Healthcare Preview for the Week of: May 12, 2025 [Podcast]

Reconciliation Text Is Here

Late Sunday night, May 11, 2025, the House Committee on Energy and Commerce released the much-anticipated budget reconciliation bill text ahead of its scheduled markup on May 13, 2025.
While the Congressional Budget Office (CBO) has not yet released a score, we expect that it will do so before the markup. In the meantime, CBO provided a letter to Energy and Commerce Chairman Guthrie confirming that the committee exceeds the $880 billion in federal savings that the House budget resolution instructed the committee to find. The vast majority of the bill’s policies and savings are in the Medicaid program, some of which were expected, including:

Establishing new work requirements in Medicaid (called “community engagement requirements” in the legislative language)
Repealing the Biden-era eligibility rules and nursing home staffing rule

Additional Medicaid policies include:

Prohibiting gender transition procedures, focused on minors
Restricting coverage of undocumented immigrants by reducing the federal match for the expansion population to 80% if the state covers undocumented immigrants with state-only funds, and checking immigration status sooner than 90 days
Implementing new cost-sharing requirements and verifying eligibility every six months for the expansion population
Banning spread pricing by pharmacy benefit managers (PBMs) and prohibiting PBM compensation based on the price of a drug as a condition of entering into a contract with a prescription drug plan in Medicare

The legislation also includes versions of policies that remain highly contested among many stakeholders, including:

Implementing a moratorium on new state directed payments (SDPs) that exceed the Medicare rate, as opposed to adjusting existing SDPs that go up to the average commercial rate
Introducing a moratorium on new or increased provider taxes, as opposed to reducing or removing existing provider taxes
Closing the managed care organization (MCO) provider tax “broad based” loophole, which is expected to impact seven of the 20 states that use MCO provider taxes (California, Illinois, Massachusetts, Michigan, New York, Ohio, and West Virginia)

You can brush up on these policies and more in our Medicaid Restructuring Options document.
The bill includes additional provisions outside of Medicaid. For example, it would codify the March 2025 Affordable Care Act program integrity proposed rule, which includes provisions to roll back certain special enrollment periods, impose new premium payments for certain individuals, prohibit states from providing coverage for sex-trait modification as an essential health benefit, and exclude Deferred Action for Childhood Arrivals recipients from the definition of “lawfully present.” It proposes a short term “doc fix,” which would establish a single conversion factor for clinicians who are qualifying participants in Advanced Alternative Payment Models and those who aren’t, and would set the update to the single conversion factor at 75% of the Medicare Economic Index (MEI) in calendar year (CY) 2026 and at 10% of the MEI for CY 2027 and future years. The bill would also prevent disproportionate share hospital payment cuts until 2029.
This bill is still in the early stages of committee processes, and we still need to see CBO estimates for federal savings and coverage changes (likely decreases). The committee markup will likely last well into the evening on Tuesday, with Democrats offering amendments and critiques. Assuming the bill passes committee, it will then need to be stitched together with the other bills that make up reconciliation for consideration on the House floor.
We are also waiting for additional language and official notice of a markup from the House Committee on Ways and Means, which has jurisdiction over the Medicare program. Its early release of language was incomplete. House Speaker Mike Johnson has indicated a desire to get the reconciliation package through the House by the Memorial Day recess.
Outside of reconciliation, the Senate Committee on the Judiciary will hold a hearing on PBMs, and the House Committee on the Judiciary, Subcommittee on Administrative State, Regulatory Reform, and Antitrust will hold a hearing on graduate medical education and evaluating the medical residency antitrust exemption.
US Department of Health and Human Services (HHS) Secretary Robert F. Kennedy Jr. will testify on Wednesday, for the first time as the HHS Secretary, before the House Appropriations Committee and the Senate Committee on Health, Education, Labor, and Pensions on the president’s fiscal year 2026 proposed HHS budget.
Secretary Kennedy along with Centers for Medicare & Medicaid Services Administrator Mehmet Oz participated in a press conference on Monday morning as President Trump signed a new executive order requiring the establishment of “most-favored-nation” pricing for prescription drugs.
Today’s Podcast

In this week’s Healthcare Preview, Debbie Curtis and Rodney Whitlock join Maddie News to discuss the released text of the House Energy and Commerce Committee’s reconciliation language and what comes next.

Bid Protests in Nevada

In Nevada’s competitive public procurement landscape, contractors and vendors invest substantial time and resources to secure government contracts. When a bid is unsuccessful — especially when there’s a suspicion of procedural errors or unfair treatment — the Nevada Revised Statutes (NRS) provide a formal avenue for challenge.
Understanding the Bid Protest or “Appeal” Process under NRS 333.370
Nevada law allows a person who submitted an unsuccessful bid or proposal to file an “appeal” challenging the contract award. However, strict deadlines and procedural requirements apply.
1. Timing Is Critical
An appeal must be filed within 11 days of the date of award as listed in the bid record. This timeline is generally non-negotiable and begins the moment the bid award becomes public.
2. Filing Requirements
The appeal process starts by submitting a notice of appeal to both the Purchasing Division and the Hearings Division of the Department of Administration. This notice must contain a written statement detailing the alleged violations of NRS Chapter 333.
3. Mandatory Security Deposit
To discourage frivolous appeals, Nevada law requires the appellant to post a bond or provide other approved security. The amount must equal 25% of the total value of the successful bid. If the contract value is based on estimates, 25% of the estimated value is used instead. This security is held until a final determination is made. If the appeal is rejected and the award is upheld, a claim may be made against the bond or other security by the Purchasing Division in an amount equal to the expenses incurred or other monetary losses suffered by the Purchasing Division and procuring agency.
4. Contested Hearing
A contested hearing must occur within 20 days of the notice of appeal. The successful bidder must also receive notice and has the right to intervene and participate. The procedures of the contested hearing, including notice provisions, contents of the appeal, avenues of informal disposition, contents of the record, standards of review, standards of proof, and requirements for the final decision are detailed in NRS 233B.121 and 233B.125.
The record for a contested hearing must include, at minimum:

All pleadings, motions and intermediate rulings.
Evidence received or considered.
A statement of matters officially noticed.
Questions and offers of proof and objections, and rulings thereon.
Proposed findings and exceptions.
Any decision, opinion or report by the hearing officer presiding at the hearing.

The hearing officer will issue a determination within 60 days, which must be in writing and include findings of fact and conclusions of law.
5. Grounds for Cancellation
Importantly, the hearing officer may only cancel a contract award if there is a finding of non-compliance with NRS Chapter 333. A cancellation of the award requires a new award in compliance with NRS Chapter 333.
6. Automatic Stay and Limitations on Legal Action
Once an appeal is filed, it operates as a stay — halting further action on the contract until a decision is rendered. Additionally, judicial review is generally not available until the administrative process concludes.
7. Emergency Purchases
While the appeal is pending, the state is allowed to make temporary open-market purchases to meet urgent needs, minimizing disruption to public services.
8. No Liability for Damages
Even if an appeal is successful, the statute explicitly shields the state and its agents from liability. This includes attorneys’ fees, lost income, and other costs incurred by the unsuccessful bidder.
Final Thoughts
If you’re considering a bid protest or appeal, it’s advisable to consult legal counsel early to assess the merits of your case and navigate the complex procedural framework.

EPA Postpones TSCA PFAS Reporting Period to April 2026

The U.S. Environmental Protection Agency announced on May 12, 2025, an interim final rule that would extend the dates of the reporting period for data submitted on the manufacture of perfluoroalkyl or polyfluoroalkyl substances (PFAS) under the Toxic Substances Control Act (TSCA). Under the interim final rule, the data submission period would begin April 13, 2026, and end October 13, 2026. Small manufacturers reporting exclusively as article importers would have until April 13, 2027, to report. According to EPA, the extension will allow it to develop and test further the software being used to collect data from manufacturers, “thereby providing critical feedback to EPA, including what additional guidance would be useful for the reporting community.” A pre-publication version of the interim final rule, which is scheduled to be published on May 13, 2025, has been posted. Publication of the interim final rule in the Federal Register will begin a 30-day comment period.
According to the interim final rule, the current reporting start date of July 11, 2025, does not allow EPA time to conduct industry beta testing of the Central Data Exchange (CDX) application and incorporate feedback prior to the start of the submission period. EPA states that “[w]ithout a period of industry beta testing as previously planned, the current reporting timeline is no longer tenable, and maintaining that timeline would require entities to submit data before EPA has sufficiently verified that the technological capacity is in place to accept that data. This would negatively impact EPA’s ability to collect, organize, and make the collected data available to the public, which is the underlying objective of the regulation as well as the Congressional direction that required its promulgation.”
According to the interim final rule, EPA is separately considering reopening certain aspects of the rule to public comment. EPA states that the delayed reporting date ensures that it has adequate time to consider the public comments and propose and issue any final modifications to the rule before the submission period begins. EPA notes that at this time, however, it “is not reopening or reconsidering any provisions of the underlying reporting rule other than the submission period dates.” As reported in our May 4, 2025, blog item, on May 2, 2025, a coalition of chemical companies submitted a TSCA Section 21 petition seeking “the typical TSCA 8(a) reporting exemptions (e.g., by-products, impurities, articles, [research and development (R&D)] materials, and a production volume threshold)” that apply in other TSCA Section 8(a) reporting rules. EPA’s April 28, 2025, announcement outlining upcoming Agency actions to address PFAS includes implementing TSCA Section 8(a)(7) “to smartly collect necessary information, as Congress envisioned and consistent with TSCA, without overburdening small businesses and article importers.” More information on EPA’s reporting rule is available in our October 3, 2023, memorandum.
Commentary
It has been widely speculated that the Trump Administration would delay the PFAS reporting requirements and/or substantively amend the rule to relieve the reporting burden. This forthcoming Federal Register notice answers the first question and states that EPA is considering “reopening certain aspects of the rule to public comment.” While it remains unclear what EPA may be considering revising, should EPA reopen the rule for comment more broadly, it is certain EPA will get an earful during the comment period on what EPA should do to right side the rule.

Colorado’s Artificial Intelligence Act (CAIA) Updates: A Summary of CAIA’s Consumer Protections When Interacting with Artificial Intelligence Systems

During the 2024 legislative session, the Colorado General Assembly passed Senate Bill 24-205, which is known as the Colorado Artificial Intelligence Act (CAIA). This law will take effect on February 1, 2026, and requires developers and deployers of a high-risk AI system to protect Colorado residents (“consumers”) from risks of algorithmic discrimination. Notably, the Act also requires developers or deployers to disclose to consumers that they are interacting with an AI system. Colorado Gov. Jared Polis, however, had some concerns in 2024 and expected that the legislators would refine key definitions and update the compliance structure before the effective date in February 2026.
As Colorado moves forward toward implementation, the Colorado AI Impact Task Force issued its recommendations for updates in its February 1, 2025 Report. These updates — along with the description of the Act — are covered below.
Background
A “high-risk” AI system is defined to include any machine-based system that infers outputs from data inputs and has a material legal or similar effect on the provision, denial, cost, or terms of a product or service. The statute identifies various sectors that involve consequential decisions, such as decisions related to healthcare, employment, financial or credit, housing, insurance, or legal services. Additionally, CAIA has numerous carve-outs for technologies that perform narrow tasks or certain functions, such as cybersecurity, data storage, and chatbots.
Outside of use case scenarios, CAIA also imposes on developers of AI systems the duty to prevent algorithmic discrimination and protect consumers from any known or foreseeable risks arising from the use of the AI system. A developer is one that develops or modifies an AI system used in the state of Colorado. Among other things, a developer must make documentation available for the intended uses and potential harmful uses of the high-risk AI system. 
Similarly, CAIA also regulates a person that is doing business in Colorado and deploys a high-risk AI system for Colorado residents to use (the “deployer”). Deployers face stricter regulations and must inform consumers when AI is involved in a consequential decision. The Act requires deployers to implement a risk management policy and program to govern the use of the AI system. Further, the deployers must report any identified discrimination to the Attorney General’s Office within 90 days and must allow consumers to appeal AI-based decisions or request human review of the decision when possible. 
Data Privacy and Consumer Rights
Consumers have the right to opt out of data processing related to AI-based decisions and may appeal any AI-based decisions. This opt-out provision may impact further automated decision-making related to the Colorado resident and the processing of personal data profiling of that consumer. The deployer must also disclose to the consumer when a high-risk AI system has been used in the decision-making process that results in an adverse decision to the consumer. 
Exemptions
The CAIA contains various exemptions, including for entities operating under other regulatory regimes (e.g., insurers, banks, and HIPAA-covered entities) or for the use of certain approved technologies (e.g., technology cleared, approved, or certified by a federal agency, such as the FAA or FDA). There are some caveats, however. For example, HIPAA-covered entities are exempt to the extent they are providing healthcare recommendations that are generated by an AI system that require the HIPAA-covered entity to take action to implement the recommendation and are not considered to be “high risk.” Small businesses are exempt to the extent that they employ fewer than 50 full-time employees and do not train the system with their own data. Thus, deployers should closely analyze the available exemptions to ensure their activities fall squarely within the recommendations.
Updates
The recent Colorado AI Impact Task Force Report encourages additional changes to CAIA before it is enforced in February 2026. The current concerns deal with ambiguities, compliance burdens, and various stakeholder concerns. The Governor is concerned with whether the guardrails inhibit innovation and AI progress in the State.
The Colorado AI Impact Task Force notes that there is consensus to refine documentation and notification requirements. However, there is less consensus on how to adjust the definition of “consequential decisions.” Reworking the exemptions to the definition of covered systems is also a change desired by both industry and the public. 
Other potential changes to the CAIA depend on how interconnected sections are potentially revised in relation to other related provisions. For example, changes to the definition of “algorithmic discrimination” depend on other issues related to obligations of developers and deployers to prevent algorithmic discrimination and related enforcement. Similarly, intervals for impact assessments may be affected greatly by changes to the definition of “intentional and substantial modification” to high-risk AI systems. Further, those impact assessments are interrelated with the developer’s risk management programs and will likely implicate any proposed changes to either impact assessments or risk management programs. 
Lastly, there remains firm disagreement on amendments related to several definitions. “Substantial factor” is one debated definition that will take a creative approach to define the scope of AI technologies subject to the CAIA. Similarly, “duty of care” is hotly contested for developers and deployers and whether to remove that concept or replace it with more stringent obligations. Other debated topics that are subject to change include the exemption for small business, the opportunity to cure incidents of non-compliance, trade secret exemptions, consumer right to appeal, and the scope of attorney general rulemaking.
Guidance
Given that most stakeholders recognize that changes are needed, any business impacted by the CAIA should continue to watch the developments in the legislative process for potential changes that could drastically impact the scope and requirements of the Colorado AI Act.
Takeaways
Businesses should assess whether they, or their vendors, use any AI system that could be considered high risk under the CAIA. Some recommendations include:

Assess AI usage and consider whether that use is within the definition of the CAIA, including whether any exemptions are available
Conduct an AI risk assessment consistent with the Colorado AI Act
Develop an AI compliance plan that is consistent with the CAIA consumer protections regarding notification and appeal processes
Continue to monitor the updates to the CAIA
Evaluate contracts with AI vendors to ensure that necessary documentation is provided by the developer or deployer

Colorado has taken the lead as one of the first states in the nation to enact sweeping AI laws. Other states will likely look to the progress of Colorado and enact similar legislation or make improvements where needed. Therefore, watching the CAIA and its implementation is of great importance in the burgeoning field of consumer-focused AI systems that impact consequential decisions in the consumer’s healthcare, financial well-being, education, housing, or employment.

Tips for Staying Legally Compliant in Summertime Hiring

As many employers are hiring summer staff, now is a good time to brush up on new developments in child labor, wage and hour, and workplace safety laws. These legal compliance matters may be particularly relevant to employers in the hospitality, retail, and tourism industries, since they tend to hire a lot of seasonal employees for the summer months.

Quick Hits

Some states have changed their laws regulating child labor in the past two years.
Overtime and minimum wage laws typically apply to part-time, seasonal workers.
Seven states (California, Colorado, Maryland, Minnesota, Nevada, Oregon, and Washington) have a heat regulation for workplaces.

Child Labor Considerations
State laws vary on details like the number of hours minors are allowed to work per week, the nighttime hours permitted, and the definitions of hazardous work prohibited for minors.
In the past two years, some states have enacted more restrictive child labor laws, and other states have loosened child labor restrictions. Illinois increased limits on the hours that minors can work. Colorado, Nebraska, Oregon, and Virginia passed laws to heighten penalties on employers that violate existing child labor laws. Florida, Indiana, Iowa, New Hampshire, New Jersey, and Ohio loosened rules related to the hours that minors can work.
Wage and Hour Considerations
Many seasonal employees are hourly workers who qualify for overtime pay and minimum wage, which varies by state. However, the minimum wage and overtime provisions of the federal Fair Labor Standards Act (FLSA) do not apply if the employer is an amusement or recreational establishment that does not operate for more than seven months in any calendar year, or if the employer’s average receipts for any six months during the preceding calendar year were less than one-third of its average receipts for the other six months. Examples of this may include amusement parks, summer camps, and beachside concessions.
The FLSA does not require meal and rest breaks, but some states mandate meal and rest breaks that may be paid or unpaid, depending on the state.
Some employers partner with local universities to work with summer interns who receive academic credit for their work. These internships may be paid or unpaid, if the internship meets the “primary beneficiary test” under the FLSA, which generally requires the internship to provide training related to the academic program.
Workplace Safety Considerations
Summertime heat can pose health risks for workers, whether they work outside or inside. The federal government does not have a workplace safety regulation on heat, but the Occupational Safety and Health Act has a general duty clause that requires employers to provide a workplace free of hazards that could cause death or serious harm.
Some states have their own workplace heat standards. Nevada recently implemented a heat illness prevention regulation that applies to employers with more than ten employees. Likewise, California has a new heat illness prevention regulation for indoor workplaces.
Next Steps
Employers that have started summer hiring may want to consider:

reviewing the state-level maximum hours and time-of-day restrictions applicable to minors;
ensuring that tasks assigned to minors do not fall into the category of “hazardous” occupations, such as driving, cooking with hot oil, meat processing, and operating heavy machinery;
keeping accurate records of minor employees’ dates of birth;
keeping the employee manual and employee training materials up to date;
clearly communicating that a worker is a full-time, part-time, or temporary employee;
ensuring that seasonal workers are adequately trained in workplace safety and heat illness prevention; and
ensuring that independent contractor agreements have been reviewed and updated, if plans include hiring independent contractors.

State Regulators Poised to Increase Enforcement Efforts as Trump Administration Executes Deregulation Agenda

In the first three months of the second Trump administration, federal regulators have signaled a shift in priorities while enforcing federal securities violations and consumer protection laws. In fact, the administration has effectively shuttered the Consumer Financial Protection Bureau (CFPB) and effected significant changes to the Securities and Exchange Commission’s (SEC or Commission) organizational structure and enforcement procedures. As federal regulators shift their focus, state attorneys general have shown a willingness to ramp up enforcement efforts. States have various tools at their disposal, including enforcing existing federal and state consumer financial protection and securities laws and amending state law to expand their regulatory enforcement authority.
The variances in state law and appetites of the state attorneys general may result in a patchwork style of enforcement across the United States. Moreover, states with a more aggressive enforcement approach, such as New York and Massachusetts, may also spur other states to action.
Trump Administration’s Deregulation Agenda Expected to Impact the SEC Enforcement Program
Developments in Washington strongly suggest that the SEC under the Trump administration will depart from aggressive and novel enforcement strategies that characterized the previous administration. In the first few days of the current administration, President Trump announced a “massive” deregulation initiative,1 which we expect will impact the breadth and volume of SEC enforcement activity. Some changes already taking place at the SEC include:

Refocusing the Commission’s Enforcement Approach. During his confirmation hearing, SEC Chair Paul Atkins said he “will strive to protect investors from fraud, to keep politics out of how our securities laws and regulations are applied, and to advance clear rules of the road that encourage investment in our economy.”2 He further called “for the SEC to return to its core mission” of “investor protection; fair, orderly, and efficient markets; and capital formation.”3 Senate Banking Chairman Tim Scott observed that the Commission under Chair Atkins will “roll back harmful Biden-era policies” and “provide regulatory clarity for digital assets.”4
Focus on Investor Fraud Protection. Going forward, many SEC observers expect the primary enforcement priority will shift to protecting investors from clear cases of fraud, rather than pursuing broader or more innovative regulatory actions.5
Reduction in Enforcement Division Authority. The SEC revoked the Director of the Division of Enforcement’s ability to initiate investigations, formally centralizing decision-making at the Commission level.6
Increased White House Oversight. Executive orders now restrict the SEC’s independent rule-making authority7 and embed a White House liaison in key decision‑making processes.8
Coordination with DOGE. Another executive order directs the SEC to coordinate its rule-making efforts with the DOGE government task force, which could lead to further agency restructuring and efficiency measures.9
Office Closures and Staff Reductions. The SEC reportedly canceled leases for major regional offices and plans to eliminate regional director positions, reducing the agency’s physical presence and staff autonomy.10
Focus on Big Firms. Then-Acting SEC Chair Mark Uyeda suggested in an April 8, 2025, speech that the SEC could prioritize enforcement actions against larger, more complex investment advisers and firms, leaving oversight of smaller firms to state regulators.11
Reduction in Crypto Enforcement. There will be fewer enforcement actions against the crypto industry, with a preference for rule-making and public guidance over enforcement actions to clarify the regulatory status of crypto assets.12

Cryptocurrency Enforcement Taken on by the States
Particularly in the area of cryptocurrency, states are poised to step up enforcement activity. This follows the disbanding of the Department of Justice (DOJ) National Cryptocurrency Enforcement Team and Deputy Attorney General Todd Blanche’s announcement that the DOJ will “no longer pursue litigation or enforcement actions that have the effect of superimposing regulatory frameworks on digital assets[.]”13 The DOJ will instead focus on prosecuting individuals who victimize digital asset investors or use digital assets in furtherance of criminal conduct, including terrorism, human trafficking, and gang financing.14
Several states have already taken steps to ramp up enforcement actions relating to cryptocurrency, with others likely to follow. Recent examples include:
New York

In recent years, the Attorney General has filed multiple lawsuits against crypto platforms for selling or purchasing crypto tokens without registering in the state.
In March 2023, sued KuCoin for failing to register as a securities and commodities broker-dealer under New York law.
Secured a consent order in December 2023 banning KuCoin from trading securities and commodities in New York, requiring $16.7 million in refunds to investors and $5.3 million in penalties.15

Iowa

Attorney General filed lawsuits against Lux Vending, LLC (Bitcoin Depot) and GDP Holdings LLC (Coin Flip), operators of cryptocurrency ATMs, alleging insufficient policies and procedures to identify and block scams.16
Claims include Iowa Consumer Fraud Act violations, unfair and deceptive practices, and misrepresentation.17
Asserted that companies profit from fees charged to consumers sending cryptocurrency to scammers and fail to warn or protect users adequately.

Pennsylvania

Attorney General issued a public warning to consumers about scams involving cryptocurrency ATMs.18
Provided tips for identifying scams and encouraged scam victims to contact the Attorney General’s office.
Indicated potential for future legal action against crypto companies operating ATMs in the state.

States Prepare for the Uncertain Future of the CFPB
Likewise, as the Trump administration seeks to dismantle the CFPB, states are preparing to fill the gap in regulation and enforcement of consumer protection violations.19 Recent actions states are taking to prepare for the CFPB enforcement gap include the following:20

Amicus Brief Filing. Twenty-three state attorneys general filed an amicus brief supporting the National Treasury Employees Union’s action to block the shutdown of the CFPB, emphasizing the Bureau’s historical partnership with states in consumer protection cases.21 
Independent Authority Under CFPA. States leverage their independent authority under the Consumer Financial Protection Act (CFPA) to bring civil actions against covered persons or providers for unfair, deceptive, and abusive acts or practices.22 Michigan’s attorney general, for example, brought a claim under the CFPA against an online lender for offering loans with exorbitant interest rates, resulting in a settlement that stopped the lender from marketing and extending new loans to Michigan consumers.23 
New York’s FAIR Act Proposal.

New York Attorney General Letitia James proposed the Fostering Affordability and Integrity through Reasonable Business Practices Act (FAIR), which would expand the state’s consumer protection law to cover “unfair” and “abusive” practices, allowing for broader enforcement authority.24
The FAIR Act would permit the New York attorney general to bring claims for a single instance of unfair, deceptive, or abusive activity, rather than being limited to conduct impacting the public at large.
The FAIR Act would enable the New York attorney general to address a wide range of conduct, including predatory loans, fraudulent landlord-tenant transactions, and other prohibited activities affecting individuals. 

New York Banking Fee Regulations. New York’s Department of Financial Services proposed regulations to eliminate exploitative and deceptive banking fees, such as prohibiting overdraft fees on overdrafts of less than $20 and charging overdraft fees that exceed the overdrawn amount.25 
Massachusetts Junk Fee Regulations. Massachusetts Attorney General Joy Campbell issued new regulations under the state’s consumer protection law to curb “junk fees.”26 The regulations require companies to disclose the total price of a product or service upfront and provide clear information regarding additional charges.

Expanded State Enforcement for Financial Markets
States are also increasingly scrutinizing new financial products and digital platforms, with particular attention to the trading of event contracts and the practices of online investment platforms. Recent actions in Massachusetts highlight how state regulators are responding to perceived risks and potential violations in these emerging areas.

In March, Massachusetts Secretary of the Commonwealth Bill Galvin issued a subpoena to Robinhood over its launch of a prediction markets hub, which allows users to bet on the outcomes of events such as March Madness basketball tournaments.27 Galvin raised concerns about integrating gambling-like features on a platform popular with young investors, suggesting these event contracts are designed to lure users away from sound investing.
Massachusetts previously filed an enforcement action against Robinhood for improper “gamification” features, resulting in a $7.5 million settlement for violations of state securities laws.28
The current investigation may focus on potential violations of Massachusetts’s Fiduciary Rule, which requires broker-dealers and investment advisors to act with utmost care and loyalty to customers and make recommendations solely in the customer’s best interest.29

Conclusion
Unlike past White House transitions, when federal regulators’ priorities remained relatively consistent, the Trump administration’s agenda has significantly curtailed, and will likely continue to curtail, the scope and volume of actions brought by federal regulators. However, we can expect state attorneys general, regulators, and legislators to increase enforcement efforts against financial markets participants. We will continue to monitor state-level initiatives very closely and will alert our financial markets clients to any significant developments.

1 The White House, “Fact Sheet: President Donald J. Trump Launches Massive 10-to-1 Deregulation Initiative” (Jan. 31, 2025), https://www.whitehouse.gov/fact-sheets/2025/01/fact-sheet-president-donald-j-trump-launches-massive-10-to-1-deregulation-initiative/.
2 Paul Atkins, Opening Statement Before the Senate Banking Committee, Nomination Hearing of Paul Atkins (Mar. 27, 2025).
3 Id.
4 Sen. Tim Scott, “Scott Applauds Paul Atkins’ Confirmation as SEC Chairman” (Apr. 9, 2025), Senate Banking Committee, https://www.banking.senate.gov/newsroom/majority/scott-applauds-paul-atkins-confirmation-as-sec-chairman.
5 On April 29, 2025, for example, the SEC filed a complaint against a CEO of an investment advisory firm and business development company alleging the CEO defrauded investors by making material misrepresentations in offering documents provided to prospective investors and engaged in self-dealing by extending loans to two companies in which the CEO had undisclosed financial interests. See Securities and Exchange Comm’n v. Derek R. Taller, 25 Civ. 3537, S.D.N.Y. (April 29, 2025).
6 Delegation of Authority to Director of the Division of Enforcement, 90 Fed. Reg. 12105 (Mar. 10, 2025).
7 Exec. Order 14215, 90 Fed. Reg. 10447 (Feb. 24, 2025).
8 Exec. Order 14215, 90 Fed. Reg. 10447 (Feb. 24, 2025).
9 Jessica Corso & Jon Hill, “Atkins Suggests He May Open SEC’s Doors To DOGE” (Mar. 27, 2025), Law360, https://www.law360.com/banking/articles/2316005.
10 Carl Ayers, “RCW exclusive: Leases on three SEC regional offices to end” (Mar. 7, 2025), Regulatory Compliance Watch, http://regcompliancewatch.com/rcw-exclusive-leases-on-three-sec-regional-offices-to-end/.
11 Mark T. Uyeda, “Remarks to the Annual Conference on Federal and State Securities Cooperation” (Apr. 8, 2025), SEC, http://sec.gov/newsroom/speeches-statements/uyeda-nasaa-040825.
12 Mark T. Uyeda, “Remarks at the Crypto Task Force’s Inaugural Roundtable” (Mar. 21, 2025), SEC, https://www.sec.gov/newsroom/speeches-statements/uyeda-remarks-crypto-roundtable-032125.
13 DOJ, “Memorandum for All Department Employees” (Apr. 7, 2025), https://www.justice.gov/dag/media/1395781/dl?inline.
14 The SEC has similarly reduced its investigations and enforcement in the area of cryptocurrency. In late April, for example, PayPal disclosed in its quarterly Form 10-Q report that the SEC was closing an inquiry, opened in November 2023, regarding PayPal’s PYUSD stablecoin, which pegs its value to the U.S. dollar.
15 New York Stipulation and Consent (Dec. 8, 2023), https://ag.ny.gov/sites/default/files/settlements-agreements/kucoin-stipulation-and-consent.pdf.
16 Iowa Attorney Department of Justice, “Attorney General Bird Sues Crypto ATM Companies for Costing Iowans More than $20 Million” (Feb. 26, 2025), https://www.iowaattorneygeneral.gov/newsroom/attorney-general-bird-sues-crypto-atm-companies-for-costing-iowans-more-than-20-million.
17 Id.
18 Pennsylvania Attorney General, “AG Sunday Warns Pennsylvanians of Rise in Scams Involving Bitcoin ATMs” (Feb. 25, 2025), https://www.attorneygeneral.gov/taking-action/ag-sunday-warns-pennsylvanians-of-rise-in-scams-involving-bitcoin-atms/.
19 Note that the materials relied upon by Katten for purposes of this advisory do not appear publicly on the CFPB’s website. However, the materials reviewed appear on CFPB letterhead and, as described herein, are consistent with public positions agency leadership has taken with respect to the nature of future agency activities in light of the recent presidential election.
20 For a closer look at what the CFPB’s new leadership proposes, see Katten’s recent advisory, “CFPB Suggests Shift In Supervision and Enforcement Priorities.”
21 National Treasury Employees Union, et al v. Russell Vought, et al., No. 25-cv-00381, Dkt. No. 24 (D. DC. Feb. 21, 2025), https://www.marylandattorneygeneral.gov/News%20Documents/022125_DC_DCt_Amicus.pdf.
22 Id. at 4.
23 Dana Nessel, Attorney General of the State of Michigan v. Huggy Lamar Price, et al., No. 19-cv-13078, Dkt. No. 1 (E.D. Mich. Oct. 18, 2019), https://www.michigan.gov/ag/-/media/Project/Websites/AG/releases/2019/october/Complaint_FILED.pdf?rev=ed465f8086f147629de063292258e59c&hash=96ABAB057544A8516DEC0A12D0C4FC88.
24 N.Y. Gen. Bus. Law FAIR Business Practices Act at § 349.
25 New York Governor, “Protecting Consumers: Governor Hochul Cracks Down on Exploitative Overdraft Fees Targeting Low-Income New Yorkers” (Jan. 22, 2025), https://www.governor.ny.gov/news/protecting-consumers-governor-hochul-cracks-down-exploitative-overdraft-fees-targeting-low.
26 Mass. Attorney General, “AG Campbell Releases ‘Junk Fee’ Regulations to Help Consumers Avoid Unnecessary Costs” (Mar. 3, 2025), https://www.mass.gov/news/ag-campbell-releases-junk-fee-regulations-to-help-consumers-avoid-unnecessary-costs.
27 “Massachusetts regulator subpoenas Robinhood over sports betting” (Mar. 24, 2025), CNN, https://www.cnn.com/2025/03/24/business/regulators-probe-robinhood-prediction-markets-march-madness/index.html.
28 Id.
29 950 Code Mass. Regs. § 12.207(1)(a).

Approved New York State Budget Bolsters Child Labor Protections

On May 9, 2025, Governor Kathy Hochul signed into law numerous provisions under the FY26 New York State Budget that, among other things, increase the civil penalties for employers that violate state child labor laws and modify existing permitting and reporting requirements for employers and minor employees. Other changes include eliminating the coverage exemption for newspaper carriers, as well as the allowance for “employment of a minor fifteen years old who is found to be incapable of profiting from further instruction available and who presents a special employment certificate[.]”
Child Labor Protections
Under the New York Labor Law and existing New York State Department of Labor (“NYSDOL”) guidance, employers are subject to strict requirements when employing minors. Minor employees may not work beyond a maximum number of hours per week, depending on their age and whether school is in session. In addition, minors are limited in working at night, with specific restrictions depending on the time of year, the employee’s age, and their specific profession. Minor employees are further restricted in the types of work they can perform.
To work, minor employees are required to obtain “working papers,” which they must apply for in person through either their school or the NYS Department of Education’s issuing offices. Employers with minor employees are also required to post a schedule of hours for all minors, including the hours they start and end as well as allotted meal periods.
Civil Penalties
Effective immediately, the New York Labor Law is amended to dramatically increase the civil penalties levied on employers for violating child labor laws. The increases are as follows:

First violation: up to $10,000 (previously up to $1,000);
Second violation: between $2,000 and $25,000 (previously up to $2,000); and
Third and subsequent violations: between $10,000 and $55,000 (previously up to $3,000).

In situations where a violation results in serious injury or death to a minor, the previous penalty was triple the maximum penalty. The amendments enact a new penalty scale for such violations:

First violation: between $3,000 and $30,000;
Second violation: between $6,000 and $75,000; and
Third and subsequent violations: between $30,000 and $175,000.

Permitting for Minor Employees
The amendments also enact several additional and/or revised requirements for employers and minor employees. Among other things, the amendments amend the Labor Law to require the creation of a database of both employers and their minor employees and to require employers to provide a certification that they are only allowing minors to work in positions that are permitted by law. In addition, the amendments will allow minor employees to electronically register and apply for their working papers, a departure from the current in-person filing requirement. These changes take effect two years from becoming law.
What’s Next? Employers should review their employment practices to ensure compliance with these new provisions.

Germany: Bureaucracy Out, Digital In? The New Government’s Plans for Labour and Employment

After long negotiations between the Christian Democrats and the Social Democrats, the parties agreed to establish a coalition to form the new government, and Friedrich Merz was eventually elected on 6 May 2025 as the new Chancellor of Germany. The coalition agreement published by the parties offers insight into their agenda. While not the primary focus of the agreement, there are several initiatives that aim to address certain labour and employment issues of relevance to the German market.
Streamlining the future of work
The coalition agreement outlines several key initiatives designed to enhance Germany’s competitiveness as a business hub, particularly by furthering digitalisation and streamlining bureaucracy. This commitment is also reflected in their plans for addressing L&E-related issues:

Promoting qualified immigration, particularly by digitalising processes in an effort to accelerate the recognition of professional qualifications from other countries
Further reducing the written form requirements in employment law, e.g. for contracts under the Part-Time and Limited Term Employment Act (Teilzeit- und Befristungsgesetz). For further details on the previous changes that took effect in January 2025, please refer to our recent blog post on the Bureaucracy Relief Act.

Digitalisation of collective labour rights
Collective labour law is particularly impacted by the effort to digitalise employment processes:

Enabling the use of online works council meetings (Betriebsratssitzung) and works meetings (Betriebsversammlung) as an alternative to in-person meetings
Implementing an optional digital voting process for the works council elections in 2026
Right to digital access, i.e. the right to use existing digital communication channels as an alternative to the notice board for advertising, among other things, collective labour events and opportunities

Improving Flexibility
The new government is also seeking to implement a change to the Working Hours Act (Arbeitszeitgesetz) that would allow for maximum weekly instead of daily working hours. The current position is a daily maximum of eight (or in exceptions, ten) working hours.
To comply with the EU Working Time Directive, a maximum of 48 weekly working hours would generally be permitted. Exceptions would have to be made for certain workers, e.g., for those working nightshift. Additionally, a new concept is required to allow for the increase in flexibility while still ensuring the workers’ health, safety and adequate rest time. The coalition agreement does not provide any specifics as to how this will be achieved.
According to coalition parties, the adjustment is intended to enhance the compatibility of family and work. However, while the new regulations would not constitute an increase in weekly working hours, they are likely to benefit employers by allowing for more flexible schedules due to the decreased regulations. Examples could be agreeing on a permanent 4-day week with no reduction in pay or the option to offset short-term spikes in workload by ordering work for more than 10 hours a day. Once these changes are implemented, employee handbooks or works agreements referencing maximum working hours may require changes to comply with the new regulations.
The parties also plan to implement an obligation to digitally record working hours for employers. Following the implementation, a transition period will be established during which small and mid-size companies will be exempt from the new requirements. However, the obligation does not extend to trust-based working hours. Therefore, the decision to pursue this option remains at the discretion of employers.
A further initiative aimed squarely at increasing productivity is exempting overtime income of full-time employees from income tax. The definition of overtime in this context is any working time that exceeds 34 hours in the case of employees with a CBA, or 40 hours in the case of employees without a CBA.
If employers offer bonuses to part-time employees for increasing their working hours, these bonuses remain tax-free according to the parties’ plans. It remains to be seen how the coalition will deal with attempts to exploit such bonuses.
Allowing for a smooth transition after reaching retirement age
Many employers and employees are interested in maintaining their existing employment relationship after the employee reaches the standard retirement age. However, given the restrictions in the Part-Time and Limited Term Employment Act, most flexible solutions are not viable. In most cases, employers are currently only able to establish long-term employment relationships that do not adequately address the challenges associated with such employment.
The coalition agreement now includes a plan to lift the ban on pre-employment after reaching the standard retirement age in the Part-Time and Limited Term Employment Act. This would allow employees to remain in a familiar work environment while transitioning to a reduced or limited role within their organisation. Lifting the ban would be a welcome change for both parties to an employment relationship as it would provide reliable planning and legal certainty.
The effort to encourage individuals to remain in the workforce after reaching the standard retirement age also includes plans to exempt up to EUR 2,000 of such employees’ income from income taxes.
Strengthening unions
The coalition parties plan to make compliance with collective bargaining agreements a prerequisite for the awarding of federal contracts worth EUR 50,000 or more and for start-ups with “innovative services” in the first four years after their establishment for projects worth EUR 100,000 or more.
The parties also aim to enhance the appeal of trade union memberships by offering tax incentives for their members.
Other initiatives
While these initiatives are also part of the coalition agreement, how or even if they will be implemented is less certain for some than others:

Raising the minimum wage to EUR 15 per hour by 2026, which is explicitly labeled as something that may be feasible
Implementing a legal framework for AI at the workplace

Summary
The agreement encompasses a combination of measures that are favourable to employers and those that are principally intended to strengthen employee rights. However, none of them is legally binding. Thus, the agreement is, in essence, a mere collection of potential initiatives. It is not feasible for it to be realised in its entirety within the next four years. Immediate action is therefore not required. Nevertheless, it provides the most comprehensive insight into the incoming government’s plans and, as a result, what employers may expect in upcoming legislative periods.

First-of-Its-Kind: Teen Privacy Law Passes in Arkansas

On April 22, 2025, Arkansas enacted the Arkansas Children and Teens’ Online Privacy Protection Act (HB 1717, Act 952), making it the first state to expand core federal children’s privacy protections to teens. The law, effective July 1, 2026, applies to for-profit websites, online services, apps, and mobile applications that are directed to children (under 13) or teens (ages 13-16), or that have actual knowledge they are collecting personal information from these groups.
The Act establishes a two-tiered framework: parental consent is required to collect personal information from children, while either the teen or their parent may consent in the case of users aged 13 to 16. Operators must also provide clear notice of their data practices, respect deletion and correction requests, and implement reasonable security measures. The statute broadly defines personal information to include not only contact details and identifiers, but also biometric data, geolocation, and any information linked or reasonably linkable to a child, teen, or parent.
The law prohibits targeted advertising to minors using their personal information and limits data collection to what is necessary for the specific service or transaction. Operators are not required to implement age verification, but are expected to comply where they have actual knowledge of a user’s age. Importantly, enforcement authority is vested exclusively in the Arkansas Attorney General; the law does not create a private right of action.
HB 1717 reflects growing state-level momentum to address youth privacy concerns amid the absence of federal privacy reform. Businesses that operate online platforms accessible to Arkansas users, particularly those relying on personalized advertising or handling sensitive data, should evaluate their compliance posture now to prepare for the law’s 2026 effective date.

FTC Defers Compliance Deadline for Parts of Amended Negative Option Rule

On May 9, 2025, the Federal Trade Commission voted to defer the compliance deadline for the amended Negative Option (“Click-to-Cancel”) Rule by sixty (60) days. The amended Rule expands the scope of the prior version to cover any goods or services involving a negative option, automatic renewal plan, free trials and subscriptions. Additionally, it imposes restrictions that in some instances are more onerous than various state automatic renewal laws.
Of note, the recent amendments to the Negative Option Rule (f/k/a “Click-to-Cancel”), which went into effect on January 19, 2025, provide that misrepresenting any material facts while offering any good or service with a negative-option feature is an unfair or deceptive act or practice in violation of Section 5 of the FTC Act. This applies regardless of whether the misrepresentation is related to the negative option feature, or not. This feature of the amended Negative Option Rule already became effective in January 2025. It, as well as other features of the amended Rule, are presently the subject of judicial challenge.
The rest of the amended Rule, pertaining to disclosures, consent and cancellation of negative option features, was to become effective May 15, 2025. However, the FTC has now deferred enforcement of these provisions through July 2025. Starting then, in the absence of judicial intervention, covered businesses will be required to be in full compliance with the amended Negative Option Rule.
“But the Commission’s decision to defer enforcement necessarily acknowledged that compliance entailed some level of difficulty,” according to FTC attorneys. “Having conducted a fresh assessment of the burdens that forcing compliance by this date would impose, the FTC has determined that the original deferral period insufficiently accounted for the complexity of compliance.”

Of note, California’s amended automatic renewal law begins July 1. In September 2024, California Gov. Gavin Newsom signed into law AB 2863, amending California’s already onerous automatic renewal law. For example, and without limitation, the amended California ARL expands the definition of “automatic renewal” to include “a plan, arrangement, or provision of a contract that contains a free-to-pay conversion or …,” which places negative option programs within the scope of the statute. It also defines “free-to-pay conversion” as “an offer or agreement to sell or provide any goods or services, a provision under which a customer receives a product or service for free for an initial period and will incur an obligation to pay for the product or service if they do not take affirmative action to cancel before the end of that period.”
The amended California ARL also makes it unlawful to fail to obtain a consumer’s express affirmative consent to the automatic renewal or continuous service offer terms. In doing so, it effectively requires two consents – one for the terms of the service and another for the automatic renewal. California’s amended ARL also requires that consumers be provided with notice of automatic renewal until cancellation, the length of the renewal period, additional terms of the renewal period and the amount or range of costs that consumers will be charged – before confirming the consumer’s billing information. Consumers must also be provided a means to cancel subscriptions as easily as the means used to sign up. There is language in the amended ARL regarding how businesses may try to save offers when consumers attempt to cancel, along with cancellation attempt disclosure requirements.
The amended Negative Option Rule applies broadly to negative option marketing in all forms, whether via the Internet, telephone, print materials or in-person transactions. It also applies to B2B transactions. Additionally, the amended Rule does not require consumers to actually utilize the negative option feature in order for the Rule to be applicable. Instead, the product or service need only be marketed or sold “with” a negative option feature. Advertisers and marketers should consult with an experienced FTC compliance lawyer to discuss how to comply with the FTC Negative Option Rule. Violations provide the FTC with the authority to seek redress and civil penalties.

House Bill 47 Delays Effective Date for North Carolina’s New Building Code

Recent media coverage of the Hurricane Helene Mountain Recovery Bill left out a critical piece of news for construction industry stakeholders.
House Bill 47 (“H47”) was signed into law (Session Law 2025-2) by Governor Stein on March 20. The bill’s official name is the Disaster Recovery Act of 2025–Part I, but it is more commonly known as the Hurricane Helene Mountain Recovery Bill. 
The new law appropriates $524 million to fund homebuilding, agricultural recovery, and infrastructure repairs in the mountains related to the storm damage. It also sends a much-delayed $217 million to Eastern North Carolina for use in home replacement and other infrastructure repairs needed as a result of Hurricane Florence and other storms. 
That’s what the media has covered.
New Building Code Delayed
Another key provision—largely absent from media coverage—involves a change to the building code that is particularly relevant to construction companies, developers, and local governments.
Senator Tim Moffitt (R-Henderson, Polk, and Rutherford Counties) marshaled support for an amendment to H47 that would pause new building code regulations. The relevant provisions begin at Section 5.12 (page 21).
The takeaway is that the 2024 North Carolina State Building Code (“New Code”), scheduled for implementation this year, has been delayed by at least 12 months. North Carolina was set to adopt the New Code standards on July 1, 2025. 
H47 moves that date into 2026.
The new law delays the implementation to a date 12 months after the State Fire Marshal (a) certifies that the New Code has been published and distributed to specified state and local officials and made available for purchase by members of the general public and (b) certifies that the Residential Code Council has been fully formed and organized.
In an April 7 press release, the Office of the State Fire Marshal forecasted that the new building code would be available for distribution to state and local officials by July 31, 2025, but noted that the formation of the Residential Code Council was outside of its control and depends on appointments made by the Governor and the General Assembly.
Accordingly, the earliest effective date for the New Code appears to be July 31, 2026.
With the delay, the 2018 North Carolina State Building Code remains in effect. However, as noted by the Office of the State Fire Marshal, the 2024 Code may still be used as an alternative method of construction if requested by the building owner or their agent.
Changes Can Still Occur
Whether the delay will allow the Building Code Council time to revise the New Code remains to be seen. As a result of H47, those monitoring code changes should not expect updates this year.
This delay is likely just one part of the broader building code review process, and additional changes may emerge between now and July 2026. We will continue to monitor and share updates as they become available.

Revised Draft California Privacy Regulations Lessen Impact on Business

The rulemaking process on California’s Proposed “Regulations on CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology, and Insurance Companies” (2025 CCPA Regulations) has been ongoing since November 2024. With the one-year statutory period to complete the rulemaking or be forced to start anew on the horizon, the California Privacy Protection Agency (CPPA) voted unanimously to move a revised set of draft regulations forward to public comment on May 1, which began May 9 and closes at 5 pm Pacific June 2, 2025. The revisions cut back on the regulation of Automated Decision-making Technology (ADMT), eliminate the regulation of AI, address potential Constitutional deficiencies with regard to risk assessment requirements and somewhat ease cybersecurity audit obligations. This substantially revised draft is projected by the CPPA to save California businesses approximately 2.25 billion dollars in the first year of implementation, a 64% savings from the projected cost of the prior draft.
ADMT: The most notable changes relate to ADMT and are said to result in an 83% cost savings for businesses compared to the prior draft. “Cut to the bone” is the way Chair Jennifer Urban characterized it, which is welcome news to many, likely including California Gov. Gavin Newsom, who had sent the CPPA a letter stating that he was “pleased to learn about the Board’s decision, at its April 4, 2025 meeting, to direct Agency staff to narrow the scope of the ADMT regulations.” The revised ADMT regulations no longer address “artificial intelligence” at all and include the following revisions (among others):

Deleting the definition of “extensive profiling” (behavioral advertising or monitoring employees, students or publicly available spaces) and shifting the focus of transparency and choice obligations to the use of ADMT to make a significant decision about consumers. However, risk assessments would still be required for profiling based on systematic observation and for training of ADMT to make significant decisions, to verify identity, or for biological or physical profiling.
Streamlining the definition of ADMT to “mean any technology that processes personal information and uses computation to replace … or substantially replace human decision-making [which] means a business uses the technology output to make a decision without human involvement.” Prior drafts had covered use to help facilitate human decisions.
Streamlining the definition of significant decisions to remove decisions regarding “access to” and limit applicability to the “provision or denial of” the following more narrow types of goods and services: “financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services,” and clarifying that use for advertising is not a significant decision.
Obligations to evaluate the risk of error and discrimination for certain types of ADMT uses were deleted, but the general risk assessment obligations were largely kept. The requirement to implement policies, procedures and training to ensure that certain types of ADMT work as intended and do not discriminate was removed.
Pre-use notice obligations were streamlined.
Opt-out rights were limited to uses to make a significant decision.
Businesses were given until January 1, 2027, to comply with the ADMT regulations.

Cybersecurity Audits: Also pared back, though more through a phase-in of implementation than regarding substantive requirements, are the draft regulations on cybersecurity audits. Here are the highlights of where the CPPA landed:

Timing for completion of a first annual cybersecurity audit and filing an audit report with the state will depend on the size of the business:

April 1, 2028: $100 million + gross revenue.
April 1, 2029: between $50 million and $100 million.
April 1, 2030: under $50 million.

Rather than requiring the Board of Directors to review audit results and certify their sufficiency, such obligations were changed to a member of management with responsibility for cybersecurity.
The aspects of what an audit must assess remain broad, including the sufficiency of inventory and management of personal information and the business’ information systems, including “data maps and flows identifying where personal information is stored, and how it can be accessed” and hardware and software (including cookies) inventories and approval and prevention processes.

Privacy Risk Assessments: We have detailed the prior drafts of the risk assessment regulations here. The latest draft not only reflects the ADMT changes discussed above but also a more thoughtful approach to the purpose and process for conducting and documenting assessments:

In keeping with the removal of the concepts of “extensive profiling” (public monitoring, HR/educational monitoring and behavioral advertising) under the ADMT regulations, these concepts were also removed from the types of high-risk activities that require a risk assessment, but were replaced with “profiling a consumer through systematic observation of that consumer when they are acting in their capacity as an educational program applicant, job applicant, student employee or independent contractor for the business” and “profiling a consumer based upon their presence in a sensitive location.” However, in the draft published for comment, these activities were more narrowly defined to include only use of such observation “to infer or extrapolate intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behavior, location or movements[,]” but excluding “using a consumer’s personal information solely to deliver goods to, or provide transportation for, that consumer at a sensitive location.” These edits are responsive to concerns raised by Board member Mactaggart (e.g., a nurse ordering pizza delivered to work).
The high-risk assessment trigger of training ADMT or AI was modified to remove the reference to AI and limited to where the business intends to use the ADMT for a significant decision concerning a consumer, or to train facial recognition, emotion recognition, or other technology that verifies a consumer’s identity, or conducts physical or biological identification or profiling of a consumer. Triggers tied to the generation of deepfakes and the operation of generative models, such as large language models, were removed.
The other high-risk activities from prior drafts remain: selling personal information, sharing personal information (for targeted advertising), and processing sensitive personal information.
While risk assessments must still include a harm-benefit analysis (Section 7152(a)(4) and (5)), that information, and the business judgment analysis as to the pros and cons thereof, is no longer required to be included in the form of Risk Analysis Report (a new term) that is subject to government inspection. This will make the assessment requirements much less vulnerable to First Amendment challenge as unconstitutional compelled speech on a matter of opinion and not mere recitation of facts, a concern publicly expressed previously by at least one CPPA Board member. This is a very significant development. [Note that while the Colorado regulations require documentation of such a risk-benefit analysis as part of assessment documentation, they also provide that assessments may be subject to legal privilege protections.]
Similarly, the forms of assessment summaries that must be filed with the state are limited to factual recitations. The new draft abandons the prior approach of requiring the filing of abridged assessments summarizing each assessment in favor of a single attestation of annual compliance with some basic information on the number of assessments, in total and by type of covered processing activities, and which categories of personal information and/or sensitive personal information were covered. This substantially reduces what must be disclosed in agency filings and again helps insulate against compelled speech challenges.
Also, likely to address Constitutional issues, Section 7154 was changed from prohibiting processing activities if risks to consumer privacy are not outweighed by identified benefits, to expressing that the goal of risk assessments is to serve to prohibit or restrict processing activities if privacy risks outweigh processing benefits. This should go a long way to protect a business’s subjective business judgment and ethical value decisions that should not be subject to second-guessing by the government, absent violation of clear and unambiguous statutory requirements.
While high-risk activities occurring on and after the effective date of the regulations (likely before the end of 2025) will be subject to assessment, businesses will have until December 31, 2027, to complete the documentation of the corresponding Risk Assessment Reports through that date, and the filing of the first annual assessment attestation would not be due until April 21, 2028.

Finally, the amendments to the existing regulations were revised:
What stayed in:

If a business maintains personal information (collected after January 1, 2022) for longer than 12 months, it must enable consumers to specify a date range or treat the request as without time limitation.
A business must ensure that when a consumer corrects their personal information, it remains corrected.
A business must inform consumers who make corrections of their personal information of the source of the incorrect data or inform the source that the information was incorrect and must be corrected.
Symmetry of choice applies to any opt-in, not just an opt-in after opt-out.
A website must display the status of opt-out choice based on GPC / OOPS browser signals or opt-out request. [Most CMPs already have this feature as optional.]
A business must provide a means to confirm that a limit-sensitive information processing request has been received and is being honored.
In verifying agent authority and the consumer’s identity, a business may not require the consumer to resubmit an individual request.
Consumer statements regarding contested accuracy of health data, which are already required, must be shared with recipients of that data if the consumer requests.

What got cut:

The requirement for businesses and service providers to implement measures to ensure deleted personal information remains deleted or de-identified was removed.
The requirement to inform consumers, as part of a request response, of their right to file a complaint with the state was removed.
The requirement to inform those to which it has disclosed personal information of a subsequent consumer correction was removed.
The requirements to provide internal and external notice of consumer claims of inaccuracy that were not corrected (due to insufficient proof), unless the request was fraudulent or abusive, were removed.

The current revisions are subject to additional revisions based on the new round of public comment, which could lead to adding back or otherwise changing provisions. However, the CPPA Board members all seemed to express the opinion at the May 1 meeting that a set of regulations needed to be timely completed, and that future rulemaking could build on the foundation of the draft that has been advanced. Accordingly, it would appear that we are at the “home stretch” with the finish line in clear view.