European Commission Clarifies Definition of “ICT Services” under DORA

The European Insurance and Occupational Pensions Authority recently published the European Commission’s response (Q&A 2999) on the question of which services fall under the definition of “ICT services” under Article 3(21) of the EU Digital Operational Resilience Act (DORA). This guidance was highly anticipated by the financial services sector to clarify the distinction between information and communication technology (ICT) services and financial services.
“ICT Services” Under DORA
The definition of “ICT services” is integral to determining the scope of services subject to DORA’s regulatory framework. 
Article 3(21) of DORA defines “ICT services” to mean “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”. 
Q&A 2999
Q&A 2999 confirms that the definition of “ICT services” under DORA is intentionally broad and the onus is on a financial entity to assess whether the services it relies on are ICT services. Such assessment should be performed taking into account the general position referred to in Recital 63 of DORA, which specifies that DORA covers a wide range of ICT third-party service providers, including financial entities providing ICT services to other financial entities, and without prejudice to sectoral regulations applicable on regulated financial services.
Notably, Q&A 2999 provides that, in the case of financial services with an ICT component, the receiving financial entity should assess: 

(a) whether the services constitute an ICT service under DORA; and
(b) if the providing financial entity and the financial services it provides are regulated under EU law or any national legislation of a Member State or of a third country.

If the answer to both items (a) and (b) above is yes, then the related service should be considered as predominantly a financial service, and not an ICT service within the scope of DORA.
Conversely, where the service provided by a regulated financial entity is unrelated or is independent from its regulated financial services, the service should be considered as an ICT service within the scope of DORA.
Conclusion
Q&A 2999 provides a timely clarification for financial entities receiving services from other regulated firms. Q&A 2999 explains that certain regulated financial services and ancillary activities remain out of scope and are not considered ICT services under DORA and, therefore, do not need to be included in internal registers of financial entities. This also applies to entities regulated in third countries. However, ICT services provided by financial entities that are unrelated to or independent of their regulated financial services should be classified as ICT services under DORA. 
Q&A 2999 is available here.

FCC Proposes Increased Broadband Availability in the 900 MHz Band

On January 16, 2025, the FCC closed out Jessica Rosenworcel’s term as Chairwoman by releasing a Notice of Proposed Rulemaking (“NPRM”) seeking to expand the use of the 896-901/935-940 MHz (“900 MHz”) band for broadband use. The NPRM builds on the Commission’s 2019 rulemaking, which created a 3/3 MHz broadband allocation at 897.5-900.5/936.5-939.5 MHz and established a process for clearing narrowband incumbents from the band.
The NPRM was released in response to a Petition for Rulemaking filed by ten entities, including Anterix, Inc., which holds the majority of 900 MHz band spectrum in the U.S., and the FCC is now proposing to expand the ability to license broadband not just in the 3/3 MHz segment, but across the entire 5/5 MHz of the 900 MHz band. Eligibility to obtain a 5/5 MHz broadband license would be similar to the eligibility required to obtain a broadband license in the 3/3 MHz segment. Applicants would need to hold more than 50% of the total amount of licensed 900 MHz band spectrum in the county, hold or be eligible to hold the 3/3 MHz broadband license, and clear or protect from interference all covered incumbents from the narrowband segment (896–897.5/935–936.5 MHz and 900.5–901/939.5–940 MHz).
Unlike in the 3/3 MHz broadband segment, the FCC proposes that incumbent relocations from the narrowband segment would be accomplished through a voluntary negotiation process. In the 3/3 MHz segment, the FCC allows a broadband applicant to trigger mandatory negotiations once relocation agreements are reached or interference protection is demonstrated to 90% of covered incumbents (“complex systems” are exempted). The FCC does not propose to establish a narrowband segment mandatory relocation process for applicants seeking a 5/5 MHz license. This is noteworthy because Anterix, as the “presumptive broadband licensee,” has already relocated a number of incumbents from the broadband segment of the band to the narrowband segment, and many incumbents are now concerned about being forced from the spectrum they just relocated to (or are in the process of relocating to). However, the FCC does ask whether it should consider some process to deal with holdouts and also asks whether to modify the complex system exemption.
Also of note, the Commission asks whether to lift or modify the ongoing narrowband licensing freeze for the 900 MHz band. Currently, no applications for new or expanded 900 MHz narrowband operations will be accepted unless the applications pertain to broadband license-related incumbent relocations. The FCC notes that in many areas of the country, there still are no broadband licensees. On the other hand, in other areas with broadband licensees, have relocations concluded such that narrowband licensing can resume? Should the freeze be lifted only with respect to current license holders? Or should any applicant be able to obtain a new license in the 900 MHz band?
Comments and Reply Comments will be due 60 and 90 days, respectively, from the date of the NPRM’s publication in the Federal Register, which has not yet occurred.

FCC Responds to Cybersecurity Threats with CALEA Ruling

Earlier this month, in the waning days of Jessica Rosenworcel’s tenure as Chair of the Democrat-led FCC, the FCC released a Declaratory Ruling concluding that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications carriers to secure their networks from unlawful access and interception of communications. Effectively, the FCC determined that CALEA can serve as a hook for additional rules addressing emergent cybersecurity issues.
The Commission also adopted a Notice of Proposed Rulemaking (NPRM) that would apply cybersecurity and supply chain risk management obligations to a broader set of providers.
Commissioners Carr and Simington dissented from the Declaratory Ruling and NPRM. While Chairman Carr frequently references cybersecurity threats, particularly those stemming from state-sponsored actors in the People’s Republic of China (PRC), it is unclear whether the new GOP-led FCC will allow the Declaratory Ruling and NPRM to stand or will pursue another course of action.
Background.  Enacted in 1994, CALEA requires telecommunications carriers and manufacturers of telecommunications equipment to ensure that law enforcement agencies have necessary surveillance capabilities of telecommunications equipment, facilities, and services. Notably, under the “substantial replacement” provision of CALEA, the FCC has interpreted the term “telecommunications carrier” for purposes of CALEA to include facilities-based broadband Internet access service (BIAS) and interconnected VoIP providers. [1]
Declaratory Ruling.  Previously, the FCC found that Section 105 of CALEA requires telecommunications carriers to avoid the risk that suppliers of untrusted equipment will illegally intercept or surveil a carrier’s switching premises without its knowledge.[2] In the Declaratory Ruling, the Commission imposed an affirmative duty on “telecommunications carriers” (again, including BIAS and iVoIP providers) to secure their networks, and clarified that telecommunications carriers’ responsibilities under CALEA extend to their equipment as well as network management practices.
The FCC concluded that carriers are obligated to prevent interception of communications or access to call-identifying information by any means other than pursuant to a lawful authorization with the affirmative intervention of an officer of the carrier acting in accordance with FCC rules. In adopting the Declaratory Ruling, the Commission puts carriers on notice that all incidents of unauthorized interception of communications and access to call-identifying information amount to a violation of the carrier’s obligations under CALEA.
Within this context, the FCC concluded that Congress has authorized the Commission to adopt rules requiring telecommunications carriers to take steps to secure their networks.
Notice of Proposed Rulemaking.  In its NPRM, the FCC proposes to apply cybersecurity requirements to a broad set of service providers, including facilities-based fixed and mobile BIAS providers, cable systems, wireline video systems, wireline communications providers, satellite communications providers, commercial mobile radio providers, covered 911 and 988 service providers, and international section 214 authorization holders, among others (Covered Providers).
The Commission proposes that Covered Providers would be obligated to create and implement cybersecurity and supply chain risk management plans. The plans would identify the cyber risks the carrier faces, as well as how the carrier plans to mitigate such risks. Covered Providers would also need to describe their organization’s resources and processes to ensure confidentiality, integrity, and availability of its systems and services. The plans would require annual certification and be submitted in the Network Outage Reporting System (NORS).

[1] Telecommunications carrier includes:
A person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire; A person or entity engaged in providing commercial mobile service . . . ; A person or entity that the Commission has found is engaged in providing wire or electronic communication switching or transmission service such that the service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of CALEA.
47 CFR § 1.20002(e).
[2] Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs; Huawei Designation; ZTE Designation, WC Docket No. 18-89; PS Docket Nos. 19-351 and 19-352, Report and Order, Further Notice of Proposed Rulemaking, and Order, 34 FCC Rcd 11423, 11436-37, para. 35 (2019).

MGM Inks $45M Class Action Settlement for 2019 and 2023 Data Breaches

MGM Resorts agreed to pay $45 million to settle over a dozen class action lawsuits concerning 2019 and 2023 data breaches. A federal court in Nevada preliminarily approved the settlement, which, according to lawyers, covers over 37 million MGM customers.
The 2019 incident occurred when millions of customers’ names, addresses, telephone numbers, and other personal information were stolen from MGM’s system and published on a cybercrime forum. In 2023, the group Scattered Spider was allegedly behind an attack on MGM and other Las Vegas resorts, where customers’ personal information, including social security numbers, was stolen. MGM reportedly sustained over $100 million in damages following the attack.

Oregon DOJ Issues Children’s Privacy Toolkit under State Consumer Privacy Rights Law

To celebrate Data Privacy Day, the Oregon Department of Justice (DOJ) released a new toolkit showing Oregonians how to protect their online information. The toolkit includes information on how consumers can exercise their rights under the Oregon Consumer Privacy Act (OCPA) and encourages them to take control of their personal information.
The OCPA went into effect in July 2024 and allows consumers to educate themselves about the types of data being collected and how that data is used. It also grants consumers the right to request that a business delete their data, opt out of the sale of their data, and be informed of third parties who receive their data. Instructions on where to find that information can be found here.
Consumers under the age of 13 are granted additional rights through the OCPA. Through a recent survey, the Oregon DOJ learned that the top concern related to consumer privacy is the privacy of children’s data. While the federal Children’s Online Privacy Protection Act deals with protecting children’s data online and requires parental consent before the collection of personal information from children under the age of 13, the OCPA allows consumers to request deletion of data about a child or themselves to reduce the risk of exploitation by advertisers or data brokers. The toolkit includes tips for parents on monitoring, managing, and restricting the collection of a child’s information.
The Oregon DOJ established an online compliance system to report businesses not responsive to consumer requests under the OCPA. Since July 2024, the Oregon DOJ has received 118 consumer privacy complaints. Businesses are given 30 days to comply with the OCPA and may face up to $7,500 per violation.
This new toolkit is also intended to serve as a guide for businesses to review their privacy notices and confirm that their disclosures about the collection, use, and disclosure of consumer data are clear and transparent. While the toolkit targets for-profit businesses, the OCPA will expand to cover non-profit organizations later this year; look for further guidance from the Oregon DOJ starting this summer.

Preparing for EDGAR Next: Considerations for Existing and Prospective SEC Filers

Highlights
The SEC has adopted amendments aimed at modernizing and enhancing the security of its EDGAR system
Compliance with the amendments will require existing EDGAR filers to complete a one-time enrollment process, while new applicants for EDGAR access will benefit from automatic enrollment
Existing filers will have from March 24, 2025, through Dec. 19, 2025, to complete EDGAR Next enrollment

The Securities and Exchange Commission (SEC) adopted a series of rule and form amendments on Sept. 27, 2024, concerning access to and management of accounts on its Electronic Data Gathering, Analysis, and Retrieval system (EDGAR). The amendments – designed to enhance the security of EDGAR, improve the ability of filers to manage their EDGAR accounts, and modernize connections to EDGAR – are collectively referred to as EDGAR Next.
EDGAR Next will change how electronic filers and their representatives interface with EDGAR. Currently, the SEC assigns each electronic filer a set of access codes. Any individual in possession of a filer’s access codes may access the filer’s EDGAR account, view and make changes to the information maintained therein, and transmit filings and correspondence to the SEC on the filer’s behalf. EDGAR Next will retire the majority of these codes and require that filers authorize specific individuals to perform these functions. Individuals seeking to access a filer’s account will be required to complete a multifactor authentication of their identity.
To permit a streamlined application process for new and prospective electronic filers, the SEC has adopted an amended version of Form ID, the successful submission of which will enroll the applicant automatically in EDGAR Next.
Effective and Compliance Dates
These are important dates to keep in mind.

March 24, 2025: The EDGAR Next Filer Management dashboard goes live, allowing existing filers to begin enrollment in EDGAR Next. New filers become required to apply for EDGAR access on the amended version of Form ID. Successful new applicants are automatically enrolled in EDGAR Next. Legacy filing processes remain available to enrolled and unenrolled filers through Sept. 12, 2025.
Sept. 15, 2025: The initial EDGAR Next enrollment window ends and compliance with EDGAR Next security protocols becomes required of all filers. Existing filers who have not enrolled in EDGAR Next by this time are not able to take actions in EDGAR other than enroll. Enrollment continues to be permitted for a three-month grace period.
Dec. 19, 2025: The grace period for EDGAR Next enrollment ends. Existing filers who have not enrolled become required to reapply for EDGAR access on an amended Form ID.

EDGAR Next Roles and Permissions
EDGAR Next requires each electronic filer to authorize and maintain at least two individuals (or one, in the case of a filer that is an individual or single-member company) as account administrators. Account administrators manage the filer’s EDGAR account, make submissions on behalf of the filer, serve as points of contact for SEC staff, and authorize and de-authorize other account administrators, users, delegated entities and technical administrators.
A filer may empower up to 20 account administrators. All account administrators are co-equal, possessing the same authority and responsibility to manage the filer’s EDGAR account. Actions that are required to be performed by account administrators can be performed by any account administrator individually and do not require joint action.
Filers – through their account administrators – optionally may authorize:

Users: Individuals permitted to view basic information about the filer and transmit filings on behalf of the filer, but lacking administrative privileges to make changes to the filer’s account.
Delegated Entities: Entities whose authorized representatives are permitted to view basic information about the filer and transmit filings on behalf of the filer, but lack administrative privileges to make changes to the filer’s account. A delegated entity must possess an EDGAR account. A delegated entity’s account administrators are considered delegated account administrators in respect of a delegating filer’s EDGAR account; delegated account administrators may authorize delegated users in respect of a delegating filer’s EDGAR account.
Technical Administrators: Individuals permissioned to manage the technical aspects of a filer’s connection to EDGAR application programming interfaces (APIs), including the issuance, sharing and deactivation of API tokens. Connection to EDGAR APIs is optional; however, filers electing to connect to APIs must authorize and maintain at least two technical administrators.
It is expected that many filers will leverage API connections maintained by filing agents; such filers will not be required to maintain their own technical administrators. Filers should contact their filing agents for information regarding whether and how such agents anticipate leveraging API connections.

Accessing EDGAR and the EDGAR Next Dashboard
All account administrators, users, and technical administrators will be required to complete a multifactor authentication when accessing the EDGAR Filing and OnlineForms websites, as well as when interacting with the EDGAR Next Filer Management Dashboard. The individual account credentials used for this purpose must be obtained through login.gov, the U.S. General Services Administration’s secure sign-in service.
Once a year (at the quarter end of their choosing), filers will reconfirm their account administrators, users, delegated entities and technical administrators through a check-the-box election on the EDGAR Next Filer Management dashboard. Account administrators separately may authorize or de-authorize account administrators, users, delegated entities and technical administrators at any point throughout the year.
Enrolling in EDGAR Next
Existing filers that maintain current EDGAR access codes will enroll in EDGAR Next through the EDGAR Next Filer Management dashboard. Existing filers will not be required to submit an amended Form ID application or present supplemental documentation to SEC staff; they need only provide the names and contact information of their initial account administrators. Filers must provide the email address associated with each initial account administrator’s login.gov account.
Bulk enrollment of existing EDGAR accounts will be permitted to further streamline the enrollment process. The EDGAR Business Office anticipates that the majority of enrollment requests will be processed in minutes.
Prospective filers seeking to obtain EDGAR access for the first time, as well as existing filers that have lost access to EDGAR or failed to enroll in EDGAR Next by Dec. 19, 2025, will be required to submit an amended Form ID application. The amended Form ID includes a section allowing applicants to identify account administrators. If an applicant wishes to appoint an account administrator not employed by the applicant, the applicant must present a notarized power of attorney indicating that the prospective account administrator is duly authorized to manage the applicant’s EDGAR account. The EDGAR Business Office anticipates that amended Form ID applications will be processed on the same timetable as current Form ID applications.
Account Management and Filing Considerations for Entities
The SEC recommends that all filing entities, including single-member entities, authorize at least two account administrators. Filing entities are permitted, but not required, to designate employees as account administrators.
Currently, many entities liaise with law firms and third-party filing agents to transmit filings and correspondence to the SEC. EDGAR Next will continue to permit this. Law firms and filing agents will offer varying service models. Two anticipated common models are:

Full-Service Model: Some law firms and filing agents will offer end-to-end service, preparing and transmitting filings and correspondence to the SEC on behalf of clients. Firms and agents offering full-service models will generally act as delegated entities in respect of client EDGAR accounts; some may permit their representatives to act as account administrators or users of client accounts.
Self-Service Model: Some law firms and filing agents will offer more limited, self-service models. Firms and agents offering self-service models may provide clients with access to filing software and/or otherwise support clients in preparing and transmitting filings and correspondence via EDGAR, but generally will not require that clients delegate to them.

Account Management and Filing Considerations for Individuals
The SEC recommends that all individual filers authorize at least two account administrators. Individual filers are permitted, but not required, to act as their own account administrators.
Currently, many individual filers authorize trusted third parties (such as law firms, filing agents or related registrants) to access their EDGAR accounts and make SEC filings on their behalf. EDGAR Next will continue to permit this. A non-exhaustive list of options for individual account management is:

Self-Administration: Some individual filers will act as their own account administrators, authorizing trusted third parties as users and delegating to law firms, filing agents or registrants, empowering such users and delegated entities to make filings on their behalf while retaining personal control over the maintenance of their EDGAR account. 
Close Administration: Some individual filers will authorize a close group of trusted third parties to act as account administrators, permitting such account administrators to maintain their EDGAR account and authorize users and delegated entities to make filings on their behalf.
Decentralized Administration: Some individual filers will authorize a larger group of account administrators. For example, a Section 16 insider who sits on the board of several public companies may authorize one or more account administrators at each company, permitting each account administrator to authorize users and delegate to preferred filing agents.

Preparing for What’s “Next”
To get a jump on preparing for enrollment in EDGAR Next, existing filers should:

Locate and validate their current EDGAR access codes (i.e., CCC, password and passphrase)
Identify the individual responsible for enrolling them in EDGAR Next
Determine the individuals and entities that will act as account administrators, users, delegated entities and technical administrators (if applicable)
Ensure that all desired account administrators, users, and technical administrators maintain login.gov credentials
Connect with law firms and filing agents (as applicable) regarding their service offerings

Takeaways
EDGAR Next offers a more secure, modernized connection to EDGAR, and its Filer Management dashboard provides a more intuitive, user-friendly interface for interaction with EDGAR. Filers should plan to devote time and attention to preparing for, enrolling in and becoming comfortable navigating the new system.

CISA + FBI Issue Joint Advisory on Threat Actors Chaining Ivanti Vulnerabilities

On January 22, 2025, the Federal Bureau of Investigation (FBI) and the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint advisory related to previous vulnerabilities in the Ivanti Cloud Service Appliance, including an administrative bypass, a SQL injection, and remote code execution vulnerabilities – previously listed as CVE-2024-8963, CVE-2024-9379, CVE-2024-8190 and CVE-2024-9380.
The alert advises that “threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains… In one confirmed compromise, the actors moved laterally to two servers.”
According to CISA:
“CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.”

Ethical Hacker Uncovers Vulnerability in Subaru Starlink Service

An ethical hacker identified an arbitrary account takeover flaw in the administrator portal for Subaru’s Starlink service that could allow a threat actor to hijack a vehicle through a Subaru employee account, including remotely tracking, unlocking, and starting connected vehicles. The ethical hacker reported to Subaru that they could bypass multi-factor authentication (MFA) by removing the client-side overlay from the user interface. Through various endpoints, the ethical hacker could use a vehicle search to query a consumer’s last name, zip code, telephone number, email address, or VIN and gain access to the vehicle.
This “access” allowed the ethical hacker to:

Remotely start, turn off, lock, unlock, and retrieve the current location of any Subaru vehicle.
Retrieve a Subaru vehicle’s location history from the past 12 months, accurate to within about 15 feet.
Query and retrieve the personal information of any consumer, including emergency contacts, authorized users, physical address, billing information, and vehicle PIN.
Access other user data (e.g., support call history, previous owners, odometer reading, sales history, etc.).

The ethical hacker informed Subaru that this vulnerability could allow any threat actor to track and hijack any Subaru vehicle in the United States, Canada, or Japan. Fortunately, Subaru responded to the ethical hacker’s outreach immediately and patched the offending vulnerability within 24 hours, but this issue raises wider concerns about the motor vehicle industry. With broad access built into vehicle systems as a default, such systems are very difficult to secure and protect from outside threats. Manufacturers may consider security by design when building these systems and find a balance between ease of service and consumer information security.
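As an added illustration (not Subaru’s code and not from the original post) of why an MFA step enforced only in the browser can be stripped away, this constructed Node.js snippet contrasts an endpoint that trusts a client-supplied `mfaCompleted` flag with one that consults only server-held session state; the portal, endpoint names, session store, one-time codes and VIN values are all hypothetical.

```javascript
// Added example (not Subaru's code): an MFA gate that lives only in the UI
// versus one enforced by the server. All data is constructed for the demo;
// the admin portal, endpoint, and "mfaCompleted" field are hypothetical.

// Server-side session store: sessionId -> { user, mfaVerified }.
const sessions = new Map();
// Expected one-time code per session (constructed; real systems use TOTP/WebAuthn).
const pendingMfaCodes = new Map();

// Constructed vehicle records keyed by placeholder VINs (not real VINs).
const vehicles = {
  'VIN-EXAMPLE-0001': { owner: 'Jane Example', zip: '00000', location: 'lot A' },
};

// Password step succeeded: open a session that has NOT yet passed MFA.
function loginPasswordStep(user, sessionId, expectedCode) {
  sessions.set(sessionId, { user, mfaVerified: false });
  pendingMfaCodes.set(sessionId, expectedCode);
}

// Second factor: only the server flips mfaVerified, and only on a correct code.
function completeMfa(sessionId, code) {
  const s = sessions.get(sessionId);
  if (!s || pendingMfaCodes.get(sessionId) !== code) return false;
  s.mfaVerified = true;
  pendingMfaCodes.delete(sessionId);
  return true;
}

// Weak pattern: the endpoint trusts a flag that the UI overlay sets once the
// MFA prompt is dismissed. Whoever controls the client controls the flag, so
// the server never actually knows whether the second factor was presented.
function vehicleLookupVulnerable(req) {
  const s = sessions.get(req.sessionId);
  if (!s) return { status: 401 };
  if (req.body.mfaCompleted !== true) return { status: 403, reason: 'mfa required' };
  return { status: 200, vehicle: vehicles[req.body.vin] ?? null };
}

// Hardened pattern: the decision depends only on server-held session state;
// anything the client says about MFA in the request body is ignored.
function vehicleLookupHardened(req) {
  const s = sessions.get(req.sessionId);
  if (!s) return { status: 401 };
  if (s.mfaVerified !== true) return { status: 403, reason: 'mfa required' };
  return { status: 200, vehicle: vehicles[req.body.vin] ?? null };
}

// Walk through the scenario and return each outcome for inspection.
function demo() {
  sessions.clear();
  pendingMfaCodes.clear();
  loginPasswordStep('support-agent', 'sess-1', '246810');
  // Client asserts MFA is done without the server ever verifying a code.
  const selfAsserted = {
    sessionId: 'sess-1',
    body: { mfaCompleted: true, vin: 'VIN-EXAMPLE-0001' },
  };
  const beforeMfa = {
    vulnerable: vehicleLookupVulnerable(selfAsserted).status, // 200: data leaks
    hardened: vehicleLookupHardened(selfAsserted).status,     // 403: blocked
  };
  const wrongCode = completeMfa('sess-1', '000000');          // false
  const afterWrong = vehicleLookupHardened(selfAsserted).status; // still 403
  const rightCode = completeMfa('sess-1', '246810');          // true
  const afterRight = vehicleLookupHardened(selfAsserted).status; // 200
  return { beforeMfa, wrongCode, afterWrong, rightCode, afterRight };
}

console.log(demo());
```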

Italian Garante Investigates DeepSeek’s Data Practices

On January 28, 2025, the Italian Data Protection Authority (“Garante”) announced that it had launched an investigation into the data processing practices of Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence (collectively, “DeepSeek”). The investigation focuses on the collection, use and storage of personal data in relation to DeepSeek’s chatbot services.
Key Areas of Inquiry
The Garante indicated that it has formally requested information from DeepSeek with regard to the following:

Details on how DeepSeek collects personal data, including the specific methods and channels used, and which personal data are collected. The Garante is also seeking information on the nature of the data used to train the AI system, including whether personal data is included.
Clarification on whether data is sourced directly from users, third parties or other mechanisms. Particularly, the Garante is interested in understanding whether personal data is collected through web scraping, and how both registered and unregistered users are informed about such data processing activities.
Identification of the legal basis relied on to legitimize the processing of personal data.
Confirmation of whether personal data is stored on servers located in China, and of compliance with applicable international data transfer requirements.

Next Steps
DeepSeek is required to provide the requested information to the Garante within 20 days. Failure to do so could lead to further regulatory action, including potential enforcement actions. The Garante previously sanctioned OpenAI’s ChatGPT for infringements of certain requirements of the European General Data Protection Regulation following a similar fact-finding inquiry.
Read the Garante’s press release (in Italian and English).

Privacy Tip #429 – Threat Actors Continue to Use QR Codes For Fraudulent Purposes

We have repeatedly warned our readers about malicious QR codes and their use by threat actors.
Threat actors are now using these codes to disguise packages as gifts. Upon opening the package, recipients find a note with instructions to scan a QR code to identify the sender. The code launches a website that asks for credentials to get more information about the “gift” and provides instructions for returns. The website could also ask for credit card or personal information.
It has become such a problem that the Federal Trade Commission (FTC) has issued a scam alert.
According to the FTC:
“If you scanned the QR code and entered your credentials, like your username and password, into a website, change your password right away. Create a strong password that is hard to guess, and turn on two-factor authentication.
If you’re concerned someone has your personal information, get your free credit report at AnnualCreditReport.com. Look for signs that someone is using your information, like accounts in your name you don’t recognize. (You can get a free credit report every week.)
Also review your credit card bills and bank account statements and look for transactions you didn’t make. And consider taking other steps to protect your identity, like freezing your credit or putting a fraud alert on your credit report.
If you think someone stole your identity, report it, and get a personal recovery plan at IdentityTheft.gov.”

2025 New Jersey Employment Law Updates

The start of a new year is a great time for New Jersey employers to review their employee handbooks and policies and consider revisions based on changes in the law or best practices. This GT Alert summarizes some recent legal updates and changes on the horizon to help focus employers as they evaluate the compliance of their policies.
Pay Transparency
As set forth in a November 2024 GT Alert, New Jersey, like a number of other states, will soon enforce pay transparency requirements and mandate certain job posting disclosures. Effective June 1, 2025, New Jersey employers with 10 or more employees over 20 calendar weeks doing business or taking applications for employment within the state must disclose the hourly wage or annual salary range and general benefit information in all job postings for new positions and transfer opportunities. Covered employers must also post promotion opportunities to the entire affected department, with certain exceptions.
Remote Workers
The New Jersey Attorney General and New Jersey Division on Civil Rights (DCR) issued guidance on existing legal requirements applicable to workers employed by New Jersey companies who reside and work outside the state. The DCR published this update in the wake of recent case law holding that “a court would not apply New Jersey law to a multi-state dispute.” The DCR took the position that “[b]y its terms, the [New Jersey Law Against Discrimination (LAD)] does not protect only New Jersey residents. For instance, the LAD provides that ‘all persons shall have the opportunity to obtain employment . . . without discrimination.’” Thus, according to the DCR, the LAD protects all employees who work for a New Jersey employer “regardless of their residency or where they physically work, including those who work remotely full-time or part-time on a hybrid schedule.”
The DCR stated that it was providing guidance “to clarify and explain DCR’s understanding of existing legal requirements in order to facilitate compliance with the LAD.” However, it acknowledged that “[t]his guidance document does not impose any new or additional requirements that are not included in the LAD, does not establish any rights or obligations for any person, and will not be enforced by DCR as a substitute for enforcement of the LAD.” Although not law, employers should be aware of the DCR’s position to the extent it may impact decisions on charges of discrimination filed with the agency and potentially be viewed as persuasive by the courts.
Dress Codes (Employees and Patrons)
The New Jersey Attorney General and the DCR issued a consent decree stemming from a charge of discrimination against a New Jersey restaurant involving a gender-binary dress code for employees and patrons. The DCR’s press release stated that a non-binary individual was denied service because they purportedly failed to adhere to rules for men’s attire. The DCR took the position that the restaurant’s dress code policy violated the law because “New Jersey’s civil rights laws make it unlawful to discriminate based on gender identity. Those protections mean that places open to the public, including restaurants, can’t maintain gender-binary dress codes that exclude LGBTQ+ people.” Employers with dress code requirements for employees and/or the public should review their policies to ensure compliance.
The New Jersey Data Protection Act
Effective Jan. 15, 2025, the New Jersey Data Protection Act (NJDPA) imposes new protections for New Jersey consumers regarding personal data released to businesses. Personal data is defined as “information that is linked or reasonably linkable to an identified or identifiable person.” New Jersey residents now have the right to limit whether and how their personal data may be collected and used, the right to correct inaccuracies in their personal data, and the right to delete their personal data. The NJDPA also imposes new compliance obligations on businesses, including, but not limited to, responding to consumer requests not later than 45 days after receipt and providing certain information free of charge.
The NJDPA’s compliance obligations apply to New Jersey companies that operate as either “controllers” or “processors.” “Controllers” are individuals or legal entities that determine the purpose and means of processing personal data; processors are individuals or entities that collect, modify, and otherwise process personal data on behalf of a controller. The NJDPA applies to controllers conducting business in New Jersey or producing products or services targeted to the state’s consumers and that, during a calendar year, either (1) control or process personal data of at least 100,000 consumers, with certain exceptions; or (2) control or process the personal data of at least 25,000 consumers while deriving revenue, or receiving a discount on the price of any goods or services, from selling personal data.
The NJDPA also directs the Director of the Division of Consumer Affairs to promulgate regulations necessary to effectuate the purpose of this new law.
Retirement Plan Requirements
RetireReady NJ requires all New Jersey employers with 25 or more employees that do not offer a qualifying retirement plan for their employees to provide certain retirement benefits. Covered employers were required to register with the state by Sept. 15, 2024 (if 40 or more employees) or Nov. 15, 2024 (if between 25-39 employees), but the RetireReady NJ webpage appears to still be accepting registrations. Additionally, exempt employers that already provide retirement benefits must certify their exemption on the webpage. Employers who fail to comply with RetireReady NJ may be subject to penalties, ranging from a warning to monetary fines.
Employment Law Regulations Impacting New Jersey Residents
Private households in New Jersey employing domestic workers may now be considered employers and have important obligations under the Domestic Workers’ Bill of Rights (DWBR). The DWBR gives certain workers providing in-home services to private households (i.e., childcare, house cleaning, care for disabled or elderly individuals, and/or cooking) the right to a contract, the right to minimum wage, and the right to overtime compensation, break time, and privacy, safety, and anti-discrimination protections. The law took effect July 1, 2024, and applies regardless of the immigration status of the worker.
Immigration Status Protections
Pursuant to S2869, signed into law in August 2024, employers may not coerce or attempt to coerce an employee based on the employee’s immigration status for the purpose of concealing purported violations of state wage, benefit, or tax laws. “Any employer that coerces or attempts to coerce an employee based on the employee’s immigration status, and in furtherance of violating the State’s labor laws, will be subject to penalties in addition to any penalties to which the employer may be subject due to employment violations.”
Wage and Hour
As previously announced by the New Jersey Department of Labor, effective Jan. 1, 2025, the minimum wage applicable to most employees increased to $15.49 per hour.
Employers should also consider reviewing other pay practices (such as timing of payment, calculation of premium pay, and commission plans), as well as employee exemption classifications.
Potential Developments for 2025
Employers should also be aware of the following pending legislation:

A.B. 3854 would regulate the use of automated employment decision tools (AEDTs) in hiring to “minimize employment discrimination that may result from the use of the tools.” Under this proposed legislation, employers using AEDTs would be subject to a number of requirements. This bill was referred to the Assembly Labor Committee in May 2024.
A.B. 3911 would require employers that use artificial intelligence to analyze applicant-submitted videos to abide by specific procedural requirements to safeguard the interview process. This bill was referred to the Assembly Science, Innovation and Technology Committee.
A.B. 3816 would provide bereavement leave for reproductive loss, such as miscarriage or stillbirth. This bill was referred to the Assembly Labor Committee in April 2024.
A.B. 3505 would allow employees to use paid family leave and/or paid sick leave for bereavement following the death of a family member. This bill was referred to the Senate Budget and Appropriations Committee.

FTC Finalizes Amendments to Rule Protecting Children’s Data: Regulatory Freeze Likely Signals Further Revisions

On January 16, 2025, the Federal Trade Commission (FTC) announced that it finalized changes to the COPPA Rule, which protects information collected online from children under the age of 13. The COPPA Rule imposes obligations on the operators of commercial websites and online services (including mobile apps and online games) that are directed to children under the age of 13 and that collect, use, or disclose children’s personal information. The COPPA Rule was last amended in 2013. For the purposes of this discussion, we will refer to the Rule, as amended, as the “new COPPA Rule” (although further changes are anticipated) in contrast to the “current COPPA Rule.”
Notably, the new COPPA Rule is pending further review following the January 20, 2025, Presidential Action instituting a Regulatory Freeze Pending Review.
The FTC’s new chair and then-commissioner, Andrew N. Ferguson, had previously issued a concurring statement on the new COPPA Rule. While he supported the enhanced measures improving children’s data privacy, Ferguson criticized the new COPPA Rule as being highly problematic in three major areas, adding unnecessary burdens to businesses. The Regulatory Freeze procedure means that Chair Ferguson or his designee will again review the new COPPA Rule. 
Considering Ferguson’s prior criticism, businesses can expect that the new COPPA Rule will undergo further revisions before it is finalized. That said, businesses should be aware that measures such as requiring a separate and specific verifiable parental consent (VPC) for disclosure of children’s data to third parties, and identification of specific third-party recipients of such data, were noted with approval by Ferguson and are likely to ultimately pass. These measures encourage businesses to carefully select vendors with whom data may be shared, and to examine such vendors’ track record on privacy and security. The enhanced requirements to the information security program are likely here to stay. The pending review of the new COPPA Rule as a result of the Regulatory Freeze means businesses have a little more time to prepare to address additional compliance requirements. 
Key Changes Introduced in the New COPPA Rule
Expanded Definitions
The definition of “personal information” was expanded to include biometric identifiers that can be used for the automated or semi-automated recognition of an individual, with the definition listing examples of such identifiers. This amendment reflects the evolving concerns over more-recent data collection practices: biometric identifiers such as fingerprints or facial scans may be combined with persistent identifiers (such as IP addresses) that may uniquely and persistently identify a child.
The new COPPA Rule also contains a stand-alone definition of a “mixed audience” website or service, which means platforms that do not target children as their primary audience. The current COPPA Rule uses the term “mixed audience,” but does not expressly define it. A mixed-audience website or online service is a sub-category of child-directed websites and online services subject to the COPPA Rule. The new COPPA Rule clarifies that operators of mixed-audience websites and online services may use the exceptions to the VPC requirement set forth in §312.5(c) of the COPPA Rule, as is true for operators of online services targeting children as their primary audience. The definition of “online contact information” also was amended to include mobile telephone numbers, provided the operator uses them only to send text messages to a parent in connection with obtaining VPC.
New Examples of “Child-Directedness” Factors
The determination of whether a website or a service is “child-directed” is based on factual analysis under both the current and the new COPPA Rule. The current COPPA Rule already requires that businesses pay attention to known indicators that children may be using their platform. See, for example, the Yelp settlement and the NGL Labs settlement. The current COPPA Rule features a non-exhaustive list of evidence that the FTC may consider in determining “child-directedness.” See COPPA Rule §312.2 (definition of “Web site or online service directed to children”).
The new COPPA Rule provides additional examples: (1) marketing or promotional materials or plans, (2) representations to consumers or third parties, (3) reviews by users or third parties, and (4) age of users on similar websites or services. Commenters on proposed amendments previously expressed concerns about the latter two factors, noting, for example, that this amendment would incentivize competitors or others to file false reviews, potentially trying to influence how a website or online service is categorized. In response to these comments, the FTC reiterated that child-directedness is determined on a totality of the circumstances, and that evidence such as reviews may receive little weight given that reviews may not always be representative, accurate, or genuine.
Separate Consent for Targeted Advertising
The new COPPA Rule will require a separate and specific VPC before any non-integral disclosure of children’s personal information to third parties, such as for third-party advertising. Because obtaining consent is an expensive and cumbersome process for businesses, the amendment is meant to reduce the flow of children’s information to data brokers and discourage targeting children with personalized advertising. This is one of the areas that Ferguson previously flagged as highly problematic.
Basically, the new COPPA Rule seems to suggest that every time a business decides to share children’s data with a third party, it is a material change requiring a separate consent. If so, given the operational costs of obtaining VPC, this requirement will greatly discourage businesses from switching from their existing third-party vendors. Ferguson noted that not every change to the identities of third parties should require a new consent, but only changes that would make a reasonable parent believe that the privacy and security of their child’s data is being placed at materially greater risk. Further clarifications from the FTC in this area are expected. 
Additional Options to Collect VPC
The new COPPA Rule added three new methods for obtaining VPC: “text plus” (with requirements similar to the current “email plus” method), facial recognition, and knowledge-based authentication (using multiple-choice questions that are hard to guess and that children under 13 will have difficulty answering). Additionally, the payment transaction method for obtaining VPC was revised to remove the “monetary” requirement, meaning that consent may be obtained without receiving and then refunding a payment. Notably, the list of methods to obtain VPC is not exhaustive under either the current or the new COPPA Rule.
Collection Solely for Age Verification Purposes
Ferguson also criticized the new COPPA Rule for its failure to add an exception to the general prohibition on the unconsented collection of children’s data for the sole purpose of age verification, along with a requirement that such information be promptly deleted once that purpose is fulfilled. Currently, collection of age verification–related information, such as photographs or government-issued ID images, requires VPC and therefore discourages the use of age verification techniques that are more accurate than a self-declaration. Businesses can expect further changes to the Rule on this issue as well.
Data Retention and Deletion Requirements
The current COPPA Rule provides that an operator may retain children’s data only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The new COPPA Rule provides that operators are expressly prohibited from indefinitely retaining children’s data. This is one of the areas that Ferguson flagged as seriously problematic, as it is likely to generate outcomes not favorable to users. For example, data such as digital diary entries, childhood photos, or emails may be erased, blindsiding a user who cherished such records and relied on the platform to preserve them. Ferguson further noted that the “indefinitely” requirement is meaningless given that a company may get around it by stating that data will be kept for “two hundred years.” Again, we expect to see further revisions on this topic.
WISP and Data Retention Policy Requirements
The new COPPA Rule modifies operators’ obligations with respect to direct and online notices, information security, and deletion and retention protocols. Regarding information security, the current COPPA Rule states only that the operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
The new COPPA rule adds more prescriptive requirements to: 

Designate at least one employee to coordinate the information security program
Conduct risk assessments at least annually
Design, implement, and maintain safeguards to control the risks identified through risk assessments
Regularly test and monitor the effectiveness of such safeguards
Evaluate and modify the operator’s written information security program (WISP) at least annually to address identified risks.

Operators also must determine that their service providers and third parties are capable of maintaining the confidentiality, security, and integrity of the information and must obtain written assurances that such entities will employ reasonable measures to maintain the confidentiality, security, and integrity. With respect to data retention, the new COPPA Rule provides that at a minimum, the operator must establish, implement, and maintain a written data retention policy that sets forth the purposes for which children’s personal information is collected, the business need for retaining such information, and a timeframe for deletion of such information. This policy must be provided in the notice of information practices posted on the website or online service in accordance with § 312.4(d) of the COPPA Rule.
These requirements are broadly aligned with some of the requirements of the FTC Safeguards Rule and the FTC’s guidance to businesses on what constitutes a reasonable information security program. Commentary to the new COPPA Rule clarifies that a separate information security program and data retention policy is not needed for children’s data, but rather general programs and policies that encompass children’s data and otherwise meet the requirements of the COPPA Rule will be sufficient. 
Enhanced Transparency for Safe Harbor Programs
COPPA Safe Harbor programs – self-regulatory initiatives approved by the FTC to implement COPPA protections – will now be required to publicly disclose membership lists and provide additional reports to the FTC. These changes aim to increase accountability and transparency within these programs.
Summary
Originally, the new COPPA Rule was to take effect 60 days after its publication in the Federal Register, and covered businesses were to have one (1) year from the publication date to achieve full compliance with most amendments unless earlier compliance dates were specified. As discussed, however, the new COPPA Rule had not yet been published and is considered withdrawn pursuant to the January 20, 2025, Regulatory Freeze Pending Review, until it can be reviewed by the FTC Chair or his delegates for this task. While further changes are anticipated, businesses that have knowledge of children using their online platforms should review the new COPPA Rule and be aware of its current compliance impacts. Now is the time to review and update information security practices and take a careful look at each vendor’s compliance.