EPA Adds Nine PFAS to Toxics Release Inventory for Reporting Year 2025

The U.S. Environmental Protection Agency (EPA) announced on January 6, 2025, that it is updating the list of chemicals subject to toxic chemical release reporting under the Emergency Planning and Community Right-to-Know Act (EPCRA) and the Pollution Prevention Act (PPA). 90 Fed. Reg. 573. Specifically, the final rule updates the regulations to identify nine per- and polyfluoroalkyl substances (PFAS) that must be reported pursuant to the National Defense Authorization Act for Fiscal Year 2020 (FY2020 NDAA) enacted on December 20, 2019. EPA notes that as this action is being taken to conform the regulations to a Congressional legislative mandate, notice and comment rulemaking is unnecessary. The PFAS added to the Toxics Release Inventory (TRI) and the triggering events are:

Ammonium perfluorodecanoate (PFDA NH4) (Chemical Abstracts Service Registry Number® (CAS RN®) 3108-42-7) (Final Toxicity Value);
Sodium perfluorodecanoate (PFDA-Na) (CAS RN 3830-45-3) (Final Toxicity Value);
Perfluoro-3-methoxypropanoic acid (CAS RN 377-73-1) (Final Toxicity Value);
6:2 Fluorotelomer sulfonate acid (CAS RN 27619-97-2) (Final Toxicity Value);
6:2 Fluorotelomer sulfonate anion (CAS RN 425670-75-3) (Final Toxicity Value);
6:2 Fluorotelomer sulfonate potassium salt (CAS RN 59587-38-1) (Final Toxicity Value);
6:2 Fluorotelomer sulfonate ammonium salt (CAS RN 59587-39-2) (Final Toxicity Value);
6:2 Fluorotelomer sulfonate sodium salt (CAS RN 27619-94-9) (Final Toxicity Value); and
Acetic acid, [(γ-ω-perfluoro-C8-10-alkyl)thio] derivs., Bu esters (CAS RN 3030471-22-5) (Confidential Business Information (CBI) Declassification).

The final rule will be effective February 5, 2025. As of January 1, 2025, facilities that are subject to reporting requirements for these PFAS should begin tracking their activities involving these chemicals as required by EPCRA Section 313. Reporting forms will be due by July 1, 2026.

CPPA Extends Public Comment Period from January 14, 2025, to February 19, 2025; Public Hearings for Interested Parties to be Held January 14, 2025, and February 19, 2025

The California Privacy Protection Agency (CPPA) published a Notice of Extension of Public Comment Period and Additional Hearing Date on Friday, January 10, 2025, informing that the CPPA is extending the formal public comment period for the proposed updates to the California Consumer Privacy Act regulations regarding cybersecurity audits, risk assessments, automated decision-making technology (ADMT), and insurance companies to ensure all Californians, including those affected by the devastating wildfires in Southern California, have the opportunity to participate. More information regarding public comments and the new deadline can be found here.
The CPPA will also be hosting two public hearings to provide all interested parties an opportunity to present oral and written statements or arguments regarding the proposed regulations. The first session will be tomorrow, January 14, 2025. More information can be found here. The second session will be held on February 19, 2025, with more information regarding the date, time, and location to be published.
Otherwise, the substance of the proposed updates to the regulations did not change. Our team provided a summary of the key updates from the November 8th CPPA Board meeting, including regarding the proposed updates to the regulations, here.

NHTSA Adopts Final Rule to Formalize its Whistleblower Program under the Motor Vehicle Safety Whistleblower Act

On December 17, 2024, the National Highway Traffic Safety Administration (“NHTSA” or “Agency”) adopted a final rule to formalize its whistleblower program under the Motor Vehicle Safety Whistleblower Act (Whistleblower Act).[1] Under the final rule, which adopts the April 14, 2023[2] proposed rule without significant changes, whistleblowers who share original information related to violations of NHTSA’s regulations could receive an award between 10% and 30% of any civil penalties over $1 million paid by the violating entity. 
To qualify for this bounty, the whistleblower must provide original information – information that is derived from independent knowledge or analysis that is not already known to the U.S. Department of Transportation (U.S. DOT) or NHTSA. The information cannot be exclusively derived from an allegation made in a judicial or administrative proceeding or other outside source (such as a government report or investigation, or a media report). Whistleblowers must also first report the information through internal channels, except in limited circumstances, such as for good cause shown.
Therefore, manufacturers should act now to ensure they have internal policies in place that, among other things, provide reporting processes that include clear protections against retaliation for whistleblower actions. Fostering a culture of vehicle safety throughout the manufacturing process further reduces the risk of civil penalties and bounties for whistleblowers. 
“Original Information”
Under the final rule, a whistleblower who submits “original information” to NHTSA related to violations of NHTSA’s regulations may receive a monetary award in the form of a percentage of any civil penalties over $1 million paid by the violating entity. NHTSA’s final rule clarified that any restitution required of the violating entity is not considered a “civil penalty” for purposes of determining the amount of civil penalties assessed against the violating entity.
Under the Whistleblower Act, Congress defined “original information” as information:

derived from the independent knowledge or analysis of an individual;
that is not known to NHTSA from any other source (unless the whistleblower is the original source); and
that is not exclusively derived from an allegation made in a judicial or an administrative action, in a governmental report, a hearing, an audit, or an investigation, or from the news media, unless the whistleblower is a source of the information.

However, whistleblowers are not required by the final rule to “have direct, first-hand knowledge of potential violations.” Rather, whistleblowers “may have ‘independent knowledge’ of information even if that knowledge derives from facts or other information that has been conveyed by third parties.”
NHTSA excludes from consideration certain categories of information submitted by whistleblowers, including information:

Derived solely from attorney-client privileged communications;
Derived solely from attorney work product; or
Obtained in violation of Federal or State criminal law, as determined by a court.

Therefore, manufacturers should properly mark all attorney-client privileged communications and any attorney work product to prevent them from forming the basis for whistleblower reporting.
Whistleblower Reporting Requirements
To be eligible for the bounty, a potential whistleblower must file a claim for a whistleblower award by completing the WB-AWARD form and submitting it to NHTSA no later than 90 calendar days from the date NHTSA publishes a “Notice of Covered Action,” which notifies the public of its intent to assess civil penalties against a violating entity.
The potential whistleblower must also first report original information through the violating entity’s internal procedures, when such procedures are in place, unless[3]:

The whistleblower reasonably believed that such an internal report would have resulted in retaliation, notwithstanding 49 U.S.C. 30171(a);
The whistleblower reasonably believed that the information: (A) was already internally reported; (B) was already subject to or part of an internal inquiry or investigation; or (C) was otherwise already known to the motor vehicle manufacturer, part supplier, or dealership; or
The Agency has good cause to waive this requirement.

Thus, manufacturers should take steps now to implement internal reporting procedures and foster a culture of vehicle safety to increase the likelihood that they will first receive reports of suspected violations and have an opportunity to act, reducing the potential for civil penalties assessments and whistleblower fees.
Next Steps for Manufacturers
Manufacturers should remember that the best defense against Safety Act violations and civil penalties is to foster a culture of vehicle safety throughout their organizations. Consistent and clear messages that vehicle safety is a priority, coupled with robust internal processes and procedures that encourage reporting and proper evaluation of potential safety issues, can mitigate a manufacturer’s risk on multiple fronts, including the emergent risk associated with NHTSA’s whistleblower program and the risk of civil penalties assessments.
Manufacturers should also ensure that they have internal policies that provide clear protections against retaliation (including protections for whistleblowers, such as an anonymous reporting option) for anyone that reports a potential violation, as well as an appropriate level of transparency for the reporter (such as confirming an issue is being investigated by the relevant safety team). These policies and messages are important steps for fostering a safety culture and should be part of the manufacturer’s regular training programs. Finally, all documents that are subject to the attorney-client privilege or protected under the work product doctrine should be properly marked and stored.

[1] The Whistleblower Act is part of the Fixing America’s Surface Transportation (FAST) Act, signed into law by President Obama in 2015.
[2] See NHTSA Publishes Proposed Rule to Formalize its Whistleblower Program under the Motor Vehicle Safety Whistleblower Act for a discussion of the proposed rule.
[3] See 49 C.F.R. 513.7(g)

Reform to Mexico’s Federal Labor Law Related to Digital Platforms

Go-To Guide:

Mexico updates its Federal Labor Law to regulate digital platforms, ensuring standardized labor conditions and rights for gig economy workers. 
The amendments introduce new definitions and rules, including flexible work schedules, digital contracts, and algorithmic management transparency. 
Employers must provide social security, profit sharing, and training, while workers gain union rights and protection against discrimination. 
Non-compliance with the new regulations may result in fines, with a phased implementation.

On Dec. 24, 2024, Mexico published amendments to its Federal Labor Law regarding digital platforms. These changes take effect 180 days after publication.
This GT Alert highlights significant modifications to the law and details the new definitions, penalties, and implementation timelines. 

I. Purpose

 The amendments seek to establish a regulatory framework for digital platforms in Mexico that standardizes labor conditions for the employees working through these platforms. This includes compensation, effective access to social security, provision of benefits, implementation of security measures, and profit sharing. The regulation seeks to ensure that digital platform employees’ labor rights are protected under a legal framework. 
The initiative focuses on regulating the “gig economy” platforms, meaning income generation outside a traditional work scheme. Nonetheless, these regulations have implications for other similar business models operating under unconventional work schemes. The regulation seeks not only to standardize working conditions for employees working for these types of platforms, but also to potentially apply to any company with a similar business model, ensuring wider labor protection within the digital industry. 

II. New Definitions

Chapter IX B is incorporated into the Federal Labor Law, which addresses the topic of work on digital platforms, along with the following definitions related to this modality: 

1. Digital platform: Computer systems that assign tasks or services to workers for third parties using information technologies as defined in article 330-A of the Federal Labor Law.

2. Work on digital platforms: A subordinate employment relationship where workers provide physical services managed by a person or company through a digital platform.

3. Employee: An individual who works on digital platforms, earning at least one monthly minimum wage in Mexico City.

4. Effective working time: The period from when a worker accepts a task until they complete it. Employees who do not generate a monthly net income exceeding the amount specified in the preceding paragraph will be considered independent contractors.

5. Algorithm: Automated decision-making systems that control and supervise digital platform workers.

III. Changes

Employment Contract: Employers must use approved contract templates and can sign them digitally. Employers must submit the contract template to the Federal Center for Conciliation and Labor Registration for approval.
The contract should establish the equipment and work supplies provided, the percentage and amount the employer will pay the employee for each task service, work, or job, any bonuses that may be applicable, and health and safety obligations, among others. 
Work Schedule: Schedules are flexible and discontinuous, with employment existing only during effective working time. 
Salary: Pay is set per task and includes proportional amounts for rest days, vacations, and bonuses. 
Social Security: Tips that individuals generate on digital platforms will not be considered part of the base salary for social security purposes. Employers must cover occupational risks during effective working time. 
Profit Sharing: Workers with over 288 annual hours can participate in profit sharing. 
Union Freedom: Workers can form or join unions. 
Algorithmic Management: Employers must inform workers about how algorithms affect their employment. 
Employer Obligations: Special obligations are included for digital platform employees, as well as for employers and individuals who manage or operate services through digital platforms. 
Review Mechanisms: Digital platforms must provide employees with mechanisms to review decisions affecting their access to or connection with the platform. Autonomous personnel, not algorithms, must manage these mechanisms. 
Special Causes of Termination: New reasons for justified termination include:

submitting false data;
compromising user security;
engaging in acts of dishonesty or misconduct, acts of violence, threats, insults, harassment, and/or sexual harassment, mistreatment, discriminatory acts, or other similar acts during and due to work; and
repeatedly failing to comply with the accepted tasks, services, works, jobs, or work-related instructions without justified cause.

Training: Employers must provide necessary training and tools. 
Gender Perspective: Companies must protect workers from gender-based discrimination and violence.

IV. Fines

Violations will be subject to additional fines calculated based on the Unidad de Medida y Actualización (Unit of Measurement and Update, UMA), which is the economic reference in pesos used to determine the amount of payments for obligations and scenarios outlined in federal laws, state laws, and any legal provisions arising from them. For 2025, the UMA is valued at $113.14 Mexican pesos.

2,000-25,000 UMAs for failing to register contracts before the Federal Center for Conciliation and Labor Registration. 
1,000-25,000 UMAs for failing to issue or report modifications in the algorithmic management policy document. 
250-5,000 UMAs for violating the provisions of Article 291-K concerning administrating and managing services through digital platforms. 
500-25,000 UMAs for failing to implement the mechanisms outlined in Article 291-P regarding actions related to autonomous personnel rather than algorithms.

V. Implementation Deadlines

This regulation will be implemented gradually. 
The law becomes enforceable 180 days after its publication in the OGF. 
Before being enforceable, the Mexican Social Security Institute and the National Housing Fund Institute for Employees will issue guidelines through a mandatory pilot test to be conducted five days after the law takes effect. The guidelines will establish general rules on employers’ contributions for employees hired through digital platforms. 
The Mexican Social Security Institute will have 180 days from the rules’ publication date to consider the results of the pilot test and prepare additional compliance initiatives, which will be presented to the Legislative Branch for discussion.
The Ministry of Labor must, within five days of the rules’ effective date, establish the general provisions governing the net income calculation for employees, which is currently determined by tasks, services, or work performed.


FTC’s “Click to Cancel” Rule to Simplify Subscription Cancellations Becomes Effective

The final text of the amended Negative Option Rule, featuring the new “Click to Cancel” program, goes into effect this week on Wednesday, January 15, 2025, and should become enforceable approximately four months later on Wednesday, May 14, 2025. The FTC believes that this rule will help the FTC get money back to people who are misled by sellers who don’t tell the truth or leave out necessary information, people who get billed when they didn’t agree to pay, and sellers who make it hard, or impossible, to cancel. According to FTC Commission Chair Lina M. Khan, “Too often, businesses make people jump through endless hoops just to cancel a subscription. The FTC’s rule will end these tricks and traps, saving Americans time and money. Nobody should be stuck paying for a service they no longer want.”
This rule is part of the FTC’s ongoing review of its 1973 Negative Option Rule, which the agency is modernizing to combat unfair or deceptive practices related to subscriptions, memberships, and other recurring-payment programs in an increasingly digital economy where it’s easier than ever for businesses to sign up consumers for their products and services.
What is a negative option?
Negative options refer to transactions that include automatic renewals, continuity plans, and free- or fee-to-pay conversion offers where a buyer’s silence or failure to affirmatively act to either reject a good or service or to cancel the transaction is interpreted as continuing acceptance of the plan or offer. In other words, if the buyer does not cancel or take action to suspend the transaction’s recurring nature, they will continue to be periodically charged for the goods and services they may not have intended to purchase.
Scope of the amended rule
The amended rule applies to sellers of nearly all negative option programs (regardless of whether they originated online, via phone, or in-person), and the rule applies to both business-to-business and business-to-consumer transactions. 
What does the Negative Option Rule prohibit?
The rule: (1) prohibits misrepresentations of any material fact made while marketing using negative option features; (2) requires sellers to provide important information prior to obtaining consumers’ billing information and charging consumers; (3) requires sellers to obtain consumers’ unambiguously affirmative consent to the negative option feature prior to charging them; and (4) requires sellers to provide consumers with simple cancellation mechanisms to immediately halt all recurring charges.
One of the biggest concerns of the FTC is for sellers that give free-trial subscriptions to consumers and then those consumers complain that they didn’t know the details of the subscription obligations and/or the consumers have been unable to cancel the subscription. The rule requires important information to be truthful, clear, and easy to find. Consumers have to know what they’re agreeing to before they are signed up. Sellers have to be able to show that the consumers knew what they agreed to before they signed up. The rule requires there be a way to cancel any subscription that is as quick and easy as it was to sign up.
Potential enforcement
The rule indicates that violators can be held responsible for redress and other civil penalties. Sellers can expect litigation over the following allegations involving negative options for: 1) misrepresenting any material fact made while marketing goods or services; 2) failing to clearly and conspicuously disclose material terms prior to obtaining a consumer’s billing information; 3) failing to obtain a consumer’s express informed consent before charging the consumer; and, 4) failing to provide a simple mechanism to cancel and immediately halt charges. The rule requires sellers to implement a framework that prevents the aforementioned, and violations can result in not just having to refund the consumer’s fees, but also being held responsible for civil penalties.
Rule is not popular with everyone
The rule faces multiple overlapping legal challenges across the country, such as in the Fifth Circuit Court of Appeals. The rule also faces a change in administration, and one of the most relevant concerns may be the sharp dissent from recently appointed FTC Commissioner Melissa Holyoak.
Remember the state rules
In addition to the FTC rule, negative option sellers should be mindful that automatic renewals remain a priority for state regulators. California, for example, updated its specific requirements four times in the last 14 years, the latest text of which explicitly applies to “free-to-pay conversions” of the type regulated in the updated federal rule, among other textual similarities. The state’s recent stringent update to the law will become effective on July 1, 2025, and mirrors, and in some aspects goes beyond, the FTC rule. 

Telecom Alert: 6th Circuit Net Neutrality Decision; Updated Application Fees; January Open Meeting; Rip and Replace Funding; RMD Filing Requirements [Volume XXII, Issue 2]

6th Circuit Overturns Net Neutrality Order
The 6th Circuit issued an opinion on January 2nd rejecting FCC arguments to uphold its statutory authority to impose net-neutrality policies and declaring that commercial broadband providers are not “telecommunications services” subject to Title II regulations under the Communications Act. The Court, relying on “the traditional tools of statutory construction,” instead classified broadband providers as offering an “information service” which escapes common-carrier regulations. The Court also rejected once long-standing deference to the FCC’s technical and policy expertise under the Chevron doctrine, citing the recent Loper Bright decision which permits courts to use their own judgment to interpret laws. 
FCC Announces 2025 Application Fee Schedule
The FCC adopted rule changes to its Schedule of Application Fees at the end of the year to reflect Consumer Price Index (CPI) changes in even-numbered years. Commissioner Carr noted that the CPI increased by 17.41% since the last adjustment in 2022, which in part was related to rising inflation. While the rule changes do not implement proposed fee alterations in open rulemakings, the Order raised fees for Section 214 authorizations and cable landing licenses, wireless and experimental licensing, among other applications. 
FCC Announces January Open Meeting
FCC Chairwoman Rosenworcel announced the Commission will hold an Open Meeting on January 15, 2025. In contrast to past meetings, the upcoming Open Meeting will have four panels attended by different bureaus, each providing summaries on their accomplishments over the past administration, as well as goals for the future. Topics from the bureaus will include expanding connectivity and access, competition in the marketplace, national security and public safety initiatives, and the future of communications. 
FCC Proposes Auction Rules to Fund Rip and Replace Program
Following the passage of the National Defense Authorization Act, the FCC now has authority to fully fund its Rip and Replace Program, designed to reimburse companies for replacing equipment and services manufactured by entities deemed threats to national security. Within the NDAA, the Spectrum and Secure Technology and Innovation Act allows the FCC to borrow up to $3.08 billion to fund the program. To repay the borrowed funds, Chairwoman Rosenworcel hopes the Commission will expedite consideration of a Notice of Proposed Rulemaking updating the competitive bidding rules for the AWS-3 spectrum bands, whose proceeds will be directed to the Rip and Replace Program. 
FCC Adopts New Filing Requirements for Robocall Mitigation Database
In efforts to combat illegal robocalls on voice service provider networks, the FCC has adopted new filing requirements for providers on its Robocall Mitigation Database (RMD). The RMD is an extensive public database which tracks provider compliance with STIR/SHAKEN and robocall mitigation rules. The new rules now require providers to annually re-certify the accuracy of their mitigation plans and pay a $100 filing fee. Additionally, a new reporting mechanism for deficient filings as well as enhanced two-factor authentication will be implemented and managed by the Wireline Competition Bureau.
Casey Lide, Thomas B. Magee, Tracy P. Marshall, Sean A. Stokes, and Wesley K. Wright also contributed to this article.

WRONG PERSON: Arbitration Denied in TCPA Suit As Camping World Looks to Have Texted a Reassigned Number– But Why?

Another day, another difficult TCPA ruling involving an online webform submission.
This time arbitration was denied in a putative TCPA class action arising out of a webform submission on campingworld.com.
In Conrad v. Camping World Holdings, 2025 WL 66689 (N.D. Al. Jan. 9, 2025), the defendant moved to compel arbitration, contending Plaintiff had signed up for a recurring text program on its website, supplied his phone number and agreed to arbitration in the process.
Just one little problem– the Plaintiff claims he did not even own the phone number at the time the form was submitted. So–in his view–it would be impossible for him to have filled out the form.
The Court agreed and determined that, given Camping World’s lack of evidence that Conrad himself filled out the form, arbitration must be denied. (This also means any consent disclosure on the website would also not apply to Plaintiff!)
Conrad once again highlights the trouble with online web submissions– you never really know who is filling out the form. But the Camping World flow apparently did not collect the name of the submitted party–just relying on a double opt in to assure TCPA compliance. That is a somewhat risky maneuver.
The real risk, however, is in reassigned numbers. The number was subscribed onto the text program in 2022 but plaintiff received the texts after he obtained the number in September, 2023. This suggests to me the number changed hands and the texts went to the wrong number.
The simple way to avoid such issues is just to use the FCC’s reassigned numbers database!
If you are sending text messages on a recurring basis to numbers you obtained more than 90 days ago you simply must be using this database to avoid inevitable TCPA risk when numbers change hands.

Game On: How the CFPB’s EFTA and Regulation E Changes Could Shape Video Game and Online Marketplace Transactions

The Electronic Fund Transfer Act (EFTA) and Regulation E apply to an electronic fund transfer (EFT) that authorizes a “financial institution” to debit or credit a consumer’s account. While a “financial institution” traditionally refers to a bank, credit union, or savings association, it is well established that “financial institutions” can also include non-bank entities that directly or indirectly hold an account belonging to a consumer, or that issue an access device and agree with a consumer to provide EFT services. Prepaid accounts and “other consumer asset accounts” into which funds can be deposited by or on behalf of the consumer and which have features of deposit or savings accounts, also meet Regulation E’s definition of “account.” Some video game accounts used to purchase virtual items from multiple game developers or players may fall under the definition of “other consumer asset accounts.”
In April 2024, the Consumer Financial Protection Bureau (CFPB) issued a report on the banking and payment services becoming more prevalent in gaming and virtual worlds where consumers spend billions of dollars annually to purchase gaming assets—often by converting U.S. dollars to virtual currencies. The report raised concerns about consumer protections and the uncertain allocation of responsibility for errors or fraud when a customer’s digital currency or assets are lost through hacking, account theft, scams, or unauthorized transactions.
Recent Developments
Following that report, on January 10, 2025, the CFPB issued a proposed interpretive rule that aims to expand the scope of Regulation E’s coverage to video game platforms that hold consumers’ money for personal, family, or household use and treat those game platforms as if they are account holders just like a bank or credit union for Regulation E purposes.
The interpretive rule expands on what constitutes an EFT, particularly for new payment methods such as peer-to-peer payment platforms and digital wallets. This expansion includes transfers initiated through apps and payment systems tied to consumer accounts. The key is whether the funds act like or are used like money, such that they are accepted as a medium of exchange, a measure of value, or a means of payment.
The interpretive rule would also clarify that video game companies operating online marketplaces or otherwise facilitating EFTs would be subject to the consumer protection provisions under Regulation E, namely investigation and error resolution obligations. Additionally, the interpretive rule would require a video game company to disclose the terms and conditions of EFT services.
Next Steps
The CFPB is soliciting comments from the gaming community for this proposed interpretive rule, which must be sent via email to [email protected] on or before March 31, 2025.

7 Practical Tips for Preparing for the 2025 Annual Report and Proxy Season

As the 2025 proxy season approaches, public companies must gear up for an environment shaped by evolving regulations, investor expectations, and governance trends. To ensure your company is well-prepared, here are some practical tips to keep in mind:
1) Dust Off the Proxy Season Calendar and Confirm Filer Status
Start your preparations by revisiting your proxy season timeline. Ensure you know your key deadlines for Securities and Exchange Commission (SEC) filings, including the Form 10-K/20-F, proxy statement, and annual meeting. Check your filer status (e.g., large accelerated, accelerated, non-accelerated) to confirm applicable deadlines and determine whether any recent status changes affect your compliance requirements.
2) Be Aware of New SEC Disclosure Obligations
The SEC has introduced several new disclosure obligations for 2025. Among others, there are two key changes to note:

Insider Trading Policies and Procedures.

Narrative Disclosure – Item 408(b) of Regulation S-K requires a company to disclose whether it has adopted policies or procedures governing purchases, sales, or other dispositions of its securities by directors, officers, and employees or by the issuer itself and, if not, why it has not done so. 
Exhibit Filing – Any insider trading policy must be filed as Exhibit 19 to the 2024 Form 10-K. If the company’s code of ethics includes such a policy, a separate exhibit filing is not required. (A similar disclosure requirement applies under Item 16J of Form 20-F.)

Option Award Granting Policies and Procedures (402(x) of Regulation S-K): 

Narrative Disclosure – Under new Item 402(x), a company must provide narrative disclosure discussing its policies and practices regarding the timing of awards of stock options, stock appreciation rights (SARs) and similar option-like instruments in relation to the disclosure of material nonpublic information (MNPI), including how the board determines when to grant these awards. In addition, a company must disclose whether the board or compensation committee takes MNPI into account when determining the timing and terms of applicable awards, and, if so, how and whether the company has timed the disclosure of MNPI for the purpose of affecting the value of executive compensation.
Potential New Tabular Disclosure – New Item 402(x) also requires detailed tabular disclosure if, during the last completed fiscal year, stock options, SARs or similar option-like instruments were awarded to a named executive officer (NEO) within a period starting four business days before and ending one business day after the filing of a Form 10-K or 10-Q, or the filing or furnishing of a Current Report on Form 8-K that discloses MNPI (including earnings information).

3) Revisit Cybersecurity Disclosure in Light of SEC Comment Letters and Trends
On July 26, 2023, the SEC adopted final rules requiring (i) the disclosure of material cybersecurity incidents in Form 8-K, and (ii) new cybersecurity risk management, strategy, and governance disclosures in Form 10-K and 20-F. All public companies were required to comply with these disclosure requirements for the first time beginning with their annual reports on Form 10-K or 20-F for the fiscal year ending on or after Dec. 15, 2023. As a result, calendar fiscal year companies included these disclosures for the first time in their respective annual report filings last annual reporting cycle.
With the passage of time, we are beginning to see SEC comment letters issued on filings related to the new cybersecurity disclosure rules. We believe it is prudent to be familiar with these comment letter trends to assess whether any improvements might apply to a company’s first-year disclosures.
Here is an SEC comment exchange related to a company’s Item 1C cybersecurity disclosures (with the SEC comment in bold and the response following):
“We note your senior leadership team consisting of your CEO and his direct reports (SLT) is responsible for setting the tone for strategic growth, effective operations and risk mitigation at the management level, as well as, the overall managerial responsibility for confirming that the information security program functions in a manner that meets the needs of Equifax. We also note that you described the relevant expertise of your CISO but not of the other members of the SLT. Please revise future filings to discuss the relevant expertise of such members of senior management as required by Item 106(c)(2)(i) of Regulation S-K.
We respectfully acknowledge the Staff’s comment above. While our senior leadership team (“SLT”) has responsibility for risk management at the managerial level and overall managerial responsibility for the various programs of the Company, including information security, our Chief Information Security Officer (“CISO”) is the management position responsible for assessing and managing material risks from cybersecurity threats under Item 106(c)(2)(i) of Regulation S-K. In future filings, we will clarify that the CISO is the management position responsible for assessing and managing material risks from cybersecurity threats.”
It appears the SEC staff accepted the reporting person’s explanation in the above-referenced exchange, as there were no follow-up letters made public. A link to the actual letter is here.
4) Be Aware of Proxy Advisory and Institutional Shareholder Policy Updates
Both Glass Lewis and ISS have updated their guidelines for 2025, which take effect for meetings held after Jan. 1, 2025 for Glass Lewis and on or after Feb. 1, 2025 for ISS. Below are a few key takeaways from their updates:

Board Oversight of AI

Given the rise in the use of artificial intelligence (AI), Glass Lewis has noted the importance of boards’ awareness of and policies surrounding the use of such technologies and the potential associated risks. If the company has not suffered any material incidents related to its use or management of AI, Glass Lewis will generally not make voting recommendations on the basis of its oversight of AI-related issues, but if there has been a material incident, Glass Lewis will review the company’s AI-related policies to ensure sufficient oversight and adequate response to such incidents and may recommend against certain directors in light thereof.

Defensive Profile and Reincorporation.

Glass Lewis revised its stance on reincorporating the company in different states to clarify that it will take these on a case-by-case basis, depending on the shareholder rights, financial benefits, and other corporate governance provisions of the laws of the state or country of reincorporation.
ISS votes case by case when it comes to poison pills with a term of one year or less, but this year it added several factors to its list of items it takes into consideration, including the context in which the pill was adopted and the company’s overall track record regarding corporate governance. This allows for a more holistic approach in ISS’s evaluation.

Executive Compensation.

In the aftermath of the first full year of pay versus performance disclosures, Glass Lewis has clarified it will continue to evaluate executive compensation programs holistically and not in accordance with a predetermined scorecard. While there are some factors that may lead to a recommendation against or for a say-on-pay vote, Glass Lewis said it will evaluate each program in the context of its whole, rather than its parts.

Board Responsiveness to Shareholders.

Both advisors included discussion about the board’s willingness and ability to respond to shareholders in their updates for this year. Glass Lewis has added to its discussion on board responsiveness a recommendation that shareholder proposals that received significant support but did not pass (generally more than 30 percent but less than a majority) should elicit board engagement with shareholders to address the issue and then provide disclosure of those efforts. Additionally, in its evaluation of whether to recommend a vote for or against a short-term poison pill, ISS states it will include the board’s responsiveness to shareholders in its review of the company’s corporate governance practices.

Expansion of Environmental Focus.

ISS revised its guidance on what used to be its section on general environmental and community impact proposals to include all natural capital-related matters. This includes topics like biodiversity, deforestation and related ecosystem loss, and other areas that group under the theme “natural capital.” 

SPACs

ISS revised its stance on proposals for special purpose acquisition companies (SPAC) extensions from a case-by-case model with a variety of factors at play, including length of the request, prior requests for extension, and acquisition transactions pending in the pipeline, to a general support of extensions of up to one year from the original termination date.

In addition to ISS and Glass Lewis, in December 2024 BlackRock released its updated U.S. proxy voting guidelines for benchmark policies.
5) Consider Hypothetical Risk Factors
On Nov. 6, 2024, the U.S. Supreme Court heard oral arguments for Facebook, Inc. v. Amalgamated Bank, a securities law case involving the 2016 Facebook (now Meta)/Cambridge Analytica’s user data scandal. Facebook investors alleged that the company, among other things, had included in its risk factor disclosures references to risks of unauthorized user data disclosures, but such risks were presented as hypothetical when in fact they had already materialized. 
In its Oct. 18, 2023 opinion, the U.S. Court of Appeals for the Ninth Circuit ruled, “Because Facebook presented the prospect of a breach as purely hypothetical when it had already occurred, such a statement could be misleading even if the magnitude of the ensuing harm was still unknown.” Facebook subsequently filed a petition to the Supreme Court for a writ of certiorari. On Nov. 22, 2024, the Supreme Court dismissed the case on the grounds that the writ of certiorari was improvidently granted, affirming the Ninth Circuit’s ruling.
In light of this case and the continued hindsight focus on “hypothetical risk factors” by shareholder litigants, companies should consider reviewing their risk factors and assess whether any of them that may be deemed “hypothetical” have actually occurred, and therefore require further disclosures.
6) Familiarize Yourself With SEC Changes to EDGAR System
On Sept. 27, 2024, the SEC adopted a series of rule and form amendments concerning access to and management of accounts on its Electronic Data Gathering, Analysis, and Retrieval system (EDGAR). These amendments – designed to enhance the security of EDGAR, improve the ability of filers to manage their EDGAR accounts, and modernize connections to EDGAR – are collectively referred to as EDGAR Next.
At the heart of the amendments is a shift in how filers (and appropriately permissioned third parties) access EDGAR. Presently, the SEC assigns EDGAR filers access codes; any individual in possession of a filer’s access codes may access the filer’s account, view and make changes to the information maintained therein, and transmit submissions on the filer’s behalf. EDGAR Next will retire the majority of these codes and require that EDGAR filers authorize specific individuals to perform the above-mentioned functions. Each authorized individual will verify their identity using login.gov credentials. 
Enrollment in EDGAR Next opens on March 24, 2025, and all existing filers must enroll by Dec. 19, 2025.
To get a jump on preparing for enrollment, filers should take the earliest opportunity to (i) ensure that all of their existing EDGAR access codes are current and (ii) identify the individuals (e.g., employees, legal advisors, third-party filing agents) who will need access to their EDGAR accounts. Individuals who anticipate interfacing with the EDGAR Next system should obtain login.gov credentials.
7) Changes to Nasdaq Diversity Disclosure Requirement
In December 2024, the U.S. Court of Appeals for the Fifth Circuit vacated the SEC’s approval of Nasdaq’s board diversity rules. Nasdaq has stated that it will not appeal the decision. As a result, Nasdaq-listed companies will no longer need to include the previously required board diversity matrix in their proxy statement or on their website, or provide other narrative disclosure explaining why they did not have at least the minimum number of directors in specified diversity categories. There was no comparable disclosure requirement for New York Stock Exchange (NYSE) listed companies.
Notwithstanding this change, board diversity remains a continued focus for many public company boards and other considerations are still in place. For example, ISS, Glass Lewis and certain large institutional investors have their own diversity standards that may influence a company’s disclosure, and Item 407(c) of Regulation S-K may elicit diversity-related disclosures regarding a nominating committee’s consideration of director candidates. As a result, many companies are continuing to solicit such information in their directors and officers (D&O) questionnaires for the 2025 proxy season. Ultimately, each public company will need to consider relevant factors in determining whether, or to what extent, diversity factors into their SEC disclosures.

CFPB Announces Plans to Regulate Nonbank Personal Loan Providers

On January 8, the CFPB announced its intent to pursue rulemaking that would allow the agency to oversee nonbank personal loan lenders. The announcement came in response to a petition filed in September 2022 by the Consumer Bankers Association and the Center for Responsible Lending, which called on the CFPB to engage in rulemaking under section 1024(a)(2) of the Consumer Financial Protection Act to subject certain “larger participants” in the nonbank personal loan market to the CFPB’s supervisory authority.
The petitioners argued that, although the CFPB’s supervisory authority already extends to large banks and nonbanks in most segments of consumer lending, the CFPB’s authority over the personal loan market currently does not extend beyond short-term payday lenders. The petitioners further argued that this gap in the CFPB’s supervisory authority creates both an unlevel playing field and a significant risk that consumer protection issues affecting vulnerable consumers will go undetected.
In a response letter to the petitioners, the CFPB’s general counsel acknowledged the gap in the agency’s authority over the nonbank segment of the personal loan market, which consists of 85 million accounts and over $125 billion in outstanding balances. In addition, the letter expresses agreement with the petitioners’ concerns with respect to the unlevel playing field that this gap creates. Finally, the letter states that, while the CFPB is already supervising certain nonbank personal loan providers pursuant to other authorities, the Bureau further intends to develop a proposed rule in line with the petitioners’ suggestion.
Putting it into Practice: Although the CFPB has expressed its intent to pursue so-called “large participant” rulemaking, it is unclear whether there will be any follow through. Anticipated shifts in policy priorities under the incoming administration may mean that the Bureau will not ultimately pursue the rulemaking. Despite this uncertainty, the petitioners have expressed that they are eager to continue working with the Bureau to level the playing field in the nonbank personal loan market.

CFPB Updates No-Action Letter and Compliance Assistance Sandbox Policies to Spur Innovation

On January 3, 2025, the CFPB announced a reboot of its no-action letter and compliance assistance sandbox policy, aimed at promoting consumer-beneficial innovation in financial services. The new policies are designed to foster competition and transparency while addressing unmet consumer needs.
The CFPB originally rescinded the policies in 2022, citing a failure to meet transparency standards and promote consumer-beneficial innovation. The updated framework aims to address these shortcomings with several key changes, including:

Unmet Consumer Needs. Applicants must clearly identify a specific consumer problem their product or service addresses, providing data and detailed explanations to justify the innovation’s necessity and benefits.
Market Competition. To avoid granting regulatory advantages to an individual company, the CFPB will solicit applications from competitors offering similar products or services, ensuring a level playing field within the market. The Bureau does not want any company to have a first-mover advantage; but with its policy, the CFPB is essentially signaling to your competitors what you intend to do.
Eligibility Criteria. The CFPB will not consider applications from companies that have been the subject of an enforcement action involving violations of federal consumer financial law in the past five years, or that are the subject of a pending state or federal enforcement action. This restriction applies even if the enforcement action was in a product vertical wholly unrelated to the one being considered for the no-action letter.
Former CFPB Employees Face Bureau “Non-Compete.” The Bureau has stated it will not consider applications from companies that are represented by former CFPB attorneys as outside counsel, even if those lawyers worked at the Bureau more than ten years ago, to avoid any perceived “ethical conflict.” 

Finally, recipients of sandbox approvals or no-action letters are prohibited from using these designations in promotional materials to avoid misleading consumers into believing the CFPB endorses their offerings.
Putting It Into Practice: With less than a week to go before a change in administration, the Bureau has decided to reboot its regulatory sandbox policy. However, given the overbearing requirements and restrictions on applying for a no-action letter under the Bureau’s new innovation policies, it will be interesting to see how many companies decide to apply, or if the policies will soon be rescinded.

CFPB Alleges Credit Reporting Agency Conducted Sham Investigations of Errors

On January 7, 2025, the CFPB filed a lawsuit against a nationwide consumer reporting agency for violations of the Fair Credit Reporting Act. The lawsuit claims the company’s investigation of consumer disputes was inadequate, specifically criticizing their intake, processing, investigation, and customer notification processes. The lawsuit also alleges the company reinserted inaccurate information on credit reports, which the agency alleges harmed consumers’ access to credit, employment, and housing. In addition to FCRA, the Bureau alleges that the company’s faulty intake procedures and unlawful processes regarding consumer reports violated the Consumer Financial Protection Act’s (CFPA) prohibition on unfair acts or practices.
Specifically, the Bureau alleges the company:

Conducted sham investigations. The CFPB claims the company used faulty intake procedures when handling consumer disputes, including not accurately conveying all relevant information about the disputes to the original furnisher. The company also allegedly routinely accepted furnisher responses to the disputes without an appropriate review, such as when furnisher responses seemed improbable or illogical, or when the company had information that the furnisher was unreliable. The Bureau also alleged the company failed to provide consumers with investigation results and provided them ambiguous, incorrect, or internally inconsistent information.
Improperly reinserted inaccurate information on consumer reports. The CFPB alleged the company failed to use adequate matching tools, leading to reinsertion of previously deleted inaccurate information on consumer reports. Consumers who disputed the accuracy of an account and thought their consumer report had been corrected instead saw the same inaccurate information reappear on their consumer report without explanation under the name of a new furnisher.

Putting It Into Practice: This lawsuit reflects a broader trend of the CFPB’s increased regulatory scrutiny of FCRA compliance (previously discussed here, here, and here). The CFPB has demonstrated a focus on ensuring the accuracy and integrity of consumer credit information. Consumer reporting agencies should proactively review their policies and procedures related to dispute investigation, data handling, and furnisher interaction to ensure they are in compliance with all aspects of the FCRA.
