Supreme Court Holds FLSA Exemptions Do Not Require Heightened Evidence Standards
The U.S. Supreme Court unanimously decided in E.M.D. Sales, Inc. v. Carrera that the standard of “preponderance of the evidence” is to be used in cases where an employer claims an employee is exempt from overtime eligibility under the Fair Labor Standards Act (FLSA).
As explained in a September 2024 GT Alert, the plaintiffs in the case were sales representatives who alleged their employer, a food products distributor, failed to pay them overtime under the FLSA. The employer argued that based on a preponderance of the evidence, the employees qualified as outside salespeople and were thus exempt from FLSA overtime requirements. The Fourth Circuit found in the employees’ favor, holding that under Fourth Circuit precedent, the employer was required to prove applicability of the FLSA exemption by “clear and convincing evidence,” a higher standard than preponderance, and had failed to do so. The Fourth Circuit’s decision was an outlier among the circuits, which otherwise employ the “preponderance of the evidence” standard.
In its Jan. 15, 2025, decision authored by Justice Kavanaugh, the Supreme Court found no basis for applying the heightened “clear and convincing evidence” standard. The Court instructed that it strays from the presumptive “preponderance of the evidence” standard in civil litigation only in limited circumstances, and held that none of those circumstances existed here. The Court also rejected the employees’ argument that the strong public policy interest in guaranteeing workers a fair wage justifies a higher standard of proof. Thus, in cases where employers seek to prove that an employee is exempt under the FLSA, the “preponderance of the evidence” standard will apply.
Illinois ‘Swipe Fee’ Law Faces Continued Pushback as Court Partially Extends Injunction
On February 6, 2025, the U.S. District Court of the Northern District of Illinois declined to issue a preliminary injunction stopping an Illinois “swipe fee” law, which would ban certain credit and debit card fees, from applying to credit unions, while extending a previous preliminary injunction to apply to out-of-state banks. (See our previous coverage of this litigation here, here, and here.)
The Interchange Fee Prohibition Act (“IFPA”) is a novel law that would prohibit credit and debit companies from charging fees on the tax and tip portions of credit and debit card transactions beginning July 1, 2025. The rest of the transaction, including the price of goods or services, would still be subject to the fees.
In August, banking industry groups filed a lawsuit challenging the state law, arguing that it was preempted by federal banking statutes and regulations. In addition to preemption arguments, they expressed concerns that financial institutions would be unable, from a practical standpoint, to comply with the law by the July 1 deadline. They further contended that the proposed new law would require banks and credit card companies to implement costly new computer systems to distinguish between transaction amounts, taxes, and tips.
In December, U.S. District Court Judge Virginia Kendall issued a preliminary injunction barring the IFPA from applying to federally chartered banks but declined to extend the relief to state banks and credit card companies. After reviewing supplemental briefing from the parties, on Thursday, Judge Kendall further denied an extension of the injunction to credit unions, holding that the Federal Credit Union Act did not preempt the new state law. But Judge Kendall granted preliminary injunctive relief to out-of-state banks operating in Illinois, holding that the Riegle–Neal Interstate Banking and Branching Efficiency Act “likely preempts” the IFPA.
Putting It Into Practice: When it was enacted last year, Illinois’ new swipe fee law was a bold and novel change to the payment processing landscape that threatened to upend how everyday payment transactions are processed. The mixed preemption rulings in this pending litigation are likely to create additional uncertainty in that the new proposed law would apply to certain industry participants, but not others. This underscores the key challenges and difficulties that arise when states attempt to pass legislation related to payment systems that are national and international in scope.
Fifth Circuit Upholds Minimum Wage Rate for Federal Contractors
The Fifth Circuit Court of Appeals recently found the Biden administration operated within its authority when it raised the minimum wage for federal contractors to $15 per hour in 2022. This represents a relatively rare win for Biden administration policies in the Fifth Circuit, which has jurisdiction in Louisiana, Mississippi, and Texas.
Quick Hits
The Fifth Circuit upheld the Biden administration’s executive order increasing the minimum wage for federal contractors to $15 per hour in 2022.
The Fifth Circuit overturned a lower court’s decision in favor of three states that had challenged the rule.
As of January 1, 2025, the minimum wage for federal contractors is $17.75 per hour.
On February 4, 2025, the Fifth Circuit upheld the Biden administration’s $15 minimum wage for federal contractors. A three-judge panel ruled that this minimum wage rule was permissible under federal law, thereby reversing a previous federal district court ruling.
In February 2022, Louisiana, Mississippi, and Texas sued the federal government to challenge Executive Order 14026, which directed federal agencies to pay federal contractors a minimum wage of $15 per hour. Previously, the minimum wage for federal contractors was $10.95 per hour.
The states argued the executive order violated the Administrative Procedure Act (APA) and the Federal Property and Administrative Services Act of 1949 (FPASA) because it exceeded the president’s statutory authority. The states also claimed the executive order represented an “unconstitutional exercise of Congress’s spending power.”
The executive order states that its purpose is “to promote economy and efficiency in procurement by contracting with sources that adequately compensate their workers.” It noted raising the minimum wage can boost worker morale, enhance productivity, and reduce turnover.
The Fifth Circuit concluded this purpose was essential and consistent with carrying out the provisions of the FPASA. It agreed there was a sufficient link between paying a higher minimum wage and the efficiency of the federal procurement system.
As of January 1, 2025, the minimum wage for federal contractors is $17.75 per hour. Many states have their own minimum wage, and these vary widely.
Next Steps
Employers that have contracts with federal agencies may wish to stay up-to-date on any future changes to the minimum wage rate for federal contractors. Simultaneously, they must comply with state minimum wage laws where their employees perform work. The state minimum wage could be lower or higher than the rate for federal contractors.
In some cases, union contracts also may dictate the wages for certain federal contractors.
Challenges to other major Biden-era rules are still pending before the Fifth Circuit, including the appeals of decisions striking down the national noncompete ban and increases in the salary threshold for overtime exemptions. Whether this confirmation of the Biden administration’s authority provides a forecast for future rulings remains to be seen, but it is a notable exception to the court’s tendencies.
Judge Denies Kochava’s Motion to Dismiss FTC’s Suit Over Selling Geolocation Data
On February 3, 2025, U.S. District Judge B. Lynn Winmill of the District of Idaho denied digital marketing data broker Kochava Inc.’s motion to dismiss a suit brought by the Federal Trade Commission. As previously reported, in August 2022, the FTC announced a civil action against Kochava for “selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.”
In the order denying Kochava’s motion to dismiss, Winmill rejected Kochava’s argument that Section 5 of the FTC Act is limited to tangible injuries and wrote that the “FTC has plausibly pled that Kochava’s practices are unfair within the meaning of the FTC Act.”
LIP GLOSS POPPIN’, TEXTS DROPPIN’: Colourpop’s Late-Night Texts May Have Compliance Floppin’
Greetings TCPAWorld!
Lip gloss is poppin’, lip gloss is cool—but late-night marketing texts? Those might land them in court. Listen up, beauty lovers and TCPA watchers—Colourpop Cosmetics is facing a serious touch-up in court over its late-night marketing tactics. A new class action lawsuit filed in the U.S. District Court for the Middle District of Florida claims the company violated federal law by blasting promotional text messages well past bedtime. See Trushel v. Colourpop Cosmetics, LLC, No. 8:25-CV-00282 (M.D. Fla. filed Feb. 4, 2025).
We all know the thrill of a midnight flash sale—one second, you’re winding down for the night, and the next, you’re frantically adding items to your cart before the “FINAL HOURS!” timer runs out. Amazon Prime Day flashbacks, anyone? But there’s a fine line between FOMO marketing and federal law violations, and according to this lawsuit, Colourpop might have crossed it.
So here is the deal. Plaintiff alleges she received multiple late-night texts from Colourpop, including a “$2 Lips” deal and other Cyber Sale alerts sent around 10 PM. That might seem harmless, but here’s the problem—the Telephone Consumer Protection Act (“TCPA”) explicitly bans marketing calls and texts before 8 AM or after 9 PM (local time). See 47 C.F.R. § 64.1200(c)(1).
And Colourpop didn’t just allegedly text Plaintiff—it may have done this to thousands of customers across the U.S. over the last four years. That’s why this lawsuit isn’t just about one person’s disrupted sleep cycle—it’s a potential nationwide class action covering anyone in the U.S. who received similar late-night texts from Colourpop. If Colourpop loses, the financial impact could be major. The TCPA allows for damages of $500 per text—which already stings—but if Colourpop knowingly ignored the law? That jumps to $1,500 per message.
The lawsuit alleges this wasn’t just an innocent mistake. The Complaint asserts that Colourpop’s late-night texts were part of a broader telemarketing strategy—meaning these weren’t one-off messages but part of a deliberate campaign. That distinction matters because it could increase the likelihood that the Court finds Colourpop acted willfully, which raises the potential damages. And here’s another issue—Plaintiff never gave consent to receive messages outside of legal hours.
Interestingly, this isn’t Plaintiff’s first TCPA lawsuit. The same day, Plaintiff sued The Children’s Place, Inc. in the same court, alleging nearly identical violations. See Trushel v. The Children’s Place, Inc., No. 8:25-CV-00284 (M.D. Fla. filed Feb. 4, 2025). According to that Complaint, Plaintiff received late-night marketing texts from The Children’s Place around 10:35 PM and 10:36 PM on separate occasions, and the lawsuit similarly seeks damages under the TCPA’s statutory framework. With two lawsuits filed back-to-back, it raises the question—are these brands engaging in widespread non-compliance, or are plaintiffs becoming increasingly aware of TCPA violations and actively monitoring for missteps? Given the financial penalties, could some consumers opt for promotional texts and wait for a company to slip up with an eye toward litigation? One misstep in your SMS marketing could be more than just a blemish—it could stain your brand. No pun intended.
What makes this case particularly interesting is how Colourpop’s Terms of Use comes into play. I did some digging into their website, and their terms contain several provisions: 1) a mandatory arbitration clause requiring disputes to be resolved through JAMS arbitration in Los Angeles County, California; 2) a 60-day notice and informal resolution period before any legal action; 3) a class action waiver requiring all claims to be brought individually; and 4) detailed SMS marketing consent provisions that are notably silent on message timing.
But here’s where things get even more complicated for Colourpop—its SMS Terms of Use might work against it. According to its official policy, Colourpop requires users to “affirmatively opt-in” to receive marketing texts and states that “consent is not required to make any purchase.” That’s standard, but the policy doesn’t say anything about notifying users that messages may arrive at prohibited hours. In other words, just because someone opted in doesn’t mean they agreed to get texts at 10 PM.
What is more, the Terms include a “Class Action Waiver,” stating that customers agree to resolve disputes through individual arbitration rather than class actions. However, TCPA cases have successfully challenged these waivers, particularly when courts find them unconscionable or conflicting with consumer protection policies. But let’s be clear—each case has its own legal and factual workup, and enforcing arbitration clauses isn’t a one-size-fits-all. Have you ever read Troutman Amin’s motions to compel arbitration? They are top-notch, crafted with precision, and built to withstand scrutiny. Whether enforcing a waiver or strategically defending against class certification, our team knows how to keep businesses out of costly courtroom battles and in control of their legal strategy. You don’t want to be left covering up legal blemishes—you want a flawless finish. (And yes, my pun game is getting better.)
This lawsuit isn’t just about Colourpop—it’s a reminder to every brand using SMS marketing that timing isn’t just a courtesy; it’s the law. Translation? If your brand hits “send” on promotional texts after 9 PM, you might wake up to a class action lawsuit. The old saying goes, “Nothing good happens after midnight,” but for businesses, it’s starting to look like “nothing safe happens after 9 PM.”
As always,
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!
It Lives: Trump Administration Defends Corporate Transparency Act; May Modify its Application
On February 5, 2025, the Trump administration added a new chapter to the saga that has been the implementation of the Corporate Transparency Act (CTA), filing a notice of appeal and motion for stay against an Eastern District of Texas injunction in Smith v. United States Department of the Treasury on enforcement of the CTA’s filing deadline.
In its filing, the Treasury Department stated that it would extend the filing deadline for 30 days if the stay is granted, and would use those 30 days to determine if lower-risk categories of entities should be excluded from the reach of the filing requirements. In light of the Supreme Court’s stay of the injunction in Texas Top Cop Shop, Inc., et al. v. Merrick Garland, et al., also from the Eastern District of Texas, it is likely that the stay will be granted.
Passed in the first Trump administration but implemented during the Biden presidency, the CTA – an anti-money laundering law designed to combat terrorist financing, seize proceeds of drug trafficking, and root out illicit assets of sanctioned parties and foreign criminals in the United States – has faced legal challenges around the country.
The constitutionality of the CTA was challenged in several cases, with most courts upholding the law, but some issuing either preliminary injunctions or determining that the law is unconstitutional. In addition to the appeals of Texas Top Cop Shop and Smith, both before the Fifth Circuit, appeals are currently pending in the Fourth, Ninth, and Eleventh Circuits.
Although enforcement of the CTA deadline is currently paused, the granting of a stay in Smith, or a ruling by one of the circuits, could reinstate the deadline at any time, triggering the start of the 30-day clock to file. Entities may file now notwithstanding the injunction if they choose to do so, and entities may wish to complete the filing so that they do not need to monitor the situation and to avoid high traffic to the filing website in the event a deadline is reimposed.
Please note that if you file or have already filed and the law is ultimately found unconstitutional or otherwise overturned or rescinded, you will not be under any continuing obligation regarding that filing.
Entities can, of course, choose not to file or to keep filings updated. However, be aware that in addition to the potential need to file on short notice should the preliminary injunction be limited, stayed, or overturned, financial institutions may inquire as to whether the entity has filed a CTA and could require filing as part of the financial institution’s anti-money laundering program.
DOJ Begins Its Own DEI Enforcement Efforts
Wednesday evening, February 5, 2025, Attorney General Pam Bondi issued a series of memos to various divisions of the Department of Justice (DOJ). One memo asserted that the DOJ will take action to enforce President Trump’s efforts to eliminate illegal diversity, equity, and inclusion (DEI) initiatives, as outlined in Executive Order 14173 (“Ending Illegal Discrimination and Restoring Merit-Based Opportunity”).
This memo, titled “Ending Illegal DEI And DEIA Discrimination And Preferences,” tasks the DOJ’s Civil Rights Division with investigating, eliminating, and penalizing illegal DEI “preferences, mandates, policies, programs, and activities in the private sector and in educational institutions that receive federal funds.” By March 1, 2025, the Civil Rights Division and the Office of Legal Policy are to submit a report containing recommendations to “encourage the private sector to end illegal discrimination and preferences” related to DEI. That report is also supposed to identify the most “egregious and discriminatory DEI and DEIA practitioners in each sector of concern.” One big takeaway from this memo is the implication that some private companies may face criminal penalties for DEI initiatives.
Bondi also directs the DOJ to work with the Department of Education to eliminate DEI programs at universities, based on the Supreme Court’s 2023 decision in Students for Fair Admissions, Inc. v. Fellows of Harvard Coll., 600 U.S. 181 (2023).
Notably, the memo itself does not purport to prohibit educational, cultural, or historical observances that “celebrate diversity, recognize historical contributions, and promote awareness without engaging in exclusion or discrimination.” Examples of these types of observances include Black History Month and International Holocaust Remembrance Day.
This new effort from the DOJ will likely face legal scrutiny in the coming weeks, as federal courts have routinely upheld private employers’ First Amendment right to promote DEI. Employers should stay up to date with the rapidly evolving DEI landscape and consult with legal counsel as they evaluate their practices and initiatives for compliance with federal non-discrimination laws.
Mass. Appeals Court Clarifies Chapter 93A Violations in Landlord-Tenant Dispute
The Appeals Court of Massachusetts recently took up another summary process action concerning landlord-tenant rights and Chapter 93A violations in Hayastan Indus., Inc. v. Guz. In a summary decision[1], the court affirmed a liability finding against a landlord for Chapter 93A violations under several distinct theories.
Plaintiff, a corporate entity, purchased a manufactured home and the lot it resided on from the bank after defendants defaulted on their loan. Plaintiff then brought a summary process action in the Housing Court to take possession of the manufactured home, and the tenants counter-claimed for Chapter 93A violations. The Housing Court entered judgment dismissing plaintiff’s claim for possession of the manufactured home and found plaintiff violated Chapter 93A.
The Appeals Court agreed that the Housing Court erred in concluding that the 30-day notice to quit delivered to the tenants without cause violated the M.G.L. c. 140, § 32J requirement, which is designed to protect owners of manufactured homes. At the time of the notice to quit, the tenants no longer owned the manufactured home and were no longer entitled to the statute’s protections. Thus, the Housing Court erred in dismissing the possession claim based on a M.G.L. c. 140, § 32J violation and in finding a Chapter 93A violation based on this statutory violation.
The Appeals Court further determined, however, that the Housing Court did not err when it concluded that an April 27, 2020, letter plaintiff sent to the tenants violated the Massachusetts eviction moratorium during the COVID-19 pandemic. While the letter did violate the eviction moratorium, the Appeals Court disagreed with the Housing Court that this technical violation was a “serious interference” with a tenancy such that it violated Massachusetts’ quiet enjoyment statute. The Housing Court therefore vacated that ruling and the damages awarded on this claim. This issue was remanded to the Housing Court for the limited purpose of determining whether the technical violation of the eviction moratorium caused the tenants a loss as required to recover under G.L. c. 93A.
Finally, the Appeals Court did not believe the judge erred in finding a violation of Chapter 93A due to plaintiff’s inclusion of lot fees in the summary process complaint, when such fees had previously been adjudicated by the Housing Court not to be owed by the tenants. The Housing Court found that plaintiff “commenced eviction proceedings approximately nine days after purchasing the home because it intended to make repairs and put it on the market for sale,” which supported the conclusion that the notice to quit was motivated by business reasons. These “business reasons” amounted to conduct in trade or commerce for the purposes of Chapter 93A. The Housing Court found, and the Appeals Court agreed, that even though the summary process complaint was amended to remove the demand for lot fees, the elements of c. 93A were still met at the time the summary process complaint was served. Thus, the demand for invalidated lot fees amounted to an unfair or deceptive business practice, which caused defendant to suffer an emotional injury in the form of lost sleep and anxiety. The Appeals Court noted that the failure of the company to apprise itself of the legal effect of the pending appeal did not amount to the sort of negligence that precludes liability under G.L. c. 93A.
The Appeals Court decision on the final issue seems to run contrary to established law that petitioning activity is typically immune from Chapter 93A liability.[2] It does not appear that plaintiff’s petitioning activity was frivolous or designed to frustrate competition.[3] Rather, plaintiff sought to take possession of a property it recently purchased through a summary process complaint and amended the complaint to remove the demand for lot fees it was not owed prior to actual litigation on the issue. This case highlights what appears to be a trend at the trial court level to expand the scope of Chapter 93A liability.
[1] A summary decision is a decision primarily directed to the parties and represents only the views of the panel that decided the case. It may be cited for its persuasive value but is not binding precedent.
[2] See Morrison v. Toys “R” Us, Inc., 441 Mass. 451, 457 (2004) (Chapter 93A “has never been read so broadly as to establish an independent remedy for unfair or deceptive dealings in the context of litigation, with the statutory exception as to those ‘engaged in the business of insurance’”).
[3] See Bristol Asphalt Co., Inc. v. Rochester Bituminous Products, Inc., 493 Mass. 539 (2024).
Another Arbitration Agreement Bites the Dust!
The California Court of Appeal dealt another blow to arbitration, just months after we reported the last such decision here.
This time, the Court ruled that the federal Ending Forced Arbitration of Sexual Assault and Sexual Harassment Act of 2021 (“EFAA”) overrides state law—even in cases in which the employee has signed an arbitration agreement that explicitly invokes state law favoring arbitration.
Kristin Casey, a former employee of D.R. Horton, Inc., sued the company and one of its employees, Kris Hansen, for sexual harassment, sex discrimination, retaliation, and failure to prevent discrimination and harassment in September 2023. D.R. Horton attempted to enforce an arbitration agreement in Casey’s employment contract, which included a choice-of-law provision applying California law. Casey opposed arbitration, arguing that the EFAA gave her the right to pursue her claims in court.
The EFAA, enacted in 2022, provides that a “person alleging conduct constituting a sexual harassment dispute” may elect that “no predispute arbitration agreement . . . shall be valid or enforceable with respect to the case filed under federal, tribal or state law and relates to the sexual harassment dispute.”
The trial court upheld the arbitration agreement, enforcing the terms to which Casey had agreed. But on a writ petition, the California Court of Appeal reversed, holding that the EFAA preempts state law so long as the employment relationship involves interstate commerce (a low hurdle). The court further determined that an employer cannot rely on a choice-of-law clause to avoid the effect of the EFAA.
You can read the full decision here.
The BR Privacy & Security Download: February 2025
STATE & LOCAL LAWS & REGULATIONS
New York Legislature Passes Comprehensive Health Privacy Law: The New York state legislature passed SB-929 (the “Bill”), providing for the protection of health information. The Bill broadly defines “regulated health information” as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Regulated health information includes location and payment information, as well as inferences derived from an individual’s physical or mental health. The term “individual” is not defined. Accordingly, the Bill contains no terms restricting its application to consumers acting in an individual or household context. The Bill would apply to regulated entities, which are entities that (1) are located in New York and control the processing of regulated health information, or (2) control the processing of regulated health information of New York residents or individuals physically present in New York. Among other things, the Bill would restrict regulated entities to processing regulated health information only with a valid authorization, or when strictly necessary for certain specified activities. The Bill also provides for individual rights and requires the implementation of reasonable administrative, physical, and technical safeguards to protect regulated health information. The Bill would take effect one year after being signed into law and currently awaits New York Governor Kathy Hochul’s signature.
New York Data Breach Notification Law Updated: Two bills, SO2659 and SO2376, that amended the state’s data breach notification law were signed into law by New York Governor Kathy Hochul. The bills change the timing requirement in which notice must be provided to New York residents, add data elements to the definition of “private information,” and add the New York Department of Financial Services to the list of regulators that must be notified. Previously, New York’s data breach notification statute did not have a hard deadline within which notice must be provided. The amendments now require affected individuals to be notified no later than 30 days after discovery of the breach, except for delays arising from the legitimate needs of law enforcement. Additionally, as of March 25, 2025, “private information” subject to the law’s notification requirements will include medical information and health insurance information.
California AG Issues Legal Advisory on Application of California Law to AI: California’s Attorney General has issued legal advisories to clarify that existing state laws apply to AI development and use, emphasizing that California is not an AI “wild west.” These advisories cover consumer protection, civil rights, competition, data privacy, and election misinformation. AI systems, while beneficial, present risks such as bias, discrimination, and the spread of disinformation. Therefore, entities that develop or use AI must comply with all state, federal, and local laws. The advisories highlight key laws, including the Unfair Competition Law and the California Consumer Privacy Act. The advisories also highlight new laws effective on January 1, 2025, which include disclosure requirements for businesses, restrictions on the unauthorized use of likeness, and regulations for AI use in elections and healthcare. These advisories stress the importance of transparency and compliance to prevent harm from AI.
New Jersey AG Publishes Guidance on Algorithmic Discrimination: On January 9, 2025, New Jersey’s Attorney General and Division on Civil Rights announced a new civil rights and technology initiative to address the risks of discrimination and bias-based harassment in AI and other advanced technologies. The initiative includes the publication of a Guidance Document, which addresses the applicability of New Jersey’s Law Against Discrimination (“LAD”) to automated decision-making tools and technologies. It focuses on the threats posed by automated decision-making technologies in the housing, employment, healthcare, and financial services contexts, emphasizing that the LAD applies to discrimination regardless of the technology at issue. Also included in the announcement is the launch of a new Civil Rights Innovation Lab, which “will aim to leverage technology responsibly to advance [the Division’s] mission to prevent, address, and remedy discrimination.” The Lab will partner with experts and relevant industry stakeholders to identify and develop technology to enhance the Division’s enforcement, outreach, and public education work, and will develop protocols to facilitate the responsible deployment of AI and related decision-making technology. This initiative, along with the recently effective New Jersey Data Protection Act, shows a significantly increased focus from the New Jersey Attorney General on issues relating to data privacy and automated decision-making technologies.
New Jersey Publishes Comprehensive Privacy Law FAQs: The New Jersey Division of Consumer Affairs Cyber Fraud Unit (“Division”) published FAQs that provide a general summary of the New Jersey Data Privacy Law (“NJDPL”), including its scope, key definitions, consumer rights, and enforcement. The NJDPL took effect on January 15, 2025, and the FAQs state that controllers subject to the NJDPL are expected to comply by such date. However, the FAQs also emphasize that until July 1, 2026, the Division will provide notice and a 30-day cure period for potential violations. The FAQs also suggest that the Division may adopt a stricter approach to minors’ privacy. While the text of the NJDPL requires consent for processing the personal data of consumers between the ages of 13 and 16 for purposes of targeted advertising, sale, and profiling, the FAQs state that when a controller knows or willfully disregards that a consumer is between the ages of 13 and 16, consent is required to process their personal data more generally.
CPPA Extends Formal Comment Period for Automated Decision-Making Technology Regulations: The California Privacy Protection Agency (“CPPA”) extended the public comment period for its proposed regulations on cybersecurity audits, risk assessments, automated decision-making technology (“ADMT”), and insurance companies under the California Privacy Rights Act. The public comment period opened on November 22, 2024, and was set to close on January 14, 2025. However, due to the wildfires in Southern California, the public comment period was extended to February 19, 2025. The CPPA will also be holding a public hearing on that date for interested parties to present oral and written statements or arguments regarding the proposed regulations.
Oregon DOJ Publishes Toolkit for Consumer Privacy Rights: The Oregon Department of Justice announced the release of a new toolkit designed to help Oregonians protect their online information. The toolkit is designed to help families understand their rights under the Oregon Consumer Privacy Act. The Oregon DOJ reminded consumers how to submit complaints when businesses are not responsive to privacy rights requests. The Oregon DOJ also stated it has received 118 complaints since the Oregon Consumer Privacy Act took effect last July and had sent notices of violation to businesses that have been identified as non-compliant.
California, Colorado, and Connecticut AGs Remind Consumers of Opt-Out Rights: California Attorney General Rob Bonta published a press release reminding residents of their right to opt out of the sale and sharing of their personal information. The California Attorney General also cited the robust privacy protections of Colorado and Connecticut laws that provide for similar opt-out protections. The press release urged consumers to familiarize themselves with the Global Privacy Control (“GPC”), a browser setting or extension that automatically signals to businesses that they should not sell or share a consumer’s personal information, including for targeted advertising. The Attorney General also provided instructions for the use of the GPC and for exercising opt-outs by visiting the websites of individual businesses.
FEDERAL LAWS & REGULATIONS
FTC Finalizes Updates to COPPA Rule: The FTC announced the finalization of updates to the Children’s Online Privacy Protection Rule (the “Rule”). The updated Rule makes a number of changes, including requiring opt-in consent to engage in targeted advertising to children and to disclose children’s personal information to third parties. The Rule also adds biometric identifiers to the definition of personal information and prohibits operators from retaining children’s personal information for longer than necessary for the specific documented business purposes for which it was collected. Operators must maintain a written data retention policy that documents the business purpose for data retention and the retention period for data. The Commission voted 5-0 to adopt the Rule, but new FTC Chair Andrew Ferguson filed a separate statement describing “serious problems” with the rule. Ferguson specifically stated that it was unclear whether an entirely new consent would be required if an operator added a new third party with whom personal information would be shared, potentially creating a significant burden for businesses. The Rule will be effective 60 days after its publication in the Federal Register.
Trump Rescinds Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence: President Donald Trump took action to rescind former President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (“AI EO”). According to a Biden administration statement released in October, many action items from the AI EO have already been completed. Recommendations, reports, and opportunities for research that were completed prior to revocation of the AI EO may continue in place unless replaced by additional federal agency action. It remains unclear whether the Trump Administration will issue its own executive orders relating to AI.
U.S. Justice Department Issues Final Rule on Transfer of Sensitive Personal Data to Foreign Adversaries: The U.S. Justice Department issued final regulations to implement a presidential Executive Order regarding access to bulk sensitive personal data of U.S. citizens by foreign adversaries. The regulations restrict transfers involving designated countries of concern – China, Cuba, Iran, North Korea, Russia, and Venezuela. At a high level, transfers are restricted if they could result in bulk sensitive personal data access by a country of concern or a “covered person,” which is an entity that is majority-owned by a country of concern, organized under the laws of a country of concern, has its principal place of business in a country of concern, or is an individual whose primary residence is in a country of concern. Data covered by the regulation includes precise geolocation data, biometric identifiers, genetic data, health data, financial data, government-issued identification numbers, and certain other identifiers, including device or hardware-based identifiers, advertising identifiers, and demographic or contact data.
First Complaint Filed Under Protecting Americans’ Data from Foreign Adversaries Act: The Electronic Privacy Information Center (“EPIC”) and the Irish Council for Civil Liberties (“ICCL”) Enforce Unit filed the first-ever complaint under the Protecting Americans’ Data from Foreign Adversaries Act (“PADFAA”). PADFAA makes it unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, or otherwise make available specified personally identifiable sensitive data of individuals residing in the United States to North Korea, China, Russia, Iran, or an entity controlled by one of those countries. The complaint alleges that Google’s real-time bidding system data includes personally identifiable sensitive data, that Google executives were aware that data from its real-time bidding system may have been resold, and that Google’s public list of certified companies that receive real-time bidding bid request data includes multiple companies based in foreign adversary countries.
FDA Issues Draft Guidance for AI-Enabled Device Software Functions: The U.S. Food and Drug Administration (“FDA”) published its January 2025 Draft Guidance for Industry and FDA Staff regarding AI-enabled device software functionality. The Draft provides recommendations regarding the contents of marketing submissions for AI-enabled medical devices, including documentation and information that will support the FDA’s evaluation of their safety and effectiveness. The Draft Guidance is designed to reflect a “comprehensive approach” to the management of devices through their total product life cycle and includes recommendations for the design, development, and implementation of AI-enabled devices. The FDA is accepting comments on the Draft Guidance, which may be submitted online until April 7, 2025.
Industry Coalition Pushes for Unified National Data Privacy Law: A coalition of over thirty industry groups, including the U.S. Chamber of Commerce, sent a letter to Congress urging it to enact a comprehensive national data privacy law. The letter highlights the urgent need for a cohesive federal standard to replace the fragmented state laws that complicate compliance and stifle competition. The letter advocates for legislation based on principles to empower startups and small businesses by reducing costs and improving consumer access to services. The letter supports granting consumers the right to understand, correct, and delete their data, and to opt out of targeted advertising, while emphasizing transparency by requiring companies to disclose data practices and secure consent for processing sensitive information. It also focuses on the principles of limiting data collection to essential purposes and implementing robust security measures. While the principles aim to override strong state laws like that in California, the proposal notably excludes data broker regulation, a previous point of contention. The coalition cautions against legislation that could lead to frivolous litigation, advocating for balanced enforcement and collaborative compliance. By adhering to these principles, the industry groups seek to ensure legal certainty and promote responsible data use, benefiting both businesses and consumers.
Cyber Trust Mark Unveiled: The White House launched a labeling scheme for internet-of-things devices designed to inform consumers when devices meet certain government-determined cybersecurity standards. The program has been in development for several months and involves collaboration between the White House, the National Institute of Standards and Technology, and the Federal Communications Commission. UL Solutions, a global safety and testing company headquartered in Illinois, has been selected as the lead administrator of the program along with 10 other firms as deputy administrators. With the main goal of helping consumers make more cyber-secure choices when purchasing products, the White House hopes to have products with the new cyber trust mark hit shelves before the end of 2025.
U.S. LITIGATION
Texas Attorney General Sues Insurance Company for Unlawful Collection and Sharing of Driving Data: Texas Attorney General Ken Paxton filed a lawsuit against Allstate and its data analytics subsidiary, Arity. The lawsuit alleges that Arity paid app developers to incorporate its software development kit that tracked location data from over 45 million consumers in the U.S. According to the lawsuit, Arity then shared that data with Allstate and other insurers, who would use the data to justify increasing car insurance premiums. The sale of precise geolocation data of Texans violated the Texas Data Privacy and Security Act (“TDPSA”) according to the Texas Attorney General. The TDPSA requires the companies to provide notice and obtain informed consent to use the sensitive data of Texas residents, which includes precise geolocation data. The Texas Attorney General sued General Motors in August of 2024, alleging similar practices relating to the collection and sale of driver data.
Eleventh Circuit Overturns FCC’s One-to-One Consent Rule, Upholds Broader Telemarketing Practices: In Insurance Marketing Coalition, Ltd. v. Federal Communications Commission, No. 24-10277, 2025 WL 289152 (11th Cir. Jan. 24, 2025), the Eleventh Circuit vacated the FCC’s one-to-one consent rule under the Telephone Consumer Protection Act (“TCPA”). The court found that the rule exceeded the FCC’s authority and conflicted with the statutory meaning of “prior express consent.” By requiring separate consent for each seller and topic-related call, the rule was deemed unnecessary. This decision allows businesses to continue using broader consent practices, maintaining shared consent agreements. The ruling emphasizes that consent should align with common-law principles rather than be restricted to a single entity. While the FCC’s next steps remain uncertain, the decision reduces compliance burdens and may challenge other TCPA regulations.
California Judge Blocks Enforcement of Social Media Addiction Law: The California Protecting Our Kids from Social Media Addiction Act (the “Act”) has been temporarily blocked. The Act was set to take effect on January 1, 2025. The law aims to prevent social media platforms from using algorithms to provide addictive content to children. Judge Edward J. Davila initially declined to block key parts of the law but agreed to pause enforcement until February 1, 2025, to allow the Ninth Circuit to review the case. NetChoice, a tech trade group, is challenging the law on First Amendment grounds. NetChoice argues that restricting minors’ access to personalized feeds violates the First Amendment. The group has appealed to the Ninth Circuit and is seeking an injunction to prevent the law from taking effect. Judge Davila’s decision recognized the “novel, difficult, and important” constitutional issues presented by the case. The law includes provisions to restrict minors’ access to personalized feeds, limit their ability to view likes and other feedback, and restrict third-party interaction.
U.S. ENFORCEMENT
FTC Settles Enforcement Action Against General Motors for Sharing Geolocation and Driving Behavior Data Without Consent: The Federal Trade Commission (“FTC”) announced a proposed order to settle FTC allegations against General Motors that it collected, used, and sold drivers’ precise geolocation data and driving behavior information from millions of vehicles without adequately notifying consumers and obtaining their affirmative consent. The FTC specifically alleged General Motors used a misleading enrollment process to get consumers to sign up for its OnStar-connected vehicle service and Smart Driver feature without proper notice or consent during that process. The information was then sold to third parties, including consumer reporting agencies, according to the FTC. As part of the settlement, General Motors will be prohibited from disclosing driver data to consumer reporting agencies, required to allow consumers to obtain and delete their data, required to obtain consent prior to collection, and required to allow consumers to limit data collected from their vehicles.
FTC Releases Proposed Order Against GoDaddy for Alleged Data Security Failures: The Federal Trade Commission (“FTC”) announced it had reached a proposed settlement in its action against GoDaddy Inc. (“GoDaddy”) for failing to implement reasonable and appropriate security measures, which resulted in several major data breaches between 2019 and 2022. According to the FTC’s complaint, GoDaddy misled customers about its data security practices through claims on its websites and in email and social media ads, and by representing it was in compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. However, the FTC found that GoDaddy failed to inventory and manage assets and software updates, assess risks to its shared hosting services, adequately log and monitor security-related events, and segment its shared hosting from less secure environments. The FTC’s proposed order against GoDaddy prohibits GoDaddy from misleading its customers about its security practices and requires GoDaddy to implement a comprehensive information security program. GoDaddy must also hire a third-party assessor to conduct biennial reviews of its information security program.
CPPA Reaches Settlements with Additional Data Brokers: Following their announcement of a public investigative sweep of data broker registration compliance, the CPPA has settled with additional data brokers PayDae, Inc. d/b/a Infillion (“Infillion”), The Data Group, LLC (“The Data Group”), and Key Marketing Advantage, LLC (“KMA”) for failing to register as a data broker and pay an annual fee as required by California’s Delete Act. Infillion will pay $54,200 for failing to register between February 1, 2024, and November 4, 2024. The Data Group will pay $46,600 for failing to register between February 1, 2024, and September 20, 2024. KMA will pay $55,800 for failing to register between February 1, 2024, and November 5, 2024. In addition to the fines, the companies have agreed to injunctive terms. The Delete Act imposes fines of $200 per day for failing to register by the deadline.
Mortgage Company Fined by State Financial Regulators for Cybersecurity Breach: Bayview Asset Management LLC and three affiliates (collectively, “Bayview”) agreed to pay a $20 million fine and improve their cybersecurity programs to settle allegations from 53 state financial regulators. The Conference of State Bank Supervisors (“CSBS”) alleged that the mortgage companies had deficient cybersecurity practices and did not fully cooperate with regulators after a 2021 data breach. The data breach compromised data for 5.8 million customers. The coordinated enforcement action was led by financial regulators in California, Maryland, North Carolina, and Washington State. The regulators said the companies’ information technology and cybersecurity practices did not meet federal or state requirements. The firms also delayed the supervisory process by withholding requested information and providing redacted documents in the initial stages of a post-breach exam. The companies also agreed to undergo independent assessments and provide three years of additional reporting to the state regulators.
SEC Reaches Settlement over Misleading Cybersecurity Disclosures: The SEC announced it has settled charges with Ashford Inc., an asset management firm, over misleading disclosures related to a cybersecurity incident. This enforcement action stemmed from a ransomware attack in September 2023, compromising over 12 terabytes of sensitive hotel customer data, including driver’s licenses and credit card numbers. Despite the breach, Ashford falsely reported in its November 2023 filings that no customer information was exposed. The SEC alleged negligence in Ashford’s disclosures, citing violations of the Securities Act of 1933 and the Exchange Act of 1934. Without admitting or denying the allegations, Ashford agreed to a $115,231 penalty and an injunction. This case highlights the critical importance of accurate cybersecurity disclosures and demonstrates the SEC’s commitment to ensuring transparency and accountability in corporate reporting.
FTC Finalizes Data Breach-Related Settlement with Marriott: The FTC has finalized its order against Marriott International, Inc. (“Marriott”) and its subsidiary Starwood Hotels & Resorts Worldwide LLC (“Starwood”). As previously reported, the FTC entered into a settlement with Marriott and Starwood for three data breaches the companies experienced between 2014 and 2020, which collectively impacted more than 344 million guest records. Under the finalized order, Marriott and Starwood are required to establish a comprehensive information security program, implement a policy to retain personal information only for as long as reasonably necessary, and establish a link on their website for U.S. customers to request deletion of their personal information associated with their email address or loyalty rewards account number. The order also requires Marriott to review loyalty rewards accounts upon customer request and restore stolen loyalty points. The companies are further prohibited from misrepresenting their information collection practices and data security measures.
New York Attorney General Settles with Auto Insurance Company over Data Breach: The New York Attorney General settled with automobile insurance company, Noblr, for a data breach the company experienced in January 2021. Noblr’s online insurance quoting tool exposed full, plaintext driver’s license numbers, including on the backend of its website and in PDFs generated when a purchase was made. The data breach impacted the personal information of more than 80,000 New Yorkers. The data breach was part of an industry-wide campaign to steal personal information (e.g., driver’s license numbers and dates of birth) from online automobile insurance quoting applications to be used to file fraudulent unemployment claims during the COVID-19 pandemic. As part of its settlement, Noblr must pay the New York Attorney General $500,000 in penalties and strengthen its data security measures such as by enhancing its web application defenses and maintaining a comprehensive information security program, data inventory, access controls (e.g., authentication procedures), and logging and monitoring systems.
FTC Alleges Video Game Maker Violated COPPA and Engaged in Deceptive Marketing Practices: The Federal Trade Commission (“FTC”) has taken action against Cognosphere Pte. Ltd and its subsidiary Cognosphere LLC, also known as HoYoverse, the developer of the game Genshin Impact (“HoYoverse”). The FTC alleges that HoYoverse violated the Children’s Online Privacy Protection Act (“COPPA”) and engaged in deceptive marketing practices. Specifically, the company is accused of unfairly marketing loot boxes to children and misleading players about the odds of winning prizes and the true cost of in-game transactions. To settle these charges, HoYoverse will pay a $20 million fine and is prohibited from allowing children under 16 to make in-game purchases without parental consent. Additionally, the company must provide an option to purchase loot boxes directly with real money and disclose loot box odds and exchange rates. HoYoverse is also required to delete personal information collected from children under 13 without parental consent. The FTC’s actions aim to protect consumers, especially children and teens, from deceptive practices related to in-game purchases.
OCR Finalizes Several Settlements for HIPAA Violations: Prior to the inauguration of President Trump, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) brought enforcement actions against four entities, USR Holdings, LLC (“USR”), Elgon Information Systems (“Elgon”), Solara Medical Supplies, LLC (“Solara”) and Northeast Surgical Group, P.C. (“NESG”), for potential violations of the Health Insurance Portability and Accountability Act’s (“HIPAA”) Security Rule due to the data breaches the entities experienced. USR reported that between August 23, 2018, and December 8, 2018, a database containing the electronic protected health information (“ePHI”) of 2,903 individuals was accessed by an unauthorized third party who was able to delete the ePHI in the database. Elgon and NESG each discovered a ransomware attack in March 2023, which affected the protected health information (“PHI”) of approximately 31,248 individuals and 15,298 individuals, respectively. Solara experienced a phishing attack that allowed an unauthorized third party to gain access to eight of Solara’s employees’ email accounts between April and June 2019, resulting in the compromise of 114,007 individuals’ ePHI. As part of their settlements, each of the entities is required to pay a fine to OCR: USR $337,750, Elgon $80,000, Solara $3,000,000, and NESG $10,000. Additionally, each of the entities is required to implement certain data security measures such as conducting a risk analysis, implementing a risk management plan, maintaining written policies and procedures to comply with HIPAA, and distributing such policies or providing training on such policies to its workforce.
Virginia Attorney General Sues TikTok for Addictive Fees and Allowing Chinese Government to Access Data: Virginia Attorney General Jason Miyares announced his office had filed a lawsuit against TikTok and ByteDance Ltd, the Chinese-based parent company of TikTok. The lawsuit alleges that TikTok was intentionally designed to be addictive for adolescent users and that the company deceived parents about TikTok content, including by claiming the app is appropriate for children over the age of 12 in violation of the Virginia Consumer Protection Act.
INTERNATIONAL LAWS & REGULATIONS
UK ICO Publishes Guidance on Pay or Consent Model: On January 23, the UK’s Information Commissioner’s Office (“ICO”) published its Guidance for Organizations Implementing or Considering Implementing Consent or Pay Models. The guidance is designed to clarify how organizations can deploy ‘consent or pay’ models in a manner that gives users meaningful control over the privacy of their information while still supporting their economic viability. The guidance addresses the requirements of applicable UK laws, including PECR and the UK GDPR, and provides extensive guidance as to how appropriate fees may be calculated and how to address imbalances of power. The guidance includes a set of factors that organizations can use to assess their consent models and includes plans to further engage with online consent management platforms, which are typically used by businesses to manage the use of essential and non-essential online trackers. Businesses with operations in the UK should carefully review their current online tracker consent management tools in light of this new guidance.
EU Commission to Pay Damages for Sending IP Address to Meta: The European General Court has ordered the European Commission to pay a German citizen, Thomas Bindl, €400 in damages for unlawfully transferring his personal data to the U.S. This decision sets a new precedent regarding EU data protection litigation. The court found that the Commission breached data protection regulations by operating a website with a “sign in with Facebook” option. This resulted in Bindl’s IP address, along with other data, being transferred to Meta without ensuring adequate safeguards were in place. The transfer happened during the transition period between the EU-U.S. Privacy Shield and the EU-U.S. Data Protection Framework. The court determined that this left Bindl in a position of uncertainty about how his data was being processed. The ruling is significant because it recognizes “intrinsic harm” and may pave the way for large-scale collective redress actions.
European Data Protection Board Releases AI Bias Assessment and Data Subject Rights Tools: The European Data Protection Board (“EDPB”) released two AI tools as part of the AI: Complex Algorithms and effective Data Protection Supervision Projects. The EDPB launched the project in the context of the Support Pool of Experts program at the request of the German Federal Data Protection Authority. The Support Pool of Experts program aims to help data protection authorities increase their enforcement capacity by developing common tools and giving them access to a wide pool of experts. The new documents address best practices for bias evaluation and the effective implementation of data subject rights, specifically the rights to rectification and erasure when AI systems have been developed with personal data.
European Data Protection Board Adopts New Guidelines on Pseudonymization: The EDPB released new guidelines on pseudonymization for public consultation (the “Guidelines”). Although pseudonymized data still constitutes personal data under the GDPR, pseudonymization can reduce the risks to the data subjects by preventing the attribution of personal data to natural persons in the course of the processing of the data, and in the event of unauthorized access or use. In certain circumstances, the risk reduction resulting from pseudonymization may enable controllers to rely on legitimate interests as the legal basis for processing personal data under the GDPR, provided they meet the other requirements, or help guarantee an essentially equivalent level of protection for data they intend to export. The Guidelines provide real-world examples illustrating the use of pseudonymization in various scenarios, such as internal analysis, external analysis, and research.
CJEU Issues Ruling on Excessive Data Subject Requests: On January 9, the Court of Justice of the European Union (“CJEU”) issued its ruling in the case Österreichische Datenschutzbehörde (C‑416/23). The primary question before the Court was when a European data protection authority may deny consumer requests due to their excessive nature. Rather than specifying an arbitrary numerical threshold of requests received, the CJEU found that authorities must consider the relevant facts to determine whether the individual submitting the request has “an abusive intention.” While the number of requests submitted may be a factor in determining this intention, it is not the only factor. Additionally, the CJEU emphasized that Data Protection Authorities should strongly consider charging a “reasonable fee” for handling requests they suspect may be excessive prior to simply denying them.
Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganz, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Tianmei Ann Huang, Adam J. Landy, Amanda M. Noonan, and Karen H. Shin contributed to this article.
USPTO’s Proposed Terminal Disclaimer Practice
On May 10, 2024, the United States Patent and Trademark Office (“USPTO”) published a new proposed rule that would require a patent applicant who submits a terminal disclaimer to obviate nonstatutory double patenting to agree:
that the patent in which the terminal disclaimer is filed, or any patent granted on an application in which a terminal disclaimer is filed, will be enforceable only if the patent is not tied and has never been tied directly or indirectly to a patent by one or more terminal disclaimers filed to obviate nonstatutory double patenting in which: any claim has been finally held unpatentable or invalid as anticipated or obvious by a Federal court in a civil action or by the USPTO, and all appeal rights have been exhausted; or a statutory disclaimer of a claim is filed after any challenge based on anticipation or obviousness to that claim has been made.
The USPTO has promulgated this rule to prevent inventors from attempting to receive multiple patents directed to “obvious variations” of an invention. The USPTO believes that this proposed rule will deter anticompetitive behavior and promote innovation by “allowing a competitor to avoid enforcement of patents tied by one or more terminal disclaimers to another patent having a claim finally held unpatentable or invalid over prior art.”
Currently, when a terminal disclaimer is filed to obviate nonstatutory double patenting, a patent applicant is disclaiming any overlapping subject matter with an already existing patent owned by the patent applicant. The disclaimer is designed to prevent a patent applicant from improperly extending a patent’s term beyond its statutory limit. If a patent challenger wants to invalidate a family of related patents connected through terminal disclaimers, the patent challenger must invalidate each patent individually. Under the proposed rule, when a patent challenger is challenging a patent family, the patent challenger would need to successfully invalidate only one claim of a patent to invalidate that patent and any related patent that is tied to the invalidated patent through a terminal disclaimer.
On July 9, 2024, public comment closed for the proposed USPTO rule. Over 350 public comments were submitted giving feedback on the proposed rule. The public commenters’ opinions ranged from supporting the USPTO’s proposed rule to arguing against the USPTO’s proposed rule. Those submitting comments included private individuals, practicing attorneys, trade and policy organizations, and corporations.
Those against the proposed rule raised many concerns. The main issue with the proposed rule was the concern about the consequences of having a single patent claim invalidating an entire patent family. Other concerns raised included the potential of increased cost during patent prosecution and concerns about the potential to hurt small businesses by incentivizing companies to invalidate one claim instead of licensing patents.
Additionally, others argued that the USPTO does not have the authority to promulgate the proposed rule and that the USPTO is exceeding its statutory authority. For example, former USPTO directors Andrei Iancu, David Hirshfeld, David Kappos, Laura Peter, and Russell Slifer submitted a joint comment against the proposed rule identifying many issues with it, including that the proposed rule would “render unenforceable entire patents if a single claim in a different patent is found to be invalid,” that the “proposal hands a powerful cudgel to infringers,” and that the USPTO is “evidently attempting to significantly deter, if not eliminate, continuations practice – a right that inventors are given by statute.” Others submitting comments against the rule included the American Intellectual Property Law Association and the American Bar Association Intellectual Property Law Association.
Those supporting the USPTO’s proposed rule argued that it would promote competition and lower the cost to consumers by removing unnecessary patents. They also believe that it allows smaller businesses to compete with larger corporations who are using “gamesmanship” to receive unmeritorious patents. For example, the Federal Trade Commission (“FTC”) issued a public comment supporting the USPTO’s proposed rule. In support of the rule, the FTC explained that terminal disclaimers are used to “overcome the USPTO’s rejection of patent claims that are essentially the same as those in an existing patent,” that “[t]he use of terminal disclaimers linking similar patent claims can exacerbate the exclusionary impact of patent thickets by forcing potential market entrants to incur the high cost of challenging multiple duplicative patents,” and that “[t]he [FTC] believes the proposed rule will reform terminal disclaimer practice in a manner that reduces gamesmanship by patent holders, as well as the number, size, and impact of patent thickets. Intellectual property policy that promotes competition and market entry will foster vibrant markets that promote innovation and lower prices for businesses and consumers.”
Administrative Deference
While public comment was open for the proposed USPTO rule, the Supreme Court issued its decision in Loper Bright, effectively eliminating Chevron deference for administrative agency action. The Supreme Court’s decision in Chevron required courts to give “Chevron deference” to an agency’s administrative interpretation of a statute if the agency’s interpretation of an ambiguous statute was “rational” or “reasonable” and Congress had not spoken directly on that issue. However, in Loper Bright the Supreme Court found that Chevron deference “defied the command” of the APA and violated the court’s responsibility to interpret statutes and decide questions of law. This now means that Skidmore deference will apply. Skidmore deference means courts should judge an agency’s actions based on “the thoroughness evident in [an agency’s] consideration, the validity of its reasoning, its consistency with earlier and later pronouncements, and all those factors which give it power to persuade, if lacking power to control.” Skidmore v. Swift & Co., 323 U.S. 134, 140 (1944).
The PTO’s primary statutory authority for rulemaking comes from 35 U.S.C. Section 2(b)(2), which provides that the USPTO “may establish regulations, not inconsistent with law, which—(A) shall govern the conduct of proceedings in the Office. . . .” Years before Loper Bright issued, the Federal Circuit had already found that the PTO’s rulemaking authority authorizes it to create regulations regarding proceedings at the PTO and does not give the PTO the authority to issue substantive rules. See, e.g., Merck & Co., Inc. v. Kessler, 80 F.3d 1543, 1549-50 (Fed. Cir. 1996) (emphasis in original) (finding that the USPTO’s rulemaking authority authorizes the USPTO to create regulations regarding “the conduct of proceedings at the [PTO]” and “it does NOT grant the Commissioner the authority to issue substantive rules. . . . Thus, the rule of controlling deference set forth in Chevron does not apply.”); Animal Legal Defense Fund v. Quigg, 932 F.2d 920, 930 (Fed. Cir. 1991).
Therefore, given the stricter standard for judging agency action and the Federal Circuit’s finding that the PTO’s rulemaking authority is limited to proceedings at the PTO, it is likely that the proposed rule will not be passed. If it is passed, the courts will likely invalidate it, finding that the PTO did not have authority to pass such a rule.
What to Know About the War Being Waged Against DEI
Can you still have DEI (diversity, equity, and inclusion) programs? How about affirmative action plans? The Supreme Court’s June 2023 decision in Students for Fair Admissions v. Harvard garnered national attention in holding that Harvard’s admissions program, which used race as a factor in admissions, violated the Equal Protection Clause of the 14th Amendment. Since then, major private corporations have made headlines with their decisions to scale back certain DEI initiatives. Other private companies, such as Costco and Apple, remain unwavering in their commitment to DEI. While not without legal risk, companies that have found DEI initiatives to be helpful to their business and culture can continue with their programs.
State Attorneys General Weigh In
In a recent letter, 13 Democratic attorneys general (from California, Connecticut, Hawaii, Illinois, Maine, Maryland, Massachusetts, Minnesota, Nevada, New Jersey, New York, Rhode Island, and Vermont) urged one retail giant to reconsider its scaling back of DEI programs. The AGs’ letter reminded the retail giant that the Fair Admissions decision is a narrow ruling and does not prohibit private corporations from implementing DEI initiatives. The letter went on to remind the company that DEI initiatives are not only encouraged and beneficial but are in some cases necessary to comply with certain states’ anti-discrimination laws.
The New Administration Weighs In
President Trump’s recent executive order, titled “Ending Illegal Discrimination and Restoring Merit-Based Opportunity,” has made the future of DEI even more perilous. The executive order rescinded Executive Order 11246, a 1965 order that imposed affirmative action requirements on federal contractors. Additionally, the federal government has placed DEI employees on paid leave and ordered the termination of DEI activities within federal agencies. The recent executive order goes on to demand that the attorney general submit “recommendations for enforcing Federal civil-rights laws and taking other appropriate measures to encourage the private sector to end illegal discrimination and preferences, including DEI.”
Avoiding Legal Risks in Continued DEI Efforts
If you want to continue DEI efforts, do so thoughtfully and recognize the risks. The recent executive orders emphasize the idea of restoring merit to employment decisions. Therefore, your DEI measures should ensure that programs continue to be merit-based and are designed to provide equal access to opportunities for all applicants and employees. The executive order does not define the specific DEI programs or activities it deems to be illegal; however, policies such as quotas, hiring preferences, or hiring goals are likely more susceptible to claims of discrimination. You should review any of your existing company policies and initiatives to ensure they comply with state and federal anti-discrimination laws, as well as recent executive actions.
In the aftermath of the Fair Admissions decision, the EEOC stated “[i]t remains lawful for employers to implement diversity, equity, inclusion, and accessibility programs that seek to ensure workers of all backgrounds are afforded equal opportunity in the workplace.” Due to recent executive actions, we may get additional guidance from the EEOC on the topic of DEI.
Before you make a decision to change an existing workplace DEI initiative or to implement a new initiative, you should consult with your legal counsel to ensure compliance with state and federal anti-discrimination laws. Be on the lookout for developments in this space, as the president’s recent executive actions will likely face legal challenges, so the landscape could change.