The BR Privacy & Security Download: April 2025
STATE & LOCAL LAWS & REGULATIONS
Virginia Governor Vetoes AI Bill: Virginia Governor Glenn Youngkin vetoed the Virginia High-Risk Artificial Intelligence Developer and Deployer Act (the “Act”). The Act was similar to the Colorado AI Act and would have required developers to use reasonable care to prevent algorithmic discrimination and to provide detailed documentation on an AI system’s purpose, limitations, and risk mitigation measures. Deployers of AI systems would have been required to implement risk management policies, conduct impact assessments before deploying high-risk AI systems, disclose AI system use to consumers, and provide opportunities for correction and appeal. The governor stated that the Act’s “rigid framework fails to account for the rapidly evolving and fast-moving nature of the AI industry and puts an especially onerous burden on smaller firms and startups that lack large legal compliance departments” and that the Act “would harm the creation of new jobs, the attraction of new business investment, and the availability of innovative technology” in the state. The governor also noted that existing state laws “protect consumers and place responsibilities on companies relating to discriminatory practices, privacy, data use, libel, and more” and that an executive order issued by the governor in 2024 established safeguards and oversight for AI use.
CPPA Advances Regulations for Data Broker Deletion Mechanism: The California Privacy Protection Agency (“CPPA”) advanced proposed California Delete Act regulations through the establishment of the Delete Request and Opt-Out Platform (“DROP”). These regulations would create an accessible mechanism for consumers to request the deletion of all their non-exempt personal information held by registered data brokers via a single request to the CPPA. The proposed rules also clarify the definition of a “direct relationship” with a consumer, specifying that simply collecting personal information directly from a consumer does not constitute a direct relationship unless the consumer intends to interact with the business. This revision could bring more businesses, such as third-party cookie providers, under the definition of data brokers. Consumers will likely be able to access DROP by January 1, 2026, and data brokers will be required to access it by August 1, 2026.
Virginia Enacts Reproductive Privacy Law: Virginia enacted amendments to the Virginia Consumer Data Protection Act to prohibit the collection, disclosure, sale, or dissemination of consumers’ reproductive or sexual health data without consent. “Reproductive or sexual health information” is defined under the law as “information relating to the past, present, or future reproductive or sexual health of an individual,” including: (1) efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies; (2) reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active, and whether an individual is engaging in unprotected sex; (3) reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy; (4) use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients; (5) bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels; (6) any information about diagnoses or diagnostic testing, treatment, or medications, or the use of any product or service relating to the matters described in 1 through 5; and (7) any information described in 1 through 6 that is derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data. “Reproductive or sexual health information” does not include protected health information as defined by HIPAA.
Oregon Attorney General Releases Enforcement Report on Oregon’s Consumer Privacy Act: The Oregon Attorney General released a six-month report on the enforcement of Oregon’s comprehensive privacy law, the Consumer Privacy Act (“OCPA”), which took effect on July 1, 2024. The report provides that, as of the beginning of 2025, the Privacy Unit within the Civil Enforcement Division at Oregon’s Department of Justice (“Privacy Unit”) had received 110 complaints. Most of these complaints were about online data brokers. In the last six months, the Privacy Unit initiated and closed 21 matters after sending cure notices (the OCPA provides for a 30-day cure period, which sunsets on January 1, 2026) and broader information requests. Some of the most common deficiencies identified were the lack of requisite disclosures or confusing privacy notices (e.g., not listing the OCPA rights or not naming Oregon in the “your state rights” section), and lacking or burdensome rights mechanisms (e.g., the lack of a webpage link for consumers to submit opt-out requests).
Utah Becomes First State to Enact Legislation Requiring App Stores to Verify Users’ Ages: Utah has enacted the App Store Accountability Act, which mandates that major app store providers verify the age of every user in the state. For users under 18, the law requires verifiable parental consent before any app can be downloaded, including free apps, or any in-app purchases can be made. App stores must also confirm a user’s age category (adult, older teen (16-17), younger teen (13-15), or child (under 13)). When a minor creates an account, it must be linked to a parent’s account. App store providers are responsible for building systems to verify ages, obtain parental consent, and share this data with app developers. They must also provide sufficient disclosure to parents about app ratings and content and notify them of significant changes to apps their children use, requiring renewed consent. Violations of the law will be considered deceptive trade practices, and the act creates a private right of action for harmed minors or their parents. The core requirements for age verification and parental consent are set to take effect on May 6, 2026.
Michigan Legislative Committee Advances Judicial Privacy Bill: The Michigan Senate Committee on Civil Rights, Judiciary, and Public Safety provided a favorable recommendation for a judicial privacy bill that would allow state and federal judges to request the deletion of their personal information from public listings. The Michigan bill would create a private right of action with mandatory recovery of legal fees against any entity that fails to respond to a valid deletion request. The purpose of the bill is to protect against a significant uptick in threats against judicial officers and their families. The bill is based on New Jersey’s Daniel’s Law, which has sparked a wave of class action lawsuits against data brokers and online listing companies. If passed, businesses that receive a valid request from a member of the judiciary or their immediate family members under the proposed bill would have to remove from publication any covered information pertaining to the requestor.
Virginia Legislature Passes Consumer Data Protection Act Amendments Restricting Minors’ Use of Social Media; Governor Declines to Sign: The Virginia Legislature unanimously passed a bill to amend the Virginia Consumer Data Protection Act to limit minors’ use of social media to one hour per day. Specifically, the bill would require any social media platform operator to (1) use commercially reasonable methods, such as a neutral age screen mechanism, to determine whether a user is a minor younger than 16 years of age and (2) limit any such minor’s use of the social media platform to one hour per day, per service or application, and allow a parent to give verifiable parental consent to increase or decrease the daily time limit. Virginia Governor Glenn Youngkin declined to sign the bill as passed, recommending several changes to strengthen the bill. These recommendations include raising the age of covered users from 16 to 18 and requiring social media platform operators to disable infinite scroll features and auto-playing videos unless the operator has obtained verifiable parental consent.
FEDERAL LAWS & REGULATIONS
Lawmakers Reintroduce COPPA 2.0 to Strengthen Children and Teens’ Online Privacy: U.S. Senators Bill Cassidy (R-LA) and Edward Markey (D-MA) have reintroduced the Children and Teens’ Online Privacy Protection Act (“COPPA 2.0”), aiming to update online data privacy rules to better protect children and teenagers. The bill seeks to address the youth mental health crisis by stopping data practices that contribute to it. COPPA 2.0 proposes several key measures, including a ban on targeted advertising to children and teens and the creation of an “Eraser Button,” allowing users to delete personal information. It also establishes data minimization rules to limit the excessive collection of young people’s data and revises the “actual knowledge” standard to prevent platforms from ignoring children on their sites. Furthermore, the legislation would require internet companies to obtain consent before collecting personal information from users aged 13 to 16. Previous versions of COPPA 2.0 have advanced in Congress, passing the Senate and a House committee in the past.
White House Seeks Stakeholder Input for Trump Administration’s AI Action Plan: The White House Office of Science and Technology Policy issued a Request for Information to gather public input on the administration’s AI Action Plan. The AI Action Plan is intended to define priority policy actions to enhance America’s position as an AI powerhouse and prevent unnecessary regulations from hindering private sector innovation. The focus is on promoting U.S. competitiveness in AI, limiting regulatory burdens, and developing safeguards that support responsible AI advancement. Stakeholders, including academia, industry groups, and private sector organizations, were encouraged to share their policy ideas on topics such as model development, cybersecurity, data privacy, regulation, national security, innovation, and international collaboration. The submitted comments will be used to inform future regulatory proposals.
Congresswoman Issues RFI for Input on U.S. Privacy Act Reform: Congresswoman Lori Trahan (D-MA) announced her effort to reform the Privacy Act of 1974, aiming to protect Americans’ data from government abuse. The proposed reforms seek to address outdated provisions in the act and enhance privacy protections for individuals in the digital age. Trahan emphasized the importance of updating the act to reflect modern technological advancements and the increasing amount of personal data collected by government agencies. The initiative includes measures to ensure greater transparency, accountability, and oversight of data collection practices. Trahan highlights the urgency of the issue as a result of access by the Department of Government Efficiency staff to personal data held by several agencies and calls for legislative action to protect citizens’ privacy rights and prevent government overreach.
U.S. LITIGATION
Court Blocks Enforcement of California Age-Appropriate Design Code: Industry group NetChoice scored yet another victory over the California Age-Appropriate Design Code Act, obtaining a second preliminary injunction temporarily blocking its enforcement. The act was passed unanimously by the California legislature in 2022 and—if enforced—would place extensive new requirements on websites and online services that are “likely to be accessed by children” under the age of 18. NetChoice won its first preliminary injunction in September 2023 on the grounds that the act would likely violate the First Amendment. In August 2024, the Ninth Circuit partially upheld this injunction, finding that NetChoice was likely to succeed in demonstrating that the act’s data protection impact assessment provisions violated the First Amendment. However, the Ninth Circuit remanded the case for determination of the constitutionality of the remaining provisions as well as whether any unconstitutional provisions could be severed from the remainder of the act. On remand, Judge Beth Labson Freeman again granted NetChoice’s motion for a preliminary injunction, finding that the act regulates protected speech, which triggers strict scrutiny review. Judge Freeman concluded that although California has a compelling interest in protecting the privacy and well-being of children, this interest alone is not sufficient to satisfy the strict scrutiny standard. This ruling is likely to strengthen NetChoice’s opposition to similar acts, such as the Maryland Age-Appropriate Design Code Act.
Court Rejects Allegheny Health Network’s Attempt to Force Arbitration over Meta Pixel Tracking: The U.S. District Court for the Western District of Pennsylvania ruled that Allegheny Health Network (“AHN”) cannot compel arbitration in a class action lawsuit filed by a patient under a pseudonym. The patient alleged that AHN unlawfully collected and disclosed his confidential health information to Meta Platforms. AHN initially sought to compel arbitration based on an arbitration provision within its website’s Terms of Service. However, the court denied this motion, finding that the patient did not have actual or constructive notice of the arbitration agreement. The court found that the link to AHN’s Terms of Service, a “browsewrap” agreement, was not sufficiently conspicuous, as it was located at the bottom of the homepage among numerous other links and in a less visible footer on its “Find a Doctor” page. Additionally, the court found AHN failed to prove the patient had seen the specific Terms of Service containing the arbitration provision after it was added to the website.
Supreme Court Declines Review of Sandhills Medical Data Breach Suit: The U.S. Supreme Court has declined to review a Fourth Circuit decision that ruled Sandhills Medical Foundation Inc. (“Sandhills Medical”), a federally funded health center, cannot use federal immunity to shield itself from a data breach lawsuit. The lawsuit was brought by Joann Ford following a data breach at Sandhills Medical. Sandhills Medical argued it was entitled to federal immunity under 42 U.S.C. § 233(a), which protects federally funded health centers from lawsuits related to the performance of medical, surgical, dental, or related functions. The Fourth Circuit, however, interpreted “related functions” narrowly, stating it did not cover data protection. Sandhills Medical, in its petition to the Supreme Court, contended that this ruling created a circuit split with the Ninth and Second Circuits, which have taken a broader view of the immunity. Sandhills Medical warned that the Fourth Circuit’s “unnaturally cramped” reading of the statute needed correction. Despite these arguments, the Supreme Court denied Sandhills Medical’s petition, meaning the health center will now face the lawsuit in South Carolina District Court.
Utah Attorney General Seeks Reinstatement of Utah Minor Protection in Social Media Act: Utah has requested a federal appeals court to reinstate a law that imposes restrictions on social media platforms. The Utah Minor Protection in Social Media Act (the “Act”), passed in 2024, was previously blocked by a lower court. The act aims to protect minors from harmful content and requires social media companies to verify the age of users and obtain parental consent for minors. Utah’s Attorney General argues that the law is necessary to safeguard children from online dangers and prevent exploitation. Previously, tech industry group NetChoice successfully sued to block the law, arguing it infringes on First Amendment rights and imposes undue burdens on businesses.
Court Holds Sharing of IP Address Insufficient to Prove Harm in CIPA Case: Judge Edgardo Ramos of the Southern District of New York granted defendant Insider, Inc.’s (“Insider”) motion to dismiss claims that its use of Audiencerate’s website analytics tools constituted an unlawful “pen register” in violation of California’s Invasion of Privacy Act (“CIPA”). Plaintiffs argued that Insider invaded their privacy when it installed a tracker on their browsers, sending their IP addresses to a third party, Audiencerate, without their consent. However, Judge Ramos found that this collection and disclosure of IP addresses was insufficient to establish harm for purposes of Article III standing. He found that, unlike a Facebook ID, which can be used to track or identify specific individuals, an IP address cannot be used to identify an individual and can only provide geographic information “as granular as a zip code.” Therefore, disclosure of an IP address would not be highly offensive to a reasonable person. Judge Ramos further emphasized that this “conclusion is consistent with the general understanding that in the Fourth Amendment context a person has no reasonable expectation of privacy in an IP address.” Despite this ruling, CIPA class actions and demands are likely to remain a constant threat to businesses with California-facing websites.
Periodical Publisher Unable to Dismiss VPPA Class Action: Judge Lewis J. Liman of the Southern District of New York denied defendant Springer Nature America’s (“Nature”) motion to dismiss claims that its use of Meta Pixel violated the Video Privacy Protection Act (“VPPA”). The VPPA prohibits videotape service providers from knowingly disclosing personally identifiable information about their renters, purchasers, or subscribers. Despite being drafted to address information collected through physical video stores, the VPPA has become a potent tool in the hands of the plaintiffs’ bar to challenge websites containing video content. Although Nature is primarily a research journal publication, Judge Liman found that it could qualify as a videotape service provider as defined under the VPPA in part because of the video content on its website and its subscription-based business model. Relying on the recent Second Circuit decision in Salazar v. National Basketball Association, Judge Liman also found that the plaintiff had alleged a concrete injury sufficient to confer standing because the disclosure of information about videos viewed was adequately similar to the public disclosure of private facts. This ruling should remind companies whose websites contain significant video content to carefully review their cookie usage and consent management capabilities.
U.S. ENFORCEMENT
CPPA Requires Data Broker to Shut Down: As part of its public investigative sweep of data broker registration compliance, the CPPA reached a settlement agreement with Background Alert, Inc. (“Background Alert”) for failing to register and pay an annual fee as required by California’s Delete Act. The Delete Act requires data brokers to register and pay an annual fee that funds the California Data Broker Registry. As part of the settlement, Background Alert must shut down its operations for three years for failing to register between February 1 and October 8, 2024. If Background Alert violates any term of the settlement, including the requirement to shut down its operations, it must pay a $50,000 fine to the CPPA.
New York Attorney General Settles with App Developer for Failure to Protect Students’ Privacy: The New York Attorney General settled with Saturn Technologies, the developer of the Saturn app, for failing to protect students’ privacy. Saturn allows high school students to create a personal calendar, interact with other users, share social media accounts, and know where other users are located based on their calendars. The New York Attorney General’s investigation found that, contrary to what Saturn Technologies represented, the company failed to verify users’ school email and age to ensure that only high school students from the same high school interacted. The investigation also found that Saturn Technologies used copies of users’ contact books even when the user changed their phone settings to deny Saturn access to their contact book. Under the settlement, Saturn Technologies must pay $650,000 in penalties, change its verification process, provide enhanced privacy options for students under 18, and prompt users under 18 to review their privacy settings every six months.
New York Attorney General Sues Insurance Companies for Back-to-Back Data Breaches: The New York Attorney General sued insurance companies National General and Allstate Insurance Company for back-to-back data breaches, which exposed the driver’s license numbers of more than 165,000 New Yorkers. In 2020, attackers took advantage of a flaw on two of National General’s auto insurance quoting websites, which displayed consumers’ full driver’s license numbers in plain text. The complaint alleges that National General failed to detect the breach for two months and failed to notify consumers and the appropriate state agencies. The complaint also alleges that National General continued to leave driver’s license numbers exposed on a different quoting website for independent insurance agents, resulting in another data breach in 2021. This action is the New York Attorney General’s latest effort to hold auto insurance companies accountable for failing to protect consumers’ personal information against an industry-wide campaign by attackers targeting online auto insurance quoting applications.
California Attorney General Announces Investigative Sweep of Location Data Industry: The California Attorney General announced an ongoing investigative sweep into the location data industry. The California Attorney General sent letters to advertising networks, mobile app providers, and data brokers that appear to be in violation of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”). The enforcement sweep is intended to ensure that businesses comply with their obligations under the CCPA with respect to consumers’ rights to opt out of the sale and sharing of personal information and limit the use of sensitive personal information, which includes precise geolocation data. The letters sent by the California Attorney General notify recipients of potential violations of the CCPA and request additional information regarding how the recipients offer and effectuate such CCPA rights. Location data has become an enforcement priority for the California Attorney General given the federal landscape affecting California’s immigrant communities and reproductive and gender-affirming healthcare.
CPPA Settles with Auto Manufacturer for CCPA Violations: The CPPA settled with American Honda Motor Co. (“Honda”) for its alleged CCPA violations. The CPPA alleged that Honda (1) required consumers to verify themselves and provide excessive personal information to exercise their rights to opt out and limit; (2) used an online privacy management tool that failed to offer consumers their CCPA rights in a symmetrical way; (3) made it difficult for consumers to authorize agents to exercise their CCPA rights on their behalf; and (4) shared personal information with ad tech companies without contracts containing CCPA-required language. As part of the settlement, Honda must pay $632,500, implement new and simpler methods for submitting CCPA requests, and consult a user experience designer to evaluate its methods, train its employees, and ensure the requisite contracts are in place with third parties with whom it shares personal information. This action is a part of the CPPA’s investigative sweep of connected vehicle manufacturers and related technologies.
OCR Settles with Healthcare Provider for HIPAA Violations: The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) settled with Oregon Health & Science University (“OHSU”) over potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule’s right of access provisions. The HIPAA Privacy Rule requires covered entities to provide individuals or their personal representatives access to their protected health information within thirty days of a request (with the possibility of a 30-day extension) for a reasonable, cost-based fee. OCR initiated an investigation of OHSU following a second complaint OCR received in January 2021 from the individual’s personal representative. OCR had resolved the first complaint in September 2020, when OCR notified OHSU of its potential noncompliance with the Privacy Rule for providing only part of the requested records. However, OHSU did not provide all of the requested records until August 2021. As part of the settlement, OHSU must pay $200,000 in penalties.
Democratic FTC Commissioners Fired by Trump Administration: The Trump administration fired the Federal Trade Commission’s (“FTC”) Democratic Commissioners Alvaro Bedoya and Rebecca Kelly Slaughter. Their removal leaves the FTC with no minority party representation on the agency’s five-commissioner bench. Slaughter was originally nominated by Trump in 2018 and was serving her second term. Bedoya was in his first term as commissioner. Bedoya and Slaughter indicated in public statements that they would take legal action to challenge the firings. Among the potential privacy impacts of the firings is how the lack of minority party representation may affect the enforcement of the EU-U.S. Data Privacy Framework (“DPF”), which is used by many businesses to legally transfer personal data from the EU to the United States. The DPF is intended to be an independent data transfer mechanism, and the removal may heighten concerns about the independence of agencies tasked with enforcing the DPF. The move at the FTC follows the prior removal of Democrats from the U.S. Privacy and Civil Liberties Oversight Board, which is charged with providing oversight of the redress mechanism for non-U.S. citizens under the DPF.
CFPB Drops Suit Against TransUnion: The Consumer Financial Protection Bureau (“CFPB”) voluntarily dismissed with prejudice its lawsuit against TransUnion in which it alleged that TransUnion engaged in deceptive marketing practices in violation of a 2017 consent order. The CFPB provided no explanation for its decision and each party agreed to bear its own litigation costs and attorneys’ fees.
INTERNATIONAL LAWS & REGULATIONS
CJEU Rules Data Subject Is Entitled to Explanation of Automated Decision Making: The Court of Justice of the European Union (“CJEU”) ruled that a controller must describe the procedure and principles applied in any automated decision-making technology in a way that the data subject can understand what personal data was used, and how it was used, in the automated decision making. The ruling stemmed from an Austrian case where a mobile telephone operator refused to allow a customer to conclude a contract on the ground that her credit standing was insufficient. The operator relied on an assessment of the customer’s credit standing carried out by automated means by Dun & Bradstreet Austria. The court also stated that the mere communication of an algorithm does not constitute a sufficiently concise and intelligible explanation. In order to meet the requirements of transparency and intelligibility, it may be appropriate to inform the data subject of the extent to which a variation in the personal data would have led to a different result. Companies will have to be creative in assessing what information is required to ensure the explainability of automated decision-making to data subjects.
European Parliament Publishes Report on Potential Conflicts Between GDPR and EU AI Act: The European Parliament published a report on the interplay of the EU AI Act with the EU General Data Protection Regulation (“GDPR”). One of the AI Act’s main objectives is to mitigate discrimination and bias in the development, deployment, and use of “high-risk AI systems.” To achieve this, the EU AI Act allows “special categories of personal data” to be processed, based on a set of conditions (e.g., privacy-preserving measures) designed to identify and avoid discrimination that might occur when using such new technology. The report concludes that the GDPR, which limits the circumstances under which special categories of personal data may be processed, might prove restrictive for this purpose. The paper recommends that GDPR reforms or further guidelines on how the GDPR works with the EU AI Act would help address any conflicts.
Norwegian and Swedish Data Protection Authorities Release FAQs on Personal Data Transfers to United States: The Norwegian and Swedish data protection authorities issued FAQs on personal data transfers to the United States in response to the dismissal of several members of the U.S. Privacy and Civil Liberties Oversight Board (“PCLOB”). The PCLOB is responsible for providing oversight of the redress mechanism for non-U.S. citizens under the EU-U.S. Data Privacy Framework (“DPF”), which is one legal mechanism available to transfer EU personal data to the U.S. under the GDPR. Datatilsynet, the Norwegian data protection authority, stated that it understands that the intent is to appoint new PCLOB members in the future and that, even without a quorum, the PCLOB can perform some tasks related to the DPF. Accordingly, Datatilsynet stated that issues would arise for the adequacy decision underpinning the DPF as a result of the removal of the PCLOB members only if the appointment of new members takes a long time. The Swedish data protection authority, Integritetsskyddsmyndigheten (“IMY”), also cited confusion in the European business community following the dismissal of several members of the PCLOB. The IMY stated that the Court of Justice of the European Union has the authority to annul the DPF adequacy decision but has not taken such action. As a result, the DPF is still a valid mechanism for data transfer according to the IMY. Both data protection authorities indicated they would continue to monitor the situation in the U.S. to determine if anything occurred that affected the DPF and its underlying adequacy decision.
OECD Releases Common Reporting Framework for AI Incidents: The Organisation for Economic Co-operation and Development (“OECD”) released a paper titled “Towards a Common Reporting Framework for AI Incidents.” The paper outlines the need for a standardized approach to reporting AI-related incidents. It emphasizes the importance of transparency and accountability in AI systems to ensure public trust and safety. The report proposes a framework that includes guidelines for identifying, documenting, and reporting incidents involving AI technologies. The paper specifically identifies 88 potential criteria for a common AI incident reporting framework across 8 dimensions. The 8 dimensions are (1) incident metadata, such as date of occurrence, title, and description of the incident; (2) harm details, focusing on severity, type, and impact; (3) people and planet, describing impacted stakeholders and associated AI principles; (4) economic context, describing the economic sectors where the AI was deployed; (5) data and input, which includes a description of the inputs selected to train the AI system; (6) AI model, providing information related to the model type; (7) task and output, describing the AI system tasks, automation level, and outputs; and (8) other information about the incident, to capture any complementary information reported with respect to an incident.
China Issues Draft Measures for Financial Institutions to Report Cybersecurity Incidents and for Data Compliance Audits: The People’s Bank of China (“PBOC”) released draft administrative measures for reporting cybersecurity incidents in the financial sector (“Draft Measures”). The Draft Measures provide guidelines for identifying, reporting, and managing cybersecurity incidents by financial institutions regulated by the PBOC. Reporting requirements and timing vary according to type of entity and classification of incidents. Incidents would be classified as one of four categories – especially significant, significant, large, and average. Separately, the Cyberspace Administration of China (“CAC”) issued administrative measures on data protection audit requirements (“Data Protection Audit Measures”). The Data Protection Audit Measures provide (1) the conditions under which an audit of a data handler’s compliance with relevant personal information protection legal requirements would be required; (2) selection of third-party compliance auditors; (3) frequency of compliance audits; and (4) obligations of data handlers and third-party auditors in conducting compliance audits. The Data Protection Audit Measures include guidelines setting forth the specific factors that data handlers must evaluate in an audit, including the legal basis for processing personal information, whether the data handler has complied with notice obligations, how personal information is transferred outside of China, and the technical security measures employed by the data handler to protect personal information, among other factors.
European Commission Releases Third Draft of General-Purpose AI Code of Practice: The European Commission announced the publication of the third draft of the EU General-Purpose AI Code (“Code”). The first two sections of the draft Code detail transparency and copyright obligations for all providers of general-purpose AI models, with notable exemptions from the transparency obligations for providers of certain open-source models in line with the AI Act. The third section of the Code is only relevant for a small number of providers of the most advanced general-purpose AI models that could pose systemic risks, in accordance with the classification criteria in Article 51 of the AI Act. In the third section, the Code outlines measures for systemic risk assessment and mitigation, including model evaluations, incident reporting, and cybersecurity obligations. A final version of the General-Purpose AI Code of Practice is due to be presented to the European Commission and published in May.
Additional Authors: Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganze, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Adam J. Landy, Amanda M. Noonan and Karen H. Shin.
Criminal Health Care Fraud Enforcement: Projections for 2025 and Beyond [Podcast]
Since Pam Bondi was appointed U.S. Attorney General, we’ve seen notable shifts in the U.S. Department of Justice’s (DOJ’s) criminal enforcement priorities.
How significant are some of these changes, and how might they affect your health care organization as we progress through 2025 and beyond?
On this episode, Epstein Becker Green attorneys Sarah Hall, Melissa Jampol, Thomas Jaworski, and Richard Westling discuss what to expect from criminal health care fraud enforcement under Attorney General Bondi’s leadership and how it may impact the health care industry.
Safety Perspectives from the Dallas Region: Staying Safe During Texas Wildfire Season [Podcast]
In this episode of our Safety Perspectives From the Dallas Region podcast series, shareholders John Surma (Houston) and Frank Davis (Dallas) discuss the critical topic of workplace safety during wildfire season. With Texas currently facing significant wildfires, Frank and John discuss essential OSHA guidelines, preparedness steps, and emergency action plans to ensure the safety of employees in affected areas.
Court Sides with RICO Complainant Who Received Tainted Medical Marijuana and with FDA on Regulating E-Cigarettes – SCOTUS Today
The Racketeer Influenced and Corrupt Organizations Act (RICO) allows any person “injured in his business or property by reason of” racketeering activity to bring a civil suit for damages. 18 U. S. C. §1964(c). However, the statute forbids suits based on “personal injuries.” But are economic harms resulting from personal injuries “injuries to ‘business or property?’”
Yesterday, in Medical Marijuana, Inc. v. Horn, the U.S. Supreme Court, in a 5–4 opinion written by Justice Barrett and joined by Justices Kagan, Sotomayor, Gorsuch, and Jackson, answered that question in the affirmative. Justices Thomas and Kavanaugh wrote dissenting opinions, the latter joined by the Chief Justice and Justice Alito.
Attempting to alleviate his chronic pain, Douglas Horn purchased and began taking “Dixie X,” advertised as a tetrahydrocannabinol-free (“THC-free”), non-psychoactive cannabidiol tincture produced by Medical Marijuana, Inc. However, when his employer later subjected him to a random drug test, Horn tested positive for THC. When Horn refused to participate in a substance abuse program, he was fired. Horn then brought his RICO suit.
The U.S. Court of Appeals for the Second Circuit, reversing the U.S. District Court for the Western District of New York, held that Horn had been “injured in his business” when he lost his job and rejected the “antecedent-personal-injury bar,” which several circuits had adopted to exclude business or property losses that derive from a personal injury. Affirming the Second Circuit, the Supreme Court held that the civil RICO statute did not categorically bar that form of recovery.
Interestingly (and the subject of the dissents, particularly that of Justice Thomas, who asserted that cert. had been improvidently granted), the Court did not address issues deemed outside of the question presented, including whether Horn suffered a personal injury when he consumed THC, whether the term “business” encompasses all aspects of “employment,” and what “injured in his . . . property” means for purposes of §1964(c). Thus, the majority opinion encompasses several assumptions, the verification of which will be the subject of the Court’s ultimate remand to the Second Circuit.
The essence of the opinion is derived from the dictionary, and a debate over how its definitions should be read informs the split among the Justices. Justice Barrett’s majority opinion starts with the American Heritage Dictionary and the “ordinary meaning of ‘injure’”: to “cause harm or damage to” or to “hurt.” While the statute precludes recovery for injury to the person, its business or property requirement operates with respect to the kinds of harm for which the plaintiff can recover, not the cause of the harm for which he seeks relief. For example, a gas station owner beaten in a robbery cannot recover for his pain and suffering. But if injuries from the robbery force him to shut his doors, he can recover for the loss of his business. A plaintiff can seek damages for business or property loss, in other words, regardless of whether the loss resulted from a personal injury.
Rejecting Medical Marijuana’s (and the dissenters’) view of what “business or property” should mean under RICO, Justice Barrett, in a delightfully written paragraph, remarks that:
Medical Marijuana tries valiantly to engineer a rule that yields its preferred outcomes. (Civil RICO should permit suit against Tony Soprano, but not against an ordinary tortfeasor.) But its textual hook—the word “injured”—does not give it enough to go on. When all is said and done, Medical Marijuana is left fighting the most natural interpretation of the text—that “injured” means “harmed”—with no plausible alternative in hand. That is a battle it cannot win.
It didn’t.
With respect to the remand, Justice Barrett noted that RICO’s “direct relationship” requirement is a constraint on civil RICO claims and, given the complications in the factual underpinnings of the case, that requirement might prove to be an insurmountable barrier to Horn’s succeeding. Horn himself “concedes that he faces ‘a heavy burden on remand.'”
The second case decided yesterday shows that if the Court is indeed going to be unanimous, it will not be succinct. Justice Alito’s 46-page discourse on behalf of a unanimous Court in Food and Drug Administration v. Wages and White Lion Investments, L.L.C. proves that point. I shall argue that Justice Alito’s lengthy opinion indirectly provides much useful guidance to patients, providers, and payers with respect to likely challenges to administrative actions, especially in the health care space, in the current Trump administration.
The issue in the case concerned whether the FDA lawfully denied respondents authorization to market certain electronic nicotine-delivery system products, known as electronic cigarettes, “e-cigarettes,” or “vapes.” These products come in a variety of flavors that particularly appeal to young people, and they pose unique risks. While the FDA has always had authority to determine whether a manufacturer could market a new drug, the FDA gained particular jurisdiction to regulate tobacco products under the Family Smoking Prevention and Tobacco Control Act of 2009 (TCA). The TCA barred the FDA from banning all regulated tobacco products outright, but it blocked marketing any “new tobacco product” without FDA authorization. The TCA requires the FDA to deny such an application unless an applicant shows that its product “would be appropriate for the protection of the public health.” To determine this, the FDA must consider, among other things, “the risks and benefits to the population as a whole.”
The respondents in the case had petitioned for judicial review of the FDA’s denial orders under the Administrative Procedure Act (APA). The Fifth Circuit, sitting en banc, held that the “FDA had acted arbitrarily and capriciously by applying application standards different from those articulated in its predecisional guidance documents regarding scientific evidence, cross-flavor comparisons, and device type. The court expressed particular concern about the FDA’s failure to review marketing plans it previously deemed critical. It also rejected the FDA’s argument that any errors were harmless.”
Reversing the Fifth Circuit, the Supreme Court first declined to reach the argument that the FDA erred in evaluating the respondents’ applications under standards developed in adjudication rather than standards promulgated in notice-and-comment rulemaking. Instead, the Court concluded that the denial orders were sufficiently consistent with the FDA’s predecisional guidance—as to scientific evidence, comparative efficacy, and device type—and thus did not run afoul of the so-called “change-in-position doctrine,” which provides that “[a]gencies are free to change their existing policies as long as they provide a reasoned explanation for the change,” “display awareness that [they are] changing position,” and consider “serious reliance interests.”
This doctrine asks whether an agency changed existing policy and, if so, whether it displayed awareness of the change and offered good reasons for it. Here, the new policy that led to the rejection of the respondents’ applications was “sufficiently consistent” with the agency’s predecisional guidance regarding scientific evidence. It was also consistent with the TCA’s provision that “well-controlled investigations” or other “valid scientific evidence,” if found “sufficient,” may support a finding that a new tobacco product is “appropriate for the public health.”
However, there was still a “harmless error” issue for the Court to decide. And that related to the Fifth Circuit’s rejection of the FDA’s claim of harmless error regarding the agency’s change of position on marketing plans. The FDA did not dispute that despite assuring manufacturers that marketing plans would be “critical” to their applications, it ultimately did not consider the respondents’ marketing plans. The FDA argued that this was harmless because it had issued denials to manufacturers other than the respondents that were based upon marketing plans indistinguishable from those of the respondents. While the Fifth Circuit applied an incorrect standard of review under governing precedents, doing it correctly “presents a difficult problem, requiring reconciliation of the so-called remand rule developed in SEC v. Chenery Corp., 318 U. S. 80, 88, 93–95, with the APA’s instruction that reviewing courts must take ‘due account’ of ‘the rule of prejudicial error’ that ‘ordinarily appl[ies] in civil cases,’ Shinseki v. Sanders, 556 U. S. 396, 406 (quoting 5 U. S. C. §706).”
The Court continues, “The most natural interpretation of the APA’s language is that reviewing courts should adapt the ‘rule of prejudicial error’ applicable in ordinary civil litigation (also known as the harmless-error rule) to the administrative-law context, which, of course, includes the remand rule.” However, the Court has acknowledged that a remand may be unwarranted in certain cases when an agency’s decision “is supported by a plethora of factual findings, only one of which is unsound, because a remand would be pointless.” Given that both the FDA and the Fifth Circuit might have been in error with respect to the harmless error question, and that the FDA has not asked the Court to decide the harmless error question at this point in the case, the Supreme Court vacated the Fifth Circuit’s holding and remanded the case to it so that the Circuit Court “can decide the question afresh” under the correct reading of the caselaw requirements described by the Supreme Court.
One recognizes the importance of the FDA’s consideration of marketing a tobacco product directed at young people. But perhaps more importantly, I suggest that the Court’s decision offers grounds for useful observations about the many changes in regulatory position and various rulemaking determinations (or lack thereof) being made by various administrative agencies during the current administration. Many of these events are occurring in the food and drug and health care coverage and reimbursement spaces. The length and depth of this unanimous opinion with respect to the FDA’s responsibilities when it has changed position or otherwise might be challenged under the APA for having acted arbitrarily or capriciously suggests the intensity and precision of what federal courts will require in administrative law challenges. In this decision, the agency largely prevailed, though the facts of the case occurred during the previous administration. The court challenges in the current administration are just beginning to take shape as the regulatory environment is radically changing.
Even during the Supreme Court’s current term, at the beginning of a new presidential term, we shall see—and many of my readers will bring—regulatory challenges that will be guided by what the Court held yesterday.
Wyoming Bans Most Non-Compete Agreements
Wyoming just banned most non-compete agreements (Wyo. Stat. § 1-23-108): starting July 1, 2025, most agreements that restrict workers from working in competitive jobs will be void, absent some exceptions for:
High-Level Employees: Non-compete agreements with “executive and management personnel” and “officers and employees who constitute professional staff to executive and management personnel” will still be enforceable. However, the statute does not define these terms, so employers should review those roles carefully.
Sale-of-Business: Sellers and buyers can agree to non-competes when selling or transferring a business.
Trade Secrets: Employers can protect trade secrets through narrowly tailored non-compete agreements that comply with the state’s definition of trade secrets, i.e. “the whole or a portion or phase of a formula, pattern, device, combination of devices or compilation of information which is for use, or is used in the operation of a business and which provides the business an advantage or an opportunity to obtain an advantage over those who do not know or use it.” Wyo. Stat. § 6-3-501(a)(xi).
Recovery of Relocation, Education, and Training Expenses: Employers can contract with employees to recoup training, education, and/or relocation expenses if an employee leaves within 4 years, with varying repayment percentages based on tenure:
Up to 100% if employment lasted less than two years
Up to 66% if employment was between two and three years
Up to 33% if employment was between three and four years
Special Rules for Physicians
Non-compete agreements for physicians that restrict practice are prohibited. Further, doctors may notify patients with rare disorders about their new practice location and contact information. Notably, the statute clarifies that an agreement that contains an enforceable non-compete against a physician that is otherwise permitted by law will remain enforceable.
Looking Ahead
The statute applies only prospectively to contracts signed on or after July 1, 2025. Wyoming employers and businesses should consult legal counsel to update or implement restrictive covenant agreements in a timely manner.
Tempus Fugit Ad Nevada
Three days after Delaware’s governor, Matt Meyer, signed into law controversial amendments to Delaware’s General Corporation Law, another publicly traded company filed preliminary proxy materials with the Securities and Exchange Commission seeking stockholder approval of a reincorporation in Nevada.
“Fugit inreparabile tempus”*
Tempus AI, Inc. describes itself as “a healthcare technology company focused on bringing artificial intelligence and machine learning to healthcare in order to improve the care of patients across multiple diseases”. Although its principal executive offices are in Chicago, Illinois, it was incorporated in Delaware. Tempus’ proxy materials emphasize Nevada’s “statute focused” approach and its board’s belief “that Nevada can offer more predictability and certainty in decision-making because of its statute-focused legal environment”. The company also faults the litigation environment in Delaware:
The Board also considered the increasingly litigious environment in Delaware, which has engendered less meritorious and costly litigation and has the potential to cause unnecessary distraction to the Company’s directors and management team and potential delay in the Company’s response to the evolving business environment. The Board believes that a more stable and predictable legal environment will better permit the Company to respond to emerging business trends and conditions as needed.
I expect that Tempus’ board was aware of the Delaware legislation, but the changes were not enough to convince it to remain in the Blue Hen state.
* Time flies irretrievably. Publius Vergilius Maro, Georgics, Liber III.
Immigration Enforcement and Healthcare Facilities: Key Considerations for Providers
Recent changes in federal immigration enforcement practices have prompted renewed attention to how healthcare providers manage requests from law enforcement agencies. While federal policy continues to recognize healthcare facilities as sensitive environments, there has been increased interest in enforcement activity in or around such locations. Healthcare organizations should consider taking this opportunity to review internal protocols and confirm they are prepared to respond in a manner that is consistent with applicable federal and state law.
This post outlines key considerations related to patient privacy, facility access, and provider obligations when immigration enforcement activity intersects with clinical operations.
Patient Privacy and Requests for Information
Healthcare providers remain subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), which generally prohibits the disclosure of protected health information (PHI) without patient authorization, except in limited circumstances. One such exception is when disclosure is required by law—for example, pursuant to a valid court order or a judicial warrant.
Providers should be aware that administrative warrants issued by immigration authorities alone typically do not meet HIPAA’s “required by law” standard. In such instances, providers should consider verifying whether the request is supported by sufficient legal authority before disclosing patient information. Internal policies and staff training may help ensure that any disclosures are appropriately limited in scope and consistent with federal and state privacy laws.
Facility Access and On-Site Enforcement Activity
In some cases, immigration officials or other law enforcement personnel may seek to enter a healthcare facility to interview or take custody of an individual. Providers should consider preparing for such scenarios by identifying points of contact for handling law enforcement inquiries, establishing protocols for reviewing documentation, and confirming when legal counsel should be contacted.
Importantly, hospitals and other emergency care providers remain obligated to comply with the Emergency Medical Treatment and Labor Act, which requires the screening and stabilization of patients seeking emergency care, regardless of their background or circumstances.
Nondiscrimination and Access to Care
Providers that participate in Medicare or Medicaid are also subject to federal nondiscrimination requirements under the Civil Rights Act and Section 1557 of the Affordable Care Act, as well as state civil rights laws. These laws generally prohibit denying care on the basis of national origin or perceived immigration status. Healthcare organizations may wish to review their policies to ensure they reflect these ongoing obligations.
State and Local Considerations
In addition to federal law, healthcare providers should consider any applicable state or local requirements related to law enforcement interactions, patient rights, or data privacy. Several state attorneys general and regulatory agencies have issued advisories or guidance materials to assist providers in navigating these issues. For example, Maryland’s attorney general released guidance for Maryland providers in light of the recent policy changes on immigration enforcement. Reviewing such materials in consultation with counsel may help organizations develop compliant, well-informed operational protocols.
Conclusion
As enforcement practices evolve, healthcare providers would benefit from reviewing their procedures for responding to law enforcement activity—particularly in contexts involving patient privacy, facility access, and legal process. A proactive approach can help ensure compliance with relevant laws and support the delivery of uninterrupted, nondiscriminatory care.
Providers with questions about specific scenarios or legal requirements are encouraged to consult our team to assess how these considerations apply in their jurisdiction and operational context.
VHA and DLA Enter Into Another Interagency Agreement: Déjà Vu All Over Again?
In March 2025, the Defense Logistics Agency (“DLA”) and the Veterans Health Administration (“VHA”) entered into another interagency agreement. The agencies announced that the purpose of the 10-year, $3.6 billion agreement is to align supply chain requirements and centralize logistical support DLA will provide to all VHA healthcare facilities nationwide.
The 2025 agreement follows three DLA and VHA interagency agreements entered into between 2018 and 2020. In 2018, DLA and VHA entered into an agreement under which VHA began transitioning its medical supplies purchasing to DLA’s Electronic Catalog (“ECAT”). In 2019, the agencies entered into another interagency agreement which allowed VHA to access medical and surgical items by leveraging the DLA supply chain and provided for creating a centralized ordering system, rather than using the separate VHA and DLA systems.
In December 2020, the agencies expanded their 2019 agreement. The 2020 agreement created a strategic partnership allowing VHA to pilot adoption of the DLA Defense Medical Logistics Standard Support (“DMLSS”) inventory management system. DMLSS serves as the primary system for DLA’s Medical Surgical Prime Vendor (“MSPV”) program. In 2021, the agencies announced plans to merge their MSPV programs. The plan was for the VA MSPV program to wind down and transition to the DLA MSPV program by September 2023. However, the merger was scuttled because of a bid protest filed at the U.S. Court of Federal Claims.
Companies selling medical and surgical supplies to the federal government might wonder whether the March 2025 agreement is nothing more than another interagency agreement between DLA and VHA extending their partnership. Alternatively, because we currently are living in a Department of Government Efficiency (“DOGE”) government contracts streamlining environment, the March 2025 agreement could mean DLA and VHA are getting ready to take another run at consolidating their MSPV programs.
Wyoming Enacts Law to Restrict the Use of Noncompete Agreements
Employers in Wyoming will soon be limited in their use of noncompete agreements under a newly enacted law that makes the state the latest of a growing number of states to restrict noncompete agreements in the employment context.
Quick Hits
Wyoming enacted legislation that will void noncompete agreements with employees with limited exceptions.
Noncompete agreements will remain permissible in certain contexts, such as the sale of a business, the protection of trade secrets, the recovery of employers’ costs to relocate or train employees, and to restrict post-employment activity of executive or managerial personnel and their key staff.
The law also prohibits noncompete clauses in agreements involving physicians and will allow them to inform patients with certain rare disorders of their new practice without facing liability.
The law only applies to contracts entered into on or after July 1, 2025.
On March 19, 2025, Governor Mark Gordon signed Senate File 107 into law, which will significantly limit the enforceability of noncompete covenants in employment contracts. The new legislation, which will take effect on July 1, 2025, applies to contracts entered into on or after that date. Employers that use restrictive covenants will have to rethink how they protect their business interests and manage their workforce.
In enacting the new noncompete prohibitions, Wyoming joins a growing list of states, which includes California, Minnesota, and Oklahoma, to impose significant restrictions or completely ban employee noncompete agreements. Ohio is also considering a bill that would ban noncompete agreements for workers or prospective workers this legislative session.
Here is what employers need to know about the new Wyoming law and its implications.
Employee Noncompete Agreements Are Void
The law declares that as of July 1, 2025, “[a]ny covenant not to compete that restricts the right of any person to receive compensation for performance of skilled or unskilled labor” is void. The law applies prospectively to contracts entered into on or after July 1, 2025, specifically stating that “[n]othing in this act shall be construed to alter, amend or impair any contract or agreement entered into before July 1, 2025.”
Key Exceptions to the Ban
While Senate File 107 broadly invalidates noncompete agreements, the law contains some notable exceptions:
Sale of Business—Under the law, noncompete clauses remain enforceable in contracts related to the purchase and sale of a business or its assets.
Protection of Trade Secrets—The law will permit the use of noncompete agreements or clauses “to the extent the covenant provides for the protection of trade secrets” as they are defined under state law.
Recovery of Training Expenses—The law permits employers to include provisions in employment contracts allowing them to recover relocation, education, and training expenses, with recovery amounts decreasing based on the length of the employee’s service. (Up to 100 percent for service less than two years, up to 66 percent for between two and less than three years, and up to 33 percent for between three and less than four years.)
Executive and Management Personnel—The law exempts the noncompete ban for agreements involving “[e]xecutive and management personnel and officers and employees who constitute professional staff to executive and management personnel.”
Although not defined, the “executive and managerial personnel” restriction substantially mirrors a prior version of Colorado’s noncompete statute. Cases interpreting the Colorado statute recognized that the issue would typically be a question of fact. However, courts routinely recognized that restrictive covenants could be applied to both key personnel who are “in charge” and individuals who conduct or supervise a business, often including various levels of management.
Special Considerations for Physicians
Senate File 107 specifically declares void “[a]ny covenant not to compete provision of an employment, partnership or corporate agreement between physicians that restricts the right of a physician to practice medicine … upon termination of the physician’s employment, partnership or corporate affiliation.” The law will further allow physicians, upon termination of their employment, partnership, or corporate affiliation, to inform patients with certain “rare disorder[s]” about their new practice and provide their contact information without facing liability.
Next Steps
Wyoming’s new noncompete law marks a significant shift in the state, reflecting a broader national trend. That trend could continue, particularly after a 2024 Federal Trade Commission (FTC) rule that sought to ban nearly all noncompete agreements in employment was struck down in court. The government had appealed, but the Trump administration has halted those appeals while it considers the FTC’s rule.
In light of the changes, employers in Wyoming may want to consider reviewing and revising any new employment contracts and evaluating alternative strategies for protecting their business interests. Employers using noncompete agreements may want to consider whether those provisions are being applied in one of the specifically enumerated exceptions. Employers may also want to ensure that noncompete agreements that fall into one of the permissible categories have reasonable geographic and temporal limitations. Wyoming courts will not blue pencil or revise noncompliant restrictive covenants, and instead, noncompliant restrictive covenants will be voided.
This Week in 340B: March 25 – 31, 2025
Find this week’s updates on 340B litigation to help you stay in the know on how 340B cases are developing across the country. Each week we comb through the dockets of more than 50 340B cases to provide you with a quick summary of relevant updates from the prior week in this industry-shaping body of litigation.
Issues at Stake: Rebate Model; Contract Pharmacy; Other
In four cases against the Health Resources and Services Administration (HRSA) alleging that HRSA unlawfully refused to approve drug manufacturers’ proposed rebate models, 37 state and regional hospital associations filed an amici brief in support of HRSA.
In a breach of contract case filed by a covered entity against a Medicare Advantage plan, the covered entity dismissed the case in its entirety with prejudice.
In an appealed case challenging a proposed West Virginia law governing contract pharmacy arrangements, plaintiff-appellees filed a brief, and in another similarly appealed case, appellants filed a reply brief.
In a case challenging a proposed state law governing contract pharmacy arrangements in Missouri, plaintiffs filed a notice of appeal with the Eighth Circuit.
March 2025 PFAS Legislative Developments
Federal Legislature
One new bill was introduced.
State Legislature
Sixty-six bills were introduced across fifteen states.
Topics include: Exemptions from PFAS bans; PFAS testing requirements; Establishing liability for PFAS contamination; Regulating PFAS contamination in water sources.
State Regulations
NH Env-Dw 1500 was published as a Final Rule. This is a rebate program for well water contaminated by PFAS. The purpose is to establish criteria and procedures for administering the PFAS removal rebate program for private wells.
New Bills This Period
PFAS Legislation
Federal
One new bill introduced.
State
Sixty-six bills introduced.
One in CT
One in DE
One in FL
Eight in HI
One in IA
Five in ME
Nine in MA
Eighteen in MN
One in NM
Two in NY
Eight in NC
Two in PA
Four in RI
One in TX
Four in WI
Texas Court Vacates FDA’s Laboratory Developed Test (LDT) Final Rule
A Texas judge for the U.S. District Court for the Eastern District of Texas issued a ruling on March 31, 2025, to vacate and set aside, in its entirety, the U.S. Food and Drug Administration’s (FDA) Final Rule titled Medical Devices; Laboratory Developed Tests (LDTs) (LDT Final Rule). The Court remanded the matter to the Secretary of the U.S. Department of Health and Human Services (HHS) “for further consideration.” The LDT Final Rule would have required companies to obtain FDA clearance in order to continue marketing their LDTs.
The ruling prevents the LDT Final Rule – a rule heavily criticized by many clinical laboratory industry stakeholders – from going into effect. Prior to the LDT Final Rule, FDA exercised enforcement discretion with respect to the regulation of LDTs. The LDT Final Rule would have essentially ended FDA’s general enforcement discretion approach, thereby significantly increasing the regulatory requirements imposed on manufacturers of LDTs.
LDT Background
Historically, FDA has taken a broad enforcement discretion approach to regulating LDTs. LDTs are a subset of in vitro diagnostic products (IVDs) that are designed, manufactured, and used within a single laboratory. Although FDA has long asserted its authority to regulate LDTs as devices, it previously deemed LDTs low risk and, therefore, opted to take a broad enforcement discretion approach with respect to its regulation of LDTs. Under this approach, FDA has not enforced certain device requirements, such as premarket review, reporting, registration and listing, and quality system regulation, against LDT manufacturers.
LDTs, however, have become significantly more complex in the past few decades. Currently, many laboratories manufacturing LDTs employ high-tech tools (such as algorithms and automation), run LDTs in high volumes, and widely market their tests and accept specimens from across the United States. To address the changing LDT landscape, both FDA and Congress have pursued changes to FDA’s enforcement discretion policy. FDA has previously attempted to modify its enforcement discretion approach through guidance, which was never finalized, and members of Congress have introduced, but failed to pass, new legislation, most recently the Verifying Accurate, Leading-edge IVCT Development Act (VALID Act).
LDT Final Rule
On May 6, 2024, FDA issued the LDT Final Rule amending FDA’s regulations to make explicit that IVDs are medical devices under the Federal Food, Drug, and Cosmetic Act (FD&C Act), including when the IVD manufacturer is a laboratory, thus capturing LDTs within FDA’s regulatory purview. Along with this amendment, FDA finalized a policy under which FDA was set to begin a phased implementation of IVD requirements over the course of four years. These phases were set to begin in May 2025.
FDA received over 6,500 comments on the proposed LDT rule, many of which challenged FDA’s authority to regulate LDTs. FDA has continuously asserted that it has authority to regulate LDTs, but that it has chosen to adopt a policy of enforcement discretion. Many clinical laboratory industry stakeholders disagree with this assertion, believing that LDTs fall outside FDA’s scope of authority.
U.S. District Court for the Eastern District of Texas Lawsuit
Within weeks of FDA issuing the LDT Final Rule, the American Clinical Laboratory Association (ACLA) and its member company Health TrackRx filed a lawsuit against FDA claiming that the rule exceeds the agency’s legal authority to regulate LDTs. Then in August 2024, the Association for Molecular Pathology (AMP) filed its own lawsuit describing the rule as “a historically unprecedented power grab.” The two cases were consolidated. Both lawsuits claim the LDT Final Rule must be vacated under the Administrative Procedure Act (APA) because it is “in excess of [FDA’s] statutory jurisdiction, authority, or limitations” and is “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law”. See 5 U.S.C. § 706(2).
The Court, on March 31, 2025, entered a judgment in favor of the plaintiffs. In its Opinion and Order, the Court states that “the text, structure, and history of the [FD&C Act] and [the Clinical Laboratory Improvement Act (CLIA)] make clear that FDA lacks the authority to regulate laboratory-developed test services”. Throughout its opinion, the Court outlines its disagreement with FDA’s expansion and interpretation of the definition of “device” and the agency’s overall interpretation of its authority to regulate LDTs under the FD&C Act.
Specifically, the Court states LDTs are services regulated under CLIA, for which the Centers for Medicare & Medicaid Services (CMS) is primarily responsible for issuing implementing regulations. The Court notes that Congress created a separate statutory and regulatory framework for laboratory test services under CLIA. In its opinion, the Court defines an LDT as “a methodology or process by which a laboratory generates biochemical, genetic, molecular, or other forms of clinical information about a patient specimen for use by the treating physician” and that “[e]ach laboratory uses its own unique knowledge of the protocols, performance characteristics, and means of analysis to develop such methodologies and processes”.
The Court further claims: “Unlike a drug or device, which is a manufactured and packaged article of commerce with user instructions, a laboratory-developed test service is a proprietary methodology performed by only the developing laboratory. That service generates information from test results and transmits that information to the ordering physician. The testing service is not sold as a kit, and the protocol is not transferred in any manner to other laboratories, hospitals, or other facilities outside the developing laboratory entity. No physical product is sold, and no article of personal property is transferred such that title passes from one party to another.”
By employing this particular definition of LDTs, the Court claims that LDTs are services that laboratory professionals perform rather than a physical product sold by a laboratory that could be subject to FDA jurisdiction as a device. As a result, the Court vacated and set aside the LDT Final Rule in its entirety, holding that the LDT Final Rule exceeds FDA’s statutory authority and violates the APA.
Implications
Due to the Court’s order, the LDT Final Rule will not go into effect as planned in May 2025. Unless appealed by the government, this ruling essentially halts FDA’s ability to promulgate further regulations or guidance regulating LDTs. To officially settle the debate of how LDTs should be regulated and to clarify the authority between FDA and CMS, members of Congress would need to act and reinvigorate the VALID Act or similar legislation.
We anticipate there will be further developments on the regulatory position of LDTs. Manufacturers of LDTs should be sure they have data demonstrating that their LDTs have the necessary specificity and sensitivity, so that the data generated through such tests can be relied upon and have clinical value for physicians, and that the tests are consistent with any applicable CLIA requirements.