The EU’s Omnibus Package: A Step Back on Sustainability?

We reported in previous blog posts (here and here) on the European Commission’s Green Deal initiatives and their impact on companies doing business in Europe as well as the significant recent headwind against these instruments.
On Wednesday, 26 February 2025, the European Commission (the “Commission”) published the first set of proposals – the omnibus package, which includes considerable simplification in the areas of sustainable finance disclosure, sustainability due diligence, the European Union (EU) taxonomy, the border carbon adjustment mechanism and European investment programs.
The Commission aims to reduce the complexity of EU requirements for all businesses, in particular SMEs and small mid-caps (SMCs, i.e. companies with not more than 500 employees), while focusing on larger companies with a potentially bigger impact on climate. This article focuses on the changes affecting the Directive (EU) 2022/2464 on corporate sustainability (“CSRD”) and the Directive (EU) 2024/1760 on corporate sustainability due diligence (“CS3D”).
The relevant draft directives can be found here and here.
Background to the original CSRD and CS3D
The CSRD, which entered into force on 5 January 2023, with a deadline for implementation into national laws on 6 July 2024, is a legislative measure introduced by the EU to improve the quality, consistency and comparability of sustainability information provided by companies. The CSRD requires some companies, based on their size, to report sustainability information. For details, please see our previous article here.
The CS3D, which entered into force on 25 July 2024 with a deadline for implementation on 26 July 2026, aims to foster sustainable and responsible corporate behaviour in companies’ operations and across their global value chains. As we reported, the French authorities published a memorandum on 20 January 2025 urging the EU to modify the CSRD and the CS3D, which they consider not to be aligned with the competitiveness challenges EU companies are facing. For details, please see our previous article here.
With its omnibus package, the European Commission is now proposing to address some of the criticisms raised against the existing directives.
The proposed changes to the CSRD
The current CSRD requires EU large undertakings, as well as EU and non-EU listed companies (excluding micro-undertakings) to report sustainability information. Moreover, in some cases, non-EU undertakings are targeted and their EU subsidiary or branch has to make available the sustainability report.
The initial timeframe for applying the CSRD differs depending on the type of undertaking: financial year (“FY”) 2024 for large undertakings which are public interest entities with more than 500 employees; FY 2025 for other large undertakings; FY 2026 for listed SMEs; and FY 2028 for non-EU undertakings with net EU turnover above EUR 150 million (through their subsidiary or branch).
The Commission now proposes to increase the threshold and require EU large undertakings with more than 1,000 employees to comply with the reporting obligations starting with FY 2027, and non-EU undertakings with net turnover above EUR 450 million starting with FY 2028.
It is also proposed to simplify and streamline the European Sustainability Reporting Standards (“ESRS”) through a Delegated Act by reducing mandatory datapoints, prioritizing quantitative data, distinguishing between mandatory and voluntary datapoints, ensuring global compatibility, and improving clarity and consistency with EU laws. Under the proposal, the Commission will no longer be able to adopt sector-specific standards and to propose the option to convert a limited assurance requirement to a reasonable assurance requirement.
The new proposed reporting obligations and timelines can be summarized as follows:

| Existing Categories of Companies | Existing Timeframes | New Proposed Categories | New Proposed Timeframes |
| --- | --- | --- | --- |
| Large public interest (“PIE”) companies and parent companies of a large group exceeding at least two of the following three thresholds: > 500 employees; > EUR 50 million turnover; > EUR 25 million balance sheet | In 2025 for FY 2024 | Large undertakings with more than 1,000 employees and exceeding one of the following thresholds: > EUR 50 million turnover; > EUR 25 million balance sheet | In 2028 for FY 2027 |
| Other large EU undertakings | In 2026 for FY 2025 | | |
| Listed SMEs | In 2027 for FY 2026 | Deleted | Deleted |
| Non-EU undertakings with: > EUR 150 million turnover; and at least 1 subsidiary in the EU that is itself covered by the CSRD or a branch in the EU that generated a net turnover of EUR 40 million | In 2029 for FY 2028 | Non-EU undertakings with: > EUR 450 million turnover; and at least one large EU subsidiary or a branch in the EU that generated a net turnover of EUR 50 million | In 2029 for FY 2028 |

While exempt, companies can opt for voluntary reporting based on the voluntary standards for SMEs (“VSME Standard”) developed by European Financial Reporting Advisory Group (“EFRAG”). This standard is proportionate to their size and capacity, focusing on providing essential sustainability information without the complexities required of larger companies.
The proposed changes to the CS3D
The current CS3D applies to EU limited liability companies and partnerships with more than 1,000 employees and a net worldwide turnover of more than EUR 450 million, as well as ultimate parent companies of a corporate group that meet these thresholds on a consolidated basis, and franchisors/licensors meeting certain conditions and thresholds. The CS3D also applies to non-EU undertakings of a legal form comparable to LLCs/partnerships with a net turnover of more than EUR 450 million generated in the EU, as well as ultimate parent companies of a corporate group that meets the threshold on a consolidated basis, and franchisors/licensors meeting certain conditions and thresholds.
The current timeframe for applying the CS3D differs depending on the type of undertaking: July 2027 for EU companies with more than 5,000 employees and EUR 1,500 million worldwide turnover, as well as non-EU companies with more than EUR 1,500 million turnover generated in the EU; July 2028 for EU companies with more than 3,000 employees and EUR 900 million worldwide turnover, as well as non-EU companies with more than EUR 900 million turnover generated in the EU; and July 2029 for all other companies in scope.
The Commission proposes to extend the transposition deadline of the Directive into national law by one year to 26 July 2027 with the first phase of application for the largest companies postponed to 26 July 2028 (instead of July 2027). The omnibus package proposes new turnover and employee thresholds and changes to the dates when reporting is required under the CS3D. The below table summarises the existing and proposed new rules:

| Current CS3D: Categories | Current CS3D: When | Omnibus changes: Categories | Omnibus changes: When |
| --- | --- | --- | --- |
| EU companies > 5,000 employees > EUR 1,5 billion worldwide turnover | From 26 July 2027 | EU companies > 3,000 employees > EUR 900 million worldwide turnover | From 26 July 2028 |
| EU companies > 3000 employees > EUR 900 million worldwide turnover | From 26 July 2028 | | |
| Non-EU companies > EUR 1,5 billion worldwide turnover | From 26 July 2027 | Non-EU companies > EUR 900 million worldwide turnover | From 26 July 2028 |
| Non-EU companies > EUR 900 million worldwide turnover | From 26 July 2028 | Deleted | Deleted |
| EU undertakings >1000 employees and EUR 450 million net worldwide turnover; Non-EU undertakings >450 million net worldwide turnover | From 26 July 2029 | No change: From 26 July 2029 | No change: From 26 July 2029 |

The Commission announced it would issue guidelines by July 2026, to help companies adapt and rely more on best practices rather than extensive legal and advisory services.
Substantive changes to the CS3D include the following elements:

due diligence efforts are primarily directed at direct business partners, rather than the entire supply chain;
companies are required to conduct in-depth assessments only when there is plausible information suggesting potential or actual adverse impacts at the level of indirect partners;
the obligations concerning indirect business partners are limited to cases of circumvention or when there is credible information about likely or actual adverse impacts;
the frequency of mandatory monitoring exercises is reduced, alleviating the administrative burden on companies;
regular monitoring is required every five years, with additional assessments triggered by significant changes or new risks;
companies are required to engage only with relevant stakeholders, focusing on those directly affected by their operations;
the trickle-down effect is reduced by the limitation of information that in-scope undertakings can request from their SME and SMC business partners to the information specified in the VSME Standard, unless in-scope undertakings require additional information to complete the mapping (e.g. on impacts not covered by the standards) and they cannot obtain this information in any other reasonable way.

Outlook and next steps
For the Omnibus Package to become law, it requires approval from both the European Parliament and a majority of EU member states in the European Council. Once law, directives would then have to be transposed into national laws. Until then, existing national laws remain in effect.
It is too early to predict a clear outcome, as significant criticism has been raised against the Omnibus Package from different parts of the EU suggesting that easing sustainability reporting rules could undermine long-term green growth and corporate accountability and impact on human rights and environmental protections.
However, given that key EU member states are in favour of the Omnibus Package and the drive to increase competitiveness, the weight of the Draghi Report and the fact the EC has asked for the legislative process to be fast-tracked, we would expect that a lot of the proposed changes will become EU law likely in months, not years.
Some EU countries may well decide to further goldplate their national laws to address some of the raised criticisms, which would risk a divergence of approach to reporting standards on a national level. This would be an unfortunate outcome and make the monitoring of reporting obligations burdensome.

EPA Reopens Comment Period on Proposed Risk Management Rule for PV29

On March 4, 2025, the U.S. Environmental Protection Agency (EPA) announced that it is reopening the comment period for the January 2025 proposed rule to address the unreasonable risk of injury to human health presented by Color Index (C.I.) Pigment Violet 29 (PV29) under its conditions of use (COU) as documented in EPA’s January 2021 risk evaluation and September 2022 revised risk determination. 90 Fed. Reg. 11142. Comments are due April 29, 2025.
As reported in our January 27, 2025, memorandum, EPA proposes, under Section 6(a) of the Toxic Substances Control Act (TSCA), to:

Require use of assigned protection factor (APF) 50 respirators and equipment and area cleaning to address the risk from inhalation exposure to dry powder PV29 (also referred to as regulated PV29), where dry powder PV29 is expected to be present, for the following COUs:

  Domestic manufacture;
  Import;
  Incorporation into formulation, mixture, or reaction products in paints and coatings;
  Incorporation into formulation, mixture, or reaction products in plastic and rubber products;
  Intermediate in the creation or adjustment of color of other perylene pigments;
  Recycling;
  Industrial and commercial use in automobile (original equipment manufacturer (OEM) and refinishing) paints and coatings;
  Industrial and commercial use in coatings and basecoats paints and coatings;
  Industrial and commercial use in merchant ink for commercial printing; and
  Disposal.

Require manufacturers (including importers), processors, and distributors in commerce of regulated PV29 to provide downstream notification of the requirements.
Require recordkeeping.

The BR Privacy & Security Download: March 2025

STATE & LOCAL LAWS & REGULATIONS
Virginia Legislature Passes Bill Regulating High-risk AI: The Virginia legislature passed HB 2094, the High-Risk Artificial Intelligence Developer and Deployer Act (the “Act”). Using a similar approach to the Colorado AI Act passed in 2023 and California’s proposed regulations for automated decision-making technology, the Act defines “high-risk AI systems” as AI systems that make consequential decisions, which are decisions that have material legal or similarly significant effects on a consumer’s ability to obtain things such as housing, healthcare services, financial services, access to employment, and education. The Act would require developers to use reasonable care to prevent algorithmic discrimination and to provide detailed documentation on an AI system’s purpose, limitations, and risk mitigation measures. Deployers of AI systems would be required to implement risk management policies, conduct impact assessments before deploying high-risk AI systems, disclose AI system use to consumers, and provide opportunities for correction and appeal. The bill is currently with Virginia Governor Glenn Youngkin, and it is unclear if he will sign it. 
Connecticut Introduces AI Bill: After an effort to pass AI legislation stalled last year in the Connecticut House of Representatives, another AI bill was introduced in the Connecticut Senate in February. SB-2 would establish regulations for the development, integration, and deployment of high-risk AI systems designed to prevent algorithmic discrimination and promote transparency and accountability. SB-2 would specifically regulate high-risk AI systems, defined as AI systems making consequential decisions affecting areas like employment, education, and healthcare. The bill includes similar requirements as the Connecticut AI bill considered in 2024 and would require developers to use reasonable care to prevent algorithmic discrimination and provide documentation on an AI system’s purpose, limitations, and risk mitigation measures. Deployers of high-risk AI systems would be required to implement risk management policies, conduct impact assessments before deployment of high-risk AI systems, disclose AI system use to consumers, and provide opportunities for appeal and correction.
New York Governor Signs Several Privacy Bills: New York Governor Kathy Hochul signed a series of bills expanding compliance obligations for social media platforms, debt collectors who use social media platforms, and dating applications. Senate Bill 895B—effective 180 days after becoming law—requires social media platforms operating in New York to post terms of service explaining how users may flag content they believe violates the platform’s terms. Senate Bill 5703B—effective immediately—prohibits the use of social media platforms for debt collection purposes. Senate Bill 2376B—effective 90 days after becoming law—expands the scope of New York’s identity theft protection law by including in its scope the theft of medical and health insurance information. Finally, Senate Bill 1759B—effective 60 days after becoming law—requires online dating services to notify individuals who were contacted by members who were banned for using a false identity, providing them with specific information to help users prevent being defrauded. Importantly, the New York Health Information Privacy Act, which would significantly expand the obligations of businesses that may collect broadly defined “health information” through their websites, has not yet been signed.
California Reintroduces Bill Requiring Browser-Based Opt-Out Preference Signals: For the second year in a row, the California Legislature has introduced a bill requiring browsers and mobile operating systems to provide a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the browser or mobile operating system. The California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), provides California residents with the ability to opt out of the sale or sharing of their personal data, including through an opt-out preference signal. AB 566 would amend the CCPA to ensure that consumers have the ability to do so. AB 566 requires the opt-out preference signal setting to be easy for a reasonable person to locate and configure. The bill further gives the California Privacy Protection Agency (“CPPA”), the agency charged with enforcing the CCPA, the authority to adopt regulations to implement and administer the bill. The CPPA has sponsored AB 566.
Virginia Senate Passes Amendments to Virginia Consumer Protection Act: Virginia’s Senate Bill 1023 (“SB 1023”) amends the Virginia Consumer Data Protection Act by banning the sale of precise geolocation data. The bill defines precise location data as anything that can locate a person within 1,750 feet. Introduced by Democratic State Senator Russet Perry, the bill has garnered bipartisan support in the Virginia Senate, passing with a 35-5 vote on February 4, 2025. Perry stated that the type of data the bill intends to ban has been used to target people in domestic violence and stalking cases, as well as for scams. 
Task Force Publishes Recommendations for Improvement of Colorado AI Act: The Colorado Artificial Intelligence Impact Task Force published its Report of Recommendations for Improvement of the Colorado AI Act. The Act, which was signed into law in May 2024, has faced significant pushback from a broad range of interest groups regarding ambiguity in its definitions, scope, and obligations. The Report is designed to help lawmakers identify and implement amendments to the Act prior to its February 1, 2026, effective date. The Report does not provide substantive recommendations regarding content but instead categorizes topics of potential changes based on how likely they are to receive consensus. The report identified four topics in which consensus “appears achievable with additional time,” four topics where “achieving consensus likely depends on whether and how to implement changes to multiple interconnected sections,” and seven topics facing “firm disagreement on approach where creativity will be needed.” These topics range from key definitions under the Act to the scope of its application and exemptions.
AI Legislation on Kids Privacy and Bias Introduced in California: California Assembly Member Bauer-Kahan introduced yet another California bill targeting Artificial Intelligence (“AI”). The Leading Ethical AI Development for Kids Act (“LEAD Act”) would establish the LEAD for Kids Standards Board in the Government Operations Agency. The Board would then be required to adopt regulations governing—among other things—the criteria for conducting risk assessments for “covered products.” Covered products include an artificial intelligence system that is intended to, or highly likely to, be used by children. The Act would also require covered developers to conduct and submit risk assessments to the board. Finally, the Act would authorize a private right of action for parents and guardians of children to recover actual damages resulting from breaches of the law.

FEDERAL LAWS & REGULATIONS
House Committee Working Group Organized to Discuss Federal Privacy Law: Congressman Brett Guthrie, Chairman of the House Committee on Energy and Commerce (the “Committee”), and Congressman John Joyce, M.D., Vice Chairman of the Committee, announced the establishment of a working group to explore comprehensive data privacy legislation. The working group is made up entirely of Republican members and is the first action in this new Congressional session on comprehensive data privacy legislation. 
Kids Off Social Media Act Advances to Senate Floor: The Senate Commerce Committee advanced the Kids Off Social Media Act. The Act would prohibit social media platforms from allowing children under 13 to create accounts, prohibit platforms from algorithmically recommending content to teens under 17, and require schools to limit social media use on their networks as a condition of receiving certain funding. The Act is facing significant pushback from digital rights groups, including the Electronic Frontier Foundation and the American Civil Liberties Union, which claim that the Act would violate the First Amendment.
Business Groups Oppose Proposed Updates to HIPAA Security Rule: As previously reported, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued a Notice of Proposed Rulemaking (“NPRM”) to amend the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule to strengthen cybersecurity protections for electronic protected health information (“ePHI”). See Blank Rome’s Client Alert on the proposed rule. A coalition of business groups, including the College of Healthcare Information Management Executives, America’s Essential Hospitals, American Health Care Association, Association of American Medical Colleges, Federation of American Hospitals, Health Innovation Alliance, Medical Group Management Association and National Center for Assisted Living, have written to President Trump and HHS Secretary Robert F. Kennedy, Jr. opposing the proposed rule. The business groups argue that the proposed rule imposes great financial burdens on the healthcare sector, including on rural hospitals, which would divert attention and funds away from other critical areas. The business groups also argue that the proposed rule contradicts Public Law 116-321, which explicitly requires HHS to consider a regulated entity’s adoption of recognized security practices when enforcing the HIPAA Security Rule, by not addressing or incorporating this legal requirement.
National Artificial Intelligence Advisory Committee Adopts List of 10 AI Priorities: The National Artificial Intelligence Advisory Committee (“NAIC”), which was established under the 2020 National Artificial Intelligence Initiative Act, approved a draft report for the Trump administration with 10 recommendations to address AI policy issues. The recommendations cover AI issues in employment, AI awareness and literacy, and AI in education, science, health, government, and law enforcement, as well as recommendations for empowering small businesses and AI governance and supporting AI innovation in a way that would benefit Americans.
CFPB Acting Director Instructs Agency Staff to Stop Work: Consumer Financial Protection Bureau (“CFPB”) Acting Director Russell Vought instructed agency staff to “stand down” and refrain from doing any work. The communication to CFPB employees followed an instruction to suspend regulatory activities and halt CFPB rulemaking. Vought also suspended CFPB’s supervision and examination activities. This freeze would impact the CFPB’s rule on its oversight of digital payment apps as well as the CFPB’s privacy rule that created a right of data portability for customers of financial institutions.

U.S. LITIGATION
First Washington My Health My Data Lawsuit Filed: Amazon is facing a class action lawsuit alleging violations of Washington’s My Health My Data Act (“MHMDA”), along with federal wiretap laws and state privacy laws. The suit is the first one brought under MHMDA’s private right of action and centers on Amazon’s software development kit (“SDK”) embedded in third-party mobile apps. The plaintiff’s complaint alleges Amazon collected location data of users without their consent for targeted advertising. The complaint also alleges that the SDK collected time-stamped location data, mobile advertising IDs, and other information that could reveal sensitive health details. According to the lawsuit, this data could expose insights into a user’s health status, such as visits to healthcare facilities or health behaviors, without users knowing Amazon was also obtaining and monetizing this data. The lawsuit seeks injunctive relief, damages, and disgorgement of profits related to the alleged unlawful behavior. The outcome could clarify how broadly courts interpret “consumer health data” under the MHMDA.
NetChoice Files Lawsuit to Challenge Maryland Age-Appropriate Design Act: NetChoice—a tech industry group—filed a complaint in federal court in Maryland challenging the Maryland Age-Appropriate Design Code Act as violating the First Amendment. The Act was signed into law in May and became effective in October 2024. It requires online services that are likely to be accessed by children under the age of 18 to provide enhanced safeguards for, and limit the collection of data from, minors. In its Complaint, NetChoice alleges that the Act will not meaningfully improve online safety and will burden online platforms with the “impossible choice” of either proactively censoring categories of constitutionally protected speech or implementing privacy-invasive age verification systems that create serious cybersecurity risks. NetChoice has been active in challenging similar Acts across the country, including in California, where it has successfully delayed the implementation of the eponymous California Age-Appropriate Design Code Act.
Kochava Settles Privacy Class Action; Unable to Dismiss FTC Lawsuit: Kochava Inc. (“Kochava”), a mobile app analytics provider and data broker, has settled the class action lawsuits alleging Kochava collected and sold precise geolocation data of consumers that originated from mobile applications. The settlement requires Kochava to pay damages of up to $17,500 for the lead plaintiffs and attorneys’ fees of up to $1.5 million. Among other changes to its privacy practices Kochava must make, the settlement requires Kochava to implement a feature aimed at blocking the sharing or use of raw location data associated with health care facilities, schools, jails, and other sensitive venues. Relatedly, U.S. District Judge B. Lynn Winmill of the District of Idaho denied Kochava’s motion to dismiss the lawsuit brought by the Federal Trade Commission (“FTC”) for Kochava’s alleged violations of Section 5 of the FTC Act. The FTC alleges that Kochava’s data practices are unfair and deceptive under Section 5 of the FTC Act, as it sells the sensitive personal information collected through its Mobile Advertising ID system (“MAIDs”) to its customers, providing customers a “360-degree perspective” on consumers’ behavior through subscriptions to its data feeds, without the consumer’s knowledge or consent. In the order denying Kochava’s motion to dismiss, Winmill rejected Kochava’s argument that Section 5 of the FTC Act is limited to tangible injuries and wrote that the “FTC has plausibly pled that Kochava’s practices are unfair within the meaning of the FTC Act.”
Texas District Court Blocks Enforcement of Texas SCOPE Act: The U.S. District Court for the Western District of Texas (“Texas District Court”) granted a preliminary injunction blocking enforcement of Texas’ Securing Children Online through Parental Empowerment Act (“SCOPE Act”). The SCOPE Act requires digital service providers to protect children under 18 from harmful content and data collection practices. In Students Engaged in Advancing Texas v. Paxton, plaintiffs sued the Texas Attorney General to block enforcement of the SCOPE Act, arguing the law is an unconstitutional restriction of free speech. The Texas District Court ruled that the SCOPE Act is a content-based statute subject to strict scrutiny, and that with respect to certain of the SCOPE Act’s monitoring-and-filtering, targeted advertising and content monitoring and age-verification requirements, the law’s restrictions on speech failed strict scrutiny and should be facially invalidated. Accordingly, the Texas District Court issued a preliminary injunction halting the enforcement of such provisions. The remaining provisions of the law remain in effect.
California Attorney General Agrees to Narrowing of Its Social Media Law: The California Attorney General has agreed to not enforce certain parts of AB 587, now codified in the Business & Professions Code, sections 22675-22681, which set forth content moderation requirements for social media platforms (the “Social Media Law”). X Corp. (“X”) filed suit against the California Attorney General, alleging that the Social Media Law was unconstitutional, censoring speech based on what the state sees as objectionable. While the U.S. District Court for the Eastern District of California (“California District Court”) initially denied X’s request for a preliminary injunction to block the California Attorney General from enforcing the Social Media Law, the Ninth Circuit overturned that decision, holding that certain provisions of the law regarding extreme content failed the strict-scrutiny test for content-based restrictions on speech, violating the First Amendment. X and the California Attorney General have asked the California District Court to enter a final judgment based on the Ninth Circuit decision. The California Attorney General has also agreed to pay $345,576 in attorney fees and costs.

U.S. ENFORCEMENT
Arkansas Attorney General Sues Automaker over Data Privacy Practices: Arkansas Attorney General Tim Griffin announced that his office filed a lawsuit against General Motors (“GM”) and its subsidiary OnStar for allegedly deceiving Arkansans and selling data collected through OnStar from more than 100,000 Arkansas drivers’ vehicles to third parties, who then sold the data to insurance companies that used the data to deny insurance coverage and increase rates. The lawsuit alleges that GM advertised OnStar as offering the benefits of better driving, safety, and operability of its vehicles, but violated the Arkansas Deceptive Trade Practices Act by misleading consumers about how driving data was used. The lawsuit was filed in the Circuit Court of Phillips County, Arkansas.
Healthcare Companies Settle FCA Claims over Cybersecurity Requirements: Health Net and its parent company, Centene Corp. (collectively, “Health Net”), have settled with the United States Department of Justice (“DOJ”) for allegations that Health Net falsely certified compliance with cybersecurity requirements under a U.S. Department of Defense contract. Health Net had contracted with the Defense Health Agency of the U.S. Department of Defense (“DHA”) to provide managed healthcare support services for DHA’s TRICARE health benefits program. The DOJ alleged that Health Net failed to comply with its contractual obligations to implement and maintain certain federal cybersecurity and privacy controls. The DOJ alleged that Health Net violated the False Claims Act by falsely stating its compliance in related annual certifications to the DHA. The DOJ further alleged that Health Net ignored reports from internal and third-party auditors about cybersecurity risks on its systems and networks. Under the settlement, Health Net must pay the DOJ and DHA $11.25 million.
Eyewear Provider Fined $1.5M for HIPAA Violations: The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) imposed a $1,500,000 civil money penalty against Warby Parker for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. The penalty resulted from a cyberattack involving unauthorized access to customer accounts, affecting nearly 200,000 individuals. An OCR investigation resulted from a 2018 security incident. Between September 25, 2018, and November 30, 2018, third parties accessed customer accounts using usernames and passwords obtained from breaches of other websites, a method known as “credential stuffing.” The compromised data included names, addresses, email addresses, payment card information, and eyewear prescriptions. OCR found that Warby Parker failed to conduct an accurate risk analysis, implement sufficient security measures, and regularly review information system activity.
CPPA Finalizes Sixth Data Broker Registration Enforcement Action: The California Privacy Protection Agency announced that it is seeking a $46,000 penalty against Jerico Pictures, Inc., d/b/a National Public Data, a Florida-based data broker, for allegedly failing to register and pay an annual fee as required by the California Delete Act. The Delete Act requires data brokers to register and pay an annual fee that funds the California Data Broker Registry. This action comes following a 2024 data breach in which National Public Data reportedly exposed 2.9 billion records, including names and Social Security Numbers. This is the sixth action taken by the CPPA against data brokers, with the first five actions resulting in settlements.

INTERNATIONAL LAWS & REGULATIONS
First EU AI Act Provisions Become Effective; Guidelines on Prohibited AI Adopted: The first EU AI Act (the “Act”) provisions to become effective came into force on February 2, 2025. The Act’s provisions prohibiting certain types of AI systems deemed to pose an unacceptable risk and rules on AI literacy are now applicable in the EU. Prohibited AI systems are those that present unacceptable risks to the fundamental rights and freedoms of individuals and include social scoring for public and private purposes, exploitation of vulnerable individuals with subliminal techniques, biometric categorization of natural persons based on biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs or sexual orientation, and emotion recognition in the workplace and education institutions, unless for medical or safety reasons, among other uses. The new AI literacy obligations will require organizations to put in place robust AI training programs to ensure a sufficient level of AI literacy for their staff and other persons working with AI systems. Certain obligations related to general-purpose AI models will become effective August 2, 2025. Most other obligations under the Act will become effective August 2, 2026.
UK Introduces AI Cyber Code of Practice: The UK government has introduced a voluntary Code of Practice to address cybersecurity risks in AI systems, with the aim of establishing a global standard via the European Telecommunications Standards Institute (“ETSI”). This code is deemed necessary due to the unique security risks associated with AI, such as data poisoning and prompt injection. It offers baseline security requirements for stakeholders in the AI supply chain, emphasizing secure design, development, deployment, maintenance, and end-of-life. The Code of Practice is intended as an addendum to the Software Code of Practice. It provides guidelines for developers, system operators, data custodians, end-users, and affected entities involved in AI systems. Principles within the code include raising awareness of AI security threats, designing AI systems for security, evaluating and managing risks, and enabling human responsibility for AI systems. The code also emphasizes the importance of documenting data, models, and prompts, as well as conducting appropriate testing and evaluation.
CJEU Issues Opinion on Pseudonymized Data: The Court of Justice of the European Union (“CJEU”) issued a decision in a case involving an appeal by the European Data Protection Supervisor (“EDPS”) against a General Court decision that annulled the EDPS’s decision regarding the processing of personal data by the Single Resolution Board (“SRB”) during the resolution of Banco Popular Español SA during insolvency proceedings. The case reviewed whether data transmitted by the SRB to Deloitte constituted personal data. Personal data consisted of comments from parties interested in the proceedings that had been pseudonymized by assigning a random alphanumeric code, as well as aggregated and filtered, so that individual comments could not be distinguished within specific commentary themes. Deloitte did not have access to the codes or the original database. The court held that the data was personal data in the hands of the SRB. However, the court ruled that the EDPS was incorrect in determining that the pseudonymized data was personal data to Deloitte without analyzing whether it was reasonably possible that Deloitte could identify individuals from the data. As a takeaway, the CJEU left open the possibility that pseudonymized data could be organized and protected in such a way as to remove any reasonable possibility of re-identification with respect to a particular party, resulting in the data not constituting personal data under the GDPR.
European Commission Withdraws AI Liability Directive from Consideration; European Parliament Committee Votes to Press On: The European Commission announced it plans to withdraw the proposed EU AI Liability Directive, draft legislation for addressing harms caused by artificial intelligence. The decision was announced in the Commission’s 2025 Work Program, which states that there is no foreseeable agreement on the legislation. However, the proposed legislation has not yet been officially withdrawn. Despite the announcement, members of the European Parliament on the body’s Internal Market and Consumer Protection Committee voted to keep working on liability rules for artificial intelligence products. It remains to be seen whether the European Parliament and the EU Council can make continued progress in negotiating the proposal in the coming year.
Additional Authors: Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganze, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Adam J. Landy, Amanda M. Noonan and Karen H. Shin.

Supreme Court Says EPA Has No Authority to Impose “End-Result” Requirements in Clean Water Act Permits

On Tuesday, March 4, 2025, the Supreme Court issued an opinion in City and County of San Francisco, California v. Environmental Protection Agency, U.S. No. 23-753 in which the City and County of San Francisco (San Francisco) challenged certain provisions in the Clean Water Act (CWA) National Pollutant Discharge Elimination System (NPDES) permit for its Oceanside wastewater treatment plant (WWTP) that conditioned compliance on whether the receiving water body met certain water quality standards. Among other requirements and restrictions, the NPDES permit at issue prohibited the WWTP from 1) making any discharge that “contribute[s] to a violation of any applicable water quality standard,” and 2) performing any treatment or making any discharge that “create[s] pollution, contamination, or nuisance as defined by California Water Code section 13050.”

According to San Francisco, these permit requirements created significant uncertainty for the compliance status of its Oceanside WWTP by holding petitioner responsible for a condition it could not directly control—the quality of the oceanwater into which the WWTP discharges. The EPA, on the other hand, argued that it needs the authority to impose these “end-result” permit requirements when the regulated entity does not provide the agency with adequate information to craft more specific requirements that will be adequately protective of receiving water quality.
Justice Samuel Alito delivered the opinion of the Court, which held in a 5-4 opinion that the CWA provisions authorizing the EPA to impose “effluent limitations” (33 U.S.C. § 1311) in NPDES permits do not authorize such “end-result” requirements that “condition [permittees’] compliance on whether receiving waters meet applicable water quality standards.” In other words, the EPA cannot impose requirements that “simply tell[] a permittee that a particular end result must be achieved and that it is up to the permittee to figure out what it should do.” Justice Amy Coney Barrett, joined by three justices (Sotomayor, Kagan and Jackson), argued in dissent that there is nothing in the “straightforward statutory language” of the CWA that distinguishes “end-result” permit requirements from other requirements the majority found to be acceptable.
A driving concern for the majority was the potential hole that “end-result” requirements could create in CWA Section 1342(k), which deems a permittee to be in compliance with the CWA if it is in compliance with its permit. This “permit shield” provision offers certain legal assurances to permittees that would otherwise be exposed to harsh civil and even criminal penalties for violations of the CWA that are ultimately outside of their control. The Court found that “end-result” permit requirements, by “making the permittee responsible for any drop in water quality below the acceptable standard,” would potentially swallow the protections offered by Section 1342(k) and result in significant civil and criminal exposure for permittees, even when they comply with all the other terms of their permits.
A second key issue for the Court was the lack of any mechanism in the CWA for apportioning liability where multiple permittees, each with “end-result” permit requirements, discharge into the same water body. In such a case, the EPA would have to “unscramble the polluted eggs after the fact” to determine which permittee was liable. According to the Court, it was exactly this backwards-looking convoluted enforcement scheme that Congress sought to abandon when it amended the Water Pollution Control Act in 1972 to create the modern Clean Water Act.
Notably, the Court upheld “narrative” permit terms, such as requirements to implement best management practices without specifying the exact practices to implement in every given situation. In doing so, the Court rejected San Francisco’s argument that “all limitations” imposed under CWA Section 1311 must qualify as “effluent limitations” and upheld conditions that “do not directly restrict the quantities, rates, or concentration” of pollutants that a permittee may discharge.
The Court’s holding impacts NPDES permits throughout California and across the country. “End-result” permit requirements in the form of receiving water limitations are commonly found in general NPDES permits, including California’s Construction General Permit and Industrial General Permit, as well as site-specific NPDES permits. The Court’s holding also may impact pending regulatory and citizen-suit enforcement actions, at least to the extent such actions are based on “end-result” permit requirements similar to the ones rejected by the Supreme Court. 

Foley Automotive Update 06 March 2025

Foley is here to help you through all aspects of rethinking your long-term business strategies, investments, partnerships, and technology. Contact the authors, your Foley relationship partner, or our Automotive Team to discuss and learn more.
Special Update — Trump Administration and Tariff Policies

Foley & Lardner provided an update on the potential ramifications of steel and aluminum tariffs on multinational companies.
Foley & Lardner partner Gregory Husisian described sentiment among Chief Financial Officers on the Trump administration’s approach to trade policy in The Wall Street Journal article, “The Latest Dilemma Facing Finance Chiefs: What to Tell Investors About Tariffs.”
Key tariff announcements include:

USMCA-compliant automakers have a one-month exemption from the 25% tariffs on U.S. imports from Canada and Mexico that were announced on March 4. The Trump administration announced the decision on March 5, following discussions with Ford, GM, and Stellantis.
In a March 5 MEMA update regarding the temporary pause of auto tariffs on Canada and Mexico, President and CEO Bill Long stated “Conversations held today indicate positive results that USMCA-compliant parts are included, but we are awaiting official confirmation from the Administration.” In breaking news on March 6, Commerce Secretary Howard Lutnick stated to CNBC: “It’s likely that it will cover all USMCA compliant goods and services, so that which is part of President Trump’s deal with Canada and Mexico are likely to get an exemption from these tariffs. The reprieve is for one month.”
On March 4, U.S. duties on Chinese imports were doubled to 20%. China intends to implement new tariffs on U.S. imports on March 10, and the nation added over two dozen U.S. companies to export control and corporate blacklists. 
The Canadian government does not plan to repeal the 25% retaliatory tariffs on approximately C$30 billion worth of goods from U.S. exporters, announced on March 4. Canada could also implement a second round of 25% tariffs in three weeks on C$125 billion of products that include cars, trucks, steel, and aluminum. Mexico plans to announce tariffs on U.S. imports on March 9.
25% levies on U.S. imports of steel and aluminum could be implemented March 12.
Announcements could follow on April 2 regarding 25% sector-specific tariffs that would include automobile and semiconductor imports, along with broader “reciprocal tariffs” on countries that tax U.S. imports. Details have not been provided regarding the recent threat for 25% duties on European imports.
A February 25 executive order directed the government to consider possible tariffs on copper.

Automotive Key Developments

U.S. new light-vehicle sales are estimated to have reached a SAAR between 16.1 and 16.3 million units in February 2025, according to preliminary analysis from J.D. Power and Haver Analytics.
Annual U.S. auto sales could decline by 500,000 units, and up to 2 million units, if the Trump administration were to implement 25% tariffs on automotive imports from Mexico and Canada, according to automotive analysts featured in the Detroit Free Press and Bloomberg. In addition, a recession could begin “within a year” if certain tariffs “persist for any length of time.”
The Alliance for Automotive Innovation and Anderson Economic Group estimate tariffs on Mexican and Canadian imports could raise the cost of a new vehicle by up to 25%, or by a range of $4,000 to $12,000, depending on the model.
Crain’s Detroit reports product launch delays are impacting suppliers as automakers postpone investment decisions until there is more stability in areas that include “federal tariffs, regulatory policy and electric vehicle incentives.”
A number of large auto suppliers are taking steps to reduce expenses in order to support profitability amid market uncertainty, according to a report in Automotive News.
The Wall Street Journal provided overviews of the potential impact of tariffs on automakers and vehicle components, stating that “no sector is as exposed to possible Trump tariffs as the auto industry.”
The benchmark price for domestic steel has increased 25% this year to $900 a ton, ahead of a possible 25% import tariff on the metal. 
The Wall Street Journal reports the potential for tariffs on aluminum has already raised costs for buyers, as there are few U.S. suppliers capable of meeting supply needs after years of declining domestic production.
The National Highway Traffic Safety Administration laid off 4% of its staff as part of a government-wide reduction of federal employees. NHTSA had expanded its workforce by roughly 30% under the Biden administration, and it was estimated to have a staff of approximately 800 prior to the job cuts.
At the annual MEMA Original Equipment Suppliers event on February 27, the North American purchasing chief of Stellantis indicated the automaker will consider supplier requests for pricing relief. This represents a reversal of a “no more claims” policy announced in 2024.

OEMs/Suppliers

Stellantis reported a full-year 2024 net profit of $5.8 billion on net revenue of $156.9 billion, representing year-over-year declines of roughly 70% and 17%, respectively.
GM will temporarily halt production for a number of weeks at its Corvette plant in Bowling Green, Kentucky, for undisclosed reasons.
Mercedes plans to reduce capacity in Germany as part of an initiative to reduce expenses by 10% through 2027 amid heightened competition, uneven demand, and high material costs. The automaker may also reduce its sales and finance workforce in China, according to unidentified sources in Reuters. 
China’s top-selling automaker, BYD, could decide on a third plant location in Europe within the next two years. The automaker has plants underway in Szeged, Hungary, and Izmir, Türkiye.
Detroit Manufacturing Systems, LLC will acquire Android Industries, LLC and Avancez, LLC. The combined entity, Voltava LLC, will be headquartered in Auburn Hills, Michigan, and it is expected to reach over $1.5 billion in annual revenue.

Market Trends and Regulatory

J.D. Power estimates the average monthly payment for a new vehicle reached $738 in February, up 2.4% year-over-year. The analysis noted “vehicle affordability remains a challenge for the industry and is the primary reason why the sales pace, while strengthening, has not returned to pre-pandemic levels.”
The new vehicle average transaction price reached $48,118 in January 2025, according to analysis from Edmunds.
The International Longshoremen’s Association (ILA) ratified a six-year labor contract with the United States Maritime Alliance (USMX), ending months of uncertainty over the potential for a follow-up strike at U.S. East and Gulf Coast ports.
National “right to repair” legislation was introduced in Congress last month by a bipartisan group of lawmakers. The Right to Equitable and Professional Auto Industry Repair Act (H.R. 906) follows multiple recent attempts by Congress to pass similar legislation.
The 2026 Detroit Auto Show will take place January 14–25, 2026, at Huntington Place.
In response to concerns over the compliance costs associated with 2025 carbon dioxide emissions standards in the European Union, the European Commission announced automakers will now have a three-year window to meet emissions targets in the bloc.

Autonomous Technologies and Vehicle Software

Automotive News provided an update on the outlook for artificial intelligence (AI) adoption in certain automotive applications.
A number of automakers are pursuing software and AI-based technology to differentiate their vehicles’ self-driving features, according to a report in The Wall Street Journal.
Stellantis debuted a Level 3 automated driving system, STLA AutoDrive 1.0, that is expected to facilitate hands-free and eyes-off functionality at speeds of up to 37 mph. The automaker did not provide a launch date for the technology. The Society of Automotive Engineers (SAE) defines Level 3 as autonomous technology that can drive the vehicle under limited conditions without human supervision.
Mercedes is currently the only automaker with a Level 3 system approved for use in the U.S., and the automaker’s Drive Pilot is only available in Nevada and California. Honda plans to launch a Level 3 automated driving system in 2026, in the 0 Series in North America.
Uber began offering its customers driverless Waymo rides in Austin, Texas.

Electric Vehicles and Low Emissions Technology

China’s Xiaomi has a goal to deliver over 300,000 EVs in 2025, and this would more than double its deliveries last year. The consumer electronics giant sells nearly all its EVs within China.
China announced new export restrictions on tungsten and other specialty metals used in applications that include EV batteries.
TechCrunch analysis indicates there are currently 34 battery factories either planned, under construction, or operational in the U.S., up from two in 2019.
Stellantis’ Brampton Assembly plant in Ontario has been temporarily shut down as the automaker reevaluates plans for the next-generation electric Jeep Compass SUV that was scheduled to begin production in early 2026. This follows a decision by Ford to delay the launch of its next-generation gas and hybrid F-150 pickup trucks.
Canada’s zero-emission vehicle sales declined by nearly 30% in January 2025 from December 2024. This follows a halt in the federal rebate program, when funding was exhausted ahead of the original termination date of March 31, 2025.
The Trump administration directed federal buildings across the U.S. to shut off EV chargers, according to communications from the General Services Administration described by unidentified sources in Bloomberg.
Upstream’s 2025 Automotive and Smart Mobility Global Cybersecurity Report found that attacks involving EV chargers increased to 6% in 2024, from 4% in 2023. According to the report, 59% of the EV charging attacks in 2024 had the potential to impact millions of devices, including chargers, mobile apps, and vehicles.
Among the top 10 battery electric vehicle (BEV) models with the fewest reported problems in the J.D. Power 2025 U.S. Electric Vehicle Experience (EVX) Ownership Study, seven were in the mass market segment. BMW iX was rated highest overall and highest in the premium BEV segment, and the Hyundai IONIQ 6 ranked highest in the mass market BEV segment.
Consumer Reports’ Best Cars of the Year for 2025 includes six models with hybrid options and one fully electric model.
BEV sales in Europe increased 34% year-over-year in January 2025, while overall new-vehicle registrations fell by 2.5%, according to data from the European Automobile Manufacturers’ Association (ACEA). BEVs achieved a 15% market share in Europe, compared to 10.9% in January 2024.

Analysis by Julie Dautermann, Competitive Intelligence Analyst

French Senators Propose Repealing or Postponing the Implementation of CSRD Requirements Under French Law

On 26 February 2025, the European Commission published its Omnibus simplification package which aims at simplifying several ESG-related legislations.
In the context of this publication, we offered insight on the proposals announced by the Commission, which notably included i) a proposal for a Directive amending the implementation and transposition deadlines of the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD), and ii) a proposal for a Directive amending the scope and requirements of the CSRD and CSDDD.
The postponement of the CSRD reporting requirements would only concern companies that are not yet subject to reporting. We offer advice on what companies should do on CSRD while they wait for the EU to make up its mind.
Some stakeholders have not waited for the EU to make final decisions before attempting to change companies’ sustainability obligations. While the CSRD was transposed into French law by an Order published in December 2023, several senators proposed on 4 March 2025 to repeal the Order, “in order to avoid major difficulties for companies”.
The same senators also proposed a 4-year postponement on the implementation of sustainability reporting requirements under French law. They argue that the current timeline for the entry into force of the CSRD reporting requirements is already causing significant operational difficulties to French companies. Postponing the implementation of the sustainability reporting obligations for four years would allow companies to better prepare for these new rules, giving them the time needed to structure their reporting effectively, according to these senators.
This position could change and is not definitive insofar as these amendments have been tabled in the Senate on first reading of a bill and are due to be debated in public session on March 10 and (possibly) 11, 2025.
These amendments echo the French position published in January 2025, calling for an indefinite delay of the CSDDD, a two-year delay on the CSRD, as well as a significant reduction in the scope of sustainability reporting. However, they may come as a surprise from a country which had already transposed the CSRD and that was a forerunner on the duty of care.
 
Adèle Bourgin contributed to this article.

Property Resilience Assessments and ASTM Standard (E 3429-24): A Potential New Due Diligence Option for Real Estate Transactions

In order to address the growing challenges posed by escalating climate uncertainties in the real estate sector, ASTM International (ASTM) published in October 2024 the “Standard Guide for Property Resilience Assessments,” Standard E 3429-24 (Standard E 3429-24). Standard E 3429-24 is designed to assess how properties withstand and adapt to evolving environmental threats. By way of background, for over a century, ASTM has created and published various consensus standards that guide “best practices” in industries such as construction, real estate, engineering and environmental management. These standards are widely used in regulatory compliance, contractual agreements and industry best practices, with the aim of ensuring a consistent and reliable framework for evaluating risks and assessing performance. Real estate industry professionals have long relied on ASTM’s Standard E 1527-21 for Phase I Site Assessments to ensure that “all appropriate inquiries” are met under environmental statutory requirements. Standard E 3429-24 is intended to constitute a forward-looking “resilience assessment” for a property and to provide a new tool known as “Property Resilience Assessments (PRAs).” A PRA is intended to assess potential climate-related threats, evaluate a property’s vulnerabilities and recommend strategies to enhance resilience.
In practice, a PRA may be organized into up to three distinct stages:
Stage 1 – Hazard Identification: This stage identifies potential natural hazards that may affect a property. The PRA process includes evaluating a broad range of hazards and risks that may affect the property, including, among others, (i) extreme temperature fluctuation, (ii) geologic phenomena such as earthquakes and coastal erosion, (iii) flood or drought conditions, (iv) wildfires and (v) wind-related threats, including tropical cyclones, tornadoes and hurricanes. The findings are intended to provide a qualitative assessment of risk levels associated with each applicable hazard (e.g., an indication of severity and relative frequency of each identified hazard).
Stage 2 – Risk Evaluation: This stage evaluates the risks posed by the hazards identified in Stage 1. It includes an assessment of potential safety concerns, structural vulnerabilities and functional recovery time. The analysis incorporates both qualitative assessments (e.g., damage risks can be expressed on a multi-level system of “high, medium or low”) and quantitative assessments (e.g., damage risks can be expressed on the potential monetary value of repair or ratio of damage to the overall property) of potential harm that could be caused by such risks.
Stage 3 – Resilience Measures: This stage identifies conceptual resilience measures to enhance property-level performance and recovery. In Stage 3, information from Stages 1 and 2 is analyzed to identify potential measures to enhance a property’s ability to endure the risks identified in Stages 1 and 2, and to provide certain resilience measures that may be taken by the property owner, broken into three distinct categories: (i) Accommodate (e.g., elevate buildings and mechanical systems), (ii) Protect (e.g., build seawalls around the subject property), and (iii) Retreat/Relocate (e.g., remove or relocate a building and related infrastructure).
Importantly, ASTM clarifies that the development and use of PRAs is intended to provide a “flexible approach” to facilitate property-level decision-making, rather than prescribe a particular course of action with respect to the subject property. In contrast to traditional due diligence tools used in real estate transactions that assess pre-existing property conditions, such as a Phase I or a Property Condition Report, a PRA offers a forward-looking perspective that is inherently more subjective. The subjectivity of the PRAs may lead to additional negotiations among the parties involved with a property transaction (e.g., a borrower and its lender), but the PRAs will provide all parties with a more comprehensive understanding of future property risks and therefore enable more informed decision-making regarding investments in the property.
While the application and use of PRAs and Standard E 3429-24 have not yet been widely adopted as a market standard in the real estate industry, a growing number of third-party providers are actively marketing services to produce these reports. Some providers note that the anticipated cost for a PRA is similar to that of a Property Condition Assessment, although it varies based on the size of the property, complexity of the asset and the number of hazards that are being considered. Standard E 3429-24 recommends that these providers possess a professional designation in architecture, engineering or science, along with three to five years of experience in building performance, natural hazard mitigation or resilience fields, applicable to the subject property.
As PRAs become more commonplace, they could be of assistance and provide guidance for real estate professionals who look to participate in transactions in markets that face perceived environmental threats or hazards, and if a particular property faces potential future environmental risks.
A link to ASTM’s Standard E 3429-24 may be accessed here.

ESG Update: Texas Federal Court Cites Loper Bright in Upholding Biden-Era ESG 401(k) Investing Rule

A Biden-era US Department of Labor (DOL) Rule permitting consideration of environmental, social, and governance (ESG) factors when choosing investments as a “tiebreaker” was recently upheld by Texas federal Judge Matthew Kacsmaryk. This decision applied the US Supreme Court’s 2024 ruling in Loper Bright v. Raimondo, revisiting three topics lost in 2025’s Department of Government Efficiency-era drama.

With a February 14 decision, Judge Kacsmaryk upheld the Biden-era Rule allowing retirement plan fiduciaries to consider ESG factors when choosing investments as a “tiebreaker,” in other words, when all other considerations for competing investments are equal. The court held that the Rule was in accordance with a strict reading of the Employee Retirement Income Security Act of 1974 (ERISA). The decision is available here.
Below, we break down the court’s decision and answer four questions on the minds of regulatory decisionmakers.
But first, some background. Until President Trump took office in January, ESG litigation, Loper Bright, and indeed, Judge Kacsmaryk were among our most chronicled topics:

Past content referencing ESG litigation is here, here, and here.
Here and here are discussions of the impact of the Supreme Court’s decision in Loper Bright v. Raimondo.
We last discussed Judge Kacsmaryk here, here, and here.

What Is in the Rule?
The Prudence and Loyalty in Selecting Plan Investments and Exercising Shareholder Rights Rule (Investment Duties Rule) was adopted in late 2022 and became effective on January 30, 2023. The DOL intended this rule to permit consideration of “climate change and other environmental, social, and governance factors” by plan investors “as they make decisions about how to best grow and protect” retirement savings, clarifying the duties of fiduciaries to ERISA employee benefits plans. The Biden Administration’s Rule neutralized a Trump-era Rule forbidding retirement plan fiduciaries from considering nonpecuniary factors — generally considered as factors that do not have a material effect on financial risk, financial return, or both — when making investment decisions.
In Texas federal court, 26 states and several other parties challenged the DOL’s Investment Duties Rule. After the case was filed, defendants moved to transfer the case to the US District Court for the District of Columbia or a district court where a plaintiff resided. The plaintiffs in turn amended their complaint to add the State of Oklahoma and Alex L. Fairly, an Amarillo, Texas, resident, as plaintiffs. After this amendment, a Texas federal court determined that the venue was proper.
What Is in the Decision?
The Valentine’s Day decision in Utah v. Micone, which began as Utah v. Walsh then Utah v. Su, came after a 2024 Fifth Circuit remand for reconsideration after the Supreme Court’s decision in Loper Bright, which overruled precedent giving rise to “Chevron deference.” Chevron deference used to require a court to defer to the relevant agency’s interpretation of an ambiguous statute so long as the agency interpretation of the statute was reasonable. In Loper Bright, the Supreme Court overruled Chevron and held that courts must “exercise their independent judgment” when interpreting federal statutes and may not defer to agency interpretations simply because they determine that a statute is ambiguous.
Earlier, the initial Northern District of Texas ruling upheld the Biden-era Rule relying, in part, on Chevron deference, holding that the DOL’s interpretation of fiduciary duty provisions in ERISA was reasonable. On remand, the Fifth Circuit instructed the District Court to reconsider whether the Rule violated ERISA under a post-Chevron, Loper Bright analysis.
To the surprise of some (particularly considering another Northern District of Texas ruling issued days earlier, read more here), Judge Kacsmaryk again upheld the Rule as being in accordance with ERISA following remand. The opinion rejected Republican-state (and other) plaintiffs’ claim that the Investment Duties Rule’s nonpecuniary factor or tiebreaker provision violates ERISA’s text. The opinion explained that ERISA’s fiduciary provisions require that “a fiduciary must always discharge his duties in the interest of the beneficiary alone and only for the purpose of gaining financial benefit.” However, the provisions do not explicitly limit what a fiduciary may consider while discharging his or her duty.
Does Loper Bright Indicate the Executive Branch Always Loses?
The court stated that, under a strict textual reading, “ERISA’s text does not invalidate” tiebreaker provisions. In conclusion, Judge Kacsmaryk warns fiduciaries against letting impermissible considerations taint their decisions but further notes it is not the province of the court to decide the “wisest” outcome, ultimately holding that the Investment Duties Rule “does not permit a fiduciary to act for other interests than the beneficiaries’ or for other purposes than the beneficiaries’ financial benefit. For that reason, under the Loper Bright standard, it is not contrary to law.”
Despite the court’s cautioning and explicit reference to the replaced Trump-era Rule as potentially wise guidance, the decision remains significant. While narrow, the decision acts as a considerable example of a court approving the use of ESG principles and stands as a potential case study for the limited impact Loper Bright may have on agency deference decisions.
What Happens Next?
It is no secret that the Trump Administration does not support ESG investment considerations. Republicans have consistently stated that embracing ESG considerations ignores fiduciary duties, and both Florida and Texas have enacted laws prohibiting ESG considerations and banning money managers that engage in climate-action causes.
With the Biden-era Rule now affirmed at the District Court level, we see three paths forward for the Trump Administration: (1) stand back while plaintiffs potentially appeal the decision to the Fifth Circuit, allowing another bite at the apple for overturning the Rule without executive action; (2) begin a DOL formal notice-and-comment rulemaking process to issue a new Rule, revoking and replacing the Investment Duties Rule promulgated in 2022; or (3) work through a less formal process, allowing agencies like the DOL’s Employee Benefits Security Administration to use their sub-regulatory power to interpret law and make enforcement recommendations.
While the regulations do not carry legal weight in the same way a formal rule would, they can impact the actions and decisions those regulated take. There is certainly precedent for such an approach, provided by the 2022 DOL compliance assistance release, which warned against 401(k) investments into cryptocurrency and was upheld after a federal court challenge.
Whichever route is taken, we think it is unlikely the Trump Administration will allow the Rule to remain on the books in perpetuity.

Farm to Fly Act Reintroduced in Congress, Would Expand Use of Biofuels for Aviation

On January 16, 2025, Senators Jerry Moran (R-KS), Chuck Grassley (R-IA), Tammy Duckworth (D-IL), Pete Ricketts (R-NE), Amy Klobuchar (D-MN), and Joni Ernst (R-IA) reintroduced the Farm to Fly Act (S. 144), which would help accelerate the production and development of sustainable aviation fuel (SAF) through existing U.S. Department of Agriculture (USDA) programs to allow further growth for alternative fuels to be used in the aviation sector and create new markets for American farmers. According to Moran’s January 21, 2025, press release, the Farm to Fly Act would:

Clarify eligibility for SAF within current USDA Bio-Energy Programs, expanding markets for American agricultural crops through aviation bioenergy;
Provide for greater collaboration for aviation biofuels throughout USDA agency mission areas, increasing private sector partnerships; and
Affirm a common definition of SAF for USDA purposes, as widely supported by industry to enable U.S. crops to contribute most effectively to aviation renewable fuels.

The press release notes that in September 2024, Senators Moran, Duckworth, Klobuchar, and John Boozman (R-AR) launched the Sustainable Aviation Caucus “to promote the longevity of the aviation and renewable fuels industries.” Representatives Max Miller (R-OH), Mike Flood (R-NE), Brad Finstad (R-MN), Nikki Budzinski (D-IL), Claudia Tenney (R-NY), Tracey Mann (R-KS), Mike Bost (R-IL), Don Bacon (R-NE), Randy Feenstra (R-IA), Dusty Johnson (R-SD), Mark Alford (R-MO), Eric Sorensen (D-IL), Mariannette Miller-Meeks (R-IA), and Michelle Fischbach (R-MN) reintroduced companion legislation (H.R. 1719) in the House on February 27, 2025.

Textualism Again Comes to the Fore, Albeit with Contradictory Views on the Court – SCOTUS Today

Only a few readers of SCOTUS Today are lawyers who are professionally occupied with environmental matters.
However, almost all of my readers are constantly occupied with administrative law matters, governed in the post-Chevron world by questions of whether Congress has delegated power to administrative agencies and—to the extent that it has—how legislative text should be read or interpreted.
Those issues are at the heart of today’s decision in City and County of San Francisco v. Environmental Protection Agency.
Under the Clean Water Act (CWA), 33 U. S. C. §§ 1151, et seq., the Environmental Protection Agency (EPA) and authorized state agencies issue permits that impose requirements on entities that wish to discharge “pollutants” into U.S. waters.
The CWA regulatory scheme encompasses the National Pollutant Discharge Elimination System (NPDES), which makes it unlawful to discharge pollutants into covered bodies of water unless authorized by permit.
In a victory for San Francisco, Justice Alito, writing for a 5-4 majority, rejected the EPA’s “end result” sewage permits issued under the CWA. The permits focus on water quality instead of outlining specific requirements to prevent pollution. San Francisco had challenged nonspecific or “narrative” wastewater permits issued by the EPA to protect surface water quality. The “end result” terminology was created by the Court’s majority, and, in Alito’s words, “involves provisions that do not spell out what a permittee must do or refrain from doing; rather, they make a permittee responsible for the quality of the water in the body of water into which the permittee discharges pollutants.”
According to this wording, a permittee like San Francisco could satisfy every specific requirement set forth in the permit but “may nevertheless face crushing penalties if the quality of the water in its receiving waters falls below the applicable standards.” Thus, the majority held that “end result” permits exceed the authority designated in the CWA. Justice Alito was joined by the Chief Justice and Justices Thomas, Kavanaugh, and in part by Justice Gorsuch. Interestingly, Justice Barrett was joined by Justices Kagan, Sotomayor, and Jackson in a partial dissent.
Both the essential reasoning of the Court and its conclusion could be stated succinctly. However, Justice Alito wrote for 20 pages and Justice Barrett wrote for 14. The reason is that both the majority and partial dissenters were focused on text and context, which they parsed in intensive detail.
Contrasting legislative “limitations” or “restrictions” that are imposed from “without” (i.e., the legislature) with those whose source impermissibly comes from “within” (i.e., are to be imposed by the permittee itself), the Court defined its obligation as ascertaining what legislative terms mean in their specific context.
One can make light of that detailed exercise as the product of a linguistics laboratory. However, one recalls yet again Justice Kagan’s pronouncement (somewhat later rescinded) that “we are all textualists now.” And, at least today, everyone was just that, though they didn’t all see text in the same way.
Ultimately, City and County of San Francisco goes down as yet another opinion by a mostly conservative court, limiting agency authority by a narrow and literal reading of text rather than delving into questions of legislative intent and broad policy assessments.

Pest Practices: EPA Uses FIFRA to Adopt Additional Operational and Workplace Controls on Ethylene Oxide

Having adopted stringent air emission controls on commercial sterilizers that use ethylene oxide (EtO), the Environmental Protection Agency (EPA) has now adopted further controls on workplace exposure to EtO, including adopting new employee exposure limits, limiting the use of EtO in sterilizing food products and cosmetics, establishing requirements for operating commercial sterilizers that use EtO and new recordkeeping and training requirements. These controls represent the next step in EPA’s campaign to control exposure to what it considers a toxic chemical.
Unlike its prior emission regulations, EPA issued these controls as an Interim Registration Review Decision (ID) under its Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA) authority to regulate pesticides. Since its primary purpose is anti-bacterial, EtO has been regulated as a pesticide since 1966 and was registered under FIFRA in 1984. FIFRA gives EPA the authority to review and reregister pesticides and to confirm the allowed uses and warning on their required labels. It also allows EPA to issue interim findings and requirements even though it has not completed its registration process.
EPA began the reregistration process for EtO in 2013 but has yet to complete it. In 2021, however, as EPA began its focus on control of EtO, it began considering an ID to limit exposure. In 2023, it issued a draft ID, inviting comments from the regulated and environmental communities. On January 5, 2025, EPA issued its final ID, which is not published in the Federal Register but is on EPA’s website.
In the ID, EPA imposes stringent limits on commercial sterilizers. It limits the applicable uses for EtO by stating that EtO can no longer be used for museum, library and archival materials, cosmetics, or musical instruments. The ID also limits EtO uses for food sterilization stating that it can no longer be used generally on whole or ground spices or seasoning materials, although it can be used for a specified list of such materials and used to treat another list of such materials only if additional treatment is necessary. The ID further imposes concentration limits to be applied by 2035, limiting concentration for medical device sterilization to 600 mg/L unless the device design requires greater concentration levels or has U.S. Food and Drug Administration (“FDA”) approvals for greater levels. Finally, commercial sterilization facilities are required to have separate heating, ventilating and air conditioning systems for offices and control rooms and for EtO processing areas.
The ID adds significant rules regarding employee exposure. It goes beyond the Occupational Safety and Health Administration’s (“OSHA”) Permissible Exposure Limits and applies an eight-hour time-weighted average exposure limit that ratchets down over time. Through December 31, 2027, facilities are required to ensure that the eight-hour time-weighted limit is no greater than 1.0 ppm, but by January 1, 2035, the exposure limit must be reduced to 0.1 ppm. EPA adopts similar reductions for the short-term exposure limit and the EPA action levels. Similarly, EPA requires workers to use either air/airline respirators or self-contained breathing apparatus when engaged in tasks involving direct exposure to EtO, such as connecting and disconnecting EtO containers or unloading product from the sterilization chamber or aeration area. Finally, the ID requires continuous monitoring devices in both process and non-processing areas.
The ID also imposes enhanced training and recordkeeping requirements. Training must include a discussion of the health effects of EtO exposure and specific language that EtO is a carcinogen and describe symptoms of acute and chronic exposure. Recordkeeping includes monitoring sterilizer EtO concentrations, worker exposure data, indoor monitoring results, and worker training.
The ID imposes similarly stringent rules for sterilizers in healthcare facilities, including hospitals, veterinary facilities, and dental offices. Such facilities may only use EtO in single chamber sterilization devices that utilize emission capturing systems that limit worker and public exposure. The ID also imposes similar worker exposure requirements and similar rules on respirators. The rules on training and recordkeeping are similar as well.
The ID establishes numerous new requirements for EtO use for both commercial sterilizers and healthcare facility sterilizers, and each of these requirements has different start and compliance dates. Since the ID is not subject to publication in the Federal Register, these requirements may not have been subject to the broad attention applied to EPA regulations but are just as dramatic and far reaching. EPA issued the ID in the last days of the Biden administration, and it is not clear if the Trump administration is reviewing the ID, along with other late-adopted EPA regulations. What is clear is that users of EtO face significant additional requirements as a result of the ID and need to review and understand them.

Litigation Minute: Emerging Contaminants: What’s on the Horizon?

What You Need to Know in a Minute or Less
Emerging contaminants are synthetic or natural chemicals that have not been fully assessed from a health or risk perspective and are reportedly finding their way into consumer products and the environment. These include chemicals that have been widely used throughout society for decades but are now being targeted due to scientific developments and public scrutiny regarding their uses. Across industries, we are seeing increased regulation of consumer products, manufacturing processes, and industrial emissions, as well as new waves of litigation against unsuspecting businesses, putting their operations and financial stability at risk.
The first edition in this three-part series underscores the impact of the regulatory regime on the legal landscape and forecasts what lies ahead with a new regime and the substances likely in line for increased scrutiny, particularly ethylene oxide (EO) and perfluoroalkyl or polyfluoroalkyl substances (PFAS), as well as other chemicals.
In a minute or less, here is what you need to know about what is on the horizon for emerging contaminants litigation and regulation. 
Regulation Drives Litigation
EO is a versatile compound used to make ethylene glycol and numerous consumer products, including household cleaners and personal care items. Also used to sterilize medical equipment and other plastics sensitive to heat or steam, its uptick in litigation was largely driven by regulators’ positions surrounding EO’s alleged carcinogenic risk.
In 2016, the US Environmental Protection Agency (EPA) released its Integrated Risk Information System (IRIS) Assessment, finding that EO was 60 times more toxic than previous estimates and “carcinogenic to humans.”1 Widespread litigation soon followed, despite:

the EPA recognizing that its assessment included several uncertainties;2
state agencies, such as the Texas Commission on Environmental Quality, concluding that the EPA significantly overestimated EO’s carcinogenic risks;3 and
state agencies, such as the Tennessee Department of Health, finding no evidence for the clustering of high numbers of cancers near facilities that emit EO.4

The takeaway: A lack of robust science does not minimize litigation risk. Immature and incomplete scientific information will drive early litigation, particularly when it receives regulatory attention and is widely publicized on social media and in the popular press.
Where Federal Efforts Slow, States Pick Up the Slack
With Republicans taking control of the Senate, House of Representatives, and White House in November, expect that some legislation and regulation concerning emerging contaminants will be scaled back or unlikely to gain traction. This includes the EPA’s regulation of EO under the Clean Air Act and requirements for the use of EO as a pesticide, as well as bills introduced in Congress to phase out certain uses of PFAS, which are used in firefighting foams, personal care products, food packaging, and other consumer product applications.
But where federal legislation and regulation slow, expect state-level efforts and private litigation such as citizen suits to increase. For example, more than 20 states identified PFAS as an immediate, mid-, or long-term focus for 2025, and President Donald Trump’s first term saw a significant increase in environmental citizen suits.
The takeaway: Do not expect that the new administration will result in a lack of focus on emerging contaminants nationwide. Companies with products or intermediaries that become the focus of emerging contaminant legislation or regulation should consider whether it is appropriate to participate in legislative meetings, hearings, stakeholder sessions, and opportunities to comment and testify; meet with regulators and representatives in critical states; or contribute to the development of model legislation for use in various states.
Other Chemicals “Emerging” as Emerging Contaminants
With increased scientific scrutiny and regulatory activity acting as catalysts for litigation involving emerging contaminants, many other ubiquitous chemical substances may get caught up in the next waves of regulation and litigation—including, for example, microplastics, formaldehyde, and phthalates.
Microplastics
Microplastics can come from several sources, such as cosmetics, glitter, clothing, or larger plastic items breaking down over time. While a definitive correlation between microplastic exposure and adverse health effects has not yet been established, and the EPA states that “[m]icroplastics have been found in every ecosystem on the planet, from the Antarctic tundra to tropical coral reefs, and have been found in food, beverages, and human and animal tissue,” recent petitions to the EPA have called for increased monitoring of microplastics in drinking water. Examples of early litigation involving microplastics include consumer fraud and greenwashing claims.
Formaldehyde
Used in the production of construction materials, insulation, and adhesives, and as a preservative in cosmetics and personal care products, formaldehyde has seen an uptick in the filing of personal-injury claims and class actions alleging harm due to alleged exposure. These cases draw on the EPA’s August 2024 IRIS Toxicological Review of Formaldehyde and December 2024 final risk evaluation for formaldehyde under the Toxic Substances Control Act, despite high-profile challenges to the EPA’s assessments that have highlighted concerns with its scientific shortcomings.
Phthalates
The use of ortho-phthalate plasticizers in industrial applications and consumer products such as cosmetics, plastics, and food packaging has recently diminished. However, the listing of numerous phthalates as alleged reproductive toxicants and carcinogens under California’s Proposition 65, combined with Consumer Product Safety Commission restrictions on the use of phthalates in children’s toys and articles and the US Food and Drug Administration’s removal of 25 ortho-phthalate plasticizers from the Food Additive Regulations, is keeping phthalates in the spotlight. Recent phthalate litigation includes mislabeling and false advertising claims for food and childcare products containing trace phthalate residues.
The takeaway: Although litigation and regulatory developments related to EO and PFAS continue to capture headlines, more is on the horizon. Again, immature science can drive early litigation.