Some States Step Up Early to Regulate AI Risk Management
Key Takeaways
A global AI arms race may mean U.S. states are best positioned to regulate AI’s risks.
Colorado and Utah have enacted legislation for how AI is to be used with consumers.
Other states are emphasizing existing laws they say “have roles to play” in regulating AI.
In the span of one month, an executive order issued in 2023 focusing on artificial intelligence (AI) safety and security was repealed and replaced by an executive order focusing on the U.S. being the global leader in AI innovation, while in the EU a liability directive developed in 2022 was abandoned in favor of a bolder, simpler and faster 2025 Commission work program, with an “ambition to boost competitiveness.”
A ‘move fast and break things’ approach to an emerging technology arms race often has drawbacks. For example, the recent rise of DeepSeek provided a glimpse into what was previously unimaginable: an open-source large language model useful for a wide range of purposes, that’s fast, cheap and scalable. But within days it was hacked, sued and discredited.
While nations battle for AI supremacy by “removing barriers” and loosening regulations, in the U.S. last year, 45 states introduced AI bills, and 31 states adopted resolutions or enacted legislation. Overall, hundreds of bills in 23 different AI-related categories have been considered. Two states stand out, Colorado and Utah, for their focus on consumer protection.
Colorado’s AI Act
The Colorado Artificial Intelligence Act (CAIA), which goes into effect on February 1, 2026, applies to developers and deployers of high-risk AI systems. A developer is an entity or individual that develops or intentionally and substantially modifies a high-risk AI system, and a deployer is an individual or entity that deploys a high-risk AI system. A high-risk AI system is one used as a substantial factor in making a consequential decision.
A consequential decision means a decision that has a material legal or similarly significant effect on the provision or denial to any consumer of, or the terms of, education, employment, a financial or lending service, government service, healthcare service, housing, insurance or legal service.
These definitions of the CAIA can seem abstract when not applied to use cases. But a standout feature of the CAIA is its robust mitigation techniques, which include a safe harbor if the National Institute of Standards and Technology’s AI Risk Management Framework (NIST AI RMF) is considered when devising a Risk Management Policy and Program, which is required.
The NIST AI RMF provides voluntary guidance to individuals and companies on how to best manage AI risks throughout an AI system’s lifecycle, often referred to as the implementation of Trustworthy AI, which includes such characteristics as reliability, safety, security, resilience, accountability, transparency and fairness.[1]
The CAIA requires that deployers and developers meet certain criteria to ensure they understand what is required to protect consumers from known or foreseeable risks. In addition to a risk management policy and program, covered entities must complete impact assessments at least annually and in some instances within 90 days of a change to an AI system.
An impact assessment under CAIA requires substantial documentation. For instance, the assessment must include such things as a statement, an analysis, a description and overview of the data used, metrics, a description of transparency measures, and post-deployment monitoring and user safeguards.
Utah’s AI Policy Act
Utah is also an early adopter of AI legislation. In fact, the Utah Artificial Intelligence Policy Act (UAIP) has been in effect since May 2024. Among other things, the UAIP seeks to simultaneously increase consumer protections and encourage responsible AI innovation by:
Mandating transparency through consumer disclosure requirements;[2]
Clarifying liability for AI business operations, including key terms and legal defenses;
Enabling innovation through a regulatory sandbox for responsible AI development, regulatory mitigation agreements (RMAs) and policy and rulemaking by a newly created Office of Artificial Intelligence Policy (OAIP).
The statutory inclusion of RMAs is a unique example of how Utah aspires to balance AI’s potential risks and rewards. The UAIP defines RMAs as an agreement between a participant, OAIP and relevant state agencies and defines regulatory mitigation as restitution to users, cure periods, civil fines if any and other terms that are tailored to the AI technology seeking mitigation.
While not quite a safe harbor from all liability, RMAs provide AI developers, deployers and users with an opportunity to test for unintended consequences in a somewhat controlled environment. In December, the OAIP announced that it had executed its first RMA with ElizaChat, an app schools can offer teens for their mental health.
The 12-page RMA with ElizaChat is notable for its multiple references to cybersecurity – an area the UAIP intends to eventually establish standards for – and schedules. Included in Schedule A under the subheading “Mitigation Offered” are detailed requirements the ElizaChat app must meet, including a Testing Plan and notification obligations should certain incidents occur.[3]
As to AI liability, the UAIP specifies and clarifies that businesses cannot blame AI for any statutory offenses. The fact that AI “made the violative statement, undertook the violative act, or was used in furtherance of the violation” is irrelevant and cannot be used as a legal defense.[4] The UAIP also contemplates the creation of AI cybersecurity standards through the OAIP.
The UAIP also establishes a Learning Lab through which businesses can partner with the OAIP to responsibly develop and test AI solutions. In this way, the UAIP sets the stage for a new era of AI regulation by being the first state law to embed cross-functional learning opportunities for future rules and regulation.
Other States Are Ready To Regulate
On the day this article was published, Virginia announced it passed an AI bill. It is similar to the Colorado and Utah AI Acts with references to AI disclosures and liability standards and the NIST AI RMF. Connecticut also reintroduced “An Act Concerning AI” and New Mexico introduced an anti-algorithmic discrimination bill.
Not to be outdone, in the last few months several states’ attorneys general (AGs) have issued guidance on how they intend to protect consumers and what they expect from organizations that develop, sell and use AI, none more forcefully than AG Rosenblum of Oregon: “If you think the emerging world of AI is completely unregulated under the laws of Oregon, think again!”
AG Rosenblum discusses how Oregon’s Unlawful Trade Practices Act, Consumer Privacy Act and Equality Act affect implementation of AI, even providing seven examples under the UTPA. AG Bonta of California followed suit a week later in a seven-page advisory, citing similar laws and providing nine examples of violations of its unfair competition law.
How to Prepare
To be sure, it’s still early. But states’ regulation of AI and their inclusion of voluntary guidance frameworks such as the NIST AI RMF or RMAs provide, at a minimum, iterative starting points for the types of industry standards that will emerge as legal obligations. Therefore, organizations should consider whether their policies, procedures and plans will enable them to leverage these frameworks.
[1] For further background on the NIST AI RMF see here https://natlawreview.com/article/artificial-intelligence-has-nist-framework-cybersecurity-risk (May 2023) and here https://natlawreview.com/article/nist-releases-risk-profile-generative-ai (May 2024).
[2] Yesterday, the UAIP’s original sponsors proposed an amendment to the required disclosures section, narrowing its application to “high-risk artificial interactions” which refers to interactions with generative AI involving health, financial, medical, and mental health data. If passed, this limitation to the required disclosures will go into effect in June of this year. https://le.utah.gov/~2025/bills/static/SB0226.html. If adopted, this limitation would go some way to lessening the burden of compliance for small and medium businesses.
[3] Id. at 8.
[4] Utah Code Ann. section 13-2-12(2).
Decoding the Independent Agency Executive Order: Implications for the Activities of Federal Agencies and Business Interests
The Ensuring Accountability for All Agencies Executive Order (the “Independent Agency EO”), signed by President Trump on February 18, extends unprecedented direct Administration control over independent regulatory agencies, such as the Federal Communications Commission, the Securities and Exchange Commission, the Federal Trade Commission, and the Federal Energy Regulatory Commission, among others.[1] The Independent Agency EO requires, inter alia, the submission of “major regulatory actions” of independent agencies to the Office of Management and Budget’s (OMB) Office of Information and Regulatory Affairs (OIRA) in the White House, imposing OIRA review and approval requirements on these agencies’ regulatory actions. Such review, to this point, has been limited to actions of cabinet-level executive branch departments (and their respective components and agencies), such as the Departments of Justice, Commerce, Agriculture, Homeland Security, Energy, and Transportation, over which the President has plenary authority, including with respect to their regulatory activities and actions, and the hiring and firing of political appointees, who serve at the President’s pleasure.
In addition, on February 19, the President signed a follow-on Executive Order to implement its Department of Government Efficiency (DOGE) deregulatory initiative (the “Deregulation EO”), directing all Agency heads, including those of independent agencies, to initiate a process to review all regulations under their jurisdiction for consistency with law and the Administration’s policy objectives. Agency heads were also directed, within 60 days (by April 20) to identify and submit to OIRA, regulations that are within one of seven classes that meet the Administration’s criteria for inconsistency with law and its policy objectives.
Key Takeaways:
The Independent Agency EO purports to exert unprecedented direct presidential control over independent agencies, which were created by Congress as governmental agencies outside the President’s Administration in order to insulate them from direct political influence and control.
The order requires White House review of agency action, likely to slow the regulatory process and create uncertainty for business, though also providing business with a second “bite at the apple” to pare back or outright block particular agency regulatory initiatives through the OIRA process.
The Independent Agency EO, together with the Deregulation EO, are additional elements of efforts by the Trump Administration to limit the so-called “Administrative State”, and are simultaneously coupled with the assertion by the Administration of the President’s authority to remove independent agency heads and other political appointees at will, rather than for cause or under other criteria specified in the agency’s enabling statute. Challenges to two such removals are pending in federal court, and the acting U.S. Solicitor General has indicated in a letter to Senator Dick Durbin, ranking member of the Senate Judiciary Committee, that “certain for-cause removal provisions that apply to members of multi-member regulatory commissions are unconstitutional and that the Department [of Justice] will no longer defend their constitutionality.”
Together, these initiatives could provide the Administration with the ability to exert more direct control and influence over independent agencies, including to advance various Administration priorities, most obviously surrounding DEI, green energy, political speech, and others that will come into focus over time. In addition, the Deregulation EO’s call for an accelerated review for consistency with the Administration’s deregulatory and other policy objectives could potentially prompt some unexpected initiatives from the independent agencies.
Background
Independent regulatory agencies are quasi-legislative bodies created by Congress, that are outside the Administration yet technically are considered within the executive branch of the federal government. Independent agencies have historically acted independently from oversight and direction from the President’s administration in their rulemaking and other activities, with their power delegated by Congress through the agency’s enabling statute. The extent of the President’s authority over independent agencies has generally been thought to be limited by the provisions of an agency’s enabling statute, which typically does not extend beyond the President’s authority to appoint agency heads and senior governing officials (such as commissioners and board members), with the advice and consent of the Senate.
The Supreme Court has long held that independent agency political appointees cannot be removed without cause or in accordance with an agency’s enabling statute, which is in contrast with executive department heads serving in the President’s cabinet and other executive department political appointees, who serve at the pleasure of the President and may be removed at will. The President is now asserting the authority to fire independent agency political appointees at will, an issue which is currently pending in two federal court cases, as discussed further below.
OIRA is an office within OMB tasked with, under the 1993 Regulatory Planning and Review EO 12866 (as supplemented by 2011 EO 13563), reviewing and approving executive agency regulatory actions, ensuring compliance with executive orders, and coordinating the Administration’s policies among the cabinet-level executive departments and their component agencies. Prior to the Independent Agency EO, only the regulatory actions and activities of executive departments, their agencies and components were subject to OIRA review under EO 12866, which excludes “independent regulatory agency” from the definition of “agency” for purposes of EO 12866 compliance.[2]
The Executive Order
The Independent Agency EO declares that “[i]t shall be the policy of the executive branch to ensure Presidential supervision and control of the entire executive branch,” which President Trump says includes “the so-called ‘independent regulatory agencies.’” In accordance with this policy, all proposed and final “significant regulatory actions” must be submitted to OIRA for review and approval before the action is published in the Federal Register, removing a major element of these agencies’ independence. The OIRA submission requirement kicks in April 19, 2025 (or sooner if OMB releases new guidance before that date).
The Independent Agency EO also:
Details new protocols that OMB may coordinate and review with the agencies to ensure alignment with the Administration’s policies and agenda, including a provision directing OMB to establish performance standards for each independent agency head and requiring the periodic submission of reports to the president on each agency head’s “performance and efficiency.”
Requires each independent agency to create a White House liaison position within their agency and coordinate its policies and priorities with the White House.
Asserts that the President and Attorney General (subject to the President’s supervision), shall provide authoritative interpretations of law for the executive branch, and provides that no employee of the executive branch (which presumably includes employees of independent agencies) “may advance an interpretation of law as the position of the United States that contravenes the President’s and Attorney General’s opinion on the matter.”
Additional Considerations and Observations
As noted, the related question of whether the President may remove political appointees of an independent regulatory agency, which likewise implicates the authority of the President over these agencies, is simultaneously making its way through the courts, with the acting Solicitor General asserting in Congressional correspondence that the Department of Justice will no longer defend the constitutionality of for-cause removal provisions in independent agency enabling statutes. In one case pending before the U.S. District Court for the District of Columbia, the court temporarily stayed the President’s removal of the head of the Office of Special Counsel, with the Administration’s Application to the Supreme Court to vacate the stay held in abeyance pending further proceedings before the District Court on issuance of a preliminary injunction. In a second case, a challenge to the President’s firing of a member of the National Labor Relations Board is pending before a U.S. District Court in D.C., with an expedited briefing schedule and hearing set on the removed official’s motion for summary judgment.
It is not uncommon for independent agencies, whose head and majority (following appointments to vacancies) are typically of the President’s party, to align with the President on major policy initiatives. This can be seen, for example, from the on-again, off-again history of net neutrality’s treatment by the FCC, which has been directly connected to which party holds the presidency and the Chair and majority at the FCC. In recent comments to the press, FERC Chairman Mark Christie noted this typical pattern of alignment between the Administration in power and independent agencies on major initiatives and suggested that the majority of the consultation-related provisions of the Independent Agency EO appeared consistent with current practices, in some cases going back decades.
That said, what will be different under the Independent Agency EO, together with the authority of the President to fire independent agency heads at will if sanctioned by the Supreme Court, is that these agencies can be expected to become more of a direct instrument of the Administration in advancing its policy agenda. This can be seen most immediately from the FCC’s reported investigation into the DEI practices of an FCC-regulated entity, and the recent announcement by the FTC of an inquiry into policies of social media platforms affecting political speech. In addition, the Deregulation EO direction that all agencies, including independent agencies, identify regulations that are inconsistent with the Administration’s deregulatory and other policy objectives and develop a plan for rescinding or modifying those regulations, could potentially prompt some unexpected initiatives from the independent agencies but also could provide opportunities for regulated entities.
In terms of OIRA review, the executive order will likely slow the regulatory process and agency action, as publication in the Federal Register is to be delayed pending OIRA review for both proposed and final actions. This may be a “good news, bad news story” for businesses with issues before independent regulatory agencies. For those advocating for a particular position adopted by the agency, final action will likely be delayed and could be changed in the OIRA process. For those opposing particular agency action, the OIRA process, which includes consultation with other White House and Cabinet-level departments, as well as the ability of interested parties to comment and meet with OIRA on agency action under review, provides an additional opportunity to influence, and perhaps pare back or block, an agency proposal or final rule.
This order is likely to be subject to a court challenge, like other Trump Administration Executive Orders. Nevertheless, if your business is subject to the regulatory actions of these independent agencies, be prepared for an environment with some higher risks and uncertainty, but also for additional opportunity to engage with political actors in Congress and the Executive Branch, as well as the independent agencies themselves, to check agency action that may be adverse to your company’s interests.
[1] The term “independent regulatory agency” is defined by statute in 44 U.S.C. § 3502(5) as the listed federal agencies in that section and “any other similar agency designated by statute as a Federal independent regulatory agency or commission.” In addition to the FCC, FTC, SEC, and FERC, independent agencies identified in that provision include the Federal Housing Finance Agency, the Federal Maritime Commission, the Interstate Commerce Commission (which was abolished in 1995, with the newly created Surface Transportation Board succeeding to its rail industry regulatory functions), the National Labor Relations Board, the Nuclear Regulatory Commission, and the Occupational Safety and Health Review Commission. The Independent Agency EO explicitly includes the Federal Election Commission, but excludes the Federal Reserve and its Federal Open Market Committee, though it applies to Fed activities directly related to its supervision and regulation of financial institutions.
[2] Separately, in a process that companies with business before independent agencies may be familiar with, OIRA has explicit statutory authority under the Paperwork Reduction Act, 44 U.S.C. 3501, et seq., to review actions of any executive department or other entity in the executive branch, as well as of independent regulatory agencies, that require the submission of information to the government, so-called “information collections”. OIRA review of agency information collections under the Paperwork Reduction Act, which is a statutory requirement, is separate and distinct from reviews of executive agency regulatory actions and activities under EO 12866, which has now been extended to independent regulatory agencies by the Independent Agency EO.
Preserving Camera Footage in Anticipation of Litigation
In Chepilko v. Henry, the Southern District of New York denied plaintiff’s motion for spoliation sanctions, finding that a public records request and a civilian complaint did not trigger defendants’ duty to preserve electronic evidence. In the ruling, Magistrate Judge Stewart D. Aaron analyzed when one’s obligation to preserve camera footage “in anticipation of litigation” arises for purposes of Rule 37(e) spoliation.
Chepilko v. Henry Background
Plaintiff alleged one defendant — a lieutenant with the New York City Police Department (NYPD) — used excessive force during a street encounter.[1] One year later, plaintiff brought claims against the defendant and the NYPD, including for excessive force, failure to intervene, and malicious prosecution. During discovery, a dispute arose regarding preservation (or lack thereof) of NYPD camera footage that may have captured the incident. Although the footage at issue was destroyed pursuant to the NYPD’s 30-day retention policy for camera footage, plaintiff argued its destruction was improper because defendants had an obligation to preserve it at the time it was destroyed.
Plaintiff filed a motion for sanctions under Rule 37(e). In opposition, defendants argued that at the time of its deletion, defendants were not on any notice of an obligation to preserve the footage. Plaintiff did not file suit for more than 11 months and at no time prior to the filing did defendants reasonably anticipate litigation arising from the incident. Plaintiff countered that other factors – including a Freedom of Information Law (FOIL) records request and a civilian complaint filed with the New York City Civilian Complaint Review Board (CCRB) – triggered defendants’ obligation to preserve the footage. In denying plaintiff’s Rule 37(e) motion, Judge Aaron considered each of plaintiff’s arguments.
At the outset of his decision, Judge Aaron noted the well-established “threshold” requirement for a successful Rule 37(e) sanctions motion – that the allegedly spoliating party have a reasonable “anticipation of litigation” at the time the evidence is destroyed. Judge Aaron rejected plaintiff’s argument that “the incident itself” should have put defendants on notice of litigation sufficient to trigger obligations to preserve and refused to “endorse a bright line rule that a police officer should anticipate litigation every time he issues a summons.” Moreover, where, as here, plaintiff was not injured and the force used was not excessive (as found on the merits), defendants are not deemed to have “reasonably foreseen litigation” as a result. Similarly, Judge Aaron noted that a 911 call after the incident did not trigger a preservation obligation as “Plaintiff merely advised the 911 operator that [the lieutenant] ‘pushed [Plaintiff] several times.’”
Judge Aaron also rejected plaintiff’s argument that his FOIL requests for the footage from relevant cameras, filed immediately after the incident, put defendants on notice of a duty to preserve. Because initiating a public records request does not equate to a request predicated upon a potential litigation, a FOIL request does not necessarily trigger a preservation obligation. Finally, Judge Aaron rejected the argument that a plaintiff-prompted CCRB investigation triggered an obligation to preserve. The judge found that the CCRB is a separate entity from the NYPD and merely filing a civilian complaint – a relatively common occurrence – does not necessarily trigger an obligation upon another entity to preserve evidence. Accordingly, Judge Aaron rejected plaintiff’s Rule 37(e) sanctions motion in its entirety.
Takeaways for Electronic Evidence Preservation
This case serves as a useful reminder that one’s obligation to preserve evidence is triggered when litigation is reasonably anticipated, and when that obligation is triggered can be a fact-intensive inquiry. There are no bright-line rules about when one should reasonably anticipate litigation, and the standard can be subjective.
[1] Plaintiff received a criminal summons for disorderly conduct in disrupting vehicular traffic for standing in the street during this encounter. The summons was dismissed soon after it was issued.
Final Rule Implementing U.S. Outbound Investments Restrictions Goes into Effect
On October 28, 2024, the U.S. Department of Treasury (Treasury Department) published a final rule (Final Rule) setting forth the regulations implementing Executive Order 14150 of August 9, 2023 (Outbound Investment Order), creating a scheme regulating U.S. persons’ investments in a country of concern involving semiconductors and microelectronics, quantum information technologies and artificial intelligence sectors.[1] According to the Annex to the Outbound Investment Order, China (including Hong Kong and Macau) is currently the only identified “Country of Concern”. The Final Rule took effect on January 2, 2025.
Who are the in-scope persons?
The Final Rule regulates the direct and indirect involvement of “U.S. Persons”, a term broadly defined to include (i) any U.S. citizen, (ii) any lawful permanent resident, (iii) any entity organized under the laws of the United States or any jurisdiction within the United States, including any foreign branches of any such entity, and (iv) any person in the U.S.
The Final Rule requires a U.S. Person to take all reasonable steps to prohibit a “Controlled Foreign Entity”, a non-U.S. incorporated/organized entity, from making outbound investments that would be prohibited if undertaken by a U.S. Person. As such, the Final Rule extends its influence over any Controlled Foreign Entity of such U.S. Person.
The Final Rule also prohibits a U.S. Person from knowingly directing a transaction that would be prohibited by the Final Rule if engaged in by a U.S. Person.
Which outbound investments are in-scope?
The “Covered Transactions” include investment, loan and debt financing conferring certain investor rights characteristic of equity investments, greenfield or brownfield investments and investment in a joint venture (“JV”) or fund, relating to a “Covered Foreign Person” (as discussed below), as described below:
Equity investment: (i) acquisition of equity interest or contingent equity interest in a Covered Foreign Person; (ii) conversion of contingent equity interest (acquired after the effectiveness of the Final Rule) into equity interest in a Covered Foreign Person;
Loan or debt financing: provision of loan or debt financing to a Covered Foreign Person, where the U.S. Person is afforded an interest in profits, the right to appoint a director (or equivalent) or other comparable financial or governance rights characteristic of an equity investment but not typical of a loan;
Greenfield/brownfield investment: acquisition, leasing, development of operations, land, property, or other asset in China (including Hong Kong and Macau) that the U.S. Person knows will result in the establishment or engagement of a Covered Foreign Person; and
JV/fund investment: (i) entry into a JV with a Covered Foreign Person that the U.S. Person knows will or plans to engage in covered activities; (ii) acquisition of limited partner or equivalent interest in a non-U.S. Person venture capital fund, private equity fund, fund of funds, or other pooled investment fund that will engage in a transaction that would be a Covered Transaction if undertaken by a U.S. Person.
What are in-scope transactions and carve-out transactions?
The Final Rule identifies three categories of Covered Transactions involving covered foreign persons – Notifiable Transactions, Prohibited Transactions, and Excepted Transactions.
A “Covered Foreign Person” includes the following persons engaging in “Covered Activities” (i.e. Notifiable or Prohibited Activities identified in the Final Rule) relating to a Country of Concern:
A person of China, Hong Kong or Macau, including an individual who is a citizen or permanent resident of China (including Hong Kong and Macau) and is not a U.S. citizen or permanent resident of the United States; an entity organized under the laws of China (including Hong Kong and Macau), or headquartered in, incorporated in, or with a principal place of business in China (including Hong Kong and Macau); the government of China (including Hong Kong and Macau); or an entity that is directly or indirectly owned 50% or more by any persons in any of the aforementioned categories;
A person that directly or indirectly holds a board seat, voting rights, equity interests, or contractual power to direct or cause the management or policies of any person that derives 50% or more of its revenue or net income or incurs 50% or more of its capital expenditure or its operating expenses (individually or as aggregated) from China (including Hong Kong and Macau) (subject to a $50,000 minimum); and
A person from China (including Hong Kong or Macau) who enters a JV that engages, plans to or will engage in a Covered Activity.
Notifiable and Prohibited Transactions
The Final Rule:
Requires U.S. Persons to notify the Treasury Department regarding transactions involving Covered Foreign Persons that fall within the scope of Notifiable Transactions, and
Prohibits U.S. Persons from engaging in transactions involving Covered Foreign Persons that fall within the scope of Prohibited Transactions.
The delineation between Notifiable Transactions and Prohibited Transactions hinges on how serious a threat the transaction poses to the national security of the United States — a Notifiable Transaction contributes to national security threats, while a Prohibited Transaction poses a particularly acute national security threat because of its potential to significantly advance the military intelligence, surveillance, or cyber-enabled capabilities of a Country of Concern.
Specifically, a Notifiable Transaction necessarily involves the following Notifiable Activities, while a Prohibited Transaction necessarily involves the following Prohibited Activities:
Semiconductors & Microelectronics
Prohibited Activities:
– Develops or produces any electronic design automation software for the design of integrated circuits (ICs) or advanced packaging;
– Develops or produces (i) equipment for (a) performing volume fabrication of integrated circuits, or (b) performing volume advanced packaging, or (ii) commodity, material, software, or technology designed exclusively for extreme ultraviolet lithography fabrication equipment;
– Designs any integrated circuits that meet or exceed certain specified performance parameters[2] or are designed exclusively for operations at or below 4.5 Kelvin;
– Fabricates integrated circuits with special characteristics;[3]
– Packages any IC using advanced packaging techniques.
Notifiable Activities:
– Designs, fabricates, or packages any ICs that are not prohibited activities.
Quantum Information Technology
Prohibited Activities:
– Develops, installs, sells, or produces any supercomputer enabled by advanced ICs that can provide a theoretical compute capacity beyond a certain threshold;[4]
– Develops a quantum computer or produces any critical components;[5]
– Develops or produces any quantum sensing platform for any military, government intelligence, or mass-surveillance end use;
– Develops or produces any quantum network or quantum communication system designed or used for certain specific purposes.[6]
Notifiable Activities:
– None
Artificial Intelligence (AI)
Prohibited Activities:
– Develops any AI system that is designed or used for any military end use, government intelligence, or mass-surveillance end use;
– Develops any AI system that is trained using a quantity of computing power greater than (a) 10^25 computational operations; and (b) 10^24 computational operations using primarily biological sequence data.
Notifiable Activities:
– Design of an AI system that is not a prohibited activity and that is:
(a) Designed for any military, government intelligence or mass-surveillance end use;
(b) Intended to be used for cybersecurity applications; digital forensic tools; penetration testing tools; control of robotic systems; or
(c) Trained using a quantity of computing power greater than 10^23 computational operations.
Excepted Transactions
The Final Rule sets forth the categories of Excepted Transactions, which the Treasury Department has determined present a lower likelihood of transferring tangible benefits to a Covered Foreign Person or are otherwise unlikely to present national security concerns. These include:
Investment in publicly traded securities: an investment in a publicly traded security (as defined under the Securities Act of 1934) denominated in any currency and traded on any securities exchange or OTC in any jurisdiction;[7]
Investment in a security issued by a registered investment company: an investment by a U.S. Person in the security issued by an investment company or by a business development company (as defined under the Investment Company Act of 1940), such as an index fund, mutual fund, or ETF;
Derivative investment: derivative investments that do not confer the right to acquire equity, rights, or assets of a Covered Foreign Person;
Small-size limited partnership investment: limited partnership or its equivalent investment (at or below two million USD) in a venture capital fund, private equity fund, fund of funds, or other pooled investment fund where the U.S. Person has secured a contractual assurance that the fund will not be used to engage in a Covered Transaction;
Full Buyout: acquisition by a U.S. Person of all equity or other interests held by a China-linked person, in an entity that ceases to be a Covered Foreign Person post-acquisition;
Intracompany transaction: a transaction between a U.S. Person and a Controlled Foreign Entity (subsidiary) to support ongoing operations or other activities that are not Covered Activities;
Pre-existing binding commitment: a transaction for binding, uncalled capital commitment entered into before January 2, 2025;
Syndicated loan default: acquisition of a voting interest in a Covered Foreign Person by a U.S. Person upon default of a syndicated loan made by the lending syndicate and with passive U.S. Person participation; and
Equity-based compensation: receipt of employment compensation by a U.S. Person in the form of equity or option incentives and the exercising of such incentives.
What is the knowledge standard?
The Final Rule provides that certain provisions will only apply if a U.S. Person has Knowledge of the relevant facts or circumstances at the time of a transaction. “Knowledge” under the Final Rule includes (a) actual knowledge of the existence or the substantial certainty of occurrence of a fact or circumstance, (b) awareness of high probability of the existence of a fact, circumstance or future occurrence, or (c) reason to know of the existence of a fact or circumstance.
The determination of Knowledge will be made based on information a U.S. Person had or could have had through a reasonable and diligent inquiry, which should be based on the totality of relevant facts and circumstances, including without limitation, (a) whether a proper inquiry has been made, (b) whether contractual representations or warranties have been obtained, (c) whether efforts have been made to obtain and assess non-public and public information; (d) whether there is any warning sign; and (e) whether there is purposeful avoidance of efforts to learn and seek information.
Key points relating to the notification filing procedures
A U.S. Person’s obligation to notify the Treasury Department is triggered when it knows relevant facts or circumstances related to a Notifiable Transaction entered into by itself or its Controlled Foreign Entity. The U.S. Person shall follow the electronic filing instructions and submit the filing at https://home.treasury.gov/policy-issues/international/outbound-investment-program.
The filing of the notification is time-sensitive. The filing deadline is no later than 30 days following the completion of a Notifiable Transaction or otherwise no later than 30 days after acquiring such knowledge if a U.S. Person becomes aware of the transaction after its completion. If a filing is made prior to the completion of a transaction and there are material changes to the information in the original filing, the notifying U.S. Person shall update the notification no later than 30 days following the completion of the transaction.
In addition to the detailed information requested under the Final Rule, a certification by the CEO or other designees of the U.S. Person is required to certify the accuracy and completeness in material respects of the information submitted.
What are the consequences of non-compliance?
The Treasury Department may impose civil and administrative penalties for any Final Rule violations, including engaging in Prohibited Transactions, failing to report Notifiable Transactions, making false representations or omissions, or engaging in evasive actions or conspiracies to violate the Final Rule. The Treasury Department may impose fines, require divestments, or refer violations of the Final Rule to the U.S. Department of Justice for criminal prosecution.
U.S. Persons may submit a voluntary self-disclosure if they believe their conduct may have violated any part of the Final Rule. Such self-disclosure will be taken into consideration during the Treasury Department’s determination of the appropriate response to the self-disclosed activity.
Texas AG Alleges DeepSeek Violates Texas Privacy Law
On February 14, 2025, Attorney General Ken Paxton announced an investigation into DeepSeek, a Chinese artificial intelligence (“AI”) company, regarding its privacy practices and compliance with Texas law. The investigation also examines DeepSeek’s claims that its AI model rivals leading global models, including OpenAI’s technology.
As part of the investigation, Attorney General Paxton has issued Civil Investigative Demands (“CIDs”) to Google and Apple, requesting their analysis of the DeepSeek application and any documentation DeepSeek submitted before its app became available to consumers.
In a statement, Attorney General Paxton expressed concerns over DeepSeek’s potential connections to the Chinese Communist Party (“CCP”), and its implications for data security and AI competition. Citing national security and privacy risks, Paxton emphasized Texas’ commitment to upholding data protection laws and ensuring compliance with state regulations.
Additionally, on January 28, 2025, the Attorney General banned DeepSeek’s platform from all Office of the Attorney General devices, citing security concerns.
As of this publication date, the investigation remains ongoing.
California Privacy Protection Agency Clarifies Application of the CCPA to Insurance Companies
The California Privacy Protection Agency board voted on November 8, 2024, to advance a proposed rulemaking package for, among other things, a proposed regulation to clarify the application of the California Consumer Privacy Act (CCPA) to insurance companies.
Quick Hits
The California Privacy Protection Agency voted in November 2024 to advance a proposed regulation to clarify the application of the California Consumer Privacy Act (CCPA) to insurance companies.
The proposed regulation defines “insurance company” and specifies that the CCPA applies to personal data not governed by the California Insurance Code.
Illustrations in the proposed regulation clarify that insurance companies must comply with the CCPA for personal data collected from website visitors and employees.
Information obtained in an insurance transaction is governed by the federal Gramm-Leach-Bliley Act. Given this, there has been uncertainty about the CCPA’s application to insurance companies, which are state regulated. In a brief proposed regulation, the agency attempted to clarify this issue to a certain degree.
As an initial matter, the proposed regulation defines the term “insurance company” as any person or company that is subject to the California Insurance Code and its regulations, including insurance institutions, agents, and insurance support organizations. The term “insurance institution” means “any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, or other person engaged in the business of insurance.”
The term “agents” means a person who is licensed to transact insurance in California and an “insurance support organization” means any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions.
Having defined the scope, the proposed regulation states that the CCPA applies “to any personal information not subject to the Insurance Code and its regulations.” Although the statement lacks definite clarity, the proposed regulation provides some guidance with an additional statement that the CCPA’s requirements apply to information “that is collected for purposes not in connection with an insurance transaction, as that term is defined in Insurance Code, section 791.02.” Section 791.02(m) defines insurance transaction as “any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails either of the following: (1) The determination of an individual’s eligibility for an insurance coverage, benefit, or payment. (2) The servicing of an insurance application, policy, contract, or certificate.”
The proposed regulation provides two illustrations that further clarify the application of the CCPA:
“Insurance company A collects personal information from visitors of its website who have not applied for any insurance product or other financial product or service from Company A. This information is used to tailor personalized advertisements across different business websites. Insurance company A must comply with the CCPA, including by providing consumers the right to opt-out of the sale/sharing of their personal information and honoring opt-out preference signals, because the personal information collected from the website browsing is not related to an application for or provision of an insurance transaction or other financial product or service.”
“Insurance company B collects personal information from its employees and job applicants for employment purposes. Insurance company B must comply with the CCPA with regard to employee information, including by providing a Notice at Collection to the employees and job applicants at or before the time their personal information is collected. This is because the personal information collected in this situation is not subject to the Insurance Code or its regulations.”
Insurers may also want to note that the second illustration applies only to California resident job applicants and employees. The notice to job applicants required under the CCPA should be provided if the company solicits applicants from California.
Finally, the CCPA is not the only privacy law or regulation that needs to be considered with regard to the collection and use of consumer data and information. In particular, California Penal Code sections 630 and 638.51 are currently the subject of numerous lawsuits.
Federal Court Finds Consumer Wire Transfers Are Subject to the Electronic Funds Transfer Act
In an apparent departure from decades of jurisprudence acknowledging the exemption of wire transfers from the ambit of the Electronic Funds Transfer Act (EFTA or the Act), one federal district court recently found that a bank may be liable under EFTA for unauthorized consumer wires initiated using a bank’s electronic banking platforms. See New York v. Citibank, N.A., Case No. 24-CV-659, 2025 WL 251302 (S.D.N.Y. Jan. 21, 2025). While this ruling is not binding authority in any federal circuit and might not sway other courts to adopt its logic, it does signal a need for financial institutions to prepare for legal challenges to their policies and practices regarding wire transfers.
The Obligations of Financial Institutions Under EFTA
EFTA — along with its implementing Regulation E — imposes various obligations on financial institutions related to electronic fund transfers. The Act specifically requires financial institutions to provide lengthy written disclosures to certain customers, investigate and resolve allegedly unauthorized electronic fund transfers, and, in many instances, assume liability for the bulk of consumer losses stemming from such unauthorized transactions. As applied, EFTA limits a consumer’s liability in connection with an unauthorized electronic fund transfer if the customer properly notifies their financial institution of the transaction within 60 days. A financial institution is generally required to investigate and resolve disputed fund transfers within 10 business days of the impacted consumer’s notice. If the investigation determines that an electronic fund transfer was indeed unauthorized, the financial institution is liable to cover all but $50 to $500 of the loss, depending on when the consumer gave notice.
EFTA violations can subject financial institutions to both civil penalties and regulatory enforcement problems. The Act expressly permits private rights of action with statutory penalties, whether such cases are filed as class actions or on an individualized, consumer-by-consumer basis. The Act separately allocates regulatory enforcement authority among multiple administrative agencies, including the federal banking agencies, the administrator of the National Credit Union Administration, the Secretary of Transportation, the Securities and Exchange Commission (SEC), the Consumer Financial Protection Bureau (CFPB), and the Federal Trade Commission (FTC).
Prior Jurisprudence Exempting Wire Transfers From the Scope of EFTA
Until this past month, courts generally held that bank wires are not “electronic fund transfers” subject to EFTA. These courts often applied the statute’s plain language in reaching that conclusion.
EFTA notably defines an “electronic fund transfer” as “any transfer of funds . . . initiated through an electronic terminal, telephonic instrument, or computer or magnetic tape,” excluding “any transfer of funds . . . made by a financial institution on behalf of a consumer by means of a service that transfers funds held at either Federal Reserve banks or other depository institutions and which is not designed primarily to transfer funds on behalf of a consumer.” 15 U.S.C. § 1693a (7)(b). Unlike many traditional electronic fund transfers involving the transfer of money to or from a customer’s account, wire transfers involve a financial institution sending funds to another financial institution on a wire network like Fedwire or the Clearing House Interbank Payments System (CHIPS).
Regulation E explicitly excludes “wire or other similar transfers” from the Act’s definition of “electronic fund transfer.” See 12 C.F.R. § 1005.3(c)(3); 12 C.F.R. § 205.3(c)(3). Many courts have likewise cited Regulation E’s definition of “electronic fund transfer” to support their findings that the EFTA does not regulate wire transfers. See Nazimuddin v. Wells Fargo Bank, N.A., Case No. 24-20343, 2025 WL 33471 (5th Cir. Jan. 6, 2025) (“Because Regulation E excludes ‘wire or other similar transfers’ from the definition of ‘electronic fund transfer,’ the EFTA does not apply to the wire transfers of which Plaintiff complains in this case.”); Stepakoff v. IberiaBank Corp., 637 F. Supp. 3d 1309 (S.D. Fla. Oct. 31, 2022) (“Count I fails to state a claim for relief because [Regulation E] exempts the requested wire transfer at issue from EFTA coverage.”); Fischer & Mandell LLP v. Citibank, N.A., Case No. 09 Civ. 1160, 2009 WL 1767621 (S.D.N.Y. June 22, 2009) (“Regulation E explicitly excludes from the coverage of the EFTA transfers of funds made through checks and wire transfers.”).
Southern District of New York Court Finds That EFTA Extends to Consumer Wire Transfers
A federal district court in the Southern District of New York recently took a different view regarding EFTA’s non-applicability to wire transfers. In a decision issued just this past month, the district court found that EFTA does indeed extend to consumer wires initiated using a bank’s electronic banking platform. The court reasoned that EFTA’s language covers “consumer portions of transactions while forgoing regulation of purely interbank transfers,” such that the component of an electronic wire transfer that does not involve a purely interbank transfer of funds is within the ambit of the Act.
The district court posited that a single wire transfer is, in reality, a series of three consecutive but independent transfers of funds. The first transaction occurs when a consumer initiates a wire transfer by sending a payment order to its financial institution, instructing it to transfer funds from its account to a recipient’s account at another financial institution. The second transaction occurs when the consumer’s financial institution, through a wire network like Fedwire or CHIPS, transfers the funds to the recipient’s financial institution. And the third transaction occurs when the recipient’s financial institution transfers the funds to the recipient’s account. Within this framework, the district court reasoned that since the first transaction comprising a wire transfer does not involve an interbank transfer, if a consumer sends a payment order to its financial institution electronically, such as via a bank’s online banking portal, then EFTA applies to that first step of the wire transfer process. Therefore, the court held that a bank may be liable under EFTA for failing to investigate and resolve allegedly unauthorized wire transfers initiated using the bank’s electronic banking platforms. The court noted that its piecemeal analysis of a wire transfer, differentiating the initial transaction as “ancillary to an interbank wire,” comports with Congressional intent to protect consumer interests in enacting the EFTA.
Potential Implications for Financial Institutions Moving Forward
The Southern District of New York’s recent decision raises important questions for banks as to whether they need to address EFTA-compliance issues regarding their wire transfer practices. Even if other courts continue to exempt all wire transfers from EFTA, class action plaintiffs’ attorneys may be emboldened by the recent case law to justify new legal actions against financial institutions, especially in New York federal court, notwithstanding that many banks’ customer account agreements include provisions mandating arbitration. The risk alone should be enough to cause banks to take caution moving forward.
Yet, financial institutions seeking to comply with the new case law will unfortunately be faced with a somewhat burdensome task. Long-standing consumer contracts and standard form customer account and disclosure statements would need to be updated and amended en masse with all applicable customers of the bank. New wire dispute resolution processes would need to be developed, audited and communicated during training sessions for bank staff. Finally, because the EFTA shifts significant liability to banks for unauthorized transactions, many banks may also begin to impose additional security measures to protect against unauthorized wires, which would increase the administrative expense for these types of transactions and could impede the ordinary speed of wire transfers moving forward.
CNIPA Rejects 63 Attempts to Maliciously Register DeepSeek Trademarks

On February 24, 2025, China’s National Intellectual Property Administration (CNIPA) announced that it rejected 63 trademark applications attempting to maliciously register DeepSeek and graphic. CNIPA stated that, “some agencies are suspected of providing illegal services, with obvious intentions of ‘riding the wave’ and seeking improper benefits. CNIPA resolutely cracked down on such malicious applications.”
China has previously rejected en masse applications and ex-officio cancelled trademarks that have been maliciously applied for and registered, respectively. For example, in 2022, CNIPA cancelled trademarks for Olympic mascots and athletes for “infringing on the personality rights and other legitimate rights and interests of others, has caused significant adverse social impact, and damaged the good image of China’s strict protection of intellectual property rights.” CNIPA rejected 429 trademark applications, including those for Eileen Gu (谷爱凌 and homonyms). CNIPA also cancelled, ex-officio, 43 trademarks, 20 of which were for Eileen Gu.
The original announcement and full list of rejected applications is available here (Chinese only).
FCC One-To-One Consent Rule Set-Back
The Eleventh Circuit granted a reprieve to businesses worried about the FCC’s “one-to-one” update to the TCPA Rule. As we wrote in December, the update was set to go into effect at the end of January, and according to the FCC would “close the lead generator loophole.” Specifically, it would have prohibited “generic consent,” namely where people agree to be called by “affiliates,” “partners” or third parties. That prohibition would have been true even if those entities were specifically identified elsewhere. It would also have required consent from the individual to be called at a specific phone number, by a specific company, even though this is already required under TCPA.
Shortly before the effective date, an industry group challenged the change, saying that the FCC was essentially expanding the TCPA’s prior express consent requirement with its “one-to-one” rule. The group had two concerns. First, that the FCC was restricting consent to only one seller at a time. Second, that consent must be associated with the interaction that prompted consent. Both of these, the group argued, essentially added to the TCPA’s definition of prior express consent.
The Eleventh Circuit agreed. It relied on the Supreme Court’s Loper decision to contradict the FCC’s interpretation of the TCPA. The court concluded that the FCC had gone beyond the plain meaning of the phrase prior express consent. Although this decision is currently only binding within the Eleventh Circuit, the FCC postponed the change by a year (until January 26, 2026).
Putting it into Practice: We will be monitoring to see if the FCC withdraws or pares back its modification to the TCPA Rule prior to January of next year and whether other circuits follow the Eleventh Circuit’s ruling.
NO LOGS FOR YOU: Court Declines to Require Privilege Log for Withheld Communications.
I have a fascinating tidbit from a TCPA discovery dispute.
In a recent decision on a motion to compel, a defendant was not required to produce purported communications between its attorneys and class members, or a “privilege log” thereof.
Taking a quick step back, Federal Rule of Civil Procedure 26(b)(5)(A)(ii) generally requires that parties withholding information based on attorney-client privilege or the work product doctrine “describe the nature of the documents, communications, or tangible things not produced or disclosed.” This description, generally known as a “privilege log,” was ultimately not required by a magistrate judge in Walston v. Nat’l Retail Solutions, Inc. d/b/a NRS Pay. No. 24 C 83, 2025 WL 580518, *6 (N.D. Ill. Feb. 21, 2025).
In Walston, the plaintiff wanted all records of communication between the defendant or its counsel and potential class members. Id. at *4. This led to a motion to compel by the plaintiff and two interesting disputes regarding plaintiff’s discovery requests: (1) whether plaintiff was entitled to records of communication between defendant and potential class members and (2) whether plaintiff was entitled to records of communication between defendant’s counsel and potential class members.
Regarding the first dispute, the defendant contended that it had not communicated with class members—and that any such communications were made by its counsel. Id. at *5. The court agreed that documents that the defendant never possessed—i.e., because their counsel (probably) had the communications and never explicitly gave them to the defendant—could not be compelled by a discovery request. Id. at *6.
However, it is worth noting that, if the defendant had communicated with potential class members, that information would have been discoverable. Id. at *5.
On the second dispute as to communications between defendant’s counsel and potential class members, the defendant again asserted that it never had those communications. Id. at *6. Further, to the extent that the defendant communicated with its counsel regarding those communications, the defendant asserted attorney-client privilege and the work product doctrine. Id. The plaintiff requested a privilege log of withheld communications, and the defendant argued that documents created after a lawsuit is filed are presumed privileged and thus not subject to a privilege log. Id. at 5.
The court noted an emerging trend in which courts are not enforcing strict adherence with Rule 26(b)(5)(A)(ii) and thus not requiring a privilege log for withheld communication between a client and their counsel that occurred after litigation has commenced. Id. at 5 (citing Rayome v. Abt Elecs., 2004 WL 1435098, at *4 (N.D. Ill. Apr. 3, 2024)).
That is the key takeaway from this case: the promising view that privilege logs are not required for communication between counsel and their client in litigation matters. Privilege logs can be burdensome and, in some cases, just as damaging as producing the privileged information.
More updates are to come, as we see how courts apply this emerging trend!
District Court Blocks Enforcement of SCOPE Act Requirements
On February 7, 2025, the U.S. District Court for the Western District of Texas granted a preliminary injunction further blocking enforcement of Texas’ Securing Children Online through Parental Empowerment Act (“SCOPE Act”). The SCOPE Act, which was enacted in 2023, imposes obligations on digital service providers to protect minors.
In a separate lawsuit regarding the SCOPE Act (Computer & Communications Industry Association v. Paxton), the District Court enjoined certain provisions of the law before it went into effect. In August 2024, plaintiffs, including a student-run civic engagement organization, a “social-good” advertising company, a mental health content creator and an unidentified high school student, sued Texas Attorney General Ken Paxton to block enforcement of the SCOPE Act on the basis that the law is an unconstitutional restriction of free speech.
In Students Engaged in Advancing Texas v. Paxton, the District Court ruled that the law is a content-based statute subject to strict scrutiny. The District Court further held that with respect to certain of the SCOPE Act’s monitoring-and-filtering requirements (§ 509.053 and § 509.056(1)), targeted advertising requirements (§ 509.052(2)(D) and § 509.055), and content monitoring and age-verification requirements (§ 509.057), the plaintiffs had carried their burden in showing that the law’s restrictions on speech fail strict scrutiny and should be facially invalidated. The District Court also ruled that § 509.053 and § 509.055 were unconstitutionally vague. Accordingly, the District Court issued a preliminary injunction enjoining Paxton from enforcing those provisions pending final judgment in the case. The remaining provisions of the law remain in effect.
U.S. Export Controls On Software License Keys
With the many updates to U.S. export controls in the past few months, it would be easy to miss a recent update concerning software keys. The U.S. Commerce Department Bureau of Industry and Security (BIS) amended the Export Administration Regulations (EAR) to add new Sec. 734.19 of the EAR, specifying how and when license requirements apply to:
Software license keys allowing a user the ability to use software or hardware; and
Software keys that renew existing software or hardware use licenses.
Sec. 734.19 specifies that such software keys are classified and controlled under the same Export Control Classification Numbers (ECCNs) as the corresponding software or hardware to which they provide access, imposing the same controls and authorization requirements. For hardware, BIS provided that “the software key would be classified under the corresponding ECCN in the software group (e.g., a software license key that allows the use of hardware classified under ECCN 5A992 would be classified under ECCN 5D992).”
As a result of this clarification, companies that provide software keys to their customers should review their export compliance programs to ensure they have appropriate controls not only around the provision of software, but also around corresponding license keys. For instance, companies should be aware that even if no authorization was required for the release of the initial software license key, renewal use licenses may be subject to authorization requirements to the extent circumstances changed (e.g., if the end user was added to the Entity List).
This change is particularly noteworthy given the EAR’s license requirement for the export, reexport, or transfer (in-country) to or within Russia or Belarus of many types of software, including certain EAR99 software.