first state supreme court to definitively rule that “unborn children” includes cryogenically frozen IVF embryos. The court held an IVF clinic liable under the state’s wrongful death statute after an incident in which frozen IVF embryos were destroyed. The decision initially caused several IVF providers in the state to pause services until two weeks later, when the legislature passed a specific exception to the statute for IVF providers. Even though the status quo was quickly restored, both providers and patients were significantly impacted by the period of uncertainty. In 2025 and beyond, other states could face similar test cases. In response to public support for reproductive technology, some restrictive states have proposed legislation to address, for example, the use of assistive reproductive technology and selective reduction.
At the same time, insurance coverage for IVF and other fertility treatments has expanded and will likely continue to do so in 2025. Approximately 22 states now mandate that insurance plans provide some combination of fertility benefits, fertility preservation, and coverage for a number of IVF cycles. After July 1, 2025, all large employers in California must provide insurance coverage for fertility treatments, including coverage for unlimited embryo transfers and up to three retrievals. 2025 will also bring expanded IVF coverage options for federal employee insurance plans.
THE RIGHT TO CONTRACEPTION WILL REMAIN VULNERABLE TO STATE LAWMAKING AND COURT CHALLENGES
Although the Dobbs majority opinion states that the “decision concerns the constitutional right to abortion and no other right,” and that “nothing in [the Dobbs] opinion should be understood to cast doubt on precedents that do not concern abortion,” doubt remains as to other women’s health rights. In his concurrence in Dobbs, Justice Clarence Thomas expressed interest in revisiting prior Supreme Court of the United States decisions upholding rights other than the right to abortion, such as the right to contraception upheld in Griswold v. Connecticut.
In response to the Thomas concurrence, the federal Right to Contraception Act was introduced. The act would have enshrined a person’s statutory right to contraception and a healthcare provider’s right to provide contraception. The act passed the US House of Representatives, but the US Senate version was unable to overcome a filibuster in June 2024. Federal efforts to protect the right to contraception are unlikely to pass in the new Congress.
Although federal action is unlikely, certain states have already protected the right to contraception under state law. Approximately 15 states and the District of Columbia currently have some form of protection for the right to contraception either by statute or under the respective state’s constitution. Under the new administration, state legislative action likely will increase with respect to the right to access contraception. Certain states with restrictive abortion policies, such as South Carolina, have proposed modifications to their abortion restrictions to explicitly protect the use of contraceptives.
WHAT STEPS SHOULD STAKEHOLDERS CONSIDER TAKING?
Any company whose services touch on reproductive health or women’s health should engage in a risk assessment of its business and the ways in which the Trump administration may affect its ability to operate without complications. Although the first two months of EOs and other actions from the administration have not drastically altered the landscape for reproductive health across the country, access to reproductive and women’s health is likely to evolve over the next four years. We are closely monitoring these developments and will continue to forecast the ways in which this could impact stakeholders in the industry.
Virginia Governor Vetoes AI Bill As States Struggle to Approve Regulations
Virginia Governor Glenn Youngkin vetoed an artificial intelligence (“AI”) bill on March 24 that would have regulated how employers used automation in the hiring process. While the veto relieves employers of a new layer of regulation, the bill represented one of several state-level efforts to prevent potential harmful uses of AI in the employment context.
The Virginia General Assembly passed the “High-Risk Artificial Intelligence Developer and Deployer Act” during the 2025 legislative session. The bill would have regulated both creators and users of AI technology across multiple use cases, including employment. It defined “high-risk artificial intelligence” to cover any AI systems intended to make autonomous consequential decisions, or serve as a substantial factor in making consequential decisions. As relevant to the employment context, “consequential decisions” included decisions about “access to employment.”
The law would have required Virginia employers to implement safeguards to prevent potential harm from “high-risk” AI, including adopting a risk management policy and conducting an impact assessment for the use of the technology. It also would have required users of covered AI systems to disclose their use to affected consumers, including employment applicants. The bill called for enforcement by the Virginia Attorney General only, with designated civil penalties for violations and no private right of action. But it also specified that each violation would be treated separately, so it created the potential for significant penalties if, for example, an employer failed to disclose its use of AI to a large group of applicants, resulting in a $1,000 penalty for every applicant impacted.
Youngkin said he vetoed the bill because he feared it would undermine Virginia’s progress in attracting AI innovators to the Commonwealth, including thousands of new tech startups. He also said existing laws related to discrimination, privacy and data use already provided necessary consumer protections related to AI. Had the bill avoided the governor’s veto pen, Virginia would have joined Colorado as the first two states to approve comprehensive statutes specifically governing the use of AI in the employment context. The Colorado law, passed in 2024, will become effective on February 1, 2026 and has many similarities to the bill Youngkin vetoed, including requirements that users of high-risk AI technology exercise reasonable care to prevent algorithmic discrimination.
Other states have laws that touch on AI-related topics, but lack the level of detail and specificity contained in the Colorado law. In several more states, attempts to regulate the use of AI in the employment context are meeting similar fates to Virginia’s law. For example, Texas legislators recently abandoned efforts to pass an AI bill modelled after the Colorado legislation. Similar bills have failed or appear likely to fail in Georgia, Hawaii, Maryland, New Mexico and Vermont. And even in states with more employment-related regulations like Connecticut, Democratic Governor Ned Lamont has resisted efforts by lawmakers to push through AI regulations. The exception to the trend may be California, where legislators are continuing to pursue legislation – A.B. 1018 – that closely resembles both the Colorado and Virginia bills with even steeper penalties.
In all, states remain interested in regulation of emerging AI tools, but have yet to align on the best way to handle such regulation in the employment context. Still, employers should use caution when using automated tools or outsourcing decision-making to third parties that use such technology. Existing laws, including the Fair Credit Reporting Act and Title VII of the Civil Rights Act, still apply to these new technologies. And while momentum for new state-level AI regulation seems stalled, employers should monitor state-level developments as similar proposed laws proceed through state legislatures.
Disability Discrimination Charges Involving Neurodivergence Are Rising, According to EEOC Data
As diagnoses of neurodiversity become more common, employers are facing more disability discrimination complaints from neurodivergent workers, according to recent data from the U.S. Equal Employment Opportunity Commission (EEOC).
Quick Hits
EEOC data shows a rise in disability discrimination charges related to neurodiversity in recent years.
The federal Americans with Disabilities Act (ADA) covers certain conditions associated with neurodivergence.
It is unlawful to discriminate, harass, or retaliate against workers with disabilities related to neurodivergence.
Neurodiversity generally refers to medical conditions that cause the brain to function differently than the typical pattern. These conditions include autism, attention-deficit hyperactivity disorder (ADHD), dyslexia, sensory processing disorder, and Tourette’s syndrome. In many cases, people with those conditions meet the ADA definition of disability. The ADA covers physical and mental impairments that substantially impair a major life activity, such as sleeping, eating, speaking, and reading.
EEOC merit resolutions related to autism more than doubled from 0.4 percent of total merit resolutions in 2016 to 1.5 percent of total merit resolutions in 2023. Likewise, merit resolutions related to “other neurological impairments” accounted for 4.2 percent of total merit resolutions in 2023, up from 3.2 percent in 2016.
The increase in EEOC charges may reflect societal trends as Americans became more aware of neurodiversity, and more children and adults received diagnoses related to neurodiversity in recent years.
About 11 percent of U.S. children aged three to seventeen years had ever been diagnosed with ADHD in 2022, up from 8 percent in 2008, according to the U.S. Centers for Disease Control and Prevention (CDC). The percentage of children diagnosed with autism more than quadrupled from 0.006 percent in 2000 to 0.028 percent in 2020, according to the CDC.
A variety of reasonable accommodations could be helpful for a neurodivergent worker, depending on the symptoms, the severity of the condition, and the type of job. Employers can use the interactive process to identify accommodations that would be suitable for the individual without being an undue hardship for the employer.
If an employee has an ADA-qualified disability involving neurodivergence, it is illegal to discriminate or harass that employee because of the employee’s condition. It is also unlawful to retaliate against that employee for reporting an ADA violation.
10 Tips for Accommodating Employees With Autism
Employers may wish to review their written policies and practices to ensure that they are adequate to prevent discrimination, harassment, and retaliation against workers who have an ADA-qualified disability related to neurodivergence.
Regarding employees with autism, employers can consider a variety of reasonable accommodations, depending on the individual needs and the nature of the job. Here are ten possibilities to consider:
1. Flexible Work Schedules: Allowing adjustments to start/end times or offering part-time options can help reduce stress and accommodate sensory or routine preferences.
2. Quiet Workspaces: Providing a low-noise area, noise-canceling headphones, or a private office can minimize sensory overload.
3. Clear Communication: Offering written instructions, checklists, or visual aids alongside verbal directions can improve understanding and task completion.
4. Structured Environment: Maintaining consistent routines, predictable schedules, and advance notice of changes can help reduce anxiety.
5. Sensory Adjustments: Modifying lighting (e.g., reducing fluorescent lights), allowing comfortable clothing, or minimizing strong odors can address sensory sensitivities.
6. Job Coaching or Mentorship: Assigning a supportive supervisor or peer to provide guidance and feedback can help employees learn job tasks and workplace norms.
7. Breaks as Needed: Permitting short, scheduled breaks to recharge can help manage fatigue or prevent becoming overwhelmed.
8. Task Modification: Breaking tasks into smaller steps, focusing on strengths (e.g., detail-oriented work), or adjusting nonessential duties can enhance productivity.
9. Assistive Technology: Tools like speech-to-text software, organizational apps, or timers can support focus and communication.
10. Social Support: Offering training for coworkers on autism awareness or excusing noncritical social events can ease interpersonal pressures.