Waffles, Passports and Trustee Directors – Part Two

Part one of this blog covered the new requirement for company directors (including trustee directors) and persons with significant control to verify their identity with Companies House. They will be able to do this voluntarily from 25 March 2025 (the week during which national cocktail-making day, national cleaning week and international waffle day will be celebrated in the US). This requirement is part of measures introduced under the Economic Crime and Corporate Transparency Act 2023 (ECCTA). But are these measures proportionate? Surely there can’t be that many companies in England and Wales registered for fraudulent purposes?
In 2023, the BBC reported that between June and September of that year alone, over 80 companies had been set up using the residential addresses of unsuspecting people living in the same street in Essex. Experts speculated that these companies had been registered in order to launder money or to take out bank loans before closing down the companies and disappearing.
In another case in March 2024, one individual managed to file 800 false documents at Companies House in a short space of time, which recorded the false satisfaction of charges registered by lenders against a total of 190 different companies. Having an accurate register of charges at Companies House is important because it governs the order of priority of payment of debts and, if a company is in financial difficulties, it influences the route by which administrators are appointed and to whom notice must be given.
Meanwhile, Tax Policy Associates, a not for profit company, has published details of its many investigations into fraudulent entities that have been able to set up and use UK registered companies as cover. The investigations it has carried out provide a fascinating insight into the magnitude of the problem. In a few quick steps, Tax Policy Associates demonstrates on its website how it was able to identify a £100 trillion fake company registered at Companies House. It has also highlighted a new scam letter being sent to directors of newly incorporated UK companies from “Company Registry” requiring them to pay a fee, which is one of the ways in which your personal data, published by Companies House, is being used by criminals.
If all this talk of fraud, and the ready availability of personal data filed at Companies House, is making you feel a bit uncomfortable then there is some potentially good news.
An individual whose residential address is, or has been, used as a registered office address (whether knowingly or unknowingly) can apply to have their residential address suppressed on Companies House records.
From summer 2025, individuals will be able to apply to have their date of birth suppressed in documents that were filed before 10 March 2015. (Since 10 March 2015, Companies House has only ever published the month and year of birth.) Documents containing personal data, such as directors’ appointment forms, continue to be publicly available even after you have ceased to act as a director of a company.
In a similar vein, from summer 2025, individuals will also be able to request that their business occupation and signature are suppressed in documents appearing at Companies House.
We do not have the detail around this yet, so it may be that the process and costs involved with redacting public documents might prove disproportionate for the majority of people. By way of example, the process for seeking to suppress a residential address involves identifying each document that needs to be redacted, completing a form and paying a £30 fee for each document that you want to get amended. Nor can you submit a subject access request to Companies House asking it to identify all documents that contain your personal data, because Paragraph 5 of Schedule 2 Part 1 of the Data Protection Act 2018 would likely exempt Companies House from this requirement. You would need to do the trawl yourself through a company’s filing history at Companies House.
It is to be hoped that in the not too distant future, there will be some sort of AI tool that will facilitate this process, meaning that submission of one request would result in the redaction of all sensitive personal data from Companies House publicly available records. Until then, however, it might prove a bit of a challenge if you are seeking to suppress any personal data published at Companies House, even once that facility becomes available. If you are interested in pursuing this, or would like further information or assistance, please speak with your usual SPB contact.
So, what will you be doing during the third week in March? Perhaps you will be celebrating the first anniversary of TPR’s general code of practice, which came into force on 28 March 2024. 

EUROPE: National Regulators Announce Digital Operational Resilience Act Reporting Windows

EU national supervisory authorities will collect the Register of Information (ROI) pursuant to the EU’s Digital Operational Resilience Act (DORA) from in-scope financial entities in April 2025, with the reference date set as 31 March 2025. ROIs are reports by in-scope EU financial entities on all contractual arrangements on the use of information and communication technology (ICT) services provided by ICT third-party service providers. The financial entity must differentiate between providers that are not critical and providers that are considered critical/important.
The Irish Central Bank has announced that it will collect the ROIs between 1 and 4 April 2025. The German BaFin has set 11 April as the deadline. In-scope financial entities across the EU should expect a similar process locally.
Under the Implementing Technical Standards on the Register of Information, information to be collected includes:
• Identification of ICT third-party service providers (each will need either a valid LEI code or an EU-ID for the files to pass validation);
• Detail on the nature of the ICT services provided;
• Detail on contractual arrangements;
• Risk classification;
• Monitoring and oversight mechanisms;
• Sub-outsourcing arrangements; and
• ICT-related incidents.
The European Supervisory Authorities have provided useful information on how to prepare to report the ROI which is available online. In Ireland, the Central Bank will publish a system guide to submitting the ROI in March 2025. The German BaFin has provided information here (in German).

Draft Measures for Personal Information Protection Certification for Cross-Border Data Transfers Released for Public Comment

On January 3, 2025, the Cyberspace Administration of China (the “CAC”) released the Draft Measures for Personal Information Protection Certification for Cross-Border Data Transfers (the “Draft Measures”) for public comment. Following the Implementation Rules for Personal Information Protection Certification (the “Implementation Rules”) and the Cybersecurity Standards Practice Guidelines – Security Certification Specifications for Cross-Border Processing of Personal Information V2.0 (TC260-PG-20222A) in 2022, the Draft Measures provides additional details with respect to key aspects of the certification process, including its applicability, evaluation criteria, implementation process, use of certification results, and post-certification supervision. 
Under China’s Personal Information Protection Law (“PIPL”), to transfer personal information (“PI”) abroad in a compliant manner, the relevant data processor must (1) obtain certification; (2) conduct a security assessment; or (3) execute a standard contract in accordance with the requirements of the PIPL. The Draft Measures outline details of the certification process. The Security Assessment for Cross-Border Data Transfers (effective September 2022) provides guidelines for conducting the security assessment. The Standard Contract for Cross-Border Transfers of Personal Information (effective June 2023) presents the form of the standard contract.
Below is a brief overview of the key provisions of the Draft Measures.
1. When a Data Processor Should Obtain Certification
According to Article 4 of the Draft Measures, if the following conditions are met, a data processor can transfer PI abroad in a compliant manner by obtaining certification:

The data processor is not a critical information infrastructure operator (the “CIIO”);
The data being transferred does not involve important data;
Since January 1 of the current year, the cumulative volume of PI transferred overseas:

exceeds 100,000 individuals but is less than 1 million (excluding sensitive PI); or
involves the sensitive PI of fewer than 10,000 individuals.

A notable addition in the Draft Measures is the explicit inclusion of foreign personal information processors under Article 3(2) of PIPL as eligible entities for the certification mechanism. This means that when a foreign entity collects PI directly from individuals within China and wants to transfer and store such PI overseas, it can apply for the certification. Specifically, such an entity can authorize a designated representative or establish a specialized entity in China to assist with the certification process.
However, the Draft Measures do not clarify the specific requirements for these designated representatives or specialized entities, such as whether they must be an affiliate of the foreign PI processor.
We have prepared the following table to help a data processor/exporting entity determine which one of the three mechanisms it needs to undergo to stay compliant when transferring PI overseas:

2. Certification Standards and Rules
Article 7 of the Draft Measures stipulates that CAC, in coordination with relevant authorities, will formulate standards, technical rules, and assessment procedures for PI protection certification for cross-border data transfers.
According to the Implementation Rules, currently such standards and technical rules include:

Information Security Technology—Personal Information Security Specification (GB/T 35273-2020)
Cybersecurity Standards Practice Guidelines – Security Certification Specifications for Cross-Border Processing of Personal Information V2.0 (TC260-PG-20222A)

3. Key Certification Requirements 
Article 10 of the Draft Measures outlines the key assessment criteria for PI protection certification for cross-border data transfers. These criteria fall into three categories: 

Compliance of Cross-Border PI Transfers – Evaluating whether the transfer of PI aligns with applicable laws and regulations. 
PI Protection Level of Overseas Processors and Recipients – Assessing the data protection capabilities of overseas PI processors and recipients, as well as the legal, policy, and cybersecurity environment in their respective countries or regions. 
Legally Binding Agreements and Organizational Safeguards – Reviewing the legally binding agreements between the PI processor and the overseas recipient, as well as their organizational structure, management systems, and technical measures to ensure PI protection. 

4. Certification Bodies 
Under Article 8 of the Draft Measures, professional certification bodies that meet the required qualifications to conduct PI protection certification for cross-border data transfers must complete a record-filing procedure with CAC. 
Currently, China Cybersecurity Review, Certification and Market Regulation Big Data Center (the “CCRC”) is the only officially recognized PI protection certification body in China. However, as the regulatory framework continues to develop, more certification bodies may become available in the future. 
According to a report issued by CCRC, as of February 2025, CCRC had received over 100 certification applications and had issued PI protection certification certificates to 7 entities. [i]
The Draft Measures are still open for public comment. We will continue monitoring regulatory developments with respect to the certification mechanism.
FOOTNOTES
[i] https://www.isccc.gov.cn/xwdt/tpxw/12/909546.shtml

California’s Proposed Location Privacy Act: A Potential Game-Changer for Tracking Location of Individuals

Businesses that track the geolocation of individuals—whether for fleet management, sales and promotion, logistics, risk mitigation, or other reasons—should closely monitor the progress of California Assembly Bill 1355 (AB 1355), also known as the California Location Privacy Act. If passed, this bill would impose significant restrictions on the collection and use of geolocation data, requiring many businesses to overhaul their location tracking policies and procedures.
California has long been at the forefront of data privacy regulation, particularly in the area of location tracking. Section 637.7 of the California Penal Code, for example, provides that no person or entity in California may use an electronic tracking device to determine the location or movement of a person. Notably, the law does not apply when the registered owner, lessor, or lessee of a vehicle has consented to the use of such a device with respect to that vehicle.
More recently, the California Consumer Privacy Act of 2018 (CCPA) established a comprehensive privacy and security framework for personal information of California consumers, which includes granting consumers rights over their personal information. Under the CCPA, consumers have the right, subject to some exceptions, to limit the use of their “sensitive personal information,” a defined term which includes geolocation data. The California Privacy Rights Act of 2020 (CPRA) amended the CCPA, further strengthening these protections by enhancing consumer rights and enforcement mechanisms.
Importantly, employees and contractors are considered “consumers” under the CCPA.
Key Provisions of AB 1355
If enacted, AB 1355 would place strict limits on how businesses collect, use, and retain location information. Here are the major takeaways for businesses that track geolocation data.
Who Does the Law Apply To? The law would apply to any business (referred to as a “covered entity”) that collects or uses location data from individuals in California, although there is an exception for the location information of patients if the information is protected by HIPAA or similar laws. Government agencies are not considered covered entities but are prohibited from monetizing location information.
The bill defines “individual” as a “natural person located within the State of California.” So, it looks like the individual need not be a California resident. In addition, the collection or use of location data must be necessary to provide goods or services requested by that individual. It is unclear how this provision would apply in the employment context.
Express Opt-In Requirement. Individuals would be required to expressly opt in before their location data could be collected; businesses would not be permitted to infer consent or use pre-checked boxes.
Prohibited Actions. Businesses would not be permitted to:

Collect more precise location data than is necessary.
Retain location data longer than necessary.
Sell, rent, trade, or lease location data to third parties.
Infer additional data from collected location information beyond what is necessary.
Disclose location data to government agencies without a valid court order issued by a California court.

Notice and Policy Requirement. Under AB 1355, businesses would be required to provide clear, prominent notice at the point where location data is collected. The notice would need to include the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information. Companies also would need to maintain a location privacy policy detailing, among other things:

What location data is collected.
The retention and deletion policies.
Whether the data is used for targeted advertising.
The identities of third parties or service providers with access to the data.

Any changes to this policy would require at least 20 days’ notice and renewed consent.
Enforcement and Legal Remedies. If enacted, AB 1355 would permit the California Attorney General, district attorneys, and other public prosecutors to bring lawsuits against non-compliant businesses. Remedies could include all of the following:

Actual damages suffered by affected individuals.
A civil penalty of $25,000.
Court-ordered injunctions and attorney’s fees for prevailing plaintiffs.

Implications for Businesses Engaged in Location Tracking
This bill represents a major shift in how businesses must approach location tracking. If enacted, businesses relying on geolocation data for purposes such as monitoring employees, connecting with customers, improving logistics, or managing risk must:

Implement new opt-in procedures before collecting location data.
Reevaluate their data retention policies to ensure compliance.
Review agreements with third-party vendors that process location data.
Update their privacy policies and internal procedures to align with the new legal requirements.

In addition to monitoring the path of this legislation, businesses also should consider revisiting their current electronic monitoring and tracking activities. Data privacy and security laws have expanded in recent years, with geolocation data being one of the more sensitive categories of personal information protected.

HOW TO BUILD A DISCLOSURE: Court Refuses to Enforce Arbitration Provision on Humann’s Website and It is Time for a Tutorial

Johnson v. Humann, 2025 WL 606782 (N.D. Ill. Feb 25, 2025).
There a court refused to enforce an arbitration provision on a website popup ad, and the facts are worth diving into.
In Johnson the plaintiff visited Defendant’s nutrition supplements and functional foods website and received a pop-up message offering him 15% off if he signed up to receive emails and text messages.
On the bottom of the popup ad was a disclosure that said “View terms and conditions.”
In the terms hyperlink was an arbitration provision.
Plaintiff clicked on the orange “GET 15% OFF NOW” button and was brought to a separate webpage where he had to enter his personal information in order to receive messages.
Plaintiff then agreed to receive messages from Defendant but later changed his mind and texted “stop”–yet continued to receive messages from Humann.
So we can pause here and already recognize a couple of themes:

This is yet another retailer being sued in a TCPA class action over marketing text messages;
This is yet another retailer being sued in a TCPA class action over failing to honor a text message revocation; and
This is all going to get a LOT worse after April 11, 2025.

But although these themes are present and interesting, they are also not the point.
Defendant moved to compel arbitration relying on the little “view terms” link on the bottom of the popup. The court denied that motion finding the terms unenforceable–and THAT is the point.
Arbitration was denied on two grounds– BOTH of them interesting and important for folks to understand.
First, the plaintiff did not directly agree to the terms and conditions.
The disclosure merely said “view terms.” It did not say words to the effect of “by clicking this button you will ACCEPT terms.”
This is critically important. While it may be presumed that the ability to “view” terms means that terms exist and that you will be bound by them at some point, failing to specifically advise consumers that the terms WILL bind the consumer UPON THE ACT of pressing the button or proceeding is critical. Without that language, courts will not enforce the provision.
As the court in Johnson said: “The phrasing of the disclosure is particularly important given that Defendant has complete control over the language of its own website and could have written the disclosure in any way.”
Bingo.
Courts will strictly read website copy against the website operator just the way they will read ambiguities in a contract against the drafter. So be ultra-cautious here.
But that’s not all. The court also denied arbitration because the website did not give reasonable notice of the terms.
Here there were several problems:

Again, the consumer was never actually told that by doing something specific the terms and conditions would be deemed accepted;
The hyperlink for the terms and conditions was underlined but it was not blue and did not otherwise standout from the rest of the disclosure text;
The language was small and below the button; and, probably most importantly,
Although the language was close to the button it was NOT displayed on the page where the consumer was actually agreeing to receive text messages–it was displayed BEFORE the text program was entered into.

This last one deserves attention. Courts often discuss the need for a disclosure to be “spatially and temporally” connected to the act by which the disclosure is accepted.
It is easy enough to understand what “spatial” closeness means–it just means how close the button is to the disclosure.
“Temporal” closeness can be trickier to understand, but really it just means: did the consumer accept the disclosure at the time it was displayed?
In Johnson the “view terms” disclosure appeared on the pop up but NOT on the page where the consumer actually signed up for text messages. So there was a temporal gap between the disclosure and the acceptance of the disclosure. And that was fatal to Humann’s arbitration effort.
Also, notice how the hyperlink wasn’t blue? Such a low hanging fruit issue folks. Ever since Berman that issue has been crystal clear. Just such a miss that any competent lawyer working in this space would have immediately caught.
So, here is some guidance on the structure and format of website terms, offered as a guide to all.
Something like this (but probably better):

Button should indicate terms will be accepted;
The disclosure should clearly state that by clicking the button the terms will be accepted;
The disclosure should be clearly visible and neither too small nor too faint considering the background of the website;
The disclosure should be very close to (and preferably above) the button;
The disclosure should be clearly presented at the time the disclosure is being accepted;
Any hyperlinks in the disclosure should be brightly colored and highly visible (not just underlined);
Disclosure should not be tiny; and
Consumer should not be distracted by other noise on the website.

Crypto Regulatory Roundup – Q1 2025

Introduction
Since President Trump’s inauguration, the crypto industry has been on a tear. And no, this time, we’re not just talking about the price of Bitcoin. In the past two months, Washington D.C. has taken a deliberate interest in the crypto industry. In this article, we’ll explore legislative and regulatory efforts with the potential to elevate the “digital asset” industry to a broader U.S. market.
Bigger Picture
The Trump administration wants crypto to blossom, and for that to happen in the United States. This is a reversal from President Biden’s approach, made evident by President Trump’s executive order on crypto on his third day in office.
Further, the Trump administration is bringing together key stakeholders within the federal government:

A majority of Congress is now supportive of (or less against) crypto.
The crypto lobby landed over 90% of its desired candidates in the last election.
The acting chair of the SEC (Mark Uyeda), another key commissioner (Hester Peirce) and the nominated SEC chair (Paul Atkins) are supportive of crypto and are experts in the industry.
The nominated CFTC commissioner (Brian Quintenz) publicly supports crypto and has spent time at venture capital firm Andreessen Horowitz, a firm with a reputation for backing the digital asset industry.
President Trump’s appointees for Commerce (Howard Lutnick) and Treasury (Scott Bessent) each have a long history of support for the crypto industry.
The United States Supreme Court’s conservative majority could provide crypto proponents with the high-level air cover needed to ensure these legislative and regulatory changes are implemented. 

If the digital asset industry can get some workable rules in place, we could see a step-function increase in investment in this sector. On the other hand, if Congress is unable to pass needed crypto legislation, the digital asset industry would likely continue to shift offshore to crypto-friendly jurisdictions like the Cayman Islands and Abu Dhabi. 
What does this mean for business?
Here are some things to watch in investment management, for general corporates, for banks and for startups.
Investment Management: Rules classifying digital assets as securities or commodities (or neither!) could ease investment decision-making. A clearer regulatory framework could: (i) help venture funds adjust and streamline their legal forms of investment; (ii) provide a legally safer trading universe for hedge funds; (iii) provide compliance departments with reliable policies and procedures and (iv) increase broker-dealer participation for crypto market making. Back- and mid-office issues like custodying unsupported tokens could be resolved. Rules for stablecoin issuers could reduce counterparty and reputational risk related to use of those products. Larger asset managers may explore bringing new exchange-traded products to market, expanding access for institutional investors like pensions, endowments, foundations and larger RIAs.
Large Corporates: We saw household-name companies dabble in blockchain and “Web-3” a few years ago, including major retail brands, gaming companies, celebrities and sports teams using NFTs to build brand loyalty and facilitate direct company to consumer interaction. Crypto can help gamify experiences, providing instant, ownable blockchain-powered rewards and collectibles that can be traded instantly and globally. If lawmakers can provide clarity for the celebrities and the C-suite, we could see renewed interest in these initiatives.
Banks: As custodians of U.S. dollars and other “real” currencies, banks are a natural fit to custody crypto assets, and we saw major interest in this a few years ago from most global custodians and exchanges. As discussed below, interest from institutional banks waned as the SEC and FDIC purportedly pressured the banking industry to avoid crypto. However, with the recent shift in regulatory attitude, and the repeal of “SAB 121,” we could see a resurgence of custody interest from traditional banks, and an expanded customer base for them if they choose to service companies with crypto exposure.
Startups: A collaborative SEC paired with legislative clarity changes the calculus for young companies with crypto products or business lines. These companies could consider launching from the United States (vs. offshore) and could potentially distribute their products to U.S. customers with lower risk. Also, the SEC is actively exploring ways to ease public offerings for tokens, acknowledging that Reg. D or full-on securities registration are impractical fits for tokens of a decentralized or functional blockchain network.
Key legal and regulatory developments
I. Winding Down of SEC Crypto Enforcement
Over the last few years, the SEC has brought headline cases against crypto industry participants, including exchanges like Coinbase, Kraken and Binance, and issuers like Ripple. These cases kept many companies on the crypto sidelines, lest they draw the ire of the SEC. However, some of these cases have now been paused or completely dropped. On February 21, 2025, Coinbase announced that it reached an agreement in principle with the SEC to dismiss their ongoing lawsuit. It is rare for the SEC to dismiss (again, drop completely – not settle) flagship litigation. The SEC’s case against Binance has also been paused, and we could see similar action in the Kraken and Ripple cases.
While critics of the digital asset industry will argue that dropping these cases is a mistake, industry advocates have long argued that these actions were off base from the start. It is likely that the SEC dropped or paused these cases because crypto market structure legislation is coming, leading to practical, mutually agreed solutions for the parties to move forward.
II. SEC Priorities Shifting
The SEC has effectively disbanded its dedicated crypto enforcement unit. In its place, it has installed a broader cybercrimes unit, which includes a crypto focus but also focuses on potential wrongdoing from other emerging technologies like artificial intelligence and even traditional technologies like social media.
Further demonstrating the SEC’s focus on developing new solutions vs. enforcing the status quo, the SEC has created a “crypto task force.” Led by SEC Commissioner Hester Peirce, the task force will develop and recommend rules for crypto, addressing specific priorities such as:

Security Status: Defining whether a crypto asset is a security or something else.
Jurisdictional Scoping: Identifying which areas fall inside the SEC’s purview and which don’t.
Temporary Relief: Developing pathways to compliance for coin or token offerings when an issuer is willing to take responsibility for providing appropriate disclosures.
Viable Path for Token Offerings: Easing existing paths to registration, including Regulation A and crowdfunding.
Special Purpose Broker Dealer: Exploring updates to the special-purpose broker dealer no-action statement.
Custody Solutions for Investment Advisers: Developing a framework in which advisers can appropriately custody client assets themselves or with third parties.
Crypto-Lending and Staking: Clarifying whether crypto lending and staking programs are covered by the securities laws.
ETPs: Enabling new crypto exchange-traded products and allowing for additional features (e.g. staking and in-kind creations and redemptions).
Clearing Agencies and Transfer Agents: Exploring the intersection of crypto, clearing agency and transfer agent rules.
Cross-Border Sandbox: Developing a global, cross-border regulatory engagement framework to encourage industry and regulator collaboration.

III. Enabling Banks to Engage with Crypto
The SEC issued guidance in 2022 that restrained banks from custodying crypto. Staff Accounting Bulletin (“SAB”) 121 required the industry to reflect digital assets as both an asset and a liability, effectively forcing banks to maintain additional, and usually impractical, capital reserves. Updated guidance from the SEC this past January – SAB 122 – rescinds this prior guidance. We expect this repeal to allow banks to reengage with digital assets, including custodying them, a major initiative by global custodians and other banks a few years ago.
We could also see banks begin again to take crypto companies as customers. In one of the first hearings of the newly formed Senate Banking Committee’s Subcommittee on Digital Assets, lawmakers examined the concept of “debanking” – the term for when a bank denies or closes specific customer accounts for often unexplained risks. In past years, many banks have refused to do business with crypto companies. The debanking period has ended, according to FDIC Acting Chairman Travis Hill, who noted that the prior FDIC approach “contributed to a general perception that the agency was closed for business if institutions are interested in anything related to blockchain or distributed ledger technology.”
IV. Need-to-Know Legislation: Stablecoins
An early favorite for legislation is stablecoins. Generally, stablecoins are digital tokens that are pegged to the U.S. dollar or another fixed currency. If I have one stablecoin, I have (the equivalent to) one U.S. dollar. Stablecoins are increasingly being viewed as in the U.S. national interest because they can effectively expand access to the U.S. dollar. For example, many people globally can’t readily access U.S. dollars – they may not have U.S. bank accounts, or their local bank may not hold sufficient U.S. dollars. With stablecoins, anyone with a phone can hold a digital asset that functions as, and is exchangeable for, a U.S. dollar.
In an area reminiscent of the banking industry, legislation is moving through Congress and could be on President Trump’s desk by mid-2025. The various proposed bills (e.g. Senator Hagerty’s “GENIUS Act”) define key terms like “payment stablecoin,” establish procedures for licensing and issuing stablecoins, implement reserve requirements and standards for stablecoin issuers, and apply different disclosure and registration requirements to issuers based on specific financial thresholds.
V. Need-to-Know Legislation: Market Structure
Fundamental legal and regulatory questions exist with crypto, including whether and when a digital asset is a security and which regulator (e.g. the SEC or the CFTC) is in charge. Crypto market structure legislation passed the House of Representatives in 2024, and the current Congress seeks to build upon that prior progress.
The Financial Innovation and Technology for the 21st Century Act (“FIT21”), passed by the House of Representatives in 2024, sorted digital assets into three categories: digital commodities regulated by the CFTC, restricted digital assets regulated by the SEC and payment stablecoins (neither digital commodities nor restricted digital assets). FIT21 would have supplanted the Howey test in determining whether a digital asset is a security by requiring issuers to certify that a digital asset runs on a blockchain that is sufficiently decentralized. Whether it’s FIT21 or something else, crypto market structure legislation will likely replace Howey, providing rules for clearer determinations.
VI. Trump’s Executive Order on Crypto
The first sign that President Trump has prioritized crypto came on January 23, 2025, when he signed an Executive Order titled “Strengthening American Leadership in Digital Financial Technology.” The crypto executive order establishes a working group tasked with recommending a comprehensive regulatory framework for digital assets, including the potential for a national digital asset stockpile. The executive order requires the working group to achieve its objectives in 2025, reflecting the Trump administration’s intent to adopt decisive solutions quickly.
Conclusion
2025 is proving to be a banner year for crypto legislative and regulatory efforts. Stay tuned for more developments, possibly as soon as the next few months. For those interested in engaging more directly, SEC Commissioner Peirce’s task force is welcoming comments from the industry.

Some States Step Up Early to Regulate AI Risk Management

Key Takeaways

A global AI arms race may mean U.S. states are best positioned to regulate AI’s risks.
Colorado and Utah have enacted legislation for how AI is to be used with consumers.
Other states are emphasizing existing laws they say “have roles to play” in regulating AI.

In the span of one month, an executive order issued in 2023 focusing on artificial intelligence (AI) safety and security was repealed and replaced by an executive order focusing on the U.S. being the global leader in AI innovation, while in the EU a liability directive developed in 2022 was abandoned in favor of a bolder, simpler and faster 2025 Commission work program, with an “ambition to boost competitiveness.”
A ‘move fast and break things’ approach to an emerging technology arms race often has drawbacks. For example, the recent rise of DeepSeek provided a glimpse into what was previously unimaginable: an open-source large language model useful for a wide range of purposes, that’s fast, cheap and scalable. But within days it was hacked, sued and discredited.
While nations battle for AI supremacy by “removing barriers” and loosening regulations, in the U.S. last year, 45 states introduced AI bills, and 31 states adopted resolutions or enacted legislation. Overall, hundreds of bills in 23 different AI-related categories have been considered. Two states stand out, Colorado and Utah, for their focus on consumer protection.
Colorado’s AI Act
The Colorado Artificial Intelligence Act (CAIA), which goes into effect on February 1, 2026, applies to developers and deployers of high-risk AI systems. A developer is an entity or individual that develops or intentionally and substantially modifies a high-risk AI system, and a deployer is an individual or entity that deploys a high-risk AI system. A high-risk AI system is one used as a substantial factor in making a consequential decision.
A consequential decision means a decision that has a material legal or similarly significant effect on the provision or denial to any consumer of, or the terms of, education, employment, a financial or lending service, government service, healthcare service, housing, insurance or legal service.
These definitions of the CAIA can seem abstract when not applied to use cases. But a standout feature of the CAIA is its robust set of mitigation techniques, which include a safe harbor if the National Institute of Standards and Technology’s AI Risk Management Framework (NIST AI RMF) is considered when devising the required Risk Management Policy and Program.
The NIST AI RMF provides voluntary guidance to individuals and companies on how to best manage AI risks throughout an AI system’s lifecycle, often referred to as the implementation of Trustworthy AI, which includes such characteristics as reliability, safety, security, resilience, accountability, transparency and fairness.[1]
The CAIA requires that deployers and developers meet certain criteria to ensure they understand what is required to protect consumers from known or foreseeable risks. In addition to a risk management policy and program, covered entities must complete impact assessments at least annually and in some instances within 90 days of a change to an AI system.
An impact assessment under CAIA requires substantial documentation. For instance, the assessment must include such things as a statement, an analysis, a description and overview of the data used, metrics, a description of transparency measures, and post-deployment monitoring and user safeguards. 
Utah’s AI Policy Act
Utah is also an early adopter of AI legislation. In fact, the Utah Artificial Intelligence Policy Act (UAIP) has been in effect since May 2024. Among other things, the UAIP seeks to simultaneously increase consumer protections and encourage responsible AI innovation by:

Mandating transparency through consumer disclosure requirements;[2]
Clarifying liability for AI business operations, including key terms and legal defenses;
Enabling innovation through a regulatory sandbox for responsible AI development, regulatory mitigation agreements (RMAs) and policy and rulemaking by a newly created Office of Artificial Intelligence Policy (OAIP).

The statutory inclusion of RMAs is a unique example of how Utah aspires to balance AI’s potential risks and rewards. The UAIP defines RMAs as an agreement between a participant, OAIP and relevant state agencies and defines regulatory mitigation as restitution to users, cure periods, civil fines if any and other terms that are tailored to the AI technology seeking mitigation.
While not quite a safe harbor from all liability, RMAs provide AI developers, deployers and users with an opportunity to test for unintended consequences in a somewhat controlled environment. In December, the OAIP announced that it had executed its first RMA with ElizaChat, an app schools can offer teens for their mental health.
The 12-page RMA with ElizaChat is notable for its multiple references to cybersecurity – an area for which the UAIP intends to eventually establish standards – and for its schedules. Included in Schedule A under the subheading “Mitigation Offered” are detailed requirements the ElizaChat app must meet, including a Testing Plan and notification obligations should certain incidents occur.[3]
As to AI liability, the UAIP specifies and clarifies that businesses cannot blame AI for any statutory offenses. The fact that AI “made the violative statement, undertook the violative act, or was used in furtherance of the violation” is irrelevant and cannot be used as a legal defense.[4] The UAIP also contemplates the creation of AI cybersecurity standards through the OAIP.
The UAIP also establishes a Learning Lab through which businesses can partner with the OAIP to responsibly develop and test AI solutions. In this way, the UAIP sets the stage for a new era of AI regulation by being the first state law to embed cross-functional learning opportunities for future rules and regulation.
Other States Are Ready To Regulate
On the day this article was published, Virginia announced it passed an AI bill. It is similar to the Colorado and Utah AI Acts with references to AI disclosures and liability standards and the NIST AI RMF. Connecticut also reintroduced “An Act Concerning AI” and New Mexico introduced an anti-algorithmic discrimination bill.
Not to be outdone, in the last few months several states’ attorneys general (AGs) have issued guidance on how they intend to protect consumers and what they expect from organizations that develop, sell and use AI, none more forcefully than AG Rosenblum of Oregon: “If you think the emerging world of AI is completely unregulated under the laws of Oregon, think again!”
AG Rosenblum discusses how Oregon’s Unlawful Trade Practices Act, Consumer Privacy Act and Equality Act affect implementation of AI, even providing seven examples under the UTPA. AG Bonta of California followed suit a week later in a seven-page advisory, citing similar laws and providing nine examples of violations of its unfair competition law.
How to Prepare
To be sure, it’s still early. But states’ regulation of AI and their inclusion of voluntary guidance frameworks such as the NIST AI RMF or RMAs provide, at a minimum, iterative starting points for the types of industry standards that will emerge as legal obligations. Therefore, organizations should consider whether their policies, procedures and plans will enable them to take advantage of those frameworks.

[1] For further background on the NIST AI RMF see here https://natlawreview.com/article/artificial-intelligence-has-nist-framework-cybersecurity-risk (May 2023) and here https://natlawreview.com/article/nist-releases-risk-profile-generative-ai (May 2024).
[2] Yesterday, the UAIP’s original sponsors proposed an amendment to the required disclosures section, narrowing its application to “high-risk artificial interactions,” which refers to interactions with generative AI involving health, financial, medical, and mental health data. If passed, this limitation to the required disclosures will go into effect in June of this year. https://le.utah.gov/~2025/bills/static/SB0226.html. If adopted, this limitation would go some way to lessening the burden of compliance for small and medium businesses.
[3] Id. at 8.
[4] Utah Code Ann. section 13-2-12(2).

Decoding the Independent Agency Executive Order: Implications for the Activities of Federal Agencies and Business Interests

The Ensuring Accountability for All Agencies Executive Order (the “Independent Agency EO”), signed by President Trump on February 18, extends unprecedented direct Administration control over independent regulatory agencies, such as the Federal Communications Commission, the Securities and Exchange Commission, the Federal Trade Commission, and the Federal Energy Regulatory Commission, among others.1 The Independent Agency EO requires, inter alia, the submission of “major regulatory actions” of independent agencies to the Office of Management and Budget’s (OMB) Office of Information and Regulatory Affairs (OIRA) in the White House, imposing OIRA review and approval requirements on these agencies’ regulatory actions. Such review, to this point, has been limited to actions of cabinet-level executive branch departments (and their respective components and agencies), such as the Departments of Justice, Commerce, Agriculture, Homeland Security, Energy, and Transportation, over which the President has plenary authority, including with respect to their regulatory activities and actions, and the hiring and firing of political appointees, who serve at the President’s pleasure.
In addition, on February 19, the President signed a follow-on Executive Order to implement the Administration’s Department of Government Efficiency (DOGE) deregulatory initiative (the “Deregulation EO”), directing all agency heads, including those of independent agencies, to initiate a process to review all regulations under their jurisdiction for consistency with law and the Administration’s policy objectives. Agency heads were also directed, within 60 days (by April 20), to identify and submit to OIRA regulations that are within one of seven classes that meet the Administration’s criteria for inconsistency with law and its policy objectives.
Key Takeaways:

The Independent Agency EO purports to exert unprecedented direct presidential control over independent agencies, which were created by Congress as governmental agencies outside the President’s Administration in order to insulate them from direct political influence and control. 
The order requires White House review of agency action, likely to slow the regulatory process and create uncertainty for business, though also providing business with a second “bite at the apple” to pare back or outright block particular agency regulatory initiatives through the OIRA process.
The Independent Agency EO and the Deregulation EO are additional elements of efforts by the Trump Administration to limit the so-called “Administrative State,” and are simultaneously coupled with the assertion by the Administration of the President’s authority to remove independent agency heads and other political appointees at will, rather than for cause or under other criteria specified in the agency’s enabling statute. Challenges to two such removals are pending in federal court, and the acting U.S. Solicitor General has indicated in a letter to Senator Dick Durbin, ranking member of the Senate Judiciary Committee, that “certain for-cause removal provisions that apply to members of multi-member regulatory commissions are unconstitutional and that the Department [of Justice] will no longer defend their constitutionality.”
Together, these initiatives could provide the Administration with the ability to exert more direct control and influence over independent agencies, including to advance various Administration priorities, most obviously surrounding DEI, green energy, political speech, and others that will come into focus over time. In addition, the Deregulation EO’s call for an accelerated review for consistency with the Administration’s deregulatory and other policy objectives could potentially prompt some unexpected initiatives from the independent agencies.

Background
Independent regulatory agencies are quasi-legislative bodies created by Congress that are outside the Administration yet technically are considered within the executive branch of the federal government. Independent agencies have historically acted independently from oversight and direction by the President’s administration in their rulemaking and other activities, with their power delegated by Congress through the agency’s enabling statute. The extent of the President’s authority over independent agencies has generally been thought to be limited by the provisions of an agency’s enabling statute, which typically does not extend beyond the President’s authority to appoint agency heads and senior governing officials (such as commissioners and board members), with the advice and consent of the Senate.
The Supreme Court has long held that independent agency political appointees cannot be removed without cause or in accordance with an agency’s enabling statute, which is in contrast with executive department heads serving in the President’s cabinet and other executive department political appointees, who serve at the pleasure of the President and may be removed at will. The President is now asserting the authority to fire independent agency political appointees at will, an issue which is currently pending in two federal court cases, as discussed further below.
OIRA is an office within OMB tasked with, under the 1993 Regulatory Planning and Review EO 12866 (as supplemented by 2011 EO 13563), reviewing and approving executive agency regulatory actions, ensuring compliance with executive orders, and coordinating the Administration’s policies among the cabinet-level executive departments and their component agencies. Prior to the Independent Agency EO, only the regulatory actions and activities of executive departments, their agencies and components have been subject to OIRA review, because EO 12866 excludes “independent regulatory agency” from its definition of “agency” for purposes of EO 12866 compliance.2
The Executive Order
The Independent Agency EO declares that “[i]t shall be the policy of the executive branch to ensure Presidential supervision and control of the entire executive branch,” which President Trump says includes “the so-called ‘independent regulatory agencies.’” In accordance with this policy, all proposed and final “significant regulatory actions” must be submitted to OIRA for review and approval before the action is published in the Federal Register, removing a major element of these agencies’ independence. The OIRA submission requirement takes effect on April 19, 2025 (or sooner if OMB releases new guidance before that date).
The Independent Agency EO also:

Details new protocols that OMB may coordinate and review with the agencies to ensure alignment with the Administration’s policies and agenda, including a provision directing OMB to establish performance standards for each independent agency head and requiring the periodic submission of reports to the president on each agency head’s “performance and efficiency.”
Requires each independent agency to create a White House liaison position within the agency and to coordinate its policies and priorities with the White House.
Asserts that the President and Attorney General (subject to the President’s supervision), shall provide authoritative interpretations of law for the executive branch, and provides that no employee of the executive branch (which presumably includes employees of independent agencies) “may advance an interpretation of law as the position of the United States that contravenes the President’s and Attorney General’s opinion on the matter.”

Additional Considerations and Observations
As noted, the related question of whether the President may remove political appointees of an independent regulatory agency, which likewise implicates the authority of the President over these agencies, is simultaneously making its way through the courts, with the acting Solicitor General asserting in Congressional correspondence that the Department of Justice will no longer defend the constitutionality of for-cause removal provisions in independent agency enabling statutes. In one case pending before the U.S. District Court for the District of Columbia, the court temporarily stayed the President’s removal of the head of the Office of Special Counsel, with the Administration’s Application to the Supreme Court to vacate the stay held in abeyance pending further proceedings before the District Court on issuance of a preliminary injunction. In a second case, a challenge to the President’s firing of a member of the National Labor Relations Board is pending before a U.S. District Court in D.C., with an expedited briefing schedule and hearing set on the removed official’s motion for summary judgment.
It is not uncommon for independent agencies, whose head and majority (following appointments to vacancies) are typically of the President’s party, to align with the President on major policy initiatives. This can be seen, for example, from the on-again, off-again history of net neutrality’s treatment by the FCC, which has been directly connected to which party holds the presidency and the Chair and majority at the FCC. In recent comments to the press, FERC Chairman Mark Christie noted this typical pattern of alignment between the Administration in power and independent agencies on major initiatives and suggested that the majority of the consultation-related provisions of the Independent Agency EO appeared consistent with current practices, in some cases going back decades.
That said, what will be different under the Independent Agency EO, together with the authority of the President to fire independent agency heads at will if sanctioned by the Supreme Court, is that these agencies can be expected to become more of a direct instrument of the Administration in advancing its policy agenda. This can be seen most immediately from the FCC’s reported investigation into the DEI practices of an FCC-regulated entity, and the recent announcement by the FTC of an inquiry into policies of social media platforms affecting political speech. In addition, the Deregulation EO direction that all agencies, including independent agencies, identify regulations that are inconsistent with the Administration’s deregulatory and other policy objectives and develop a plan for rescinding or modifying those regulations, could potentially prompt some unexpected initiatives from the independent agencies but also could provide opportunities for regulated entities.
In terms of OIRA review, the executive order will likely slow the regulatory process and agency action, as publication in the Federal Register is to be delayed pending OIRA review for both proposed and final actions. This may be a “good news, bad news story” for businesses with issues before independent regulatory agencies. For those advocating for a particular position adopted by the agency, final action will likely be delayed and could be changed in the OIRA process. For those opposing particular agency action, the OIRA process, which includes consultation with other White House and Cabinet-level departments, as well as the ability of interested parties to comment and meet with OIRA on agency action under review, provides an additional opportunity to influence, and perhaps pare back or block, an agency proposal or final rule.
This order is likely to be subject to a court challenge, like other Trump Administration Executive Orders. Nevertheless, if your business is subject to the regulatory actions of these independent agencies, be prepared for an environment with some higher risks and uncertainty, but also for additional opportunity to engage with political actors in Congress and the Executive Branch, as well as the independent agencies themselves, to check agency action that may be adverse to your company’s interests.

1 The term “independent regulatory agency” is defined by statute in 44 U.S.C. § 3502(5) as the listed federal agencies in that section and “any other similar agency designated by statute as a Federal independent regulatory agency or commission.” In addition to the FCC, FTC, SEC, and FERC, independent agencies identified in that provision include the Federal Housing Finance Agency, the Federal Maritime Commission, the Interstate Commerce Commission (which was abolished in 1995, with the newly created Surface Transportation Board succeeding to its rail industry regulatory functions), the National Labor Relations Board, the Nuclear Regulatory Commission, and the Occupational Safety and Health Review Commission. The Independent Agency EO explicitly includes the Federal Election Commission, but excludes the Federal Reserve and its Federal Open Market Committee, though it applies to Fed activities directly related to its supervision and regulation of financial institutions.
2 Separately, in a process that companies with business before independent agencies may be familiar with, OIRA has explicit statutory authority under the Paperwork Reduction Act, 44 U.S.C. 3501, et seq., to review actions of any executive department or other entity in the executive branch, as well as of independent regulatory agencies, that require the submission of information to the government, so-called “information collections”. OIRA review of agency information collections under the Paperwork Reduction Act, which is a statutory requirement, is separate and distinct from reviews of executive agency regulatory actions and activities under EO 12866, which has now been extended to independent regulatory agencies by the Independent Agency EO.

Preserving Camera Footage in Anticipation of Litigation

In Chepilko v. Henry, the Southern District of New York denied plaintiff’s motion for spoliation sanctions, finding that a public records request and a civilian complaint did not trigger defendants’ duty to preserve electronic evidence. In the ruling, Magistrate Judge Stewart D. Aaron analyzed when one’s obligation to preserve camera footage “in anticipation of litigation” arises for purposes of Rule 37(e) spoliation.
Chepilko v. Henry Background
Plaintiff alleged one defendant — a lieutenant with the New York City Police Department (NYPD) — used excessive force during a street encounter.[1] One year later, plaintiff brought claims against the defendant and the NYPD, including for excessive force, failure to intervene, and malicious prosecution. During discovery, a dispute arose regarding preservation (or lack thereof) of NYPD camera footage that may have captured the incident. Although the footage at issue was destroyed pursuant to the NYPD’s 30-day retention policy for camera footage, plaintiff argued its destruction was improper because defendants had an obligation to preserve it at the time it was destroyed. 
Plaintiff filed a motion for sanctions under Rule 37(e). In opposition, defendants argued that at the time of its deletion, defendants were not on any notice of an obligation to preserve the footage. Plaintiff did not file suit for more than 11 months, and at no time prior to the filing did defendants reasonably anticipate litigation arising from the incident. Plaintiff countered that other factors – including a Freedom of Information Law (FOIL) records request and a civilian complaint filed with the New York City Civilian Complaint Review Board (CCRB) – triggered defendants’ obligation to preserve the footage. In denying plaintiff’s Rule 37(e) motion, Judge Aaron considered each of plaintiff’s arguments.
At the outset of his decision, Judge Aaron noted the well-established “threshold” requirement for a successful Rule 37(e) sanctions motion – that the allegedly spoliating party have a reasonable “anticipation of litigation” at the time the evidence is destroyed. Judge Aaron rejected plaintiff’s argument that “the incident itself” should have put defendants on notice of litigation sufficient to trigger obligations to preserve and refused to “endorse a bright line rule that a police officer should anticipate litigation every time he issues a summons.” Moreover, where, as here, plaintiff was not injured and the force used was not excessive (as found on the merits), defendants are not deemed to have “reasonably foreseen litigation” as a result. Similarly, Judge Aaron noted that a 911 call after the incident did not trigger a preservation obligation as “Plaintiff merely advised the 911 operator that [the lieutenant] ‘pushed [Plaintiff] several times.’” 
Judge Aaron also rejected plaintiff’s argument that his FOIL requests for the footage from relevant cameras, filed immediately after the incident, put defendants on notice of a duty to preserve. Because initiating a public records request does not equate to a request predicated upon a potential litigation, a FOIL request does not necessarily trigger a preservation obligation. Finally, Judge Aaron rejected the argument that a plaintiff-prompted CCRB investigation triggered an obligation to preserve. The judge found that the CCRB is a separate entity from the NYPD and merely filing a civilian complaint – a relatively common occurrence – does not necessarily trigger an obligation upon another entity to preserve evidence. Accordingly, Judge Aaron rejected plaintiff’s Rule 37(e) sanctions motion in its entirety.
Takeaways for Electronic Evidence Preservation
This case serves as a useful reminder that one’s obligation to preserve evidence is triggered when litigation is reasonably anticipated, and that when that obligation is triggered can be a fact-intensive inquiry. There are no bright-line rules about when one should reasonably anticipate litigation, and the standard can be subjective.

[1] Plaintiff received a criminal summons for disorderly conduct in disrupting vehicular traffic for standing in the street during this encounter. The summons was dismissed soon after it was issued.

Final Rule Implementing U.S. Outbound Investments Restrictions Goes into Effect

On October 28, 2024, the U.S. Department of Treasury (Treasury Department) published a final rule (Final Rule) setting forth the regulations implementing Executive Order 14150 of August 9, 2023 (Outbound Investment Order), creating a scheme regulating U.S. persons’ investments in a country of concern involving the semiconductors and microelectronics, quantum information technologies and artificial intelligence sectors.[1] According to the Annex to the Outbound Investment Order, China (including Hong Kong and Macau) is currently the only identified “Country of Concern”. The Final Rule took effect on January 2, 2025.
Who are the in-scope persons?
The Final Rule regulates the direct and indirect involvement of “U.S. Persons”, which is broadly defined to include (i) any U.S. citizen, (ii) any lawful permanent resident, (iii) any entity organized under the laws of the United States or any jurisdiction within the United States, including any foreign branches of any such entity, and (iv) any person in the U.S.
The Final Rule requires a U.S. Person to take all reasonable steps to prohibit a “Controlled Foreign Entity”, a non-U.S. incorporated/organized entity, from making outbound investments that would be prohibited if undertaken by a U.S. Person. As such, the Final Rule extends its influence over any Controlled Foreign Entity of such U.S. Person.
The Final Rule also prohibits a U.S. Person from knowingly directing a transaction that would be prohibited by the Final Rule if engaged in by a U.S. Person.
Which outbound investments are in-scope?
The “Covered Transactions” include investment, loan and debt financing conferring certain investor rights characteristic of equity investments, greenfield or brownfield investments, and investment in a joint venture (“JV”) or fund, in each case relating to a “Covered Foreign Person” (as discussed below):

Equity investment: (i) acquisition of equity interest or contingent equity interest in a Covered Foreign Person; (ii) conversion of contingent equity interest (acquired after the effectiveness of the Final Rule) into equity interest in a Covered Foreign Person;
Loan or debt financing: provision of loan or debt financing to a Covered Foreign Person, where the U.S. Person is afforded an interest in profits, the right to appoint a director (or equivalent) or other comparable financial or governance rights characteristic of an equity investment but not typical of a loan;
Greenfield/brownfield investment: acquisition, leasing, development of operations, land, property, or other asset in China (including Hong Kong and Macau) that the U.S. Person knows will result in the establishment or engagement of a Covered Foreign Person; and
JV/fund investment: (i) entry into a JV with a Covered Foreign Person that the U.S. Person knows will or plans to engage in covered activities; (ii) acquisition of a limited partner or equivalent interest in a non-U.S. Person venture capital fund, private equity fund, fund of funds, or other pooled investment fund that will engage in a transaction that would be a Covered Transaction if undertaken by a U.S. Person.

What are in-scope transactions and carve-out transactions?
The Final Rule identifies three categories of Covered Transactions involving covered foreign persons – Notifiable Transactions, Prohibited Transactions, and Excepted Transactions.
A “Covered Foreign Person” includes the following persons engaging in “Covered Activities” (i.e. Notifiable or Prohibited Activities identified in the Final Rule) relating to a Country of Concern:

A person of China, Hong Kong or Macau, including an individual who is a citizen or permanent resident of China (including Hong Kong and Macau) and is not a U.S. citizen or permanent resident of the United States; an entity organized under the laws of China (including Hong Kong and Macau), or headquartered in, incorporated in, or with a principal place of business in China (including Hong Kong and Macau); the government of China (including Hong Kong and Macau); or an entity that is directly or indirectly owned 50% or more by any persons in any of the aforementioned categories.
A person who directly or indirectly holds a board seat, voting rights, equity interests, or contractual power to direct or cause the management or policies of any person that derives 50% or more of its revenue or net income, or incurs 50% or more of its capital expenditure or operating expenses (individually or as aggregated), from China (including Hong Kong and Macau) (subject to a $50,000 minimum); and
A person from China (including Hong Kong or Macau) who enters a JV that engages, plans to engage or will engage in a Covered Activity.

Notifiable and Prohibited Transactions
The Final Rule:

Requires U.S. Persons to notify the Treasury Department regarding transactions involving covered foreign persons that fall within the scope of Notifiable Transactions, and
Prohibits U.S. Persons from engaging in transactions involving Covered Foreign Persons that fall within the scope of Prohibited Transactions.

The delineation between Notifiable Transactions and Prohibited Transactions hinges on how great a threat the transaction poses to the national security of the United States — a Notifiable Transaction contributes to national security threats, while a Prohibited Transaction poses a particularly acute national security threat because of its potential to significantly advance the military, intelligence, surveillance, or cyber-enabled capabilities of a Country of Concern.
Specifically, a Notifiable Transaction necessarily involves the following Notifiable Activities, while a Prohibited Transaction necessarily involves the following Prohibited Activities:

Semiconductors & Microelectronics

Prohibited Activities:
– Develops or produces any electronic design automation software for the design of integrated circuits (ICs) or advanced packaging;
– Develops or produces (i) equipment for (a) performing volume fabrication of integrated circuits, or (b) performing volume advanced packaging, or (ii) any commodity, material, software, or technology designed exclusively for extreme ultraviolet lithography fabrication equipment;
– Designs any integrated circuit that meets or exceeds certain specified performance parameters[2] or is designed exclusively for operations at or below 4.5 Kelvin;
– Fabricates integrated circuits with special characteristics;[3]
– Packages any IC using advanced packaging techniques.

Notifiable Activities:
– Designs, fabricates, or packages any ICs that are not prohibited activities.

Quantum Information Technology

Prohibited Activities:
– Develops, installs, sells, or produces any supercomputer enabled by advanced ICs that can provide a theoretical compute capacity beyond a certain threshold;[4]
– Develops a quantum computer or produces any critical components;[5]
– Develops or produces any quantum sensing platform for any military, government intelligence, or mass-surveillance end use;
– Develops or produces any quantum network or quantum communication system designed or used for certain specific purposes.[6]

Notifiable Activities:
– None.

Artificial Intelligence (AI)

Prohibited Activities:
– Develops any AI system that is designed or used for any military end use, government intelligence, or mass-surveillance end use;
– Develops any AI system that is trained using a quantity of computing power greater than (a) 10^25 computational operations; and (b) 10^24 computational operations using primarily biological sequence data.

Notifiable Activities:
– Designs an AI system that is not a prohibited activity and that is:
(a) designed for any military, government intelligence or mass-surveillance end use;
(b) intended to be used for cybersecurity applications, digital forensic tools, penetration testing tools, or control of a robotic system; or
(c) trained using a quantity of computing power greater than 10^23 computational operations.

Excepted Transactions
The Final Rule sets forth the categories of Excepted Transactions, which the Treasury Department has determined present a lower likelihood of transferring tangible benefits to a Covered Foreign Person or are otherwise unlikely to present national security concerns. These include:

Investment in publicly traded securities: an investment in a publicly traded security (as defined under the Securities Act of 1934) denominated in any currency and traded on any securities exchange or OTC in any jurisdiction;[7]
Investment in a security issued by a registered investment company: an investment by a U.S. Person in the security issued by an investment company or by a business development company (as defined under the Investment Company Act of 1940), such as an index fund, mutual fund, or ETF;
Derivative investment: derivative investments that do not confer the right to acquire equity, right, or assets of a Covered Foreign Person;
Small-size limited partnership investment: limited partnership or its equivalent investment (at or below two million USD) in a venture capital fund, private equity fund, fund of funds, or other pooled investment fund where the U.S. Person has secured a contractual assurance that the fund will not be used to engage in a Covered Transaction;
Full Buyout: acquisition by a U.S. Person of all equity or other interests held by a China-linked person, in an entity that ceases to be a Covered Foreign Person post-acquisition;
Intracompany transaction: a transaction between a U.S. Person and a Controlled Foreign Entity (subsidiary) to support ongoing operations or other activities that are not Covered Activities;
Pre-existing binding commitment: a transaction for binding, uncalled capital commitment entered into before January 2, 2025;
Syndicated loan default: acquisition of a voting interest in a Covered Foreign Person by a U.S. Person upon default of a syndicated loan made by the lending syndicate and with passive U.S. Person participation; and
Equity-based compensation: receipt of employment compensation by a U.S. Person in the form of equity or option incentives and the exercising of such incentives.

What is the knowledge standard?
The Final Rule provides that certain provisions will only apply if a U.S. Person has Knowledge of the relevant facts or circumstances at the time of a transaction. “Knowledge” under the Final Rule includes (a) actual knowledge of the existence or the substantial certainty of occurrence of a fact or circumstance, (b) awareness of a high probability of the existence of a fact, circumstance or future occurrence, or (c) reason to know of the existence of a fact or circumstance.
The determination of Knowledge will be made based on the information a U.S. Person had or could have had through a reasonable and diligent inquiry, assessed on the totality of relevant facts and circumstances, including without limitation, (a) whether a proper inquiry has been made, (b) whether contractual representations or warranties have been obtained, (c) whether efforts have been made to obtain and assess non-public and public information, (d) whether there are any warning signs, and (e) whether there has been purposeful avoidance of efforts to learn and seek information.
Key points relating to the notification filing procedures
A U.S. Person’s obligation to notify the Treasury Department is triggered when it knows the relevant facts or circumstances related to a Notifiable Transaction entered into by itself or by its Controlled Foreign Entity. The U.S. Person must follow the electronic filing instructions to submit the filing at https://home.treasury.gov/policy-issues/international/outbound-investment-program.
The filing of the notification is time-sensitive. The filing deadline is no later than 30 days following the completion of a Notifiable Transaction or otherwise no later than 30 days after acquiring such knowledge if a U.S. Person becomes aware of the transaction after its completion. If a filing is made prior to the completion of a transaction and there are material changes to the information in the original filing, the notifying U.S. Person shall update the notification no later than 30 days following the completion of the transaction.
In addition to the detailed information requested under the Final Rule, the CEO or another designee of the U.S. Person must certify the accuracy and completeness, in all material respects, of the information submitted.
What are the consequences of non-compliance?
The Treasury Department may impose civil and administrative penalties for any violation of the Final Rule, including engaging in Prohibited Transactions, failing to report Notifiable Transactions, making false representations or omissions, or engaging in evasive actions or conspiracies to violate the Final Rule. The Treasury Department may impose fines, require divestment, or refer violations to the U.S. Department of Justice for criminal prosecution.
U.S. Persons may submit a voluntary self-disclosure if they believe their conduct may have violated any part of the Final Rule. Such self-disclosure will be taken into consideration during the Treasury Department’s determination of the appropriate response to the self-disclosed activity.

Texas AG Alleges DeepSeek Violates Texas Privacy Law

On February 14, 2025, Attorney General Ken Paxton announced an investigation into DeepSeek, a Chinese artificial intelligence (“AI”) company, regarding its privacy practices and compliance with Texas law. The investigation also examines DeepSeek’s claims that its AI model rivals leading global models, including OpenAI’s technology.
As part of the investigation, Attorney General Paxton has issued Civil Investigative Demands (“CIDs”) to Google and Apple, requesting their analysis of the DeepSeek application and any documentation DeepSeek submitted before its app became available to consumers.
In a statement, Attorney General Paxton expressed concerns over DeepSeek’s potential connections to the Chinese Communist Party (“CCP”), and its implications for data security and AI competition. Citing national security and privacy risks, Paxton emphasized Texas’ commitment to upholding data protection laws and ensuring compliance with state regulations.
Additionally, on January 28, 2025, the Attorney General banned DeepSeek’s platform from all Office of the Attorney General devices, citing security concerns.
As of this publication date, the investigation remains ongoing.

California Privacy Protection Agency Clarifies Application of the CCPA to Insurance Companies

The California Privacy Protection Agency board voted on November 8, 2024, to advance a proposed rulemaking package for, among other things, a proposed regulation to clarify the application of the California Consumer Privacy Act (CCPA) to insurance companies.

Quick Hits

The California Privacy Protection Agency voted in November 2024 to advance a proposed regulation to clarify the application of the California Consumer Privacy Act (CCPA) to insurance companies.
The proposed regulation defines “insurance company” and specifies that the CCPA applies to personal data not governed by the California Insurance Code.
Illustrations in the proposed regulation clarify that insurance companies must comply with the CCPA for personal data collected from website visitors and employees.

Information obtained in an insurance transaction is governed by the federal Gramm-Leach-Bliley Act. Given this, there has been uncertainty about the CCPA’s application to insurance companies, which are state regulated. In a brief proposed regulation, the agency attempted to clarify this issue to a certain degree.
As an initial matter, the proposed regulation defines the term “insurance company” as any person or company that is subject to the California Insurance Code and its regulations, including insurance institutions, agents, and insurance support organizations. The term “insurance institution” means “any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, or other person engaged in the business of insurance.”
The term “agents” means a person who is licensed to transact insurance in California and an “insurance support organization” means any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions.
Having defined the scope, the proposed regulation states that the CCPA applies “to any personal information not subject to the Insurance Code and its regulations.” Although the statement lacks definite clarity, the proposed regulation provides some guidance with an additional statement that the CCPA’s requirements apply to information “that is collected for purposes not in connection with an insurance transaction, as that term is defined in Insurance Code, section 791.02.” Section 791.02(m) defines insurance transaction as “any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails either of the following: (1) The determination of an individual’s eligibility for an insurance coverage, benefit, or payment. (2) The servicing of an insurance application, policy, contract, or certificate.”
The proposed regulation provides two illustrations that further clarify the application of the CCPA:
“Insurance company A collects personal information from visitors of its website who have not applied for any insurance product or other financial product or service from Company A. This information is used to tailor personalized advertisements across different business websites. Insurance company A must comply with the CCPA, including by providing consumers the right to opt-out of the sale/sharing of their personal information and honoring opt-out preference signals, because the personal information collected from the website browsing is not related to an application for or provision of an insurance transaction or other financial product or service.”
“Insurance company B collects personal information from its employees and job applicants for employment purposes. Insurance company B must comply with the CCPA with regard to employee information, including by providing a Notice at Collection to the employees and job applicants at or before the time their personal information is collected. This is because the personal information collected in this situation is not subject to the Insurance Code or its regulations.”

Insurers may also want to note that the second illustration applies only to California resident job applicants and employees. The notice to job applicants required under the CCPA should be provided if the company solicits applicants from California.
Finally, the CCPA is not the only privacy law or regulation that needs to be considered with regard to the collection and use of consumer data and information. In particular, California Penal Code sections 630 and 638.51 are currently the subject of numerous lawsuits.