2025 New Jersey Employment Law Updates
The start of a new year is a great time for New Jersey employers to review their employee handbooks and policies and consider revisions based on changes in the law or best practices. This GT Alert summarizes some recent legal updates and changes on the horizon to help focus employers as they evaluate the compliance of their policies.
Pay Transparency
As set forth in a November 2024 GT Alert, New Jersey, like a number of other states, will soon enforce pay transparency requirements and mandate certain job posting disclosures. Effective June 1, 2025, New Jersey employers with 10 or more employees over 20 calendar weeks doing business or taking applications for employment within the state must disclose the hourly wage or annual salary range and general benefit information in all job postings for new positions and transfer opportunities. Covered employers must also post promotion opportunities to the entire affected department, with certain exceptions.
Remote Workers
The New Jersey Attorney General and New Jersey Division on Civil Rights (DCR) issued guidance on existing legal requirements applicable to workers employed with New Jersey companies who reside and work outside the state. The DCR published this update in the wake of recent case law holding that “a court would not apply New Jersey law to a multi-state dispute.” The DCR took the position that “[b]y its terms, the [New Jersey Law Against Discrimination (LAD)] does not protect only New Jersey residents. For instance, the LAD provides that ‘all persons shall have the opportunity to obtain employment . . . without discrimination.’” Thus, according to the DCR, the LAD protects all employees who work for a New Jersey employer “regardless of their residency or where they physically work, including those who work remotely full-time or part-time on a hybrid schedule.”
The DCR stated that it was providing guidance “to clarify and explain DCR’s understanding of existing legal requirements in order to facilitate compliance with the LAD.” However, it acknowledged that “[t]his guidance document does not impose any new or additional requirements that are not included in the LAD, does not establish any rights or obligations for any person, and will not be enforced by DCR as a substitute for enforcement of the LAD.” Although not law, employers should be aware of the DCR’s position to the extent it may impact decisions on charges of discrimination filed with the agency and potentially be viewed as persuasive by the courts.
Dress Codes (Employees and Patrons)
The New Jersey Attorney General and the DCR issued a consent decree stemming from a charge of discrimination against a New Jersey restaurant involving a gender-binary dress code for employees and patrons. The DCR’s press release stated that a non-binary individual was denied service because they purportedly failed to adhere to rules for men’s attire. The DCR took the position that the restaurant’s dress code policy violated the law because “New Jersey’s civil rights laws make it unlawful to discriminate based on gender identity. Those protections mean that places open to the public, including restaurants, can’t maintain gender-binary dress codes that exclude LGBTQ+ people.” Employers with dress code requirements for employees and/or the public should review their policies to ensure compliance.
The New Jersey Data Protection Act
Effective Jan. 15, 2025, the New Jersey Data Protection Act (NJDPA) imposes new protections for New Jersey consumers regarding personal data released to businesses. Personal data is defined as “information that is linked or reasonably linkable to an identified or identifiable person.” New Jersey residents now have the right to limit whether and how their personal data may be collected and used, the right to correct inaccuracies in their personal data, and the right to delete their personal data. The NJDPA also imposes new compliance obligations on businesses, including, but not limited to, responding to consumer requests not later than 45 days after receipt and providing certain information free of charge.
The NJDPA’s compliance obligations apply to New Jersey companies that operate as either “controllers” or “processors.” “Controllers” are individuals or legal entities that determine the purpose and means of processing personal data; processors are individuals or entities that collect, modify, and otherwise process personal data on behalf of a controller. The NJDPA applies to controllers conducting business in New Jersey or producing products or services targeted to the state’s consumers and that, during a calendar year, either (1) control or process personal data of at least 100,000 consumers, with certain exceptions; or (2) control or process the personal data of at least 25,000 consumers while deriving revenue, or receiving a discount on the price of any goods or services, from selling personal data.
The NJDPA also directs the Director of the Division of Consumer Affairs to promulgate regulations necessary to effectuate the purpose of this new law.
Retirement Plan Requirements
RetireReady NJ requires all New Jersey employers with 25 or more employees that do not offer a qualifying retirement plan for their employees to provide certain retirement benefits. Covered employers were required to register with the state by Sept. 15, 2024 (if 40 or more employees) or Nov. 15, 2024 (if between 25-39 employees), but the RetireReady NJ webpage appears to still be accepting registrations. Additionally, exempt employers that already provide retirement benefits must certify their exemption on the webpage. Employers who fail to comply with RetireReady NJ may be subject to penalties, ranging from a warning to monetary fines.
Employment Law Regulations Impacting New Jersey Residents
Private households in New Jersey employing domestic workers may now be considered employers and have important obligations under the Domestic Workers’ Bill of Rights (DWBR). The DWBR gives certain workers providing in-home services to private households—i.e., childcare, house cleaning, care for disabled or elderly individuals, and/or cooking—the right to a written contract, the right to minimum wage and overtime compensation, break time, and privacy, safety, and anti-discrimination protections. The law took effect July 1, 2024, and applies regardless of the immigration status of the worker.
Immigration Status Protections
Pursuant to S2869, signed into law in August 2024, employers may not coerce or attempt to coerce an employee based on the employee’s immigration status for the purpose of concealing purported violations of state wage, benefit, or tax laws. “Any employer that coerces or attempts to coerce an employee based on the employee’s immigration status, and in furtherance of violating the State’s labor laws, will be subject to penalties in addition to any penalties to which the employer may be subject due to employment violations.”
Wage and Hour
As previously announced by the New Jersey Department of Labor, effective Jan. 1, 2025, the minimum wage applicable to most employees increased to $15.49 per hour.
Employers should also consider reviewing other pay practices (such as timing of payment, calculation of premium pay, and commission plans), as well as employee exemption classifications.
Potential Developments for 2025
Employers should also be aware of the following pending legislation:
A.B. 3854 would regulate the use of automated employment decision tools (AEDTs) in hiring to “minimize employment discrimination that may result from the use of the tools.” Under this proposed legislation, employers using AEDTs would be subject to a number of requirements. This bill was referred to the Assembly Labor Committee in May 2024.
A.B. 3911 would require employers that use artificial intelligence to analyze applicant-submitted videos to abide by specific procedural requirements to safeguard the interview process. This bill was referred to the Assembly Science, Innovation and Technology Committee.
A.B. 3816 would provide bereavement leave for reproductive loss, such as miscarriage or stillbirth. This bill was referred to the Assembly Labor Committee in April 2024.
A.B. 3505 would allow employees to use paid family leave and/or paid sick leave for bereavement following the death of a family member. This bill was referred to the Senate Budget and Appropriations Committee.
FTC Finalizes Amendments to Rule Protecting Children’s Data: Regulatory Freeze Likely Signals Further Revisions
On January 16, 2025, the Federal Trade Commission (FTC) announced that it finalized changes to the COPPA Rule, which protects information collected online from children under the age of 13. The COPPA Rule imposes obligations on the operators of commercial websites and online services (including mobile apps and online games) that are directed to children under the age of 13 and that collect, use, or disclose children’s personal information. The COPPA Rule was last amended in 2013. For the purposes of this discussion, we will refer to the Rule, as amended, as the “new COPPA Rule” (although further changes are anticipated) in contrast to the “current COPPA Rule.”
Notably, the new COPPA Rule is pending further review following the January 20, 2025, Presidential Action instituting a Regulatory Freeze Pending Review.
The FTC’s new Chair, Andrew N. Ferguson, had previously, as a commissioner, issued a concurring statement on the new COPPA Rule. While he supported the enhanced measures improving children’s data privacy, Ferguson criticized the new COPPA Rule as highly problematic in three major areas, adding unnecessary burdens to businesses. The Regulatory Freeze procedure means that Chair Ferguson or his designee will again review the new COPPA Rule.
Considering Ferguson’s prior criticism, businesses can expect that the new COPPA Rule will undergo further revisions before it is finalized. That said, businesses should be aware that measures such as requiring a separate and specific verifiable parental consent (VPC) for disclosure of children’s data to third parties, and identification of the specific third-party recipients of such data, were noted with approval by Ferguson and are likely to survive. These measures encourage businesses to carefully select the vendors with whom data may be shared and to examine those vendors’ track record on privacy and security. The enhanced information security program requirements are also likely here to stay. The pending review of the new COPPA Rule under the Regulatory Freeze means businesses have a little more time to prepare for the additional compliance requirements.
Key Changes Introduced in the New COPPA Rule
Expanded Definitions
The definition of “personal information” was expanded to include biometric identifiers that can be used for the automated or semi-automated recognition of an individual, with the definition listing examples of such identifiers. This amendment reflects evolving concerns over more recent data collection practices: biometric identifiers such as fingerprints or facial scans may be combined with persistent identifiers (such as IP addresses) that may uniquely and persistently identify a child.
The new COPPA Rule also contains a stand-alone definition of a “mixed audience” website or service, meaning a child-directed platform that does not target children as its primary audience. The current COPPA Rule uses the term “mixed audience,” but does not expressly define it. A mixed-audience website or online service is a sub-category of child-directed websites and online services subject to the COPPA Rule. The new COPPA Rule clarifies that operators of mixed-audience websites and online services may use the exceptions to the VPC requirement set forth in §312.5(c) of the COPPA Rule, as is true for operators of online services targeting children as their primary audience. The definition of “online contact information” also was amended to include mobile telephone numbers, provided the operator uses them only to send text messages to a parent in connection with obtaining VPC.
New Examples of “Child-Directedness” Factors
The determination of whether a website or a service is “child-directed” is based on factual analysis under both the current and the new COPPA Rule. The current COPPA Rule already requires that businesses pay attention to known indicators that children may be using their platform. See, for example, the Yelp and NGL Labs settlements. The current COPPA Rule features a non-exhaustive list of evidence that the FTC may consider in determining “child-directedness.” See COPPA Rule §312.2 (definition of “Web site or online service directed to children”).
The new COPPA Rule provides additional examples: (1) marketing or promotional materials or plans, (2) representations to consumers or third parties, (3) reviews by users or third parties, and (4) age of users on similar websites or services. Commenters on proposed amendments previously expressed concerns about the latter two factors, noting, for example, that this amendment would incentivize competitors or others to file false reviews, potentially trying to influence how a website or online service is categorized. In response to these comments, the FTC reiterated that child-directedness is determined on a totality of the circumstances, and that evidence such as reviews may receive little weight given that reviews may not always be representative, accurate, or genuine.
Separate Consent for Targeted Advertising
The new COPPA Rule will require a separate and specific VPC before any non-integral disclosure of children’s personal information to third parties, such as for third-party advertising. Because obtaining VPC is an expensive and cumbersome process for businesses, the amendment is meant to reduce the flow of children’s information to data brokers and discourage targeting children with personalized advertising. This is one of the areas that Ferguson previously flagged as highly problematic.
In effect, the new COPPA Rule seems to suggest that every time a business decides to share children’s data with a new third party, it is a material change requiring a separate consent. If so, given the operational costs of obtaining VPC, this requirement will greatly discourage businesses from switching from their existing third-party vendors. Ferguson noted that not every change to the identities of third parties should require a new consent, but only changes that would make a reasonable parent believe that the privacy and security of their child’s data is being placed at materially greater risk. Further clarification from the FTC in this area is expected.
Additional Options to Collect VPC
The new COPPA Rule added three new methods for obtaining VPC: “text plus” (with requirements similar to the current “email plus” method), facial recognition, and knowledge-based authentication (using multiple-choice questions that are hard to guess and that children under 13 will have difficulty answering). Additionally, the payment transaction method for obtaining VPC was revised to remove the “monetary” requirement, meaning that consent may be obtained without receiving and then refunding a payment. Notably, the list of methods to obtain VPC is not exhaustive under either the current or the new COPPA Rule.
Collection Solely for Age Verification Purposes
Ferguson also criticized the new COPPA Rule for its failure to add an exception to the general prohibition on the unconsented collection of children’s data for the sole purpose of age verification, paired with a requirement that such information be promptly deleted once that purpose is fulfilled. Currently, collection of age verification–related information, such as photographs or government-issued ID images, requires VPC, which discourages the use of age verification techniques that are more accurate than self-declaration. Businesses can expect further changes to the Rule on this issue as well.
Data Retention and Deletion Requirements
The current COPPA Rule provides that an operator may retain children’s data only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The new COPPA Rule expressly prohibits operators from indefinitely retaining children’s data. This is one of the areas that Ferguson flagged as seriously problematic, as it is likely to generate outcomes not favorable to users. For example, data such as digital diary entries, childhood photos, or emails may be erased, blindsiding a user who cherished such records and relied on the platform to preserve them. Ferguson further noted that the “indefinitely” requirement is meaningless given that a company may get around it by stating that data will be kept for “two hundred years.” Again, we expect to see further revisions on this topic.
WISP and Data Retention Policy Requirements
The new COPPA Rule modifies operators’ obligations with respect to direct and online notices, information security, and deletion and retention protocols. Regarding information security, the current COPPA Rule states only that the operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
The new COPPA Rule adds more prescriptive requirements to:
Designate at least one employee to coordinate the information security program
Conduct risk assessments at least annually
Design, implement, and maintain safeguards to control the risks identified through risk assessments
Regularly test and monitor the effectiveness of such safeguards
Evaluate and modify the operator’s written information security program (WISP) at least annually to address identified risks.
Operators also must determine that their service providers and third parties are capable of maintaining the confidentiality, security, and integrity of the information and must obtain written assurances that such entities will employ reasonable measures to maintain the confidentiality, security, and integrity. With respect to data retention, the new COPPA Rule provides that at a minimum, the operator must establish, implement, and maintain a written data retention policy that sets forth the purposes for which children’s personal information is collected, the business need for retaining such information, and a timeframe for deletion of such information. This policy must be provided in the notice of information practices posted on the website or online service in accordance with § 312.4(d) of the COPPA Rule.
These requirements are broadly aligned with some of the requirements of the FTC Safeguards Rule and the FTC’s guidance to businesses on what constitutes a reasonable information security program. Commentary to the new COPPA Rule clarifies that a separate information security program and data retention policy is not needed for children’s data, but rather general programs and policies that encompass children’s data and otherwise meet the requirements of the COPPA Rule will be sufficient.
Enhanced Transparency for Safe Harbor Programs
COPPA Safe Harbor programs – self-regulatory initiatives approved by the FTC to implement COPPA protections – will now be required to publicly disclose membership lists and provide additional reports to the FTC. These changes aim to increase accountability and transparency within these programs.
Summary
Originally, the new COPPA Rule was to take effect 60 days after its publication in the Federal Register, and covered businesses were to have one (1) year from the publication date to achieve full compliance with most amendments unless earlier compliance dates were specified. As discussed, however, the new COPPA Rule had not yet been published and is considered withdrawn pursuant to the January 20, 2025, Regulatory Freeze Pending Review until it can be reviewed by the FTC Chair or his delegates. While further changes are anticipated, businesses that know children use their online platforms should review the new COPPA Rule and be aware of its likely compliance impacts. Now is the time to review and update information security practices and take a careful look at each vendor’s compliance.
ONE IS WORSE: The TCPA Has Two Primary Restrictions– Violating One Has Decidedly Greater Penalties (Do You Know Which One?)
Violating the Telephone Consumer Protection Act (TCPA) is always dangerous.
The TCPA governs most forms of telephone outreach–including calls and SMS messages–and provides protections against unwanted calls using regulated technology and unsolicited sales calls to numbers on the DNC.
The TCPA has two primary provisions– and violating either carries big penalties.
First, under 47 USC 227(b) a caller cannot use regulated technology (a term of art I coined years ago to describe the large number of restricted calling devices the statute covers) to place calls to cellular phones, and cannot use robocalls to contact landlines in most instances, without the proper level of consent.
Second, under 47 USC 227(c) a caller cannot contact a residential number on the national DNC list with an unsolicited telemarketing call.
Again, penalties for violating either of these provisions are steep– but one is decidedly worse.
Do you know which?
The case of Watson v. Manhattan Luxury Autos, 2025 WL 306591 (S.D.N.Y. Jan. 24, 2025) holds the answer.
In that case an auto dealership was going out of business and sold its customer list to another dealership. The second dealership began making calls encouraging customers to visit the new dealership for service. This was a big mistake as individuals on the DNC list cannot be contacted without an established business relationship with the caller– and the consumers receiving calls had no such relationship.
The Plaintiff asked the Court to enter judgment for $500.00 per call, but the Court refused– and this provides the answer to our question.
The Court correctly found that although a violation of 227(b)–the regulated technology provision–automatically carries a MINIMUM $500.00 penalty, a violation of 227(c)– the DNC provisions– carries a penalty of “up to” $500.00 per call.
Since the dealership violated the DNC provision–and not the regulated technology provision– the determination of just how much (up to $500.00) the dealership will owe to the consumers is a question that must be decided by the jury!
So there you go. Violating either provision of the TCPA is very dangerous. But the regulated technology provision is decidedly worse.
$81,500.00 DAMAGE: Court Enters Default Judgment Against Easyrest in TCPA Suit
Telemarketing calls made using regulated technology that are made without prior express written consent violate the TCPA.
Period.
Just ask Easyrest Adjustable Sleep Systems.
In Slate v. Healthy Spirit, LLC, dba Easyrest, 2025 WL 326985 (D. Md. Jan. 28, 2025), a consumer sued Easyrest contending it made unwanted telemarketing calls to his phone without consent.
Easyrest apparently failed to show up to defend against the lawsuit. As such the Court entered a default judgment against it.
Finding that up to 54 calls had been made without consent, the Court awarded damages of $1,500.00 per call– the $500.00 statutory minimum trebled to $1,500.00 based on a finding of willfulness– for a total award of over $80k.
The TCPA’s massive damage awards make it a major driver of frivolous litigation– but it also serves as a major deterrent to robocallers looking to clog up the nation’s phone lines.
Whether or not Easyrest was actually guilty here, its failure to show up and defend itself cost it big time.
Senate Banking Committee Announces Digital Asset Agenda
Under Chair Tim Scott (R-SC), the Senate Committee on Banking, Housing and Urban Affairs has announced several policy objectives favorable to the digital asset industry. We expect the Committee to take a more favorable view of the industry during the next Congress than in years past.
In announcing the Banking Committee’s priorities for the next Congress, Chair Scott noted that digital assets will be a key focus:
Under Chair Gensler, the SEC refused to provide clarity to the cryptocurrency industry, which has forced projects overseas. Moving forward, the committee will work to build a regulatory framework that establishes a tailored pathway for the trading and custody of digital assets that will promote consumer choice, education, and protection and ensure compliance with any appropriate Bank Secrecy Act requirements. The committee will also foster an open-minded environment for new innovative financial technologies and digital asset products, like stablecoins, that promote financial inclusivity.
To that end, the Committee announced the formation of the first ever Subcommittee on Digital Assets, to be chaired by Senator Cynthia Lummis (R-WY), an outspoken supporter of cryptocurrency innovation. The Subcommittee’s jurisdiction covers a wide range of issues, including:
Digital assets, including but not limited to cryptocurrencies and stablecoins; activities of digital asset issuers, trading and lending platforms, custody providers, and other intermediaries, when such activities are related to digital assets; regulatory activities of the Department of Treasury, the Federal Reserve System, OCC, FDIC, NCUA, SEC, to the extent they directly or indirectly exercise supervisory or regulatory authority over digital assets and digital asset intermediaries; and financial literacy in digital assets.
Chairman Scott also issued a press release trumpeting President Trump’s executive order on digital assets. Further, the Committee announced a hearing on February 5 to discuss possible “debanking” of certain industries, including digital assets.
New York Data Breach Notification Law Updated
New York Governor Kathy Hochul recently signed into law several bills (S2659B and S2376B) modifying the state’s data breach notification law. The amendments revise the timing requirements for notice to affected individuals, expand the list of regulators to be notified, and add new data elements to New York’s definition of “private information.”
Timing Requirements: Before the amendment, New York’s breach notification law required notification to affected New York residents “in the most expedient time possible and without unreasonable delay.” As of December 21, 2024, the law requires affected individuals to be notified no later than 30 days after discovery of the breach, except “for the legitimate needs of law enforcement.”
Additional Regulator Notice Requirements: Also effective December 21, 2024, the law now requires notice to the New York Department of Financial Services. Previously, the law required notice to the New York State Attorney General, the New York Department of State, and the Division of State Police.
Revised Definition of “Private Information”: Effective March 25, 2025, the definition of “private information” subject to the law’s notification requirements will include (1) medical information (i.e., any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional) and (2) health insurance information (i.e., an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including, but not limited to, appeals history).
HIPAA Exemption: Pursuant to the law’s HIPAA exemption, a breach of protected health information would not trigger additional notification requirements to affected individuals. However, the law still requires notice to certain regulators, including the New York State Attorney General, the New York Department of State, and the Division of State Police. Notably, the HIPAA exemption was not amended and does not reflect the law’s new general requirement to notify the New York Department of Financial Services.
Transferring Employee Data From Canada to the United States: Key Considerations for Employers
As of September 22, 2024, the final provision of Law 25, An Act to modernize legislative provisions as regards the protection of personal information, takes effect, establishing a new right to data portability for individuals in both the private and public sectors. This right, integrated into the Act Respecting the Protection of Personal Information in the Private Sector (Quebec Privacy Act) and the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, allows individuals to request that their personal information be communicated to them in a structured, commonly used technological format.
Quick Hits
Provincial laws apply: Certain provinces in Canada and federally regulated businesses have specific laws governing data transfers abroad.
Transparency is key: Employers may want to inform employees about how and where their data is transferred to comply with applicable legislation.
Security safeguards: Data transfers may require agreements to ensure compliance with applicable legislation and security standards in Canada.
In Canada, several privacy laws govern the handling of personal information, including the Act Respecting the Protection of Personal Information in the Private Sector in Quebec, the Personal Information Protection Act (PIPA) in British Columbia, and Alberta’s Personal Information Protection Act (PIPA). Federally regulated organizations are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). These laws emphasize key principles, such as transparency and security, which are relevant when transferring employee data outside of Canada.
Transferring personal information internationally is permissible within the framework of these laws. Organizations may implement measures to ensure compliance with these principles and mitigate the risks associated with such transfers.
In Quebec, Section 17 of the Act Respecting the Protection of Personal Information in the Private Sector (Quebec Privacy Act) addresses data transfers outside the province. Employers transferring personal information out of Quebec may be subject to this law. The law requires that organizations transferring data out of Quebec evaluate the sensitivity of the information, the jurisdiction receiving the data, and the measures in place to protect it. This evaluation may include conducting a Privacy Impact Assessment (PIA) and a Transfer Impact Assessment (TIA). The assessments provide an opportunity to analyze how personal information will be used, identify potential risks, and confirm whether the legal protections of the receiving jurisdiction align with Quebec’s privacy standards.
British Columbia’s and Alberta’s privacy laws, through their respective PIPA statutes, encourage transparency in data transfers. Employers can notify employees about the purpose of a transfer, the destination of the data, and how the data will be protected. For example, Section 34 of British Columbia’s PIPA, as well as Section 34 of Alberta’s PIPA, outlines the requirement to ensure reasonable safeguards are in place to protect personal information.
PIPEDA, which applies to federally regulated employers, also includes obligations related to transparency and accountability. Employers transferring data outside Canada must inform employees about the purpose of the transfer, the risks involved, and the measures in place to ensure data security.
Practical Steps for Employers
When transferring data out of Quebec, Alberta, British Columbia, or a federally regulated business, employers may want to take these steps into consideration:
Developing a Comprehensive Privacy Policy: Employers can think about outlining how data is collected, stored, and transferred. Employers may want to include specific references to cross-border transfers, the jurisdictions involved, and the safeguards in place in their privacy policies.
Conducting Privacy Impact and Transfer Impact Assessments: Particularly in Quebec, these assessments are mandatory under Section 17 of the Quebec Privacy Act. Employers may want to evaluate the risks, the sensitivity of the data, and the protections offered by the receiving jurisdiction.
Securing Robust Data Processing Agreements (DPAs) With Service Providers: Employers may want to enter into contracts with service providers that include clauses requiring compliance with Canadian privacy standards, breach notification protocols, and equivalent security measures.
Understanding the Jurisdiction: Employers may want to research the legal framework of the receiving country and mitigate risks accordingly. For instance, if transferring data to the United States, consider the impact of federal laws on data access.
Training Employees: Employers can work to equip employees with the knowledge to identify potential privacy risks. It is helpful if employees understand when to involve the data privacy officer and when to initiate a PIA or TIA.
While transferring data to jurisdictions such as the United States is possible, employers will want to consider implementing safeguards to comply with provincial and federal privacy laws in Canada. By prioritizing transparency, conducting thorough assessments, and securing robust agreements with service providers, employers can work toward ensuring that data transfers respect employee privacy and maintain compliance.
At Long Last – The FAR CUI Rule is Here!
The wait is finally over! After more than 14 years of anticipation, the Federal Acquisition Regulation (“FAR”) Proposed Rule on Controlled Unclassified Information (“CUI”) was released on January 15, 2025 and comes as part of the Government’s broader efforts to identify, detect, and respond to ever-evolving threats targeting Federal contractors.
History and Development of the FAR CUI Proposed Rule
This rule stems from Executive Order 13556, Controlled Unclassified Information (the “CUI Executive Order”) from November 2010, which sought to address the patchwork system of marking and handling unclassified information across executive branch agencies. On September 14, 2016, the National Archives and Records Administration (“NARA”) issued a final rule (81 FR 63324) to establish a uniform policy for agencies on CUI. This rule became effective on November 14, 2016, but the CUI Program still needed to be incorporated into the acquisition process via the FAR to establish contractual requirements for Federal contractors.
In January 2017, following release of NARA’s final rule, the FAR Council introduced FAR Case 2017-016, Controlled Unclassified Information, which served as the placeholder for the current FAR CUI Proposed Rule. We saw no real developments until just this month. In the meantime, the Department of Defense (“DoD”) implemented the CUI Program for its contractors through DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This provision requires “adequate security” for covered defense information; implements incident reporting, investigation, and preservation requirements; and includes a flow down requirement to subcontractors. The DFARS clause applies only to defense contractors and subcontractors, but serves as the model for the new FAR CUI Proposed Rule (although, as discussed below, there are significant differences).
The proposed rule has implications for all contractors that do business with the Federal government and provides guidance to clarify contractor obligations for safeguarding and handling CUI.
Key Updates and Impact on Federal Contractors
Defining and Safeguarding Controlled Unclassified Information
The proposed rule includes the standard definition of CUI as “information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Key here, the proposed rule further includes a list of information that is not CUI, which includes:
Classified information;
Covered Federal information;
Information a contractor possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency (see 32 CFR 2002.4); or
Federally-funded basic and applied research in science, technology, and engineering at colleges, universities, and laboratories in accordance with National Security Decision Directive 189.
The proposed rule further requires certain safeguarding requirements for CUI held in both federal and non-federal systems as follows:
Non-federal systems/contractor information systems must be compliant with NIST SP 800-171 Rev. 2;
Contractors must comply with agency-identified security requirements for Federal information systems (derived from NIST SP 800-53);
Cloud service providers must comply with FedRAMP Moderate requirements; and
Any additional special safeguarding requirements, as applicable.
Additionally, the proposed rule includes explicit training requirements. Contractors must ensure employees have completed training on properly handling CUI prior to doing so. Contractors are required to provide evidence of employee training upon request, though such requests are expected to be limited. For example, a Contracting Officer may inquire about training after an incident. Such evidence of CUI training may include the contractor’s system security plan and/or annual employee training certificates.
New Standard Form to Identify CUI Requirements for Contracts
The proposed rule introduces a new Standard Form (“SF XXX”) to be completed by agencies that will identify CUI and define relevant handling requirements for each contract. Of note, the proposed rule states that contractors will be required to safeguard only the CUI identified in the Standard Form and offerors and contractors will not be responsible for identifying or marking unmarked or mismarked CUI not already identified in the Standard Form. However, offerors are requested and contractors are required to notify the Contracting Officer within 8 hours of discovering any unmarked CUI, mismarked CUI, or any CUI that is not identified on the Standard Form, though this is expected to be rare.
Incident Reporting and Response Requirements
The proposed rule defines a “CUI incident” as “suspected or confirmed improper access, use, disclosure, modification, or destruction of CUI, in any form or medium.” This new definition is different from the definition of “cyber incident” in DFARS 252.204-7012. Notably, the rule specifies that unmarked or mismarked CUI is not considered a CUI incident unless the mismarking or lack of marking has resulted in the mishandling or improper dissemination of the information.
Per the proposed rule, contractors must report any suspected or confirmed “CUI incident” within 8 hours of discovery.
The proposed rule includes a statement that if a contractor is determined to be at fault for an incident (for example, due to not safeguarding CUI in accordance with contract requirements), the contractor may be financially liable for government costs incurred in the response and mitigation effort.
Defining Types of Information – Covered Federal Information
Another key update in the proposed rule is an overarching change in the FAR to use the term “covered Federal information” instead of “Federal contract information,” which currently is defined in FAR 52.204-21 and used in materials underlying the DoD’s CMMC program.
The updated definition for “covered Federal information” is “information provided by or created for the Government, when that information is other than—
Simple transactional information (such as that necessary to process payments);
Information already publicly released (such as on public websites), or marked for public release, by the Government;
Federally-funded basic and applied research in science, technology, and engineering at colleges, universities, and laboratories in accordance with National Security Decision Directive 189;
Controlled unclassified information (CUI); or
Classified information.”
Covered Federal information is not required to be marked or identified by the government. However, some administrative markings (such as “draft,” “deliberative process,” “pre-decisional,” or “not for public release”) can indicate that the information is covered federal information, within the meaning of the term.
Updates Relating to Treatment of Contractor Proprietary Information
The proposed rule addresses an issue contractors have struggled with when trying to interpret CUI requirements for their internal information or information they create. This rule provides that offerors or contractors should identify and mark their bid or proposal information, proprietary business information, and/or contractor-attributional information to ensure the information is adequately protected under the proposed rule. The government will determine whether such information provided by offerors or contractors is to be protected as CUI internally or is entitled to other protections. The Standard Form will identify any contractor CUI marking requirements under the contract.
New FAR Clauses
The proposed rule introduces a new FAR solicitation provision and two new FAR clauses. Contracting officers will add the following for all solicitations and contracts, except for procurements solely for commercially available off the shelf (COTS) products:
FAR 52.204-WW, Notice of Controlled Unclassified Information Requirements: A new solicitation provision that informs offerors of requirements on restricted use of Government-provided information, appropriately identifying sensitive offeror-provided information, and procedures to notify the Government of unmarked or mismarked CUI.
FAR 52.204-XX, Controlled Unclassified Information: A new FAR clause that will be inserted in solicitations and contracts where the government expects the contractor will handle CUI. The clause requires contractors to comply with applicable CUI safeguarding, training, and incident response requirements and must be flowed down to subcontractors.
FAR 52.204-YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information: A new FAR clause that will be inserted in solicitations and contracts where the agency indicates on the Standard Form that CUI is not involved in the performance of the contract. Even where CUI is not expected to be involved, contractors will have requirements to notify the government if they discover CUI during performance. This clause must be flowed down to subcontractors.
Conclusion & Next Steps
The rule is currently in the “proposed rule” phase, with a 60-day public comment period that is currently open and scheduled to close on March 17, 2025. Federal contractors, especially those not already subject to DFARS 252.204-7012 requirements, should prioritize reviewing this proposed rule and further consider submitting comments to address questions or concerns relating to these new requirements.
This proposed rule represents a significant step towards standardizing the protection of CUI across Federal agencies. All Federal contractors, beyond just those DoD contractors already subject to DFARS 252.204-7012, will be subject to these uniform cybersecurity standards. When preparing for these changes, it is crucial to stay informed and proactive in understanding the implications of the proposed rule to maintain compliance and secure contractual relationships. By doing so, Federal contractors can better navigate the evolving cybersecurity landscape and continue to fulfill obligations in a secure and efficient manner.
Sidney Howe also contributed to this article.
Looking Beyond FedRAMP – Lessons from the U.S. Treasury Cybersecurity Incident
In the ever-evolving world of cybersecurity, even organizations that meet stringent security standards can be victims of sophisticated cyberattacks. A notable example of this is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. This incident underscores some critical lessons for entities (both government agencies and private sector) that rely on third-party cloud service providers (“CSPs”).
The Incident
In a December 30, 2024 letter, Treasury Officials notified lawmakers of a “major incident” in which Chinese state-sponsored hackers stole Treasury documents. The letter explained that on December 8, 2024, the Treasury Department was notified by BeyondTrust, a CSP responsible for providing remote technical support to Treasury Departmental Offices (“DO”), that a threat actor had gained unauthorized access to a key used by BeyondTrust to secure its cloud service. With the stolen key, the threat actor was able to bypass security protocols to remotely access specific Treasury DO workstations, potentially exposing unclassified documents maintained by the users of those systems.
Interestingly, BeyondTrust holds a security authorization under the Federal Risk and Authorization Management Program (“FedRAMP”). FedRAMP is a government program designed to ensure that CSPs meet rigorous security requirements for the handling of federal data and includes similarly rigorous continuous monitoring and reporting requirements. BeyondTrust’s authorization indicates that it met these requirements.
However, this breach illustrates a critical point: meeting government security requirements does not guarantee invincibility to security incidents. Cybersecurity threats are constantly evolving, and no system—no matter how secure it may seem at a particular moment—can be completely free from risk. Companies must be continuously vigilant and proactive, even organizations that have been cleared through rigorous government-imposed security standards like FedRAMP.
Key Takeaways for Organizations Relying on Third-Party CSPs
Government Security Standards Are Not a Guarantee Against Breaches: While government security certifications such as FedRAMP provide an important benchmark for evaluating third-party vendors, they should not be seen as a one-and-done solution. Security threats are dynamic and evolve rapidly, meaning that entities must remain vigilant and continuously evaluate and update their security protocols. This particular incident serves as an important reminder that security is a continual process, not a final checkbox.
Thorough Vetting of Third-Party Providers Is Essential: The Treasury Department incident is also a reminder of the importance of thorough, ongoing vetting of third-party CSPs. Simply confirming a CSP’s compliance with FedRAMP (or other security standards) should not be the end of the due diligence process. Entities must assess whether their third-party providers have robust security measures in place, including continuous monitoring, rapid incident response protocols, and regular updates to their security infrastructure. This is especially important when the service provider holds access to critical systems or sensitive data.
Collaboration and Transparency Are Critical in the Event of a Breach: BeyondTrust’s prompt notification to the Treasury Department highlights the importance of transparency and communication between service providers and their clients when an incident occurs. Quick and clear communication can help mitigate the damage from a breach and allow organizations to respond more effectively. It also underscores the importance of ensuring that third-party vendors have comprehensive and well-practiced incident response protocols in place.
Conclusion
The recent breach of the Treasury Department’s technical support systems, facilitated by a compromised security key from BeyondTrust, serves as an important reminder of the ever-present risks in the cybersecurity supply chain. While third-party CSPs, such as BeyondTrust, may meet rigorous government standards, meeting those standards reduces, but does not eliminate, risk.
Organizations must recognize that cybersecurity is not static, and the reliance on third-party providers necessitates thorough, ongoing risk assessments and proactive security measures. As cyber threats continue to evolve, so too must the strategies used to safeguard sensitive systems and data. Vetting CSPs should be a continuous process, and security should always be viewed as a shared responsibility between organizations and their third-party vendors.
Eleventh Circuit Overturns FCC’s One-to-One Consent Rule
A 2023 Federal Communications Commission (FCC) Order interpreted the Telephone Consumer Protection Act as requiring that consumers provide specific one-to-one consent to receive robocalls. The purpose was to fill what the FCC called the “marketing partner” gap, which allowed marketers to obtain consent from consumers by checking a box applying to multiple, often unrelated, callers. The Order was to go into effect on January 27, 2025.
But on Friday, January 24, 2025, three days before the Order’s effective date, the Eleventh Circuit Court of Appeals stopped the FCC Order in its tracks. Perhaps signaling how Loper Bright will broadly affect federal agency regulations, the Court ruled that the 2023 Order exceeded the FCC’s statutory authority under the TCPA to interpret the phrase “prior express consent” beyond the plain meaning of the words.
In Insurance Marketing Coalition Limited v. Federal Communications Commission, — F.4th — (11th Cir. 2025), the Court held that while Congress gave the FCC the power to “implement” the TCPA, it did not give the FCC authority to add requirements to the statute that are not there; in this case, interpreting “prior express consent” to require that consent be given on a one-to-one basis, meaning that giving consent to a list of “marketing partners” would no longer be effective.
The 2023 FCC Order at issue interpreted “prior express consent” in the TCPA to include two new restrictions for telemarketing and advertising robocalls. The first declared that “consumers cannot consent to receive robocalls . . . from more than one entity at a time” – the one-to-one consent requirement. Insurance Marketing Coalition Limited, — F.4th —, at *4. The second restriction declared that “consumers cannot consent to receive robocalls whose subject matter is not logically and topically related to, for example, the website on which the consumer gives consent”; e.g., a consumer giving consent to receive calls concerning car loans does not consent to calls concerning loan consolidation. Id. The Insurance Marketing Coalition argued that the FCC exceeded its statutory authority under the TCPA because both of these requirements “impermissibly conflict with the ordinary statutory meaning of ‘prior express consent.’” Id. at *5. The Eleventh Circuit granted IMC’s petition for review, vacated the FCC’s requirements, and remanded for further proceedings.
Perhaps coincidentally, this ruling follows an FCC order, also entered on January 24, 2025, staying implementation of the 2023 Order to the shorter of (1) January 26, 2026, or (2) the Eleventh Circuit’s decision, discussed above. Given this ruling, it is likely the FCC will issue a supplemental order, staying implementation indefinitely. This ruling also follows recent jurisprudence under Loper Bright, which overturned Chevron deference and, as a result, has expanded the judiciary’s power to review and reject interpretations of statutes adopted by federal administrative agencies. The impact of Loper Bright is significant, with numerous similar regulatory challenges likely to come in the near future.
Most notably, while the Eleventh Circuit stated that one of the FCC’s foundational interpretations of the TCPA was “not at issue in this case,” see id. at n. 1, it’s hard to avoid the conclusion that the FCC’s 2012 regulation finding that for TCPA purposes, “prior express consent” meant, in the context of telemarketing or advertising, “prior express written consent,” is at serious legal risk of being overturned. 47 C.F.R. § 64.1200(a)(2), (3), In the Matter of Rules and Regulations Implementing the Tel. Consumer Prot. Act of 1991, 27 FCC Rcd. 1830, 1831 (2012) (italics added). There is a strong argument that if Congress had meant that “prior express consent” be in writing, it would have said so, and that this is another example of the FCC adding requirements that go beyond the “plain meaning” of the words in the statute. For better or worse, the Insurance Marketing Coalition opinion will provide substantial support to efforts to remove “written” from the consent requirement, easing the burden on telemarketers to prove consent in TCPA cases.
White House Temporarily Pauses Certain Federal Financial Assistance Programs But U.S. District Judge Pauses Pause Until February 3
On January 27, the White House ordered a temporary pause, via an internal memorandum, on certain grants and loans disbursed by the federal government in order for each federal agency to review their federal financial assistance programs to identify if any of those programs have been impacted by President Trump’s Executive Orders.1
OMB has stated that any program that is not implicated by the above-referenced Executive Orders is not subject to the funding freeze. The temporary pause was set to take effect January 28, 2025, at 5 PM EST, but was stayed by U.S. District Court Judge Loren AliKhan until February 3, 2025, at 5 PM EST. Judge AliKhan issued the stay in order to maintain the status quo while further litigation plays out. The original pause would have temporarily impacted the National Telecommunications and Information Administration’s (NTIA) Broadband, Equity, Access, and Deployment (BEAD) Program and the Federal Communications Commission’s (FCC or Commission) USF Programs, including the Lifeline Program while those programs are reviewed.
Bottom Line: The White House was set to temporarily pause federal financial assistance programs that are implicated by certain Executive Orders. However, U.S. District Court Judge AliKhan issued an administrative stay of the temporary pause until February 3, 2025, at 5 PM EST. As we await clarification from the FCC and NTIA, as well as the courts, it is unclear how long this funding freeze will last if it is implemented after February 3. In the short term, it may temporarily impact the funding stream of federal broadband programs such as the FCC’s USF Programs, the Secure Networks Act Reimbursement Program, and NTIA’s BEAD Program. But luckily for USF recipients, Universal Service Administrative Company (USAC) payments will be processed this Friday, January 31, 2025, before the temporary funding freeze is implemented. Federal agency reports are currently still due by February 10, 2025, but OMB has noted that the temporary pause for certain programs could be as short as a day depending on the agency’s ability to coordinate with OMB. Furthermore, OMB states that any payment required by law will be paid without interruption or delay.
Background
Since being sworn into office, President Trump has issued a series of executive orders covering various issues such as trade, immigration, U.S. foreign aid, energy, civil rights, federal worker requirements, and health care. While some of the executive orders are more symbolic, others do have immediate policy impacts.
Federal Funding Freeze
The White House issued a temporary funding freeze on all federal financial assistance programs until federal agencies have determined the impact of President Trump’s Executive Orders on such programs, effective January 28, 2025, at 5 PM EST.2 Specifically, under the now-stayed White House memorandum, each federal agency is required to complete and submit a comprehensive analysis to the Office of Management and Budget (OMB) by February 10, 2025, identifying programs, projects and activities that may be implicated by any of President Trump’s Executive Orders, including “financial assistance for foreign aid, nongovernmental organizations, DEI, woke gender ideology, and the green new deal.” This temporary freeze would also apply to all activities associated with open Notices of Funding Opportunity, such as conducting merit review panels.
The White House memorandum explains that this temporary funding freeze will provide the Administration time to review federal agency programs and “best uses of the funding for those programs consistent with the law and the President’s priorities.” But before conducting their analysis, federal agencies must identify any legally mandated obligations for their assistance programs that will arise during the temporary pause and report such information to OMB. The funding freeze would remain intact for federal agencies until OMB has reviewed the submitted information and provided guidance to such agency.
Federal Agency Review
In conducting the comprehensive analysis, federal agencies for each federal financial assistance program must assign responsibility and oversight of the analysis to a senior political appointee to ensure that the financial assistance conforms to Administration priorities. In addition, each federal agency must: (1) review any currently pending programs to ensure that Administration priorities are addressed; (2) modify in accordance with Administration priorities any unpublished financial assistance announcements, subject to statutory authority; and (3) withdraw any announcements already published consistent with Administration priorities. Federal agencies have also been directed to initiate investigations when warranted to identify any underperforming federal financial assistance recipients and cancel awards that are in conflict with Administration priorities.
Exceptions
The memorandum states that OMB is allowed to grant exceptions to this temporary freeze, on a case-by-case basis, for federal agencies to issue new awards or take other actions. It is possible that the USF program and Secure Networks Act Reimbursement Program will fall under this exception. Furthermore, to the extent required by law, federal agencies would be allowed to continue certain activities such as the closeout of Federal awards, pursuant to 2 C.F.R. 200.344, or maintaining certain recording obligations.
Additional OMB Guidance
OMB issued additional guidance noting that any program not implicated by the following Executive Orders is not subject to the funding pause: (1) Protecting the American People Against Invasion (Jan. 20, 2025); (2) Reevaluating and Realigning United States Foreign Aid (Jan. 20, 2025); (3) Putting America First in International Environmental Agreements (Jan. 20, 2025); (4) Unleashing American Energy (Jan. 20, 2025); (5) Ending Radical and Wasteful Government DEI Programs and Preferencing (Jan. 20, 2025); (6) Defending Women from Gender Ideology Extremism and Restoring Biological Truth to the Federal Government (Jan. 20, 2025); and (7) Enforcing the Hyde Amendment (Jan. 24, 2025). While reports are due to OMB by February 10, 2025, from each federal agency, OMB will continue to work with federal agencies to determine whether certain federal financial assistance programs are implicated by the above-referenced Executive Orders. Thus, the funding pause for a particular program could be as short as a day. OMB has already approved an undisclosed number of federal financial assistance programs to continue their funding processes even before the pause would have gone into effect.
Administrative Stay of Funding Freeze
U.S. District Court Judge AliKhan has issued an administrative stay of the White House’s temporary funding freeze that was set to be effective January 28, 2025. However, Judge AliKhan’s administrative stay will expire on February 3, 2025, at 5 PM EST. Judge AliKhan reasoned that the administrative stay was necessary to maintain the status quo while further litigation on the White House’s funding freeze is ongoing.
Nonprofit and public health organizations had argued that the funding freeze could result in devastating outcomes for people who rely on federal funds and intruded on First Amendment rights by seeking to block funding for groups that engage in DEI programs. In response, the U.S. government argued that the organizations failed to show that they needed an immediate halt to the temporary pause on federal financial assistance and that the OMB’s additional guidance alleviated concerns about cutting off essential programs. Nonetheless, Judge AliKhan ruled that the temporary pause on federal financial assistance has a “specter of irreparable harm.”
Impact on Broadband-Related Programs
We note that after President Trump’s separate Executive Order titled Unleashing American Energy, which directed federal agencies to pause Inflation Reduction Act and Infrastructure Act funding related to the energy sector, OMB provided guidance on January 21, 2025 that this Executive Order only applies to certain energy projects, not broadband-related spending. We believe further guidance will also be forthcoming from OMB and the FCC. However, it appears that the DEI Executive Order will impact Infrastructure Act programs such as NTIA’s State Digital Equity Planning Grant Program, State Digital Equity Capacity Grant Program, and Digital Equity Competitive Grant Program which all have DEI elements.
Since the BEAD Program is separately funded under the Infrastructure Act from the broadband-related State Digital Equity programs, the DEI aspects of those programs will not impact the BEAD Program. But there are certain DEI initiatives required under the BEAD NOFO, such as requiring that states and territories coordinate with their local communities, Tribal governments, and worker organizations to ensure full representation by underrepresented communities throughout the planning and deployment process, that could be impacted by NTIA’s review. At least during any temporary funding freeze, because States and Territories are not subject to the Executive Order, state and territory broadband offices should be able to continue conducting their BEAD Program-related processes until federal funding is needed to award selected broadband projects. It is also unclear whether other NTIA programs such as the Tribal Broadband Connectivity Program will be impacted by President Trump’s Executive Orders due to what may be characterized as DEI goals. Arguably, this program is geographically based and provides benefits to anyone living on Tribal land regardless of ethnicity.
Regarding the FCC’s federal financial assistance programs, without clarification from the Commission, it is unclear how President Trump’s Executive Orders will impact the FCC’s funding programs. It is especially unclear whether programs such as the Secure Networks Act Reimbursement Program will even be subject to the funding freeze, as reimbursements do not clearly fall within the federal regulation’s definition of federal financial assistance.3 However, the temporary freeze could have delayed the receipt of funds for recipients of the FCC’s USF Programs that depend on frequent disbursements from USAC, given that the next one is scheduled for January 31, 2025; such recipients received a reprieve due to the temporary stay, which lasts at least until Monday, February 3.
We will provide updates as they become available.
1 The listed Executive Orders include Protecting the American People Against Invasion (Jan. 20, 2025), Reevaluating and Realigning United States Foreign Aid (Jan. 20, 2025), Putting America First in International Environmental Agreements (Jan. 20, 2025), Unleashing American Energy (Jan. 20, 2025), Ending Radical and Wasteful Government DEI Programs and Preferencing (Jan. 20, 2025) (“DEI”), Defending Women from Gender Ideology Extremism and Restoring Biological Truth to the Federal Government (Jan. 20, 2025), and Enforcing the Hyde Amendment (Jan. 24, 2025).
2 The White House memorandum does note that this pause does not affect assistance programs that provide funds directly to individuals, such as Social Security, Medicare, Medicaid, and SNAP. In addition, funds for small businesses, farmers, Pell grants, Head Start, rental assistance, and other similar programs will not be paused.
3 See 2 C.F.R. 200.1 (“Federal financial assistance means: (1) Assistance that recipients or subrecipients receive or administer in the form of: (i) Grants; (ii) Cooperative agreements; (iii) Non-cash contributions or donations of property (including donated surplus property); (iv) Direct appropriations; (v) Food commodities; and (vi) Other financial assistance…”).
The Impact of AI Executive Order’s Revocation Remains Uncertain, but New Trump EO Points to Path Forward
On January 20, 2025, President Trump revoked a number of Biden-era Executive Orders, including Executive Order 14110 on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (“EO 14110”). We previously reported on EO 14110. The full impact of this particular revocation is still being assessed, but Trump’s newly published Executive Order on Removing Barriers to American Leadership in Artificial Intelligence (“Trump EO”), issued on January 23, specifically directs his advisors to “identify any actions taken pursuant to Executive Order 14110 that are or may be inconsistent with, or present obstacles to, the policy set forth in . . . this order.”
EO 14110, issued by President Biden in 2023, called for a plethora of evaluations, reports, plans, frameworks, guidelines, and best practices related to the development and deployment of “safe, secure, and trustworthy AI systems.” While much of the directive demanded action from federal agencies, it also directed private companies to share with the federal government the results of “red-team” safety tests for foundation models that pose certain risks.
Many EO 14110-inspired actions have already been initiated by both the public and private sectors, but it is unclear the extent to which any such actions should be or have already been halted. It is also unclear whether final rules based, even in part, on EO 14110’s directives—such as the Department of Commerce’s Framework for Artificial Intelligence Diffusion and Health & Human Services’ Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing—are or will be affected.
The as-yet unnumbered Trump EO, issued on January 23, directs the Assistant to the President for Science and Technology, the Special Advisor for AI and Crypto, and the Assistant to the President for National Security Affairs, to “review, in coordination with the heads of all agencies as they deem relevant, all policies, directives, regulations, orders, and other actions taken pursuant to the revoked Executive Order 14110 . . . and identify any actions taken pursuant to Executive Order 14110 that are or may be inconsistent with, or present obstacles to, the policy set forth in section 2 of this order.”
Section 2 of the Trump EO provides: “It is the policy of the United States to sustain and enhance America’s global AI dominance in order to promote human flourishing, economic competitiveness, and national security.” Hunton will continue to monitor for more specific indications associated with Executive Order 14110’s revocation and the Trump EO’s implementation and will share updates accordingly.