Kelley v. Homminga, No. 25-9013 & Devon Energy Production Co. v. Oliver, No. 25-9014 – Decided March 14, 2025
The Texas Supreme Court unanimously held that the Fifteenth Court of Appeals’ jurisdiction is limited to cases within its exclusive appellate jurisdiction and those transferred to it under the Texas Supreme Court’s power to equalize dockets.
“We conclude S.B. 1045 is susceptible of only one reasonable construction: the Legislature did not intend the Fifteenth Court to hear every civil appeal within its statewide jurisdiction.”
Background:
In 2023, the Texas Legislature passed S.B. 1045, creating the Fifteenth Court of Appeals, a new intermediate appellate court with exclusive, statewide appellate jurisdiction over appeals involving the State and appeals from Texas’s recently created business court. Shortly after the Fifteenth Court began hearing cases in September 2024, a question about the scope of its jurisdiction arose: Does it have general, statewide appellate jurisdiction in addition to its exclusive intermediate appellate jurisdiction?
Two cases presented the issue: Kelley v. Homminga and Devon Energy Production Co. v. Oliver. In both cases, the defendants appealed directly to the Fifteenth Court, even though neither appeal was within the Fifteenth Court’s exclusive jurisdiction. Both sets of defendants argued that the Fifteenth Court could hear their appeals because it had general appellate jurisdiction. Each set of plaintiffs moved to transfer the appeal to the regional court of appeals that would ordinarily hear the case—in Kelley, the First or Fourteenth Court, and in Devon, the Thirteenth Court.
The Fifteenth Court denied both transfer motions over dissents by Chief Justice Brister. The majority held that because the Government Code grants the Fifteenth Court general appellate jurisdiction over civil cases statewide, the Fifteenth Court could hear the cases. But in Chief Justice Brister’s view, this would increase the number of appeals in the Fifteenth Court and divert judicial resources to cases outside the court’s exclusive jurisdiction. He further expressed concern that construing the court’s jurisdiction so broadly would incentivize forum-shopping and lead to gamesmanship. The First Court agreed with the Fifteenth Court majority, while the Thirteenth and Fourteenth Courts disagreed. In accordance with Texas Rule of Appellate Procedure 27a, the Fifteenth Court promptly notified the Texas Supreme Court of the courts’ disagreement so that it could resolve the dispute.
Issue:
Does the Fifteenth Court of Appeals’ jurisdiction extend beyond (1) the cases over which it has exclusive intermediate appellate jurisdiction and (2) cases transferred to it by the Supreme Court for docket equalization purposes?
Court’s Holding:
No. S.B. 1045’s text and structure indicate that the Fifteenth Court’s jurisdiction is limited to cases that are (1) within its exclusive jurisdiction or (2) transferred to it by the Supreme Court for docket equalization purposes.
What It Means:
- In a unanimous per curiam opinion, the Supreme Court held that the Fifteenth Court’s jurisdiction extends only to those cases involving the State or from the business court.
- The Supreme Court’s decision ensures that the Fifteenth Court will remain focused on quickly and efficiently resolving the categories of cases the Legislature placed within its exclusive jurisdiction. Indeed, instead of being “[b]urdened with thousands of civil cases of every stripe,” today’s decision ensures that the Fifteenth Court will be able “to give special attention to those cases the Legislature has defined as critical to the State’s interests.” Op. at 10.
- The prompt decisions by the Fifteenth Court, regional courts of appeals, and Supreme Court underscore their commitment to providing timely and predictable answers to disputes that arise as the Fifteenth Court of Appeals proceeds with its work.
- Any appeals filed in the Fifteenth Court that fall outside its exclusive jurisdiction are subject to transfer.
The Court’s order and opinion for Kelley v. Homminga, No. 25-9013, are available here.
The Court’s order and opinion for Devon Energy Production Co. v. Oliver, No. 25-9014, are available here.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Texas Supreme Court. Please feel free to contact the following practice group leaders:
Appellate and Constitutional Law Practice
Thomas H. Dupree Jr. +1 202.955.8547 tdupree@gibsondunn.com
Allyson N. Ho +1 214.698.3233 aho@gibsondunn.com
Julian W. Poon +1 213.229.7758 jpoon@gibsondunn.com
Brad G. Hubbard +1 214.698.3326 bhubbard@gibsondunn.com
Related Practice: Texas General Litigation
Trey Cox +1 214.698.3256 tcox@gibsondunn.com
Collin Cox +1 346.718.6604 ccox@gibsondunn.com
Gregg Costa +1 346.718.6649 gcosta@gibsondunn.com
John Adams +1 214.698.3335 jsadams@gibsondunn.com
David Woodcock +1 214.698.3211 dwoodcock@gibsondunn.com
This alert was prepared by Texas of counsels Ben Wilson and Kathryn Cherry and associates Elizabeth Kiernan, Stephen Hammer, and Jaime Barrios.
© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
From the Derivatives Practice Group: This week, Acting Chairman Caroline D. Pham announced a 30-day compliance and remediation initiative for investigations and matters that do not involve customer harm or abuse.
New Developments
- CFTC Staff Withdraws Advisory on Swap Execution Facility Registration Requirement. On March 13, the CFTC Division of Market Oversight (“DMO”) announced it is withdrawing CFTC Letter No. 21-19, Staff Advisory Swap Execution Facility (“SEF”) Registration Requirement, effective immediately. As stated in the withdrawal letter, DMO determined to withdraw the advisory since it has created uncertainty regarding whether certain entities are required to register as SEFs. [NEW]
- Acting Chairman Caroline D. Pham Delivers Keynote Address at FIA BOCA50. On March 11, Acting Chairman Caroline D. Pham announced a new 30-day compliance and remediation initiative or enforcement sprint. This initiative involves review of the CFTC’s currently open investigations and enforcement matters regarding compliance violations, such as recordkeeping, reporting or other compliance violations without customer harm or market abuse. The CFTC will seek to expeditiously resolve these matters in the next 30 days to conserve the CFTC’s resources and free up Division of Enforcement staff to pursue fraudsters and scammers and seek recoveries for victims, whether through disgorgement, restitution, or other measures. [NEW]
- SEC Crypto Task Force to Host Roundtable on Security Status. On March 3, the SEC announced that its Crypto Task Force will host a series of roundtables to discuss key areas of interest in the regulation of crypto assets. The “Spring Sprint Toward Crypto Clarity” series will begin on March 21 with its inaugural roundtable, “How We Got Here and How We Get Out – Defining Security Status.” The SEC indicated that the initial roundtable on March 21 is open to the public and will be held from 1 p.m. to 5 p.m. at the SEC’s headquarters at 100 F Street, N.E., Washington, D.C., that the primary discussion will be streamed live on SEC.gov, and that a recording will be posted at a later date. The SEC also noted that information regarding the agenda and roundtable speakers will be posted on the Crypto Task Force webpage.
- CFTC Commissioner Christy Goldsmith Romero to Step Down from the Commission and Retire from Federal Service. On February 26, Commissioner Christy Goldsmith Romero announced she is stepping down from the Commission and will retire from federal service. Commissioner Romero extended gratitude towards President Biden for her nomination, the U.S. Senate for its unanimous confirmation, and her current and former staff and CFTC for their public service.
- CFTC Releases Enforcement Advisory on Self-Reporting, Cooperation, and Remediation. On February 25, the CFTC’s Division of Enforcement issued an Advisory on how the Division will evaluate a company’s or individual’s self-reporting, cooperation, and remediation when recommending enforcement actions to the Commission and establishes the factors the Division will consider. This marks the first time the Division will use a matrix to determine the appropriate mitigation credit to apply. Commissioner Kristin N. Johnson released a statement that “any effort to adopt new reporting processes, particularly processes that require inter-division guidelines and infrastructure, must be consistent with the mandates of [the CFTC]” and consequently, that she does not support the Advisory. Additional information regarding the Advisory can be found in our client alert.
New Developments Outside the U.S.
- The ESAs Acknowledge the European Commission’s Amendments to the Technical Standard on Subcontracting Under the Digital Operational Resilience Act. On March 7, the European Supervisory Authorities (EBA, EIOPA and ESMA – the “ESAs”) issued an opinion on the European Commission’s (“EC”) rejection of the draft Regulatory Technical Standard (“RTS”) on subcontracting. The EC indicated that it rejected the original draft RTS on subcontracting, which specified further elements that financial entities must determine and assess when subcontracting ICT services that support critical or important functions under the Digital Operational Resilience Act (“DORA”), on the grounds that certain elements exceeded the powers given to the ESAs by DORA. The opinion acknowledges the assessment performed by the EC and opines that the amendments proposed ensure that the draft RTS is in line with the mandate set out under DORA. The ESAs said that, for this reason, they do not recommend further amendments to the RTS in addition to the ones proposed by the EC. The ESAs encouraged the EC to finalize the adoption of the RTS without further delay as submitted to the ESAs.
- EC Publishes Sustainability Omnibus Package. On February 26, the EC published the sustainability omnibus package and accompanying Q&A, alongside the Clean Industrial Deal communication and investment simplification package. ISDA said that the proposals are intended to simplify sustainability reporting and due diligence, as well as reduce administrative burdens on companies. The EC has also launched a consultation until March 26 on draft amendments to the Taxonomy Disclosures delegated act, including, inter alia, the suspension of the Trading Book Key Performance Indicator to 2027. The EC also proposed to delay the Corporate Sustainability Due Diligence Directive (“CSDDD”) transposition deadline and application date by one year to July 26, 2027 and 2028 respectively. Other CSDDD proposals include the removal of the EC review clause to evaluate whether additional due diligence requirements should be imposed on the provision of financial services and investment activities by July 26, 2026, the removal of the EU-wide harmonized civil liability regime and the deletion of the requirement to terminate business relationships. The EC’s proposed changes to the Carbon Border Adjustment Mechanism (“CBAM”) regulation include an exemption for small importers of CBAM goods and a postponement of the obligation for importers to purchase CBAM certificates to February 1, 2027. The Clean Industrial Deal further notes that the EC is working on a CBAM review report that will assess the functioning of the mechanism and potential scope extension to other emissions trading system sectors which will be presented in the autumn, followed by a legislative proposal in early 2026. The proposed amendments to the Corporate Sustainability Reporting Directive, CSDDD and CBAM will now be considered for adoption by the European Parliament and the Council.
New Industry-Led Developments
- ISDA Expands SwapsInfo to Include European CDS Trading Activity. On March 13, ISDA announced that it has expanded its SwapsInfo derivatives database and website to include European credit default swaps (“CDS”) trading activity, creating a more comprehensive picture of derivatives trading in the EU, UK and US. The new data includes EU and UK index and single-name CDS traded notional and trade count, based on transactions publicly reported by 18 European approved publication arrangements and trading venues. [NEW]
- ISDA Submits Paper to ESMA on OTC Derivatives Identifier for MIFIR Transparency. On March 11, ISDA submitted a paper to ESMA setting out its view on how the delegated act specifying the identifying reference data to be used for over-the-counter (“OTC”) derivatives transparency under the Markets in Financial Instruments Regulation (“MIFIR”) should be implemented. The delegated act leaves room for interpretation by ESMA on which unique identifier should be used, creating a risk that the International Securities Identification Number may be retained in some form. The ISDA paper makes the case for the use of the unique product identifier (“UPI”), maintaining its position that this will create more effective transparency and a more attractive consolidated tape, as well as reducing cost and complexity, and aligning with the increasing international consensus on using the UPI as the basis for OTC derivatives identification. [NEW]
- ISDA Responds to FSB Consultation on Leverage In NBFI. On February 28, ISDA responded to the Financial Stability Board’s (FSB) consultation on leverage in the non-bank financial intermediation (NBFI) sector. ISDA made the following points: overly prescriptive regulatory recommendations for all NBFI-sector firms across all geographies and market sectors could be inappropriate; the ways in which the use of leverage in the NBFI sector would create financial stability risks deserve further examination; ISDA believes the FSB should undertake a deeper analysis of the impact of the proposed measures on the cost of hedging, market liquidity and liquidity needs in times of stress; and the FSB should account for how the use of derivatives and secured financing, which the FSB characterizes as leverage-inducing activities, support key functions performed by financial markets, including: financing, hedging, price discovery, and market stabilization through countercyclical behaviors.
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)
Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)
Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)
Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)
Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)
Adam Lapidus, New York (212.351.3869, alapidus@gibsondunn.com)
Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)
William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)
Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com)
Hayden K. McGovern, Dallas (214.698.3142, hmcgovern@gibsondunn.com)
Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)
This Review addresses (1) the regulation of privacy and data security, other legislative developments, enforcement actions by federal and state authorities, and new regulatory guidance; (2) trends in civil litigation around data privacy and security in areas including data breach, wiretapping, biometrics, anti-hacking and computer intrusion statutes, and TCPA; and (3) trends related to data innovations and governmental data collection. Information on developments outside the United States—which are relevant to domestic and international companies alike—will be covered in Gibson Dunn’s forthcoming International Cybersecurity and Data Privacy Review and Outlook, and additional developments relevant to AI will be covered in the Artificial Intelligence Review and Outlook.
II. REGULATION OF PRIVACY AND DATA SECURITY
a. New Comprehensive State Privacy Laws Passed in 2024
b. Comprehensive State Privacy Laws Becoming Effective in 2025
c. State Privacy Frameworks and Trends
i. Enforcement and Rulemaking Authority
ii. Scope of Automated Decisionmaking Regulations
iii. Consumer Rights
a. Florida’s Online Protection for Minors Act
b. Protecting Georgia’s Children on Social Media Act of 2024
c. Maryland’s Kids Code
d. New York’s SAFE for Kids Act
e. Illinois’ Amended Biometric Information Privacy Act
f. Colorado’s Privacy of Biometric Identifiers and Data Bill
g. New York’s Amended Labor Law
h. California’s Protecting Our Kids from Social Media Addiction Act
i. Colorado and California’s Amendments to the “Sensitive Data” Definition
a. Comprehensive Federal Privacy Legislation
b. Other Introduced Legislation
a. FTC Organization Updates
b. Algorithmic Bias and Artificial Intelligence
c. Commercial Surveillance and Data Security
d. Notable FTC Enforcement Actions
e. Financial Privacy
f. Children’s and Teens’ Privacy
g. Biometric Information
a. A Dramatic Shift Under the Trump Administration
b. Impact of the Trump Administration’s Actions on the Pre-Trump CFPB’s Ambitious Agenda
c. Other Regulators and Private Litigation: Filling a Potential Enforcement Gap
a. Regulation
b. Enforcement
c. SEC Enforcement Outlook for 2025
a. Rulemaking on HIPAA Compliance and Data Breaches
b. Telehealth and Data Security Guidance
c. Reproductive and Sexual Health Data
d. HHS Enforcement Actions
a. Department of Homeland Security
b. Department of Justice
c. Department of Commerce
d. Department of Energy
e. Department of Defense
f. Federal Communications Commission
i. California Privacy Protection Agency
ii. California Attorney General
III. CIVIL LITIGATION REGARDING PRIVACY AND DATA SECURITY
A. Data Breach Litigation
B. Wiretapping and Related Litigation Concerning Online “Tracking” Technologies
C. Anti-Hacking and Computer Intrusion Statutes
D. Telephone Consumer Protection Act Litigation
E. State Law Litigation
a. Limited Reach of the CCPA’s Private Right of Action
b. Other CCPA Defenses
i. Application of BIPA to Cloud Services Companies
ii. In-State Processing of Non-Illinois Residents’ Data
iii. Biometric Data Must Be “Capable of Identifying” the Plaintiff
iv. BIPA Damages Amendment
v. Defendant’s Lack of Control of the Data at Issue
vi. Pleading Requirement for AI Model-Training Theory
vii. Other Noteworthy Developments
b. Texas Biometric Privacy Law Litigation
c. New York Biometric Privacy Law Litigation
Congress’s continued failure to pass a comprehensive privacy law left the states—as well as federal agencies—to keep leading the charge in defining and regulating cybersecurity and privacy in the United States. The states embraced this charge in 2024—seven states enacted new comprehensive privacy laws, and four states’ comprehensive privacy laws took effect. With 11 new comprehensive privacy laws slated to take effect in 2025 and 2026, 20 states and approximately half of the U.S. population will be covered by a state comprehensive privacy law by 2026. While the newly enacted laws generally follow a similar framework and share common core requirements, important variations are starting to emerge, which threaten to further complicate the already heavy compliance burden for companies operating across state lines. At the same time, there was a growing emphasis on children’s online privacy and biometric data in 2024, and a number of states amended their existing comprehensive privacy law to reflect this focus. State regulators similarly pursued an aggressive enforcement agenda in 2024, with a notable focus on children’s data/social media, biometric data, and data brokers.
There was also significant legislative, rulemaking, and enforcement activity at the federal level in 2024. Notably, the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA), which prohibits data brokers from transferring Americans’ sensitive personal data to certain foreign countries, was enacted and went into effect in 2024. In addition, numerous federal agencies—including the FTC, SEC, CFPB, DOJ, and HHS—promulgated privacy and data protection regulations and guidance on a range of issues, including children’s online privacy, biometric data, health data, location data, data brokers/national security, and cybersecurity incident disclosure, among other issues. Many federal agencies also brought enforcement actions against companies for alleged privacy, data security, and related violations.
While we expect some of these trends to continue in 2025 and beyond, particularly at the state level, the Trump administration’s early policy changes—defined by deregulation of the technology industry, removal of what some consider historical barriers to innovation, and a reversal of Biden-era policies related to content moderation, AI and digital assets, among other things—signal a significant shift at the federal level that will inevitably shape state policy and enforcement priorities.
Litigation likewise remained active in 2024, with a continued uptick in claims by private litigants and government entities related to data breaches, federal and state wiretapping laws, and state biometrics laws. Litigation is expected to continue in these areas in 2025.
This Review contextualizes these and other 2024 developments by addressing: (1) the regulation of privacy and data security, other legislative developments, enforcement actions by federal and state authorities, and new regulatory guidance; (2) trends in civil litigation around data privacy and security in areas including data breach, wiretapping, biometrics, anti-hacking and computer intrusion statutes, and TCPA; and (3) trends related to data innovations and governmental data collection. Information on developments outside the United States—which are relevant to domestic and international companies alike—will be covered in detail by Gibson Dunn’s forthcoming International Cybersecurity and Data Privacy Outlook.
II. REGULATION OF PRIVACY AND DATA SECURITY
The state comprehensive data privacy law expansion trend continued in 2024, with seven states enacting new laws: Minnesota, Nebraska, New Hampshire, New Jersey, Maryland, Kentucky, and Rhode Island. Comprehensive data privacy laws took effect in four states in 2024: Florida, Texas, Oregon, and Montana. In 2025, another eight states—Delaware, Iowa, Minnesota, Nebraska, New Hampshire, New Jersey, Tennessee, and Maryland—will see their laws go into effect, and laws will take effect in three more states—Indiana, Kentucky, and Rhode Island—in early 2026. At that point, the total number of effective comprehensive state privacy laws will be 20, just seven years after California enacted the trail-blazing California Consumer Privacy Act. In addition, at the time of this report, the Connecticut, Iowa, and Tennessee legislatures are in various states of amending their current laws and another 16 states are actively considering data privacy legislation, with drafting and negotiations in various phases, and states have continued to enact narrower sector-specific laws covering minors, biometric information, and health information. We discuss these laws below and highlight different states’ approaches to consumer rights.
Some state governments have also demonstrated a commitment to enforcing their data privacy laws, and announced several significant enforcement actions in 2024. With the continued absence of comprehensive federal privacy legislation, we suspect that states will continue to actively enforce their respective privacy laws. We discuss state-level enforcement below in our State Agencies section.
Since California enacted the first comprehensive state privacy law in 2018, 19 other states have followed suit with their own comprehensive privacy legislation. The pace of legislation has accelerated in recent years—while only five states enacted privacy laws between 2018-2022, eight enacted laws in 2023, and seven more in 2024. Currently, 16 other states are also considering privacy legislation: Alabama, Arkansas, Georgia, Hawaii, Illinois, Massachusetts, Mississippi, New Mexico, New York, Ohio, Oklahoma, Pennsylvania, South Carolina, Vermont, Washington, and West Virginia.
The seven state privacy laws enacted in 2024—Minnesota, Nebraska, New Hampshire, New Jersey, Maryland, Kentucky, and Rhode Island—generally share the same basic requirements, providing consumers with rights to access, correct and delete their personal data, and opt out of targeted advertising, profiling, and the sale of personal data. Although these core elements remain consistent, certain states have introduced unique provisions. We discuss the state laws passed in 2024 that will go into effect in 2025 in more detail below. For analysis of comprehensive privacy laws that took effect in 2024 (including Florida, Texas, Oregon, and Montana), please refer to last year’s review.
b. Comprehensive State Privacy Laws Becoming Effective in 2025
A few months into 2025, comprehensive state privacy laws for five states—Delaware, Iowa, Nebraska, New Hampshire, and New Jersey—have already gone into effect with three more—Tennessee, Maryland and Minnesota—coming online later this year. While these laws are largely coextensive with existing comprehensive privacy laws, they also contain distinguishing features, which we summarize below. Nebraska’s and New Hampshire’s laws are substantially similar to existing state privacy laws, so we do not summarize those.
Delaware
The Delaware Personal Privacy Act for the most part aligns with other states’ laws, but notably does not provide entity-level exemptions for institutions of higher education or most nonprofit organizations, unless the nonprofit provides services to victims or witnesses of child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.[1]
Delaware—along with Minnesota (discussed below) and Oregon—also requires that, as part of a consumer access request, data controllers disclose to the consumer the list of specific third parties, rather than just the categories of third parties, to which a business has disclosed that consumer’s personal data.
Iowa
The Iowa Consumer Data Protection Act differs from other comprehensive state privacy laws by omitting several widely adopted consumer rights.[2] Iowa does not mandate data protection assessments for processing activities involving “heightened risk of harm to consumers,” which sets it apart from every other state except for Utah, which also does not have this requirement.[3] Consumers also lack the right to opt out of processing for targeted advertising and profiling. They do, however, have the right to opt out of the sale of personal data. Iowa also diverges from most states in the manner it requires consent to collect and process sensitive data.[4] The common practice is for controllers to obtain opt-in consent, but Iowa requires pre-use notice with an opportunity for consumers to opt out prior to having their data collected. This approach is distinctly controller-friendly, setting the default presumption that controllers can collect sensitive consumer data unless the consumer takes action to opt out.
Maryland
Maryland’s Online Data Privacy Act, which will take effect in October 2025, has some of the strictest requirements in the country.[5] It is the only state to prohibit the sale of sensitive personal information entirely. With respect to minors, Maryland prohibits the sale of their personal information and the processing of their personal information for targeted advertising.[6] Maryland defines a minor as anyone under the age of 18, as compared to 16 and under in California’s and Virginia’s comprehensive data privacy laws (among others). And, unlike other states, Maryland extends this obligation to any business that “knew or should have known” the consumer’s age. Other states, like Texas and Connecticut, require actual knowledge or willful disregard of the consumer’s age.[7]
Minnesota
Most states give consumers the right to opt out of automated processing that furthers a significant decision (such as an employment decision), but, with its Consumer Data Privacy Act, Minnesota is the first state to offer consumers the right to question these decisions.[8] Minnesota’s right to question includes the ability to: (1) know the reason behind the decision, (2) know what actions the consumer might have taken to secure a different decision in the future, (3) review the personal data used, and (4) correct inaccurate personal data and have the decision reevaluated. As businesses become more reliant on automated programs to assist in decisionmaking, this “right to question” will be a unique area of compliance that companies operating in Minnesota will have to be ready for.
New Jersey
With the New Jersey Data Privacy Law, which we also covered in last year’s update, New Jersey joins California and Colorado in the small group of states that grants rulemaking authority to a state agency.[9] New Jersey’s privacy law authorizes its director of the Division of Consumer Affairs to promulgate implementing regulations under Senate Bill 332, allowing the state agency to create rules to better carry out the law’s intended purpose. The state agency has not yet proposed any regulations under this authorization.
Tennessee
The Tennessee Information Protection Act, while largely similar to other comprehensive state privacy laws, is unique in that it recognizes an affirmative defense to a violation.[10] If a data controller either maintains and complies with a written policy that aligns with the National Institute of Standards and Technology privacy framework or has documented policies designed to safeguard consumer privacy, it may avail itself of this defense.[11]
The recent wave of state privacy legislation shows that most states are converging on core obligations, but meaningful divides on specific issues are also emerging. This section examines some of the most important distinctions between state privacy laws and their implications for compliance.
All state privacy laws, except California’s, grant enforcement authority solely to the state attorney general, prohibiting private citizens from filing lawsuits. To date, public actions have been filed only in California and Texas, although other state Attorneys General continue to serve non-public violation notices, requests for information, or civil investigative demands, and this is expected to increase as more state laws go into effect.
Only three states—California, Colorado, and New Jersey—have empowered state agencies to issue regulations related to their respective privacy laws.[12] While California and Colorado have already issued regulations, New Jersey only recently empowered its Division of Consumer Affairs within the Department of Law and Public Safety to do so. Unlike California and Colorado, New Jersey did not set a deadline for passing regulations, making it uncertain whether and when the state will exercise its rulemaking authority.
All states with privacy laws (except Utah and Iowa) allow consumers to opt out of certain forms of automated decisionmaking. States typically define automated decisionmaking as the processing of personal information to analyze or predict personal aspects such as health or behavior in furtherance of a significant decision.[13] Some states restrict this right to “solely” automated decisionmaking, while others provide the right to opt out of automated decisionmaking more broadly. The statutory scope of these opt out rights will become increasingly important as businesses roll out new automated processing tools.
Opt-out right for “solely” automated decisionmaking[14] | Opt-out right for automated decisionmaking[15] | No opt-out right[16] |
Connecticut, Delaware, Florida, Indiana, Maryland, Montana, Nebraska, New Hampshire, Rhode Island, Tennessee, Texas | California*[17], Colorado, Kentucky, Minnesota, New Jersey, Oregon, Virginia | Iowa, Utah |
Definition of “Sale”
Every state with privacy laws imposes obligations on businesses that “sell” personal information. Some states define the “sale” of data as an exchange for “monetary or other valuable consideration,” while others define sale as an exchange for “monetary consideration” only.
These differences can have major impacts, particularly for businesses that participate in marketing cooperatives or other similar organizations that provide services in exchange for data, rather than payment.
Monetary or other valuable consideration[18] | Monetary consideration only[19] |
California, Colorado, Connecticut, Delaware, Florida, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Texas | Indiana, Iowa, Kentucky, Tennessee, Utah, Virginia |
Children
Since the Children’s Online Privacy Protection Act (COPPA) was enacted in 1998, state privacy law has generally considered children’s data to be sensitive data subject to the COPPA Rule’s requirement that businesses must obtain parental consent before collecting personal information from children under 13 years old.[20]
However, in recent years, many state laws have expanded their youth privacy protections to include heightened opt-in consent requirements for teenagers under the age of 16, requiring businesses to get affirmative consent for targeted advertising or the sale of data. New Jersey and Minnesota extend the opt-in requirement to those under 17, and Delaware extends it to age 18.
Maryland goes further than any other state by prohibiting targeted advertising and the sale of data entirely if a business “knew or should have known” that the individual is under 18.
Opt-in consent for sale of data or targeted advertising (for children under 16 years old)[21] | Opt-in consent for sale of data, targeted advertising, and profiling (for children under 16 years old)[22] | No targeted advertising or sale of data[23] | No age-specific provisions[24] |
California, Connecticut, Delaware (<18), Minnesota (<17), Montana, New Hampshire | New Jersey (<17), Oregon | Maryland (<18) | Colorado, Florida, Indiana, Iowa, Kentucky, Nebraska, Rhode Island, Tennessee, Texas, Utah, Virginia |
Although most states offer consumers the right to opt out of targeted advertising and the right to access and delete their data, many states provide additional consumer protections.
Most states require businesses to honor universal opt-out mechanisms, such as the Global Privacy Control. Universal opt-out mechanisms allow consumers to opt out of personal data sales and targeted advertising automatically, rather than adjusting their preferences on a site-by-site basis.
By the end of January 2026, 11 states will require controllers to recognize universal opt-out mechanisms. California, Colorado, Delaware, Montana, Nebraska, and Texas currently have an active requirement. New Jersey, Minnesota, and Maryland will require controllers to recognize universal opt-out mechanisms in the second half of 2025, followed by Connecticut and Oregon in January 2026.
Most laws require businesses to disclose the “categories” of third parties that receive consumer information (for example, advertisers or payment processors). Delaware, Minnesota, and Oregon, however, require businesses to disclose a list of specific third parties in response to an access request. In Rhode Island, no request is necessary—a business is required to post the list of specific third parties in a conspicuous location on its website.
Delaware and New Jersey are notable for being the only two states that require businesses to actually delete information after receiving a consumer request to delete.[25] Most states allow data to be kept if it is de-identified or removed from non-exempt use cases.[26]
Requirement | States with requirement | States without requirement |
Universal opt-out mechanism[27] | California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas | Florida, Indiana, Iowa, Kentucky, Rhode Island, Tennessee, Utah, Virginia |
Response to right to access must include a list of “specific third parties” that have received the consumer’s personal data[28] | Delaware, Minnesota, Oregon, Rhode Island (must be posted publicly) | California, Colorado, Connecticut, Florida, Indiana, Iowa, Kentucky, Maryland, Montana, Nebraska, New Hampshire, New Jersey, Tennessee, Texas, Utah, Virginia |
Actual deletion required on request (not just de-identification or removal from non-exempt use cases)[29] | Delaware, New Jersey | California, Colorado, Connecticut, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia |
In addition to the comprehensive state privacy laws discussed above, states have continued to legislate in specific sectors, particularly in relation to minors’ data, biometric information, and employee social media data.
On March 25, 2024, Florida Governor Ron DeSantis signed legislation to ban social media platforms from allowing children aged 13 and under to create social media accounts. The law requires social media platforms to delete existing accounts for children under the age of 14, and allows minors who are 14 and 15 to have social media accounts only upon parental consent.[30] The law is effective as of January 1, 2025.[31]
The law also imposes a range of other restrictions. Websites that publish “material harmful to minors”—which generally refers to “obscene” materials, like pornography—must verify the age of the person attempting to access the material.[32] Social media platforms must also verify the age of users, using “commercially reasonable method[s],” and conduct such age verification through an independent third party.[33] These third parties may not retain or use personal identifying information for purposes other than age verification, and must anonymize and protect personal identifying information from unauthorized access.[34]
The law has been challenged by three internet-industry groups, which cite First Amendment concerns. According to these plaintiffs, the law is unconstitutional as it restricts minors’ access to speech and forces businesses to collect sensitive data.[35] The law is currently paused from enforcement until a preliminary injunction motion for one of the ongoing cases is resolved.[36]
b. Protecting Georgia’s Children on Social Media Act of 2024
On April 23, 2024, Georgia Governor Brian Kemp also signed legislation imposing new restrictions on minors’ internet usage. Under the Protecting Georgia’s Children on Social Media Act of 2024, social media companies are required to prevent minors, defined as those under 16 years old,[37] from using their services without the “express consent” of a parent or guardian.[38] Social media companies are also required to use commercially reasonable efforts to verify the age of account holders.[39] The law goes into effect on July 1 of this year.[40]
In addition to the age verification requirements, social media companies must make available, upon a parent or guardian’s request, a list and description of features offered on their platforms that parents and guardians can utilize to censor or moderate content.[41]
Regarding minors’ personal data, social media platforms are prohibited from displaying any advertising to a minor based on their personal information, except age and location, and may not collect personal information from a minor’s posts, content, messages, text, or usage activities other than what is “adequate, relevant, and reasonably necessary for the purposes for which such information is collected.”[42]
On May 9, 2024, Maryland Governor Wes Moore signed legislation requiring data protection impact assessments for the processing of children’s data and default privacy settings for children. The law is effective as of October 1, 2024. The law defines “child” as any consumer under the age of 18.[43] It requires companies that operate online products that are “reasonably likely to be accessed by children” to provide, upon request of the Division of Consumer Protection of the Office of the Attorney General, a data protection impact assessment that identifies the purpose of an online product, how it uses children’s data, and whether it is designed in a manner consistent with the best interests of children.[44] “Best interests of children” refers to the reasonable foreseeability of material physical, financial, psychological, or emotional harm to children; a highly offensive intrusion on children’s reasonable expectation of privacy; or discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation.[45] The law also requires that these companies put in place default privacy settings that offer children a “high level of privacy,” restricting companies’ ability to profile minors or process unnecessary data.[46]
On February 3, 2025, an internet-industry trade association filed a complaint against the Maryland Attorney General, alleging that the Maryland Kids Code violated the First Amendment and 14th Amendment. The plaintiff remarked that the law “presents websites with an impossible choice: either proactively censor broad categories of constitutionally protected speech or force users to submit sensitive personal information.” The plaintiff also takes issue with the law’s data protection impact assessment, alleging a First Amendment violation for “compel[ling] speech in the form of a data impact statement.” It additionally argues that the “reasonably likely to be accessed by children” and “best interests of children” standards are vague.[47] A ruling is expected in the coming weeks.
On June 20, 2024, New York Governor Kathy Hochul signed the Stop Addictive Feeds Exploitation (SAFE) For Kids Act, the first set of restrictions in the nation on purportedly addictive social media feeds for minors. “Minor” under the law means individuals under the age of 18.[48] The law mandates that, unless parental consent is granted, minors may not receive “addictive feeds,” which are defined as websites, online services, or applications in which multiple pieces of media are recommended, selected, or prioritized for display to a user based on information associated with them or their device, unless specifically requested by the user (i.e., through a manual search).[49] The law also creates restrictions on platforms that offer “addictive feeds” as a significant part of their services, prohibiting these platforms from sending notifications to minors about the “addictive feed” between the hours of twelve and six a.m. Eastern Time, unless they receive parental consent.[50] This law will go into effect 180 days after New York Attorney General Letitia James finalizes regulations necessary for implementation.
On August 2, 2024, Illinois Governor J.B. Pritzker signed into law amendments to the Illinois Biometric Information Privacy Act (BIPA). These amendments were effective immediately.[51] Principal among these amendments was the provision that collecting the same biometric data from an individual using the same method is considered a single BIPA violation, and disclosing the same biometric data from the same person to the same recipient using the same method constitutes another single violation.[52] The amendments were enacted in response to the Illinois Supreme Court’s holding in Cothron v. White Castle that separate claims accrue under BIPA each time a private entity collects, and each time a private entity discloses, a person’s biometric data without that person’s consent.[53] Cothron’s holding would have allowed damages to accrue exponentially, and the recent amendments aim to mitigate that possibility. Since the amendments were signed into law, several courts have differed on whether the amendments should apply retroactively.
f. Colorado’s Privacy of Biometric Identifiers and Data Bill
On May 31, 2024, Colorado Governor Jared Polis approved a bill expanding consumers’ privacy rights and controllers’ and processors’ privacy obligations to biometric identifiers and biometric data.[54] Specifically, the bill requires controllers to make available to the public, with limited exceptions, a written policy specifying for biometric data and biometric identifiers: i) a data retention schedule, ii) a protocol for responding to data security incidents, including notifying consumers (processors must have a protocol for notifying controllers),[55] and iii) guidelines for required deletion.[56] Biometric identifiers or biometric data must be deleted at the earliest of i) when the initial purpose for collection has been satisfied, ii) 24 months after the consumer last interacted with the controller, or iii) the earliest feasible date, which must be no more than 45 days (or up to 45 additional days) after storage is no longer necessary as determined by an at least once-yearly audit.[57]
Under the bill, employers must receive employees’ consent, which employers must not require as a condition of employment, to collect and process biometric data or biometric identifiers unless collection and processing is reasonably expected for a job or background check or is to: i) grant access to locations or systems, ii) record the employees’ full work day hours, iii) improve workplace or employee safety or security, or iv) improve public safety or security in a crisis.[58]
The bill also includes consumer rights and protections that are generally common requirements in state privacy laws, such as notice, consent, and access rights. Specifically, the bill prohibits a controller from collecting biometric identifiers or biometric data unless the controller first discloses the collection, the specific purpose for collection, the length of retention, and, if the biometric identifier is being shared, the specific purpose for sharing.[59] The controller also must not share the biometric identifier unless the consumer consents to such sharing or requests the sharing to complete a financial transaction, the sharing is to a processor and is necessary for the purpose of collection, or the sharing is otherwise required by law.[60] The bill grants consumers the right to access their biometric data collected by a controller, including the categories of biometric data collected or shared, its sources, the purposes for its collection or sharing, and the identities of third parties with which the controller discloses the biometric data.[61] A controller is prohibited from purchasing a biometric identifier unless the purchase is unrelated to the service provided to the consumer, the controller pays the consumer and the consumer provides consent, and the controller cannot refuse to provide, or charge a different rate for, a service because a consumer did not consent to the collection or processing of its biometric identifier, unless such collection is necessary to provide the service.[62]
The bill, which amends the Colorado Privacy Act (CPA), takes effect July 1, 2025.[63]
On September 14, 2023, New York Governor Kathy Hochul signed legislation amending the New York State Labor Law to restrict employers from accessing their employees’ and job applicants’ “Personal Accounts.”[64] This law is currently in effect.[65] Personal Account under the law covers several popular social media applications, defined as “an account or profile on an electronic medium where users may create, share, and view user-generated content . . . exclusively for personal purposes.”[66] The law applies to all employers operating in the state of New York, excluding law enforcement agencies, fire departments, and departments of corrections and community supervision.[67]
The law prohibits employers from requesting, requiring, or coercing their employees or job applicants to provide a password, username, or other information to access a Personal Account, to access their Personal Accounts in their employer’s presence, or to reproduce information from their Personal Accounts.[68] Employers are prohibited from retaliating against any employee or job applicant that refuses to provide such information.[69]
The law still enables employers to retrieve employee or job applicant information for the purpose of investigating or reporting alleged misconduct, provided the information is in the public domain or voluntarily shared.[70] The law also enables employers to require employees to disclose access information to a Personal Account on the employer’s internal information systems,[71] or to an account used for business purposes.[72]
h. California’s Protecting Our Kids from Social Media Addiction Act
On September 20, 2024, California enacted its Protecting Our Kids from Social Media Addiction Act. The law prohibits operators of “addictive” internet-based services or applications from providing “addictive feeds” to minors, unless the operator does not have actual knowledge that the user is a minor or obtains verifiable parental consent to provide such feeds to the minor user.[73] The law also prohibits these operators from sending notifications to minor users between certain hours.[74] Operators are also required to annually disclose the number of minor users of their service or application.[75]
This law was blocked from enforcement earlier this year, with the trial court concluding that the law was likely an unconstitutional restriction on protected speech. As of January 28, 2025, the Ninth Circuit has granted a permanent injunction against the law’s enforcement, pending the defendants’ appeal.[76]
i. Colorado and California’s Amendments to the “Sensitive Data” Definition
On April 17, 2024, Colorado Governor Jared Polis signed a bill to expand the definition of “sensitive data” under the CPA to include “biological data” and “neural data,” which went into effect on August 7, 2024. Similarly, on September 28, 2024, California passed a bill to amend the definition of “sensitive personal information” in the California Consumer Privacy Act to include “neural data,” which went into effect immediately.
Both laws define “neural data” to include information generated by measuring the activity of a consumer’s central or peripheral nervous system.[77] Colorado requires that “neural data” “be processed by or with the assistance of a device,”[78] whereas California provides that “neural data” “is not inferred from nonneural information.”[79] Both laws would apply to novel neurotechnology devices and more commonplace items like electroencephalograms (EEGs).[80] Colorado has gone one step further by including “biological data” in its definition of “sensitive information,” which it defines as “data generated by the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual’s body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data, for identification purposes.”[81]
Calls for comprehensive federal privacy legislation remain loud and unanswered, despite bipartisan congressional efforts to introduce new legislation.
The comprehensive American Privacy Rights Act (APRA) was introduced on April 7, 2024, by a bipartisan and bicameral group of lawmakers, and attempts to create a unified data privacy standard addressing the collection and processing of personal data as well as data breaches.[82] As proposed, APRA would grant consumers the right to access, correct, delete, and export collected data and to know who their data is transferred to and the purpose for transfer.[83] The Congressional Research Service notes that APRA would also preempt state privacy laws, subject to certain exceptions.
Since its introduction, APRA has seen little movement, due to strong opposition from a variety of stakeholders and prioritization of other legislation. State regulators, such as the California Privacy Protection Agency, oppose APRA as it would preempt state laws in the same area. Certain interest groups opposed the removal of provisions relating to civil rights protections and algorithmic accountability. A last-minute cancellation of the House Committee on Energy and Commerce’s scheduled markup of the APRA on June 27, 2024 was the last official action taken on the bill.
While momentum for APRA has slowed, former FTC Chair Jon Leibowitz stated “[t]here’s 85% agreement between Democrats and Republicans about what should be in it, so I expect real movement on privacy legislation, even if what goes through lacks a private right of action, for example.” However, given the many other competing objectives of the new Trump Administration in the early days of the Administration, it is unlikely that a bill will be passed in the coming months.
Congress passed only one privacy-related law in 2024, which focused on national security issues, although a number of consumer and individual privacy-related laws were introduced. In April 2024, President Biden signed H.R. 815 into law, which included the Protecting Americans’ Data from Foreign Adversaries Act of 2024.[84] PADFAA represents an effort to regulate the transfer of personal data from the U.S. due to national security concerns. The law, which went into effect on June 23, 2024, prohibits data brokers from selling, transferring, or disclosing personally identifiable sensitive data of a U.S. individual to any foreign adversary country (China, Russia, Iran, and North Korea) or any entity controlled by a foreign adversary country.[85] PADFAA defines “personally identifiable sensitive data” broadly as “any sensitive data that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.”[86]
Other proposed privacy legislation covered a range of topics—including workplace privacy, health privacy, financial privacy, privacy for children online, facial recognition, and AI—several of which attracted significant bipartisan support, but lawmakers remained divided over the same two issues that sank more comprehensive federal privacy legislation: (1) whether federal privacy laws should preempt state laws (a position attracting more Republican support); and (2) whether they should include a private right of action (which more Democrats favor).
Of the proposed privacy-focused legislation in 2024, much of the focus was on digital privacy and safety, especially for children on social media. Congress held widely publicized hearings on the topic, questioning social media executives on their failure to protect children online. In July 2024, the U.S. Senate overwhelmingly passed a pair of measures seeking to put more responsibility on social media platforms to ensure child safety online: The Kids Online Safety Act, which establishes a duty of care for online platforms and requires them to activate the most protective settings for kids by default, and the Children and Teens’ Online Privacy Protection Act (COPPA 2.0), which amends COPPA. COPPA 2.0 extends existing COPPA protections by banning online companies from collecting personal information from teenage users over the age of 12 and under 17, and broadening the entities and services covered. It also makes it unlawful to collect and use personal information from children and teens in targeted advertisements while affording users a right to erasure of their content and imposes new obligations for businesses that collect personal information from children and teens. The full House of Representatives has yet to debate either bill and it is unclear if action will be taken in 2025 to move either forward.
Other privacy bills introduced in 2024 include: The Verifying Kids’ Online Privacy Act (amending COPPA to define a child as an individual under the age of 16 rather than 13 and requiring operators to verify the age of individuals accessing their service), the Stop Spying Bosses Act (requiring disclosure of or prohibiting surveillance, monitoring, and collection of worker data),[87] the No Robot Bosses Act (prohibiting employers from relying exclusively on automated decisionmaking systems to make decisions regarding employment),[88] the Reproductive Data Privacy and Protection Act (ensuring government entities that seek to compel disclosures relating to reproductive or sexual health information cannot do so for investigatory purposes),[89] the American Donor Privacy and Foreign Funding Transparency Act (restricting the ability of federal government entities to collect or require submission of information on the identification of donors to tax-exempt organizations),[90] the Protecting Privacy in Purchases Act (prohibiting payment card networks from requiring firearms retailers to use a merchant category code that would distinguish it from a general merchandise or sporting goods retailer),[91] and others described in this Review.
Congress also considered cybersecurity-related legislation: The Healthcare Cybersecurity Act of 2024 (requiring the Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services to work together and implement a variety of measures to improve cyber defenses in the healthcare sector),[92] the Farm and Food Cybersecurity Act of 2024 (requiring studies and simulation exercise for food-related cyber emergencies, threats, and disruptions),[93] and the Health Infrastructure Security and Accountability Act (creating mandatory minimum cybersecurity standards for health care providers, health plans, clearinghouses, and business associates along with requiring independent audits).[94]
In 2024, federal regulators continued to actively pursue enforcement action and rulemaking related to cybersecurity and data privacy. This section summarizes the noteworthy efforts by the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), Securities and Exchange Commission (SEC), Department of Health and Human Services (HHS), and other federal and state agencies. The priorities reflected in federal enforcement actions and rulemakings will likely shift in 2025, as the newly appointed agency leaders implement the Trump Administration’s policy agenda.
The FTC continued its active regulation and enforcement of cybersecurity and data privacy in 2024. A number of the FTC’s litigation matters, many of which reflected its focus on sensitive consumer data such as geolocation and health information, reached settlement. The impact of the agency’s rulemaking can also be seen in its recent settlement agreements. For example, aspects of its Standards for Safeguarding Customer Information Rule (Safeguards Rule) were often cited in settlements of data privacy enforcement matters through terms such as limiting an entity’s agents’ access to consumer information only where necessary.
The FTC also launched, via orders pursuant to Section 6(b) of the FTC Act, fact-finding studies into eight companies to investigate how the companies use consumers’ personal data to engage in personalized pricing—the practice of charging different customers different prices for the same good. In his concurring statement, former Commissioner, and current Chair, Andrew Ferguson emphasized the primary goal of these studies as fact-finding rather than pursuing enforcement action or rulemaking. He suggested that any necessary remedial action should be left to Congress and state lawmakers.
Other areas that the FTC prioritized included algorithmic bias and AI, commercial surveillance, data security, and children’s privacy. Further, the FTC expanded its regulatory and enforcement scope related to biometric information.
This section discusses the FTC’s notable actions in 2024; however, it bears noting that the agency’s outlook this year will be impacted by President Trump’s February 18, 2025 executive order requiring independent agencies to consult with the White House about their strategic plans, priorities, and draft regulations. While the executive order expressly lists the FTC, SEC, and FCC as impacted agencies, the CFPB probably will be impacted as well if it is operational under the Trump administration.
On March 25, 2024, Republican Melissa Holyoak was sworn in as a Commissioner for the FTC, filling the seat left open by former Commissioner Christine Wilson in March 2023. Subsequently, on April 2, 2024, Republican Andrew Ferguson was sworn in as a Commissioner, filling the seat left open by former Commissioner Noah Phillips in October 2022.
In December 2024, President Donald Trump announced he planned to appoint Commissioner Ferguson to replace then-Chair Lina Khan. During the same month, reports circulated with a leaked document that professed to lay out Ferguson’s priorities for the agency, if he were selected as the Chair. Specifically, it stated Ferguson’s “Agenda for the FTC” would: “Reverse Lina Khan’s Anti-Business Agenda,” with “no more novel and legally dubious consumer protection cases,” and by “stop[ping] abus[e of] FTC enforcement authorities as a substitute for comprehensive privacy legislation”; “Hold Big Tech Accountable and Stop Censorship,”[95] including through focused antitrust enforcement; “Protect Freedom of Speech and Fight Wokeness,” including by “end[ing] the FTC’s attacks on online anonymity”; and “Fight the Bureaucracy to Implement Trump’s Agenda.” On January 20, 2025, President Trump appointed Andrew Ferguson as the new FTC Chairman.
In December 2024, President Trump also announced he planned to nominate Mark Meador as the new Republican FTC commissioner to fill the seat left open by prior Chair Lina Khan, whose term expired on January 31, 2025. Meador is currently a partner at the law firm Kressin Meador Powers and previously worked for the FTC and the DOJ and as Deputy Chief Counsel for Antitrust & Competition to Republican Senator Mike Lee. Meador has vocally supported efforts to regulate big technology companies and has called for increased antitrust enforcement.
If Meador is confirmed, the FTC will be led by a Republican majority for the first time since Commissioner Bedoya was confirmed in 2022.
Algorithmic bias in the use of AI technology was a growing concern for the FTC under former Chair Lina Khan. In 2023, Khan, in a guest editorial for the New York Times, expressed concern over AI tools being fed information “riddled with errors and bias,” thereby “automating discrimination” and unfairly inhibiting people’s access to financial services, employment, and housing, among others.
In December 2023, the FTC filed a complaint and proposed stipulated order against a convenience store chain. The FTC alleged the chain used AI-based facial recognition technology (FRT) to identify customers who may have been engaging in shoplifting and other problematic behavior. In March 2024, the court entered the stipulated order, which prohibits the company from using FRT for five years. In December of 2024, the FTC once again filed a complaint and proposed stipulated order, this time against an AI and Deep Learning-based video analytics and video cloud software company, alleging that the company made false, misleading, or unsubstantiated claims that its AI-powered facial recognition software was free of gender or racial bias, and that it had one of the highest accuracy rates on the market despite lacking the evidence to support such claims. The complaint also alleged that the company did not train its FRT software on “millions of faces” as it advertised, but only on approximately 100 unique individuals. The FTC’s finalized order against the company prohibits the company from misrepresenting the accuracy and efficacy of its technology without competent and reliable testing of the technology to support its claims, among other restrictions and requirements.
Newly appointed Chair Ferguson has expressed his disagreement with the FTC’s prior approach to AI, indicating his belief that the “pro-regulation side of the AI debate” is “the wrong one.” For example, Chair Ferguson has expressed some disagreement with the FTC’s approach to defining bias. In his statement concurring in the FTC’s action against the AI and Deep Learning-based video analytics and video cloud software company, IntelliVision, he expressed discomfort with relying on “statistical disparity in false-positive and false-negative rates” to define or determine the presence of bias and instead focused on IntelliVision’s failure to substantiate its claims that its software had “zero gender or racial bias.”
In 2023, as discussed in our prior alerts, the FTC issued an Advance Notice of Proposed Rulemaking on commercial surveillance and data security. In July 2024, the FTC issued orders to “eight companies offering surveillance pricing products and services . . . seek[ing] information about the potential impact these practices have on privacy, competition, and consumer protection.” In January 2025, the FTC then released its initial findings in a surveillance pricing market study, which provided insights into the level of detail at which consumer behavior and demographics are surveilled and analyzed and the effects this has on surveillance pricing. That same day, the FTC announced it would open up public comments on its commercial surveillance probe, which, unrelated to any proposed rulemaking, asked for public input until April 17, 2025 from businesses and workers about their experiences or views on the impact of surveillance pricing. On January 22, 2025, Chair Ferguson closed public comments. The unexplained shutdown of public comments has been criticized by fellow FTC Commissioner Alvaro Bedoya.
While Chair Ferguson has voiced support for the FTC’s attempts to inform consumers regarding the extent of commercial surveillance, he has criticized the FTC’s approach to targeted advertising and AI, arguing both that such targeted advertising is beneficial to consumers, and that mass data collection is difficult to avoid but also critical for the operation of many free internet services. The FTC may take a different approach to commercial surveillance concerns going forward. Both Chair Ferguson and Commissioner Melissa Holyoak dissented from the former Democratic majority in the FTC for what the Republican Commissioners perceived as rushing to publish the initial findings of the surveillance pricing study. Chair Ferguson and Commissioner Holyoak opined that it was irresponsible for the FTC to put forward such a preliminary “beta” version of their findings, just to publicize an FTC statement on the matter prior to the start of President Trump’s term.
In 2024, the FTC continued to aggressively enforce data privacy and the uses of sensitive consumer information. There are a few trends that businesses can observe as part and parcel of the agency’s agenda last year—in case resolutions, the FTC required the entities collecting and using location and health information for non-essential functions to delete that data, and invest in significant privacy and data security programs. Irrespective of an administration change, the FTC likely will continue to focus on the failure to protect or the misuse of sensitive data—actions that Commissioner Holyoak has supported in multiple concurring statements she published supporting related FTC actions and settlements.
Corporate Landlord of Single-Family Homes. The FTC and a corporate landlord reached a settlement to resolve the FTC’s allegations of undisclosed “junk fees,” improper retention of tenants’ security deposits and refunds, and misrepresentation of home inspection and maintenance practices. The company agreed to pay a $45 million fee that the FTC says will be used to refund impacted consumers. The company is also permanently restrained from misrepresenting monthly lease pricing and fees, property conditions, and the circumstances under which it will deduct funds from consumers’ security deposits. Consistent with the agency’s recent focus on consumer data retention, the settlement requires the corporate landlord to delete all financial data collected from consumers outside limited circumstances.
Digital Marketing and Data Aggregator. After facing allegations of impermissibly collecting and using consumers’ location data for advertising purposes, a marketing company reached a settlement with the FTC. The administrative complaint alleged the company failed to fully disclose to consumers how their location data, which would reveal where they live and work, would be used for purposes other than necessary app functions. The agreed-upon order prohibits the company from sharing in any way consumers’ precise location data, or offering any product or service designed to target consumers based on their location. The FTC also required the company to destroy all stored location data or ensure the data is deidentified.
Substance Abuse Telehealth Firms. The DOJ settled an action it brought on behalf of the FTC against two telehealth companies for alleged violation of the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) through unfair and deceptive trade practices relating to alcohol and substance abuse treatment. In addition to the monetary penalties, the court approved joint stipulations banning the companies from disclosing consumer health information to third parties for advertising purposes. The companies must also implement a privacy and data security program to formalize the process by which they keep health information secure, as well as a data retention schedule to limit the time period that they retain consumer data.
Online Therapy. In May 2024, an online therapy firm began issuing refund notifications to impacted consumers, based on a 2023 settlement with the FTC arising out of allegations that the firm shared consumers’ sensitive data with third parties. The FTC has indicated that it considers sensitive consumer data to include email addresses, IP addresses, and answers to personal health questions. The online therapy provider was charged with sharing such consumer information with online and app advertisers without setting appropriate limitations for the advertisers’ use of the data, and without obtaining consumer consent.
Software Provider. The FTC settled allegations against a UK-based software provider that its Czech subsidiary collected and sold consumer browsing information without adequate notice and consent. The subsidiary is alleged to have sold the browsing data to more than 100 third parties. As per the final order, the company and its subsidiaries are required to delete the copies of the data that was sold, and to obtain consent from future consumers before selling browsing data for advertising purposes.
Data Brokers. The FTC brought a second amended complaint against a data broker for allegedly violating Section 5 of the FTC Act by selling consumers’ precise location data. The second amended complaint comes after the presiding federal district court judge denied the data broker’s attempt to dismiss the suit. In her concurring statement in support of the Commission’s vote to file the amended pleading, Commissioner Holyoak underscored the importance of “vigorously pursuing” the action in order to protect precise geolocation information identifying consumers’ visits to sensitive locations. A separate data broker also agreed to settle FTC claims that it unlawfully tracked and sold sensitive location data. The Commission voted 5-0 to approve the final order, which prohibits the data broker from selling sensitive location data or collecting such data, outside a limited number of approved purposes.
Security Camera Company. The DOJ settled an action it brought on behalf of the FTC against a security camera company that is alleged to have violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM). The company is also alleged to have had insufficient security measures over consumer data it collected, allowing a hacker to access customers’ security camera data in 2021. The hacker is alleged to have accessed cameras in particularly sensitive locations such as psychiatric hospitals and women’s health clinics. The company agreed to pay a $2.95 million monetary penalty for its CAN-SPAM violation and implement an information privacy program, among other actions.
Smart Home Technology. In December, the FTC sent the first set of payments to consumers allegedly harmed by a home security company’s misuse of credit reports. The company, which agreed to a settlement with the FTC in 2021, paid $5 million to be disbursed directly to consumers. According to the FTC, the company’s sales representatives relied on false or unverified information to help consumers get financing approval for products and services that they would not otherwise be qualified to receive. The FTC’s December payment of nearly $500,000 is directed to 470 consumers, who filed a valid claim. Additional funds are stated to be distributed at a later date.
Pursuant to Section 6(b) of the FTC Act, the FTC issued orders to eight firms, including financial services firms, that advertise using customer information and machine learning technologies to engage in targeted pricing to consumers. The orders require recipient companies to disclose documents showing how they use consumer data, such as credit history, to engage in “surveillance pricing,” also known as “personalized pricing.” This pricing practice involves charging different prices for the same product based on the consumer’s personal data. The firms were mandated to provide documents and information relating to four specific aspects of their personalized pricing:
- The types of products and services offered using personalized pricing;
- The personalized pricing offerings’ underlying data and how such data was collected;
- Targeted clients and their use of the offerings; and
- Resulting pricing differentials for the same offering and other impacts.
In a concurring statement, then-Commissioner Ferguson underscored the primary goal of these studies as gathering information rather than pursuing enforcement actions, expressing the importance of revealing to Congress and the public “whether and how consumers’ private data may be used to affect their pocketbooks.” He voiced less enthusiasm for the Commission taking remedial action based on the studies’ outcome, suggesting instead that state and federal legislators may address any needed response through privacy laws.
In addition to launching the personalized pricing study, the FTC began to incorporate aspects of its Safeguards Rule in case resolutions. Settlement agreements of actions involving unsecured consumer information, in particular, reflect certain components of the Safeguards Rule. For example, a common settlement term requires companies to implement information privacy programs and abstain from misleading consumers about the strength and integrity of their consumer privacy measures. One important feature of these programs is that the entity must place limitations on an employee’s, contractor’s, and authorized third parties’ access to consumer information based on job necessity.
At the end of 2023, the FTC proposed amendments to COPPA, aiming to shift the burden for protecting children’s privacy and security from parents to service providers. As of January 16, 2025, the FTC finalized changes to COPPA. The final rule’s amendments include:
- Opt-in parental consent requirements for covered operators to disclose children’s personal information to third-party companies for targeted advertising or other purposes;
- Limits on data retention where covered operators may only retain personal information for as long as reasonably necessary to fulfill a specific purpose for which it was collected;
- Public disclosure requirements for COPPA’s self-regulatory Safe Harbor programs, such as disclosure of information on their membership lists; and
- Several amended definitions, including the expansion of “personal information” to include biometric identifiers and government-issued identifiers.
In adopting the final rule, the FTC decided against adopting some proposed changes it received during the public comment period, such as a requirement to limit the use of push notifications directed to children without parental consent and changes to requirements applicable to educational technology companies that operate in a school environment.
In 2023, the FTC also sought comment on the Entertainment Software Rating Board’s (ESRB) application for a “Privacy-Protective Facial Age Estimation” technology that analyzes a user’s face to confirm their age, which would serve as a consent mechanism under COPPA’s requirement that parents consent to an online service collecting their children’s personal data. On March 29, 2024, the FTC denied the ESRB’s application with a vote of 4-0 due to insufficient information. The FTC made this denial without prejudice to enable the ESRB to re-file the application in the future, when the FTC anticipates that additional information will assist in the understanding of age verification technologies. The FTC otherwise took no position on the merits of the application.
In 2024, the FTC continued to pursue enforcement actions against major technology companies in relation to children’s and teens’ privacy. For example, the FTC referred a complaint to the DOJ against a technology company for possibly violating COPPA by allowing children to use its application without parental consent. The FTC also took action against an anonymous messaging application marketed to kids and teens for allegedly violating COPPA by failing to ensure that a parent receives direct notice of and consents to its practices around collecting, using, or disclosing their child’s personal information.[96] Although not an enforcement action, the FTC additionally examined the data collection and use practices of nine big technology companies, which eventually led to a report upon which the FTC based recommendations to policymakers and companies.
In May 2023, the FTC published its Policy Statement on Biometric Information. See the Biometric Information section of our 2024 annual update for additional details on the policy statement.
The policy statement specified that making unsubstantiated marketing claims regarding the validity, reliability, accuracy, performance, fairness, or efficacy of technologies relying on biometric information constitute deceptive practices under Section 5 of the FTC Act. In December 2024, the FTC announced a proposed consent order with an AI and Deep Learning-based video analytics and video cloud software company to settle the FTC’s allegations that the company could not substantiate its marketing claims on the accuracy of its facial recognition technologies, including its accuracy across genders, ethnicities and skin tones. The proposed order prohibits the company from making misrepresentations regarding the efficacy and lack of bias in its facial recognition technologies.
Over the past year, the CFPB finalized and proposed multiple rulemakings which implicate privacy issues, with a flurry of such action in the waning days of the Biden Administration. As of this report’s publication, the Trump Administration has paused implementation of several of these rulemakings, and the agency’s future is currently uncertain.
Following significant actions by the CFPB in 2024—including related to data privacy, data security, and algorithmic decisionmaking—thus far in 2025, the interim CFPB Directors appointed by President Trump have imposed significant operational changes that raise significant questions about the agency’s future scope and direction.
After removing Rohit Chopra as CFPB Director on January 31, 2025, President Trump appointed in quick succession Treasury Secretary Scott Bessent and then Office of Management and Budget Director Russell Vought as Acting CFPB Directors. Bessent and then Vought moved rapidly to freeze virtually all CFPB activities, ordering employees to stop all enforcement and litigation activity; halting rulemakings and suspending effective dates of pending rules; closing the CFPB’s Washington, DC office for a week and canceling the headquarters’ lease; canceling the CFPB’s next pull of funding from the Federal Reserve; canceling over $100 million in vendor contracts; firing probationary-period staff; and dismissing (without explanation) various enforcement actions filed during the Biden Administration. While President Trump and the head of DOGE, Elon Musk, have expressed a desire to eliminate the CFPB, the Trump Administration has recently taken the position in court that it only intends to make the agency more “streamlined and efficient.”
Consistent with this position, Jonathan McKernan, President Trump’s nominee for CFPB Director, testified in early March before the U.S. Senate Committee on Banking, Housing, and Urban Affairs, that he would continue to enforce consumer protection laws while advocating for reforms to increase accountability and end the CFPB’s “past excesses.” At the time of publication, McKernan’s nomination is pending confirmation.
b. Impact of the Trump Administration’s Actions on the Pre-Trump CFPB’s Ambitious Agenda
Precisely how the CFPB under Trump-appointed leadership will reshape the agency’s approach to consumer protection remains to be seen.
The outgoing CFPB pursued an ambitious and aggressive rulemaking, policy, and enforcement agenda, often in reliance on novel and expansive interpretations of its statutory authority. In the near term, regulated parties can expect new CFPB leadership to critically examine these initiatives—likely rescinding some rules and guidance, and continuing to drop certain enforcement actions while continuing to pursue others.
For example, there is substantial uncertainty around the agency’s key 2024 rulemakings and guidance related to data privacy, data security, and AI. Specifically, on December 3, 2024, the CFPB proposed a sweeping new rule that would subject data brokers to the Fair Credit Reporting Act, with the goal of limiting the sharing of consumer financial data. On March 5, 2025, the comment period for this rule was extended from March 3, 2025, until April 2, 2025, with the Bureau stating it was doing so in order to give interested persons additional time to consider and submit comments. What new leadership will do with respect to this rule remains to be seen, although it seems unlikely they will embrace it in its proposed form.
Additionally, the effective date of the agency’s final rule issued in October 2024 under Section 1033 of the Consumer Financial Protection Act (CFPA) requiring certain financial institutions to make data such as account and transaction information available upon request to consumers and authorized third parties has been suspended. The ordered suspension sweeps in all other CFPB final rules that had not gone into effect as of February 3, 2025, like the final rule issued in June 2024 aiming to mitigate AI-driven bias in housing appraisals that was slated to go into effect in approximately June 2025. However, a significant final rule issued in November 2024 establishing the agency’s supervisory power over nonbank digital payment providers took effect before then-Acting Director Bessent’s February 3, 2025 instruction freezing final rules, so whether action will be taken to rescind the rule remains to be seen.
The CFPB’s prior leadership had also intensified scrutiny of AI in financial services, issuing guidance and a special edition of its Supervisory Highlights emphasizing compliance obligations, which new CFPB leadership may also rescind.
In the longer term, the CFPB’s future is uncertain. Courts might step in to limit an administrative shutdown of the agency. The National Treasury Employees Union (NTEU), which represents unionized CFPB employees, brought an action in federal court challenging Vought’s stop-work directive, arguing that separation-of-powers principles prevent the Trump Administration from winding down a congressionally authorized agency.[97] The court in that matter ordered a senior CFPB official to testify on March 10, 2025 about the status of the agency’s statutorily required activities in connection with NTEU’s request for a preliminary injunction to halt mass terminations and other cuts. Additionally, the City of Baltimore and Economic Action Maryland Fund have challenged Vought’s attempt to transfer the CFPB’s funds to the Federal Reserve, arguing, among other things, that such action violated the Administrative Procedure Act because the agency would be deliberately leaving itself without enough funding to perform its legally mandated duties.[98] A preliminary injunction preventing the funds transfer is in place until March 14, 2025.[99]
c. Other Regulators and Private Litigation: Filling a Potential Enforcement Gap
If the CFPB’s activities continue to wane, other regulators may step up their enforcement activities. For example, the FTC, which has concurrent enforcement authority with the CFPB over certain statutes, can police “unfair practices” under the FTC Act and has insight into the CFPB’s investigations and enforcement under the agencies’ memorandum of understanding. State attorneys general also have broad authority to enforce state consumer protection laws, may enforce the (federal) Consumer Financial Protection Act in their respective jurisdictions under 12 U.S.C. § 5552, and have a “blueprint” for enforcement activity in the form of a report published by the CFPB in January 2025, prior to the leadership transition. State banking departments may also enhance supervisory oversight over non-bank financial institutions in light of any perceived supervisory gap at the federal level.
Additionally, private litigants may seize upon regulatory uncertainty to pursue consumer litigation.
Businesses that have invested in compliance with recent CFPB mandates must now reassess their strategies in light of shifting federal priorities and the possibility of increased state and private litigation risk. As the regulatory pendulum swings, staying ahead of both federal and state developments will be critical for businesses seeking to navigate this rapidly evolving environment.
The SEC continued its historic levels of enforcement activity in 2024, with a continued emphasis on disclosure and transparency requirements surrounding cybersecurity. The SEC’s new cybersecurity disclosure rule for public companies also went into effect in 2024, and numerous companies filed disclosures as required under the rule. In addition, the SEC finalized new cybersecurity disclosure rules for broker-dealers and registered investment advisers.
Companies begin disclosures of cybersecurity incidents. The SEC’s new cyber disclosure rule for public companies, which requires them to publicly disclose material cyber incidents, went into effect in December 2023, and 2024 was the first full year of implementation of the rule.[100] In 2024, approximately 50 public companies filed cybersecurity disclosures on Form 8-K. Many of these disclosures were for non-material impacts. Initially, several companies made non-material disclosures under the new cybersecurity reporting Item 1.05, which was specifically created for disclosures of material cybersecurity incidents. As a result, the Director of the SEC’s Division of Corporation Finance issued a statement suggesting that such disclosures were appropriate under Form 8-K Item 8.01, which is for miscellaneous statements, rather than Item 1.05. Due to the strict timing requirements, some companies have made filings under Item 1.05, stating that the company could not determine that the impact was material, only to later amend their 8-K filing to state that the company had found the impact to not be material. Notably, fewer than 20% of filings state a material impact.
Additionally, on June 24, 2024, the SEC issued five new compliance and disclosure interpretations addressing hypothetical scenarios involving the public company disclosure requirement. Four of these interpretations concern ransomware payment, and provide guidance on how to conduct materiality assessments in scenarios where the company makes such a payment, while the fifth addresses materiality determinations following a series of separate but potentially related incidents.
SEC adopts data breach notification requirements for additional financial institutions. On August 2, 2024, a final rule went into effect updating Regulation S–P to require registered investment advisers, transfer agents, and broker-dealers to notify customers within 30 days if their information may have been stolen. Covered institutions have 18 months for larger entities or 24 months for smaller entities[101] from the date of publication in the Federal Register to comply with the requirements. Key requirements under the new regulation include:
- Covered institutions must implement an incident response program regardless of whether an incident has occurred.
- Covered institutions must disclose an incident to customers as soon as practicable, and no later than 30 days after discovery of an incident. The customer notices must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves. This requirement is waived where an institution determines that the affected data will not be used or it is reasonably likely that it will not be used in a way that adversely affects customers.
- The rule expands existing requirements to safeguard customer data and dispose of unused customer data to include additional types of data and apply to transfer portals in addition to previously covered institutions.
Court dismisses much of the SEC’s complaint against Software Company. The SEC originally sued a software company in 2023 over a high-profile breach of the company’s computer system in 2020. In light of the breach, the SEC alleged that the company had made materially false statements regarding its cybersecurity practices in certain public filings and on its publicly facing website, then subsequently made misleading statements regarding a series of cybersecurity incidents that culminated in a high-profile cyber attack.
As we previously discussed in our July 25, 2024 client alert, the court dismissed the majority of the SEC’s claims. The remaining claims are related to the Security Statement that the company posted to their website in 2017. Most notably, the court rejected the SEC’s attempt to bring an internal accounting controls violation claim under Section 13(b)(2)(B) in the context of cybersecurity-related actions. The court reasoned that the SEC’s position that its authority to regulate an issuer’s “system of internal accounting controls” includes the authority to regulate cybersecurity controls was “not tenable,” and unsupported by the statute, legislative intent, or precedent.
The court’s decision also calls into question the SEC’s ability to rely on claims of inadequate disclosure controls and procedures in similar circumstances, given that the court ruled that a single disclosure failure is insufficient to put the adequacy of a company’s disclosure controls and procedures in issue.
SEC fines transfer agent for alleged failure to protect client funds. A transfer agent was hacked in 2022 and 2023, resulting in the theft of $6.6 million in client funds. The company recovered about $2.6 million and fully reimbursed clients. The SEC found that the transfer agent had failed to take adequate measures to secure client funds, censured the respondent, issued a cease-and-desist order, and fined the transfer agent $850,000.
SEC fines stock exchange operator for allegedly failing to meet disclosure requirements. The SEC alleged that the parent company of a number of stock exchanges waited several days after learning about a cyberattack to inform compliance and legal officials at the subsidiary exchanges. The SEC took the position that this violated Regulation Systems Compliance and Integrity (Reg SCI) by preventing the subsidiary exchanges from making their own timely disclosures to the SEC. The company agreed to pay $10 million to settle the charges but did not admit the allegations.
SEC settles with marketing firm over alleged disclosure and internal control failures. The SEC settled with a communications and marketing company for $2.1 million over the company’s alleged violation of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15(a). The SEC alleged that the company failed to create sufficient internal cybersecurity disclosure controls, which resulted in delayed response to a 2021 ransomware attack. The SEC order notes that data security was critical to the company’s business because the company secured sensitive client data. The company settled the allegations following an investigation without admitting fault.
On October 21, 2024, the SEC Division of Examinations published its annual examination priorities, which include cybersecurity as one of the Division’s planned areas of focus in 2025. However, President Trump’s nominee to chair the SEC is expected to be more pro-business than the outgoing chair, which may result in less enforcement activity overall. Moreover, Republican members of the Commission, Mark Uyeda and Hester Peirce, have expressed skepticism regarding the SEC’s previous efforts regarding cybersecurity, with both issuing dissents against recent cybersecurity enforcement actions. Commissioner Uyeda also previously issued a statement sharply criticizing the 2023 public-company disclosure rules. Nevertheless, the SEC recently announced the reformation of the crypto and cybersecurity division as the Cyber and Emerging Technologies Unit, with a focus on “[r]egulated entities’ compliance with cybersecurity rules and regulations,” among other priorities. Accordingly, while we expect the SEC will continue to focus on cybersecurity in 2025, there will likely be lower and less aggressive enforcement activity related to cybersecurity.
In October 2024, the Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR) announced the launch of a Risk Analysis Initiative to guide health care organizations in conducting thorough evaluations of their cybersecurity practices. The initiative focuses on protecting the confidentiality, integrity, and availability of protected health information to reduce the likelihood of cyber incidents. OCR explained that it “created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with [HIPAA’s] Security Rule,” which sets standards for protecting ePHI through administrative, technical, and physical safeguards, requiring businesses to conduct thorough risk assessments, implement and document security measures, and maintain continuous ePHI protections. The Risk Analysis Initiative signals renewed interest in enforcing HIPAA’s Security Rule, underscoring the need for covered entities to ensure they are conducting thorough and accurate ePHI-related risk assessments.
Relatedly, on December 27, HHS issued a notice of proposed rulemaking aimed at improving HIPAA’s Security Rule. The proposed rule would require HIPAA-covered entities and their business associates to bolster existing cybersecurity protections for protected health information, including encrypting protected health information, deploying additional technical controls to shield against malicious software, and requiring multi-factor authentication. In announcing the proposed rule, Deputy Secretary Andrea Palm emphasized the “increasing frequency and sophistication of cyberattacks in the health care sector” that “pose a direct and significant threat to patient safety” and disrupt patient care. The responsibility for finalizing the rule now lies with the Trump administration, which may be more skeptical of implementing new regulations. Specifically, President Trump issued an Executive Order requiring a “Regulatory Freeze Pending Review,” directing federal agencies, including the HHS, to “not propose or issue any rule in any matter . . . until a department or agency head appointed or designated by the President . . . reviews and approves the rule.” Thus, it is unclear whether the proposed rule will proceed under the new administration.
HHS finalized two significant HIPAA rules in 2024. On February 8, OCR finalized a rule updating the Confidentiality of Substance Use Disorder Patient Records regulations to improve coordination among providers by allowing a single consent for treatment, payment, and health care operations, while also permitting de-identified disclosures to public health authorities. The rule strengthens patient protections by aligning enforcement with HIPAA, introducing civil penalties for violations, requiring specific consent for substance use disorder counseling notes, and creating a safe harbor for investigative agencies acting with reasonable diligence before requesting records.
OCR finalized another rule on April 26, which modifies the HIPAA Privacy Rule to strengthen protections for reproductive health care by prohibiting the use or disclosure of protected health information to investigate or impose liability on individuals, health care providers, or others involved in lawful reproductive health care. The rule also requires covered entities to obtain signed attestations for specific requests related to reproductive health care and mandates that these entities update their Notice of Privacy Practices to reflect these new privacy protections.
HHS released a statement in May 2024, explaining that it will extend COVID-era telehealth and audio-only services beyond 2024, as was planned. As HHS explained, this change was prompted by “changes in patterns of care and higher levels of use of telehealth and audio-only services that can be expected to continue into future benefit years.” Thus, any telehealth or audio-only services between patients and qualified health professionals “that is reimbursable under applicable state law and otherwise meets applicable risk adjustment data submission standards may be submitted to issuers’ External Data Gathering Environment” servers “for purposes of HHS-operated risk adjustment program for the 2024 benefit year and beyond.” In practice, the extension of telehealth and audio-only services beyond 2024 allows insurers to include these services in their risk adjustment data, which helps determine the appropriate reimbursement they receive for covering individuals enrolled in the Affordable Care Act marketplace and Medicaid. Through this policy pronouncement, HHS has signaled its ongoing commitment to and recognition of telehealth’s growing role in healthcare delivery.
In addition to OCR’s final rule strengthening data protections for reproductive health care, discussed above, the FTC also took action to protect individuals’ reproductive health data. In April 2024, it finalized an order banning a data broker and its successor from sharing or selling sensitive, precise location data, which the FTC alleged could be used to track visits to “medical and reproductive health clinics and places of worship.” In addition to the ban, the order requires the data broker and its successor to develop a program to maintain a comprehensive list of sensitive locations, delete previously collected data unless deidentified or consented to by consumers, and establish privacy programs and safeguards to ensure data is not used for identifying individuals or associating with sensitive locations.
HHS made data privacy and cybersecurity a key focus in 2024, ramping up enforcement efforts for HIPAA violations, including actions involving “ransomware, phishing, health information left unsecured on the internet, impermissible access to electronic PHI, reproductive health information impermissibly disclosed, and untimely patient access to PHI.”
Of note, the HHS reached a sizable settlement involving HIPAA Security Rule violations. In December 2024, HHS announced a $1.19 million penalty against Clearway Pain Solutions Institute for violations of the HIPAA Security Rule “following receipt of a breach report that a former contractor for the company had impermissibly accessed their electronic record system” to “retrieve PHI for use in potential fraudulent Medicare claims.” HHS concluded that the contractor had gained impermissible access on three separate occasions, compromising the PHI of over 34,000 individuals. OCR also found that Clearway Pain Solutions Institute failed to conduct a thorough risk analysis of potential vulnerabilities to electronic protected health information (ePHI) and failed to terminate former workforce members’ access to ePHI.
Reproductive health data breaches have been another priority over the last year. On November 26, 2024, HHS announced a settlement with Holy Redeemer Family Medicine for HIPAA Privacy Rule violations linked with disclosure of a female patient’s entire medical record to a prospective employer. The disclosure allegedly included the patient’s obstetric and gynecological history, as well as “other sensitive health information concerning reproductive health care.” The HHS complaint stated that Holy Redeemer Family Medicine violated the HIPAA privacy rule because it lacked the adequate consent for the release of the full medical record. Under the settlement, Holy Redeemer Family Medicine agreed to pay a fine and implement a comprehensive corrective action plan requiring it to submit breach notification reports to HHS, develop policies for compliance with the Privacy Rule, and train employees on HIPAA compliance.
Lastly, HHS also ramped up enforcement under OCR’s Risk Analysis Initiative, announcing its first enforcement action under the initiative in October 2024. A 2022 ransomware attack affected the PHI of 14,273 patients at Bryan County Ambulance Authority (BCAA), prompting OCR’s investigation into the entity’s alleged failure to conduct a proper risk analysis. HHS found that the entity had failed to conduct a compliant risk analysis to determine the potential risks to its ePHI systems. The parties reached a settlement requiring BCAA to pay $90,000, implement a corrective action plan to ensure HIPAA Security Rule compliance, and submit to three years of OCR monitoring.
The Department of Homeland Security (DHS), together with the European Commission’s Directorate-General for Communications Networks, Content, and Technology, released a joint report comparing cyber incident reporting frameworks, further expanding on its earlier efforts in standardizing reporting processes. By identifying key similarities and differences, the report aims to inform future evaluations of cyber incident reporting processes and enhance alignment between U.S. and EU cybersecurity measures, in particular through a comparative analysis of the recommendations from the U.S. Cyber Incident Reporting Council, the 2023 DHS report on Harmonization of Cyber Incident Reporting to the Federal Government, and the EU’s NIS2 Directive (Directive 2022/2555). Further input has also been provided by the Cybersecurity and Infrastructure Security Agency (CISA) and the European Union Agency for Cybersecurity (ENISA).
The DHS’s CISA has also published several updated guidelines, including an updated “Trusted Internet Connections (TIC) 3.0 Catalog,” providing a list of deployable security controls, security capabilities, and best practices, along with multiple updates to its “Public Safety Communications and Cyber Resiliency Toolkit” and the “Marine Transportation System Resilience Assessment Guide.” It also recently published a revised “National Cyber Incident Response Plan,” on which stakeholders from across the public and private sectors could provide input by January 15, 2025. Additionally, CISA has been involved in investigations regarding allegations that the People’s Republic of China (PRC) targeted commercial telecommunications infrastructure. CISA notified affected companies, rendered technical assistance, and shared information to assist potential victims. Lastly, CISA is also investigating the recent cybersecurity incident at the U.S. Department of the Treasury.
Final Rule on Foreign Adversaries’ Access to Sensitive Data. On December 27, 2024, the Department of Justice (DOJ) issued a Final Rule aimed at restricting foreign adversaries’ access to Americans’ sensitive personal and government-related data. Previously, in February 2024, the Biden administration already directed federal agencies to halt the transfer of sensitive American data to China, Russia, and other foreign adversaries via a corresponding executive order.
This Final Rule now grants the DOJ authority to prohibit or impose stringent conditions on transactions involving such data when they pose a national security threat. Among other things, the rule bans transfer of three types of data to parties affiliated with the target countries: (1) bulk U.S. sensitive personal data, which includes covered personal identifiers, precise geolocation data, biometric identifiers, human genomic data, and personal financial data; (2) U.S. government-related data, which includes any data that is either precise geolocation data for certain locations, or sensitive personal data linked or linkable to certain government employees or contractors; and (3) human genomic or biospecimen data.[102]
Companies handling personally identifiable information, financial data, healthcare records, and biometric data are therefore advised to review their cross-border data transfer agreements, conduct data risk assessments, ensure localization of critical datasets, and implement sufficient contractual protections when dealing with international data partners. In short, this rule requires U.S. companies to be able to identify any transaction that could allow access to covered data by a foreign entity, in particular from China, Cuba, Iran, North Korea, Russia, and Venezuela.
Children’s Privacy Violations. In August 2024, the DOJ, with urging from the FTC and Congress, filed a civil lawsuit in the U.S. District Court for the Central District of California against a social media company over violations of children’s privacy laws. Allegations include unauthorized data collection, application of digital tools to surveil minors, and other non-compliance with COPPA. In particular, according to the complaint, from 2019 to the present the company knowingly permitted children to create regular accounts (i.e., not accounts created in the so-called “Kids Mode”) and interact with adults, collected their personal information without parental consent (even for those accounts which were created in Kids Mode), and failed to delete this data upon parental request, while having inadequate policies to manage children’s accounts. The complaint further alleges that the company also violated a 2019 permanent injunction, in part by neglecting its mandate to preserve records about activities from minors below the age of 13 on the platform.
Civil Cyber-Fraud Initiative. The DOJ’s Civil Cyber-Fraud Initiative (CCFI), initiated in 2021, is intended to encourage disclosure and to hold accountable entities and individuals that put U.S. information or information systems at risk by knowingly providing deficient cybersecurity products or services, misrepresenting their cybersecurity practices or protocols, or violating obligations to monitor and report cybersecurity incidents and breaches. The initiative gained significant momentum in 2024, leading to multiple settlements with government contractors and private companies accused of failing to meet cybersecurity standards.[103] Such failure to comply can take multiple forms, including outright violations of legal provisions, falsified cybersecurity certificates, or an inability to fulfill contractual obligations.
While multiple cases concerning disputes over compliance with federal cybersecurity requirements have been settled, United States ex rel. Craig v. Georgia Tech Research Corp., in which the DOJ intervened in August 2024, remained ongoing at the time of the publication of this article. Companies contracting with the U.S. Government must adhere to National Institute of Standards and Technology (NIST) cybersecurity frameworks to mitigate enforcement risks (see also section A.5.c. Department of Commerce, below).
Cybercrime and Dark Web Marketplaces. The DOJ has intensified efforts to enforce against cybercrimes relating to cryptocurrencies, and dismantle cybercrime marketplaces selling stolen data, hacking tools, or illicit goods. Key operations included the takedowns of the dark web marketplaces Nulled and Cracked (which impacted at least 17 million victims from the United States), and the takedown of Rydox (which sold, amongst others, sensitive data from thousands of victims residing in the United States), along with arrests regarding Incognito Market, an extensive dark web effort to traffic illicit drugs to the United States and around the world.
Furthermore, the DOJ, often in collaboration with international partners, also successfully targeted ransomware groups responsible for major cyberattacks, including, amongst others:
- Together with its international partners and the FBI, the DOJ disrupted the LockBit ransomware group, one of the most active ransomware groups in the world, which has targeted over 2,000 victims, received more than USD 120 million in ransom payments, and made ransom demands totaling hundreds of millions of dollars. Actions against LockBit included seizing numerous websites and servers managed by LockBit administrators. These were complemented by indictments against key figures, the issuance of search warrants, and the development of decryption capabilities to restore systems encrypted by the LockBit ransomware variant.
- An alleged North Korean government-affiliated cybercriminal was charged for attacks targeting U.S. hospitals and critical infrastructure.
In October 2024, the U.S. Department of Commerce (DOC), through the Bureau of Industry and Security’s (BIS) Office of Information and Communications Technology and Services (OICTS), issued a landmark decision prohibiting the use of Kaspersky’s antivirus software and cybersecurity products in the United States or by U.S. persons, “due to the Russian Government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations.” The decision marked the first time OICTS exercised its authority with regards to Information and Communications Technology and Services (ICTS) supply chain regulations. While it was based on an interim final rule implementing an Executive Order from the Biden administration, the corresponding final rule was issued in December 2024.
Additionally, the DOC has placed cybersecurity risks stemming from supply chains under heightened scrutiny, although the impact of the new Trump administration on these efforts remains to be seen:
- For example, the BIS issued a Notice of Proposed Rulemaking regarding a rule banning the import and sale of connected vehicles from China (including Hong Kong) and Russia, citing risks related to espionage, cyber threats, and unauthorized data collection; the rule was finalized on 19 January 2025, while still under the Biden administration. The rule also restricts key vehicle software and hardware deemed to pose “undue or unacceptable risks” to national security, with certain software restrictions beginning in 2027 and hardware restrictions following in 2029.
- Furthermore, BIS has announced an Export Control Framework to further strengthen the U.S.’s cybersecurity capabilities from a hardware perspective. The framework is aimed at limiting the spread of advanced artificial intelligence technologies while tightening restrictions on advanced computing. It specifically imposes strict controls on the export, reexport, and transfer of advanced computing integrated circuits and the model weights of leading AI systems.
- BIS has also proposed a new rule imposing restrictions on U.S. Infrastructure-as-a-Service (IaaS) providers, in particular cloud service providers, concerning their role in training large AI models. The rule would require IaaS providers to implement Customer Identification Programs (CIPs) to collect “Know Your Customer” (KYC) information, and is ultimately aimed at preventing foreign adversaries from accessing advanced AI capabilities.
Separately, in February 2024, the DOC’s National Institute of Standards and Technology (NIST) released Version 2.0 of its Cybersecurity Framework (CSF). The updated CSF is now organized around six key functions: Identify, Protect, Detect, Respond, and Recover, along with CSF 2.0’s newly added “Govern” function, emphasizing the importance of cybersecurity governance and risk management. It also now explicitly addresses all organizations, not just those in critical infrastructure, its original target audience.
Lastly, in December 2024, the DOC released a strategic report titled “The Decisive Decade: Advancing National Security at the Department of Commerce.” The report outlines key policy objectives in the digital space, emphasizing U.S. leadership in critical technologies, international security collaborations, and private-sector partnerships to enhance cybersecurity. It serves as a roadmap for maintaining economic security and technological dominance while addressing threats from foreign adversaries.
Cybersecurity continues to be a point of emphasis underpinning power systems and critical infrastructure resilience. In 2024, the U.S. Department of Energy (DOE) released and endorsed various implementation strategies and adoption guidelines intended to drive the voluntary adoption of uniform cybersecurity practices across the energy sector.
In March 2024, the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) partnered with the National Association of Regulatory Utility Commissioners (NARUC) to publish “Cybersecurity Baselines” for distributed energy resources (DERs) and their electric distribution systems. Designed for asset scoping and baseline prioritization, the Cybersecurity Baselines are intended to enhance system resilience and provide a starting point from which a solid cybersecurity foundation can be built and later expanded upon, following a risk-informed roadmap. The final version of the accompanying Implementation Guidance is expected to be published in mid-2025.
Cybersecurity also remains a critical pillar of DOE’s efforts to protect clean energy infrastructure. In particular, a key focus has been modernizing and securing U.S. hydropower plants, which is central to the DOE’s cybersecurity strategy. The DOE has also issued several cybersecurity guidelines, including those for energy procurement and introduced new Supply Chain Cybersecurity Principles, developed in collaboration with Idaho National Laboratory.
In addition, the Energy Threat Analysis Center (ETAC), a public-private partnership that convenes experts from the federal government and the U.S. energy sector, became operational in Q4 2024. Jointly managed by CESER and the DOE’s Office of Intelligence and Counterintelligence, in partnership with the national laboratories and in close coordination with the Cybersecurity and Infrastructure Security Agency (CISA) Joint Cyber Defense Collaborative (JCDC), it is aimed at strengthening the collective defense, response, and resilience of the U.S. energy sector, improving national security in the energy sector, enhancing analysis capabilities, and facilitating increased sharing of information.
In addition to providing external guidance and support, the DOE has also continued efforts to enhance its own cybersecurity following recent cyberattacks. In particular, in January 2024, the DOE issued its Cybersecurity Strategy. Other governmental bodies also highlighted the importance of the DOE and its mission to protect sensitive data and critical infrastructure as well as to ensure supply chain security. For example, the Office of the Inspector General (OIG) noted that a crucial role in this mission will fall to the recently established Vetting Center, where a Vetting Center Policy Group was established in 2024. Assessing the outcome of this will be crucial for contractors and vendors doing business with the DOE, as they should anticipate increased emphasis on and scrutiny of their cybersecurity practices in 2025.
In October 2024, the Department of Defense (DoD) finalized a much-anticipated rule implementing its Cybersecurity Maturity Model Certification (CMMC) program for defense contractors, broadly aimed at increasing the security of controlled unclassified information within the defense industry.[104] The CMMC will set three “levels” of cybersecurity requirements based on the nature of information held by contractors, with the aim of creating a baseline level of cybersecurity for almost all DoD contract solicitations. These requirements include confirming that Cloud Service Providers used by contractors meet certain risk standards; following protocols for processing, storing, and transmitting controlled unclassified information; and submitting annual compliance self-assessments.
In addition to enhancing the cybersecurity of its supply chain, the DoD announced its plan to prioritize strengthening its Defense Industrial Base (DIB), which is a network of foreign companies and organizations that support the DoD and other U.S. defense requirements. In March 2024, the DoD announced a cybersecurity strategy aimed at improving the DIB’s cybersecurity capabilities and its IT interoperability and integration with the DoD, and in May 2024, the DoD’s Chief Information Officer released a playbook for implementing shared security authorization packages across DoD systems to make system assessments more efficient. In June 2024, the Pentagon released a blueprint for the DoD to prioritize providing joint warfighting IT capabilities between U.S. forces and mission partners, modernizing information networks, optimizing IT governance, and cultivating a digital workforce.
As noted in the 2023 update, the Federal Communications Commission (FCC) announced its new Privacy and Data Protection Task Force in June 2023. Since its inception, the Task Force has been active in various enforcement and rulemaking efforts.
Enforcement. The FCC also levied large fines and settled several claims related to company data practices. In April 2024, the FCC fined American wireless carriers nearly $200 million for allegedly sharing their customers’ location data without consent. The FCC Enforcement Bureau investigation found that the carriers sold location data access to aggregators, who then resold the access to third parties, in an alleged attempt to offload their obligation to obtain customer consent.
In June 2024, a leading Latin American telecommunications company agreed to pay $100,000 to resolve allegations that the company failed to report a data breach in a timely manner in violation of FCC rules and conditions of Liberty’s license. In July 2024, the FCC announced a $34.6 million settlement and consent decree with a phone captioning company to resolve allegations that the company unlawfully retained call content beyond the duration allowed and submitted inaccurate information to the Telecommunications Relay Service (TRS) Fund Administrator. Also in July 2024, the FCC announced a $16 million settlement with an American wireless prepaid service provider to resolve allegations that the company failed to reasonably protect customer information in connection with multiple data breaches. In September 2024, a major American wireless carrier entered into a $13 million settlement with the FCC regarding a data breach of a cloud vendor for the carrier, exposing customer information that the vendor was supposed to have destroyed. The FCC faulted the carrier for failing to ensure the vendor had destroyed the data. Also in September 2024, another major American wireless carrier reached a $31.5 million settlement with the FCC to resolve investigations into multiple data breaches, including access to the names, addresses, dates of birth, and Social Security numbers for 47.8 current, former, and prospective customers. The $31.5 million settlement consisted of a $15.75 million penalty and a $15.75 million investment by the carrier into its cybersecurity infrastructure.
TCPA Rulemaking. The FCC continued its focus on curtailing robocalls and robotexts by adopting new rules in February 2024. While previous rules have made it clear that consumers have a right to revoke their consent to receive automated calls and messages, the new rules require that revocation requests be honored within a reasonable time, not to exceed 10 business days from receipt. The rules also codified the FCC’s previous ruling that consumers can revoke their consent through any reasonable means.
Approved in December 2023, TCPA rules requiring lead generators, comparison shopping websites, and similar companies to obtain a consumer’s prior express written consent to receive automated calls from each marketing partner went into effect on January 25, 2025.[105] A February 3, 2025 decision from the Eleventh Circuit Court of Appeals recently vacated this “one-to-one consent rule” under the TCPA, which may create uncertainty for other recent TCPA regulations.[106]
Cyber Trust Mark. In March 2024, the FCC voted to create a voluntary cybersecurity labeling program for devices that meet certain cybersecurity and privacy standards. Qualifying products will bear a label including a new “U.S. Cyber Trust Mark” to help consumers differentiate trustworthy products and will also include a scannable QR code with additional product information. Examples of eligible products include smart home appliances and fitness trackers.
State attorneys general continued to lead the charge as privacy regulators in 2024, enforcing both existing consumer protection laws and comprehensive data privacy laws that an increasing number of states are enacting. Attorneys general have not been alone in their work, however, as other state agencies, including new dedicated privacy regulatory agencies, work in tandem with attorneys general. State agencies and state attorneys general are expected to be particularly active and continue the trend in 2025 in light of the Trump administration’s predicted reduction in enforcement activity at the federal level.
In 2024, the California Privacy Protection Agency (CPPA) began to take a more active role in privacy regulation and enforcement in California. In January 2024, the agency launched a website dedicated to enlightening the public regarding privacy rights and, throughout the year, announced partnerships and initiatives related to strengthening privacy protections. The CPPA also published its first two California Consumer Privacy Act (CCPA) enforcement advisories, addressing the application of data minimization to consumer requests and avoidance of dark patterns, respectively. Along with the enforcement advisories, the CPPA and AG have issued confidential notices of violation to various companies, including, but not limited to the scope of their enforcement advisories.
Additionally, the CPPA announced changes to its leadership. After over three years leading the CPPA, Executive Director Ashkan Soltani stepped down from his position, effective January 2025. Tiffany Garcia, the former Chief Deputy Executive Director of the CPPA, will serve as Interim Executive Director until a permanent replacement is named. Before joining the CPPA, Garcia served for four years as Deputy Secretary for Fiscal Policy and Administration at the California Business, Consumer Services and Housing Agency.
On January 1, 2024, the California Department of Justice transferred administrative responsibility for the state’s data broker registry to the CPPA. In October 2024, the CPPA announced a public investigative sweep of data broker registration compliance. The CPPA subsequently announced a series of settlement agreements with data brokers resolving claims that the companies failed to register and pay required fees, which is subject to a $200 fine per day. In December 2024, the CPPA voted to adopt regulations substantially increasing the fees for data broker registration from $400 to $6,600 and clarifying procedural requirements under California’s Delete Act, which requires data brokers to register with the CPPA.
In November, the CPPA advanced draft CCPA regulations on cybersecurity audits, risk assessments, and automated decisionmaking technology (ADMT) to the formal rulemaking process. The notice and comment period was open from November 22, 2024 until February 19, 2025. In addition to adding rights and requirements for the use of ADMT (described in detail in the ), the proposed regulations would revise the existing CCPA regulations to require businesses to conduct cybersecurity audits and risk assessments. These changes include an expansion of the definition of sensitive personal information, additional requirements for implementing consumer rights, and updates to the opt-out framework. Gibson Dunn has laying out the significant issues with the draft regulations.
Though the CPPA has begun privacy enforcement in California, the California Attorney General (CA AG) continued to play an active role in enforcing the CCPA in 2024. In January 2024, the CA AG announced an investigative sweep focused on streaming services. The CA AG also announced two settlement agreements under the CCPA in 2024. The first, with a major tech company, handled by Gibson Dunn, addressed the CCPA’s requirement that a business disclose and provide consumers the right to opt out of the selling or sharing of their personal information. The settlement agreement required a low settlement penalty of $375,000 and injunctive terms that reiterated existing requirements of the law but notably did not require any changes to business practices. The second settlement, which the CA AG brought with the Los Angeles City Attorney, resolved claims that a mobile game company violated the CCPA and COPPA by failing to obtain parental consent for collecting and sharing children’s data from a mobile app. In addition to a $500,000 civil penalty, the settlement agreement requires the company to obtain consent for processing children’s and teens’ personal information, provide a just-in-time notice when children’s data is sold or shared, and properly configure third-party software-development kits to comply with children’s data legal requirements.
In 2024, state attorneys general in other states began to enforce their recently enacted state comprehensive privacy laws and build out privacy enforcement infrastructure. For example:
- The Texas Attorney General (Texas AG) has been particularly active in enforcing Texas’s data protection laws. In June 2024, the Texas AG announced the launch of a data privacy and security initiative, establishing a dedicated data privacy protection team. Focused on the sale of geolocation data, the Texas AG opened an investigation into car manufacturers’ collection and sale of driver data and subsequently brought a lawsuit against a car manufacturer under the Deceptive Trade Practices Act. The Texas AG issued notices of violation to multiple other companies for allegedly sharing sensitive user data without proper notice and consent under the recently effective Texas Data Privacy and Security Act and notifications of apparent failure to register as data brokers to over 100 companies a few months after the close of the Texas Data Broker Law’s initial registration period. Gibson Dunn has advised clients in response to many confidential investigations and notices over the past year. The Texas AG also filed a complaint against a popular social media platform under the SCOPE Act, alleging that the company failed to obtain parental consent before sharing, disclosing, or selling a minor’s personal information and failed to offer required parental controls.
- In February 2024, the Connecticut Attorney General (CT AG) published a report describing enforcement actions under the Connecticut Data Privacy Act in the first six months since the law took effect. The report states that the CT AG has issued numerous warning letters, received 30 complaints, and issued inquiries and cure notices addressing deficiencies in privacy policies, sensitive data, teen data, and data brokers.
- In December 2024, the Colorado Department of Law adopted rules updating language in the Colorado Privacy Act Regulations to include newly adopted definitions of biometrics and adding a process for issuing opinions and guidance. Additionally, as part of a roll-out process, the Colorado Attorney General recognized Global Privacy Control (GPC) as the first universal opt-out mechanism to meet the CPA’s standards, and required businesses to implement GPC opt-outs by July 2024.
- The Oregon and Virginia Attorneys General have initiated confidential investigations into compliance with their newly effective state privacy laws, some of which have been handled by Gibson Dunn.
- Ahead of the January 1, 2025 effective date of the New Hampshire Data Privacy Act, the New Hampshire Department of Justice announced the creation of a data privacy unit. Delaware created a Personal Data Privacy Portal in anticipation of the Delaware Personal Data Privacy Act, which also took effect January 1, 2025.
III. Civil Litigation Regarding Privacy and Data Security
Data breaches and cybersecurity incidents have continued to pose a threat to businesses, resulting in substantial economic losses and putting companies at risk of litigation. According to the Identity Theft Research Center (ITRC), although there were fewer data breaches in 2024 than in 2023—2,850 as opposed to 3,122 total data breaches—due to the scale of some of the 2024 breaches, the number of data breach victims actually increased by 257% from 2023. We summarize a few of the notable data breach suits below.
A large telecommunications company faced multiple class action lawsuits stemming from a data breach that allegedly resulted in the exposure of approximately 73 million account holders’ personal data.[107] These class actions have now been transferred to and consolidated in the Northern District of Texas, alleging claims for, among other things, negligence, breach of contract, and unjust enrichment.[108] The class actions also allege that the telecommunications company violated state consumer protection laws, deceptive and unfair trade practices laws, and personal consumer information laws.[109]
A federal court denied a pharmaceutical wholesaler’s motion to dismiss, finding that plaintiffs had adequately pleaded standing in seeking damages for the risk of future harm resulting from a data breach.[110] Specifically, the court found that, because the plaintiff had pleaded actual attempted misuse, standing had been adequately pleaded, even though the attempted misuse was prevented by the Social Security Administration.[111]
A pair of recent decisions also provide insight into the role that fiduciary duty claims play in data breach litigation. In November 2024, the Supreme Court of Alabama affirmed a lower court dismissal of a data breach class action against a management consulting firm, which had allegedly collected sensitive personal and health information from employees, patients, and vendors, and for which the submission of sensitive personal information is a prerequisite for employment.[112] The court affirmed the dismissal of the case due to lack of standing and failure to sufficiently plead claims, including because the plaintiff failed to plead that a fiduciary duty existed between her and her former employer.[113] Specifically, the court held that, although Griggs argued that NHS has influence and dominion over Griggs and her data, under Alabama precedent a principal or employer is not the fiduciary of the agent or employee, and Griggs failed to provide any support for the court to make an exception in her case. In a July 2024 decision out of the Northern District of Georgia, a court found that a plaintiff had sufficiently pleaded evidence to show a fiduciary relationship existed between the plaintiff and a company that retained health information.[114] Unlike the Alabama case, the Georgia case did not involve an employer-employee relationship. The Northern District of Georgia court allowed breach of fiduciary duty claims, determining that “in some circumstances, the retention of private information that patients provided while seeking medical care can create a fiduciary duty under Georgia law.”[115]
Additionally, 2024 saw a number of significant data breach settlements that will shape what new cases are filed and negotiations in existing cases:
- A health network agreed to a $65 million settlement, which was later approved by the court, to resolve the claims of nearly 135,000 patients and employees whose personal data was breached due to a ransomware attack, including more than 600 patients who had their personal medical-record photos posted on the internet after the health network refused to pay the ransom.
- A personal genomics company agreed to a $30 million settlement to resolve a multi-district class action brought on behalf of more than six million customers who claimed that their personal data was stolen, including, for a small set of customers, information about their health based on the analysis of their genetic data.
- A mobile payment company and its subsidiary agreed to a $15 million settlement to resolve claims stemming from two separate data breaches, one by a former employee and another by third parties that used old phone numbers to access users’ accounts, that allegedly exposed the personally identifiable information, account numbers, and trading activity of more than 8.2 million users.
B. Wiretapping and Related Litigation Concerning Online “Tracking” Technologies
The flood of lawsuits brought under federal and state wiretapping statutes continued in 2024, with hundreds of cases being filed, frequently by the same plaintiff law firms. Many technology companies offer web- and app-based tools (such as software development kits, pixels, chat features, or similar tools) that web and app developers can use to track users’ activity on their website or app. Plaintiffs have brought lawsuits alleging that the use of these tools in a variety of different sectors (such as healthcare, video, finance, and more) violates federal and state wiretapping statutes by “recording” (or “eavesdropping” on) plaintiffs’ activity on websites and apps (which plaintiffs characterize as their “communications” with web and app developers). For example, plaintiffs have alleged that third-party technology companies were able to “wiretap” and “eavesdrop” on their online chat communications with businesses through the technology used to implement those chat features.[116] Some of these lawsuits were filed directly against the developers that own the websites and apps at issue.[117] Others were filed against the companies that offer this technology to web and app developers and allegedly receive the communications at issue.[118]
As described in last year’s Review, the plaintiffs in these cases often bring claims under both the federal Wiretap Act and state wiretapping laws, which can carry high penalties for violations. The federal Wiretap Act is a one-party consent statute, so there is no liability if even one party to a communication consents to share it unless the communication is intercepted for the purpose of committing a crime or tortious act.[119] The Act provides for statutory damages consisting of $100 a day for each day of violation or $10,000, whichever is greater.[120] Some states have adopted more restrictive two-party (or all-party) consent statutes while also providing for high statutory damages. For example, California’s wiretapping and eavesdropping laws prohibit wiretapping or eavesdropping on communications without the consent of all parties involved and provide for $5,000 in statutory damages per violation.[121]
These claims continue to be especially difficult to defend against at early stages of the case, as courts in 2024 have sometimes refused to consider a defendant’s privacy policy to show consent at the motion-to-dismiss stage.[122] A significant number of these cases have continued to survive past the pleadings stage, though several others have been dismissed outright.[123] In one significant decision, a California federal district court dismissed wiretapping and other privacy-based claims against a technology company based on the plaintiffs’ failure to plausibly allege that the company intended for third parties to use its pixel technology to send sensitive health information (contrary to the company’s instructions).[124] This decision teed up an intra-District split on the proper standard for assessing intent for wiretapping claims in the Northern District of California, where many of these cases are brought.[125] In addition, the caselaw has continued to develop regarding what sort of harm plaintiffs must show to pursue a claim, with some courts finding a statutory violation sufficient (based on an asserted privacy injury)[126] and others requiring more in light of a 2021 U.S. Supreme Court decision.[127]
There were more decisions in 2024 at the summary judgment stage as well, with mixed results. For example, a California federal court granted summary judgment for the defendant web developer on the plaintiff’s California wiretapping claim.[128] The plaintiff alleged the defendant violated California’s wiretapping statute when she visited the defendant’s website, because her keystrokes were recorded by computer code embedded on the website.[129] The plaintiff claimed that this recording violated the California wiretapping statute’s prohibition on “read[ing] or attempt[ing] to read or learn the contents or meaning of electronic communications” without the consent of all parties to the communication.[130] The court held the defendant did not “read, attempt to read, or to learn the contents or meaning” of the communications because the keystrokes were immediately “hashed,” or transformed into an “incomprehensible alphanumeric string called a hash,” and the unhashed information was not retained anywhere.[131] As another example, another California federal court granted summary judgment for the defendant social media companies on the plaintiffs’ federal and California wiretapping claims.[132] The plaintiffs alleged the defendants’ web-based tools collected and sent their information when they visited websites that used those tools.[133] The court held plaintiffs had not produced any evidence that the defendants had intercepted the “contents” of their communications as required under the federal and California wiretapping claims, and that even if plaintiffs had done so, it did not appear the defendants had obtained any communications “during transmission” as to one of the two tools.[134] By contrast, another California federal court denied in substantial part a technology company’s motion for summary judgment in a lawsuit where the plaintiffs alleged their private health information entered into a period-tracking app was surreptitiously shared with the technology company through the company’s software development kit embedded on the app.[135] The court permitted the plaintiffs’ federal and California wiretapping claims to proceed, finding “factual disputes” existed regarding “the alleged transmission of data via [the defendant]’s SDK, and its subsequent use vel non.”[136]
In 2024, certain tracking technology cases also reached preliminary or final settlements encompassing wiretapping claims. For example, the plaintiffs filed an unopposed motion for final approval of the parties’ proposed class action settlement in a case based on a technology company’s purported surreptitious tracking of users’ web-browsing activity even when users browsed in “Incognito mode.”[137] Included as part of this “groundbreaking settlement that yields substantial benefits” for class members are the technology company’s agreements to rewrite its disclosures to inform users that it collects private browsing data, to “delete and/or remediate billions of data records that reflect class members’ private browsing activities,” and to permit users in Incognito mode to block third-party cookies by default.[138] Under the terms of the settlement, class members retain their right to sue the defendant individually for damages, including for the “significant statutory damages available under the federal and state wiretap statutes.”[139]
The federal Computer Fraud and Abuse Act (CFAA) generally makes it unlawful to “intentionally access a computer without authorization” or to “exceed[] authorized access.”[140] As described in last year’s Review, the U.S. Supreme Court’s decision in Van Buren v. United States, 593 U.S. 374 (2021), subsequent cases, and the Department of Justice’s decision in 2022 to narrow its CFAA enforcement policies have limited the CFAA’s legal and practical scope. Decisions this past year have continued to grapple with the proper scope of the CFAA and similar state statutes, such as California’s Comprehensive Data Access and Fraud Act (CDAFA).
In 2024, courts continued to confront questions about the scope of “authorization” under the CFAA. For example, in July 2024, a federal jury in Delaware found that an online travel agency violated the CFAA by using an airline’s website without authorization or in excess of its authorized access.[141] The airline characterized the travel agency’s unauthorized use of its website as “screen scraping,” which the airline defined as “using an ‘automated system or software . . . to extract data from [the airline’s] website for commercial purposes,’ such as selling [the airline’s] flights on websites other than [the airline]’s.”[142] According to the airline, the travel agency continued screen scraping even after the airline sent cease-and-desist letters and developed a program to block such unauthorized activity.[143] The jury awarded $5,000 to the airline, which represented the amount of “actual economic harm” caused by the travel agency’s violation of the CFAA.[144] Following the jury verdict, the travel agency filed a motion for judgment as a matter of law, arguing in part that the airline failed to prove that it suffered a loss of at least $5,000 in any one-year period, as required under the CFAA.[145] The court agreed, granting judgment in favor of the travel agency.[146] The court entered an amended judgment in accordance with its ruling on January 31, 2025.[147] This was one of the first civil trials involving a CFAA claim.
Other 2024 decisions similarly addressed the meaning of “authorization” under the statute. In a case before the Sixth Circuit, an IT administrator created company email accounts for potential buyers of the company to use.[148] When the potential purchase fell through, the IT administrator searched the buyers’ email accounts to preserve certain emails for litigation purposes.[149] The Sixth Circuit held that the IT administrator’s actions were not “without authorization” because, as the manager of the email accounts, he had undisputed authorization to access them.[150] The Sixth Circuit next considered whether the IT administrator’s actions “exceed[ed] authorization,” observing that “[d]etermining the parameters of authorization . . . is not always easy to pin down.”[151] But the court ultimately did not decide the issue, finding the IT administrator did not violate the statute because the CFAA prohibits only “intentionally” exceeding authorized access, and the administrator “lack[ed] notice that his access [was] unauthorized.”[152] The Sixth Circuit thus affirmed summary judgment in favor of the defendants.
As another example, in a federal Idaho case, a company alleged that three of its former employees improperly accessed its internal healthcare record system to obtain confidential and proprietary information to form a competing business.[153] While they were employed by the company, the three defendants were all issued credentials to access the system.[154] After one defendant was fired, he allegedly increased another defendant’s permissions in the system, which the latter defendant used to access material he was not otherwise authorized to access. The court pointed to Van Buren v. United States, 593 U.S. 374 (2021), noting the Supreme Court had indicated “the question of authorized access is a ‘gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.’”[155] The court went on to note that the Supreme Court “left open the issue of ‘whether [the authorization] inquiry turns only on technology (or ‘code-based’) limitations on access, or instead also looks to limits contained in contracts or policies.’”[156] Because one defendant had allegedly wrongfully expanded the other defendant’s access beyond what was authorized, the court held it could not conclude at the motion-to-dismiss stage that such conduct fell outside the scope of the CFAA.
Courts have also grappled with issues under state-law analogs to the CFAA, which plaintiffs sometimes invoke alongside wiretapping and other privacy-related claims. One such statute, the CDAFA, is California’s version of the CFAA, and its provisions “generally prohibit[] tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems.”[157] The CDAFA creates a private right of action against any person who commits certain listed violations “for compensatory damages and injunctive relief or other equitable relief.”[158] “Access” under the statute means to “cause output from” the “logical, arithmetical, or memory function resources of a computer.”[159] Only someone who has “suffer[ed] damage or loss by reason of a violation” of the statute may bring a civil action.[160]
As was the case last year, in 2024, several district courts considered CDAFA claims as part of the recent wave of litigation related to website tracking technologies. Of particular note is what appears to be a growing divide among the district courts on the issue of whether the loss of value in a plaintiff’s data can qualify as “damage or loss” under the statute.
Most courts have held that the loss of value of personal data is not enough to show “damage or loss” under the CDAFA.[161] For example, a California district court dismissed the plaintiffs’ CDAFA claim in a case where the plaintiff alleged her interactions with her medical center’s online patient portal, including her private medical data, were surreptitiously forwarded to certain third parties due to the center’s use of tracking pixels on its website.[162] The plaintiff argued the loss of value of her data constituted “damage or loss” under the CDAFA. The court rejected that argument, holding that the “loss of the right to control [one’s] data, the loss of the value of [one’s] data, and the loss of the right to protection of the data” are not losses covered by the CDAFA.[163]
Some courts, however, have accepted the lost-value-of-data theory. For example, in a federal California case, the plaintiff alleged that his personal information entered into a chat feature on the defendant’s website was surreptitiously shared with other companies due to the code used to support the chat feature.[164] The court declined to dismiss the plaintiff’s CDAFA claim, holding the plaintiff had sufficiently alleged that the defendant “has a stake in the value of his misappropriated data.”[165] The court pointed to the Ninth Circuit’s decision in In re Facebook, Inc. Internet Tracking Litigation, 956 F.3d 589 (9th Cir. 2020), for support, reasoning that the Ninth Circuit had found the plaintiffs in that case “had sufficiently alleged their [data] carried financial value” under the CDAFA.[166]
Originally enacted in 1991, the Telephone Consumer Protection Act (TCPA) regulates certain forms of telemarketing activities and the use of automatic telephone dialing systems (ATDS).[167] TCPA litigation historically centered on issues concerning the technical definition of an ATDS, but in 2021, the Supreme Court clarified and restricted that definition in Facebook Inc. v. Duguid, endorsing a narrow reading that limits an ATDS to devices that store or produce telephone numbers by using a random or sequential number generator.[168] With the definition of an ATDS largely resolved, the interpretation of other key provisions in the TCPA has become the focus of ongoing litigation.
In one notable decision in 2024, the Fourth Circuit reversed the dismissal of a putative class action, holding that the plaintiff alleged facts sufficient to state a claim that the defendant’s fax invitation to attend a free webinar constituted an “unsolicited advertisement” under the TCPA.[169] The court held that it is reasonable to infer that the free webinar had a “commercial character,” even though specific products were not mentioned in the fax.[170] The court further reasoned that, by accepting the defendant’s fax invitation, the plaintiff would have potentially provided contact information and consent to future promotional materials—which gave the fax the requisite “commercial nexus” to the defendant’s business.[171]
On the other hand, the Fourth Circuit held in a different case that the TCPA does not apply to faxes that are received through online fax services.[172] The court reasoned that because an online fax service does not receive an electronic signal “over a regular telephone line” or have the capacity to transcribe text or images “onto paper,” it does not meet the statute’s definition of a “telephone facsimile machine.”[173]
Looking ahead, the Supreme Court is expected to issue a decision in a case that addresses whether the Hobbs Act, which limits the judicial review of FCC final orders to appellate courts, requires a federal district court to accept the FCC’s interpretations of the TCPA.[174] Because the FCC’s interpretations can affect how courts evaluate claims and defenses in TCPA actions, this decision could have a significant impact on how these cases are litigated and resolved.
The CCPA provides a limited private right of action, allowing consumers, individually and as a class, to pursue civil litigation when their personal information falls subject to “unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.”[175] The CCPA provides for the greater of either statutory damages—between $100 and $750 per consumer per incident—or actual damages, plus injunctive or declaratory relief, and any other relief a court deems appropriate.[176] In practice, this private right of action is used almost exclusively to address data breaches. While there was not significant movement in 2024 on these issues, some courts have issued rulings supporting an expansive interpretation of what constitutes a “data breach” subject to the private right of action. Moreover, in 2024, several courts focused on the threshold consideration of whether defendants qualified as a “business” subject to the CCPA, as well as defenses to the CCPA. The details of these rulings are summarized below.
In several suits over the past year, courts did not reach the merits of alleged violations of the CCPA because they first assessed whether a defendant was subject to the private right of action. Courts generally interpreted the statute to require that the defendant qualify as a “business”—an entity that collected or otherwise made determinations about how to process plaintiffs’ personal data—to be subject to the statute’s private right of action, though they differed on whether a traditional service provider could be sufficiently subject to those requirements.[177] For example, in a putative class action against a debt collection and accounts receivable management company, the court dismissed the CCPA claim, holding that though plaintiffs did plead that the company “obtained” and “received” the plaintiffs’ PII, the complaint did not allege that the defendant “determined how and why [plaintiffs’] PII should be processed.”[178] In another suit, the court held that a cloud-based software company did not qualify as a “business” because enabling the secure transfer of files by hosting them on the company’s file-sharing software did not amount to “determin[ing] why and how consumers’ PII was processed.”[179] However, in a suit against a health information technology company, the court held that the defendant’s use of plaintiffs’ PII “to develop, improve, and test” the defendant’s services—a common type of processing by “service providers”—was sufficient to make it subject to the CCPA.[180]
Another court addressed the scope of a data breach, effectively doubling down on prior courts’ broadening of the common understanding of the triggering event required for the private right of action. In that case, plaintiffs brought a putative class action against a mental healthcare company that was alleged to have been disclosing users’ mental health information to a third party without providing notice to users.[181] The company moved to dismiss the plaintiffs’ CCPA claim, arguing that the CCPA’s private right of action applies only to traditional data breaches.[182] The court disagreed and denied the motion to dismiss the claim, holding that courts have allowed CCPA claims to “survive a motion to dismiss where a plaintiff alleges that defendants disclosed plaintiff’s personal information without his consent due to the business’s failure to maintain reasonable security practices.”[183]
In 2024, defendants continued to invoke CCPA defenses, such as narrow exemptions and the statute’s notice requirement, with varying success.
International Law Firm. After an international law firm discovered a significant cybersecurity breach of its systems, plaintiffs brought a putative class action lawsuit against the firm asserting multiple claims, including violations of the CCPA.[184] The firm argued in part in its motion to dismiss that because the named plaintiff was employed by one of the defendant’s clients, the “business-to-business” exception applied because the defendant received his data as part of a business-to-business transaction.[185] Though this exemption expired on January 1, 2023, it was in place at the time of the 2021 data breach, so the court dismissed the plaintiff’s claim with prejudice.[186] Though defendants can no longer rely on this exemption for data breaches taking place in 2023 and beyond, this case serves as a reminder that it remains a viable defense to breaches occurring before that time.
Hotel and Casino Entity. A hotel and casino entity was subject to a data breach in November 2022, in which the PII of thousands of customers was accessed by hackers.[187] A class action suit was brought against the entity asserting multiple claims, including violations of the CCPA.[188] The entity contended plaintiffs’ claim for statutory damages under the CCPA was barred because notice of the CCPA claim was untimely.[189] One of the named plaintiffs had filed his individual complaint—which did not assert a CCPA claim—and mailed a CCPA pre-suit notice on the same day.[190] Several months later, plaintiffs filed a consolidated complaint which included a statutory damages CCPA claim.[191] The court held that the plaintiffs had satisfied the notice requirement because the defendant was provided with the required cure period before the plaintiff brought the claim to court.[192] The court further held that the allegations in plaintiff’s letter were sufficient to provide statutory notice and that the defendant’s measures taken after receipt of the letter did not cure the unauthorized release of the plaintiffs’ data and were instead designed to address future threats.[193]
2024 was another active year for Illinois’s Biometric Information Privacy Act (BIPA). There were both plaintiff- and defense-friendly developments, as well as a novel, significant settlement. Of note for plaintiff-friendly developments, courts permitted a complaint against a cloud service provider to survive a motion to dismiss, and concluded that plaintiffs located outside Illinois may be able to bring BIPA claims against defendants who allegedly process their data within Illinois. The year also saw some of the most important pro-defendant developments in recent years, which collectively limit the scope of BIPA to a considerable extent. Most notably, the Ninth Circuit held that biometric data must be capable of identifying the plaintiff to be subject to BIPA, and the Illinois state legislature amended BIPA to greatly reduce the likelihood that a plaintiff may recover an astronomical damages award. In addition, district courts recognized limitations on BIPA, including that the statute doesn’t apply when the defendant doesn’t control the data at issue, and that a plaintiff has to plead specific facts in order to rely on a theory that her biometric data was included in an AI model’s training dataset.
In a putative class action against a cloud service provider in the U.S. District Court for the Western District of Washington, a plaintiff alleged that the cloud service provider violated BIPA by allowing a third-party video game publisher to use its cloud computing services to facilitate the use of biometric data.[194] Specifically, the complaint alleged that a feature offered by the video game publisher, which allowed users to upload facial images that the game publisher then used to create a customized player resembling the user, involved the creation of a scan of face geometry (a biometric identifier under BIPA) and that the provider received the plaintiff’s scan from the video game publisher, transmitted it to third-party gaming platforms, and stored it on its servers. A magistrate judge recommended that the provider’s motion to dismiss be denied. The court reasoned that, despite the provider’s assertion that it “had no ability to access users’ biometric data and [was] unaware of [its] receipt of such information,” the court must take as true the allegation that the provider “knowingly obtained” the data and that it remained in the provider’s “control” as the provider “disseminate[d] and store[d] it” on its servers.[195] Thus, the court concluded that the plaintiff had plausibly alleged both the provider’s “possession” and “collection” of biometric data, even absent any allegation that the provider itself had “extracted Plaintiff’s face geometry.”[196] The district court ultimately adopted the magistrate judge’s report and recommendation,[197] and shortly thereafter, the parties reported that they had reached a settlement.[198] The outcome of this case may signal an increased risk faced by service providers based on conduct undertaken by their clients.
Customers of a sandwich chain filed a putative class action against the company, alleging that it violated BIPA by recording its drive-through customers’ voice interactions and, using technology located at its corporate headquarters in Illinois, extracting from each recording a unique voiceprint.[199] The company moved to dismiss, arguing in part that BIPA shouldn’t be applied extraterritorially to two of the named plaintiffs, who visited the company’s drive-throughs in Indiana and Tennessee rather than Illinois. The district court denied the motion to dismiss, reasoning that the two named plaintiffs who never used a drive-through in Illinois had nonetheless “alleged that the extraction, collection, analysis, and use of their voiceprints all occurred at Defendant’s headquarters in Illinois” and that such allegations provided a sufficient nexus to Illinois.[200] However, the court was careful to qualify that “discovery may reveal that the connection to Illinois is sufficiently tenuous as to warrant revisiting the matter at the summary judgment stage.”[201] The decision could lead other plaintiffs located outside the borders of the State of Illinois to bring BIPA claims under a theory that the defendant processed their biometric data within the state. It remains to be seen, however, whether other courts will be receptive to such a theory.
iii. Biometric Data Must Be “Capable of Identifying” the Plaintiff
In a notable case before the Ninth Circuit this year, the plaintiff was a non-user of a social media platform who appeared in user-uploaded photos. The platform processed those photos with facial-recognition technology in an effort to identify consenting users, in connection with a feature that helped users tag their photos. The plaintiff argued for a sweeping interpretation of BIPA: that the social media company needed to obtain consent to the use of facial recognition from every anonymous non-user who appeared in a photo uploaded by a user.[202] The plaintiff’s reading effectively would have outlawed facial-recognition technologies like the defendant’s, as well as many popular biometric identification technologies, such as most biometric security systems.
In the first appellate ruling of its kind, the Ninth Circuit affirmed the district court’s judgment for the defendant on the ground that BIPA applies only to data that can be used to identify the plaintiff, and therefore does not apply to the anonymous data that the company created from photos of non-users for the purpose of determining whether they were users of the service who had consented to identification. The decision effectively overruled earlier rulings from courts within the Ninth Circuit, which had held that data is covered by BIPA so long as it meets the plain meaning of a “scan of face geometry”—a type of “biometric identifier” under the statute.[203] The ruling is potentially a watershed development. By its terms, the ruling significantly cabins the reach of BIPA, curtailing the ability of individuals anonymous to the defendant (such as non-users of a product or service) to bring suit under the statute.
District courts have since applied this ruling to the same effect. One court in the Northern District of Illinois dismissed a BIPA claim against a consumer electronics company.[204] The plaintiff had alleged that the company collected data subject to BIPA when its technology analyzed photos on users’ phones and tablets to create “unique . . . digital face templates” for each person’s face, which it used to recognize the same face in multiple photos and group together photos of that same face.[205] Relying on the Ninth Circuit’s ruling, the court explained that the plaintiffs failed to allege that the company had created data “capable of identifying a person’s identity.”[206] Although the technology “group[ed] unidentified faces together,” it was the device’s users who had the option to “add names to the face[]” groupings.[207]
The Ninth Circuit’s ruling is a significant, defense-friendly development, and its precise contours will continue to be developed through litigation at the district court level.
In a sweeping decision, the Illinois Supreme Court held in 2023 that a BIPA violation accrues each time a private entity collects or discloses biometric data without prior informed consent, not just upon the first collection or disclosure.[208] The court acknowledged the defendant’s concerns that this broad reading of the statute could lead to “annihilative liability” but determined that “policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature.”[209] The court concluded its decision with a “respectful[] suggest[ion] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”[210]
In 2024, the legislature heeded the Illinois Supreme Court’s call and amended BIPA to address companies’ concerns about astronomical damages awards.[211] As amended, BIPA now clarifies that a plaintiff can recover from a defendant only once under section 15(b) for violations involving the collection of “the same biometric identifier or biometric information from the same person using the same method of collection” and once under Section 15(d) for violations involving the disclosure of “the same biometric identifier or biometric information from the same person to the same recipient” where such data was collected “using the same method of collection.”[212] The amendment greatly reduces the likelihood that an individual plaintiff can recover an outsized damages award under the statute. However, courts are currently split on the question of whether the amendment applies retroactively.[213]
A plaintiff brought a putative class action against a software company under sections 15(a) and 15(b) of BIPA, alleging that the company “acquired [her facial scan] when third parties viewed her photograph with a device running the [] operating system owned and controlled by [the defendant].”[214] Notably, the plaintiff did “not allege that her biometrics were physically stored on [the defendant’s] hardware.”[215]
The Northern District of Illinois granted the defendant’s motion to dismiss. The court rejected the plaintiff’s argument that the company “possess[ed]” or “collect[ed]” the alleged facial scans simply because it (1) “designed, licensed, and updated the facial scan software on users’ devices”; (2) “exercised control over the device users’ ability to access and use the facial scan software”; and (3) “retained the ability to control whether and how a user could use the facial scan software.”[216] As the court explained, “control of the facial scan software is not the same as control of the facial scan data that is collected using the software” onto users’ own devices.[217] In other words, offering “a tool that can be used to collect a facial scan is not the same as actually doing the collecting.”[218]
The court’s decision is notable. It paves the way for defendants to seek dismissal of BIPA claims when it is clear from the face of the complaint that the alleged data at issue remains on physical devices or other hardware controlled by third parties and the defendant does not itself exercise any control over the data.
A plaintiff brought suit under BIPA against the developer of a mobile app that generates avatars from photos that users upload.[219] The plaintiff had never used the defendant’s app or personally uploaded his photos to it. Rather, his theory was that the defendant violated section 15(b) by training the AI model that powered the app on a publicly available dataset of five billion photos that allegedly included images of him.
Without reaching the merits of the plaintiff’s claims, the court dismissed the complaint for lack of standing. The court accepted the defendant’s argument that the plaintiff failed to provide a sufficient basis to conclude that his photos were even included in the dataset at issue. The plaintiff simply speculated that they might be, since the dataset was purportedly assembled by scraping popular social media sites that he uses.
The court’s decision confirms that a plaintiff must allege facts that make it at least plausible that his photos are at issue when predicating a lawsuit on an AI model-training theory.
In a multidistrict litigation, a group of plaintiffs brought a consolidated class action complaint against a facial recognition company, alleging (among other things) that the company “covertly scraped over three billion photographs of facial images from the internet and then used artificial intelligence algorithms to scan the face geometry of each individual depicted to harvest the individuals’ unique biometric identifiers and corresponding biometric information.”[220] The district court denied the defendant’s motion to dismiss with respect to the plaintiffs’ BIPA claims, concluding that the statute applies to “biometric data extracted from photographs.”[221]
Then, this year, the court granted preliminary approval of a global settlement of the litigation.[222] The proposed settlement is noteworthy for its novel terms: it would provide the class members a 23% stake in the company. At then-current potential valuations, the class members’ stake was estimated to be worth roughly $52 million. Counsel for the plaintiffs issued a statement that the defendant lacked the funds needed to pay a large settlement, so the parties worked instead to find “a creative solution.”[223] The settlement is yet to receive final approval.
In the first-ever lawsuit filed by the Texas Attorney General under Texas’s Capture or Use of Biometric Identifier Act (CUBI), Texas claimed a large social media company violated the statute by allegedly collecting biometric data without adequate consent from photos and videos that users uploaded to the platform as part of a suite of now-deprecated features relying on facial recognition technology.[224] The case had been set to go to trial in June 2024, but the parties ultimately settled, with the defendant agreeing to pay $1.4 billion without admitting liability.
Beyond BIPA and CUBI, there were also noteworthy decisions involving New York City’s Biometric Identifier Information Law this year.[225] A pair of decisions, one from the Southern District of New York and the other from the Western District of Washington, held that the prohibition on “profiting” from biometric data in New York City’s law is limited to transactions involving the data itself and does not extend to other benefits that the defendant may derive from the use of that data.
First, earlier this year, a plaintiff filed a complaint against a major live-entertainment company, alleging that the company violated New York City’s law by using facial recognition software to identify and exclude from its venues attorneys employed by law firms that are involved in litigation against it.[226] The law applies where a defendant “profit[s] from the transaction of biometric identifier information,” so the “question presented,” the court explained, was whether the “defendant profits when it shares biometric data with a third-party vendor to facilitate” the attorneys’ exclusion.[227] The court granted the defendant’s motion to dismiss. It concluded that the complaint failed to allege that the defendant profited from the transaction itself, as the statute requires.[228] Rather, the complaint asserted that the defendant “profits when it purchases a product or service,” a theory of liability that “defies common sense.”[229]
Second, a group of plaintiffs filed a putative class action against two retailers, alleging that their technologies that enable customers to simply walk out of their stores with their chosen products without queuing up at the checkout line violate New York City’s law.[230] The complaint alleged that one of the defendants profited from the plaintiffs’ biometric data by “sharing, leasing, trading or selling its . . . devices and databases by . . . allow[ing] [the defendant] to link individuals’ biometric information to other valuable forms of information[,] . . . allowing [the defendant] (or other third parties willing to pay [the defendant] for such packaged data) to make more targeted advertising, marketing, pricing, and promotional decisions.”[231] The court granted the defendants’ motion to dismiss. Citing the decision involving the live-entertainment company, the court rejected the plaintiffs’ argument regarding the statute’s profit element, concluding that “the profit Plaintiffs allege appears to ‘flow from [the defendant’s] employment of [a] broader program, albeit one advanced by biometric data sharing’”—an “unpersuasive” theory.[232] The court dismissed the plaintiffs’ claims against the other defendant as well, reasoning that they “fail to allege sufficient facts that [the defendant] plays any part in the control of the . . . technology or otherwise share in biometric identifier information as defined” under the statute.[233]
Daniel’s Law Ruled Constitutional. In 2024, a federal judge rejected a constitutional challenge to Daniel’s Law, a New Jersey privacy statute enacted in 2020 in response to the tragic murder of the son of a federal judge. The statute allows law enforcement officials and their immediate family members (Covered Persons) to request that any person, business, or association not disclose their home address or unpublished telephone numbers.[234] In 2023, amendments to the statute permitted Covered Persons to assign a Daniel’s Law claim to a third party, and provided for actual damages (set at a minimum of $1,000 as liquidated damages) for each violation, punitive damages upon a showing of willful or reckless disregard of the law, and reasonable attorneys’ fees and other litigation costs—triggering a surge of litigation against a wide range of businesses that interact with New Jersey residents.[235] In a suit involving a third-party assignee, defendants moved to dismiss the claims, arguing that Daniel’s Law is unconstitutional on its face because it violated the First Amendment and because it is a strict liability statute.[236] In November 2024, the District Court of New Jersey denied the motion to dismiss and held that Daniel’s Law is constitutional.[237] As a threshold matter, the court held that Daniel’s Law is a privacy statute, so its content-based regulation of speech was not subject to strict scrutiny.[238] Instead, the court applied the three-factor test that the Supreme Court has used for balancing the right of privacy against the right of free speech and concluded that Daniel’s Law passed this test.[239] The defendants also argued that the law was unconstitutional on its face as a strict liability statute, in that it provides for actual or liquidated damages for non-compliance without regard to fault.[240] The court rejected this argument as well, concluding that “Daniel’s Law must be read as imposing liability only if a defendant unreasonably disclosed or made available the home addresses and unlisted telephone numbers of covered persons after the statutory deadline had expired.”[241] Due to the exposure created by the statutory penalty of actual damages or $1,000 per violation and the short response window, this ruling has significant implications for any business interacting with New Jersey residents, and businesses should implement policies and procedures for complying with take-down requests in the 10-day window. Shortly after the ruling, the court issued an order permitting the defendants to appeal,[242] so we will continue to monitor this case in 2025.
Cellular Data as Property. In the first appellate decision addressing whether cellular data is property, the Ninth Circuit held that cellular data can be categorized as property that is subject to conversion.[243] Plaintiffs in a class action suit sued a major technology company alleging the company performed passive data transfers using plaintiffs’ cellular data without their knowledge or consent, asserting a claim for conversion under California law.[244] The court held in connection with a motion to dismiss that cellular data can constitute property for purposes of a conversion claim—which requires a showing that there is a property right at issue—because even though the data is intangible, it allows access to a cellular network, can be limited by a user’s data plan, is capable of exclusive possession or control, and can be valued, bought and sold.[245] The court also held that the plaintiffs plausibly alleged the company used their data in a way that was inconsistent with their own property interests.[246] The court observed that when the company transfers information from its own servers, the data spent during that transfer is allocated to the customer, and accordingly is treated by the wireless carrier as if it is data that the customers themselves used.[247] Therefore, the company’s use of plaintiffs’ cellular data to transfer the information prevented plaintiffs from using all the cellular data they purchased and was inconsistent with the plaintiffs’ property interests.[248]
Video Privacy Protection Act (VPPA) Litigation. Courts continued to determine the scope of the VPPA in 2024. One notable case focused on a narrow liability exception under VPPA and the level of scrutiny that should apply to VPPA. The Massachusetts District Court denied a motion to dismiss a class action suit filed against a broadcasting company where plaintiffs alleged the company disclosed their PII and viewing history to third parties without their consent.[249] The company argued that its actions fell within the narrow exception for disclosures made “incident to the ordinary course of business,” but the court held that the alleged “marketing, advertising, and analytics” uses of the data did not fall within the exception’s permissible uses.[250] The court also held that the alleged disclosures of consumers’ PII constituted commercial speech for First Amendment purposes and required application of intermediate scrutiny to VPPA, which it passed.[251]
Another federal district court dismissed a class action suit against a casino and entertainment company that owns and operates a website that offers online video games that users can access by registering for an account with their personal information.[252] The company installed a tracking tool on its website that the plaintiff alleged shares information about a user’s gaming history with a third party.[253] The court held the VPPA was inapplicable because the company did not qualify as a video tape service provider under the statute.[254] The court reasoned that video games do not constitute prerecorded content that is subject to the VPPA unless the video game is interlaced with “cut scenes” that are similar to prerecorded video clips.[255]
A California state court, meanwhile, denied class certification in a case asserting claims for invasion of privacy and for violations of the federal Wiretap Act, CIPA, and related common law claims arising from Meta’s offering of “Business Tools” to HBO and its alleged tracking of users’ video-viewing activities.[256] The court denied class certification because there was no classwide method to prove whether any particular video was viewed by a class member or by someone using their account: “an individualized inquiry is necessary to determine whether the data . . . reflects a particular class or subclass member’s own video-viewing behavior rather than the video-viewing behavior of a friend or family member who has accessed that individual’s HBO account.”[257]
A Georgia federal court, however, granted class certification in a VPPA case based on a theory similar to that in the California case above.[258] Plaintiff alleged that WebMD violated the VPPA because, by installing the “Facebook Pixel” on webmd.com, WebMD allegedly disclosed the video-viewing activity of its users to Facebook without their consent.[259] In granting Plaintiffs’ motion for class certification, the court rejected WebMD’s argument that an individualized inquiry would be required, noting that scenarios in which a user might have allowed someone else to use their computer, or in which a video was not working at the time when the user clicked on the link, were the “exceptions,” not the rule.[260] Specifically, the court wrote, “WebMD does not point to any instances in which its concerns became a reality nor does it point to any evidence regarding these concerns being anything more than exceedingly rare potential exceptions . . . the idea that class certification should be denied merely due to a possibility at this stage that a website gave a 404 error or a family member used someone else’s computer seems absurd.”[261]
State Video Privacy Statutes. The Ninth Circuit upheld district court dismissals of two class action suits against two major technology companies that alleged each company violated two state privacy statutes by unlawfully retaining users’ PII: the New York Video Consumer Privacy Act and the Minnesota Video Privacy Law.[262] Plaintiffs alleged that both state privacy statutes provide a private right of action for the unlawful retention of personal information, but the Ninth Circuit disagreed, holding that neither of the privacy statutes had such a private right of action.[263]
In 2024, the privacy and cybersecurity landscape in the U.S. continued to be defined by an expansion of state comprehensive privacy laws, and regulatory and enforcement activity led by federal and state agencies, as well as civil litigation brought by private plaintiffs. This was driven in large part by the rapid development and advances in data-intensive technologies like generative AI, the unrelenting cyber threat posed by malicious actors and foreign adversaries, and an increasing focus on protecting biometric data and children’s online privacy. We expect these trends to continue in 2025 as existing data-intensive technologies and use cases take hold and new ones emerge. In the absence of comprehensive federal legislation, we expect federal and state agencies to continue to lead the charge on the regulatory front and continue to aggressively pursue enforcement actions against companies and individuals. However, given the shift at the federal level driven by the Trump administration’s focus on deregulation, pro-innovation, and reversal of Biden-era policies around content moderation, AI, and digital assets, we expect a significant alteration in policy and enforcement priorities at the state and federal levels. We will continue to track and analyze these developments in the year ahead.
[1] Del. Code, tit. 6, § 12D-103(c)(13) (Delaware Personal Data Privacy Act).
[2] Iowa Code § 715D.1 to 715D.9 (Iowa Consumer Data Protection Act).
[3] See N.J. Rev. Stat. §§ 56:8-166.1(9)(a)(9); Mont. Code § 30-14-2801 to 30-14-2817; Colo. Rev. Stat. Ann. § 6-1-1309(1).
[4] “Sensitive data” is defined as “a category of personal data that includes the following:
- Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law.
- Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person.
- The personal data collected from a known child.
- Precise geolocation data.” Iowa Code § 715D.1 (26).
[5] Md. Code Ann., Com. Law § 14-4605(b)(7)(iii) (Maryland Personal Information Protection Act).
[6] Id. § 14-4607(A)(4).
[7] See N.J. Rev. Stat. §§ 56:18-1 to 56:18-14 (New Jersey Data Privacy Act); Neb. Rev. Stat. § 87-1102(25) (Nebraska Consumer Data Privacy Act); Fla. Stat. § 501.701-22 (Florida Digital Bill of Rights); Conn. Gen. Stat. Ann. § 42-520 (Connecticut Data Privacy Act); Tex. Bus. & Com. Code §§ 541.001 to 541.205 (Texas Data Privacy and Security Act).
[8] Minn. Stat. §§ 325O.01 to 325O.14 (Minnesota Consumer Data Privacy Act).
[9] N.J. Rev. Stat. §§ 56:18-1 to 56:18-14 (New Jersey Data Privacy Act).
[10] Tenn. Code §§ 47-18-3301 to 47-18-3315 (Tennessee Information Protection Act).
[11] Id. § 47-18-3213(a)(1)(A).
[12] Cal. Civ. Code § 1798.100 et seq. (California Consumer Privacy Act/California Privacy Rights Act); Colo. Rev. Stat. Ann. § 6-1-1308 et seq. (Colorado Privacy Act); N.J. Stat. Ann. § 56:18-1 et seq. (New Jersey Data Privacy Act).
[13] See, e.g., Virginia provides an opt out right of “the processing of the personal data for the purposes of . . . profiling [which is to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements automated decisionmaking] in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” Va. Code Ann. § 59.1-575, 577.
[14] Conn. Gen. Stat. Ann. § 42-515; Del. Code Ann. tit. 6, § 12D-101; Fla. Stat. § 501.701; Ind. Code § 24-15-1-1; Md. Code Ann., Com. Law § 14-4601; Mont. Code Ann. § 30-14-2801; Neb. Rev. Stat. § 87-1102; N.H. Rev. Stat. Ann. § 359-T:1; R.I. Gen. Laws § 6-48.1-1; Tenn. Code Ann. § 47-18-3301; Tex. Bus. & Com. Code § 541.001.
[15] Cal. Civ. Code § 1798.100; Colo. Rev. Stat. Ann. § 6-1-1308; Ky. Rev. Stat. § 367.390; Minn. Stat. § 3250.01; N.J. Stat. Ann. § 56:18-1; Or. Rev. Stat. § 646A.570; Va. Code Ann. § 59.1-575.
[16] Iowa Code § 715D.1; Utah Code Ann. § 13-61-101.
[17] California’s law does not directly provide a right to opt out, but instructs the California Privacy Protection Agency (CPPA) to issue regulations “governing access and opt-out rights with respect to a business’ use of automated decisionmaking technology.” Cal. Civ. Code § 1798.185(a)(15). The CPPA has drafted regulations on automated decisionmaking that include the right to opt-out, but the regulations are not yet final.
[18] Cal. Civ. Code § 1798.100; Colo. Rev. Stat. Ann. § 6-1-1308; Conn. Gen. Stat. Ann. § 42-515; Del. Code Ann. tit. 6, § 12D-101; Fla. Stat. § 501.701; Md. Code Ann., Com. Law § 14-4601; Minn. Stat. § 3250.01; Mont. Code Ann. § 30-14-2801; Neb. Rev. Stat. § 87-1102; N.H. Rev. Stat. Ann. § 359-T:1; N.J. Stat. Ann. § 56:18-1; Or. Rev. Stat. § 646A.570; R.I. Gen. Laws § 6-48.1-1; Tex. Bus. & Com. Code § 541.001.
[19] Ind. Code § 24-15-1-1; Iowa Code § 715D.1; Ky. Rev. Stat. § 367.390; Md. Code Ann.; Tenn. Code Ann. § 47-18-3301; Utah Code Ann. § 13-61-101; Va. Code Ann. § 59.1-575.
[20] 16 C.F.R. § 312.5(a)(1) (2013) (requiring operators to “obtain verifiable parental consent before any collection, use, or disclosure of personal information from children”).
[21] Cal. Civ. Code § 1798.100; Conn. Gen. Stat. Ann. § 42-515; Del. Code Ann. tit. 6, § 12D-101; Minn. Stat. § 3250.01; Mont. Code Ann. § 30-14-2801; N.H. Rev. Stat. Ann. § 359-T:1.
[22] N.J. Stat. Ann. § 56:18-1; Or. Rev. Stat. § 646A.570.
[23] Md. Code Ann., Com. Law § 14-4601.
[24] Colo. Rev. Stat. Ann. § 6-1-1308; Fla. Stat. § 501.701; Ind. Code § 24-15-1-1; Iowa Code § 715D.1; Ky. Rev. Stat. § 367.390; Neb. Rev. Stat. § 87-1102; R.I. Gen. Laws § 6-48.1-1; Tenn. Code Ann. § 47-18-3301; Tex. Bus. & Com. Code § 541.001; Utah Code Ann. § 13-61-101; Va. Code Ann. § 59.1-575.
[25] There is an implicit exception if businesses must retain data in order to comply with federal or state laws or regulations. Both statutes contain a blanket statement that nothing in the law should be construed to interfere with a business’s ability to comply with federal or state laws or regulations.
[26] As a representative example, Virginia provides that businesses may comply with a request to delete by “opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of this chapter.” Va. Code Ann. § 59.1-577(b)(5).
[27] States with requirement: Cal. Civ. Code § 1798.100; Colo. Rev. Stat. Ann. § 6-1-1308; Conn. Gen. Stat. Ann. § 42-515; Del. Code Ann. tit. 6, § 12D-101; Md. Code Ann., Com. Law § 14-4601; Minn. Stat. § 3250.01; Mont. Code Ann. § 30-14-2801; Neb. Rev. Stat. § 87-1102; N.H. Rev. Stat. Ann. § 359-T:1; N.J. Stat. Ann. § 56:18-1; Or. Rev. Stat. § 646A.570; Tex. Bus. & Com. Code § 541.001.
[28] States with requirement: Del. Code Ann. tit. 6, § 12D-101; Minn. Stat. § 3250.01; Or. Rev. Stat. § 646A.570; R.I. Gen. Laws § 6-48.1-3(a) (requiring that “all third parties to whom the controller has sold or may sell customers’ personally identifiable information” be identified in a “conspicuous location on its website”).
[29] States with requirement: Del. Code Ann. tit. 6, § 12D-104(c)(5); N.J. Stat. Ann. § 56:8-166.10.
[30] Fla. Stat. § 501.1736(2)(b)(1), 501.1736(3)(a).
[31] Id. § 501.1736.
[32] Id.
[33] Id. § 501.1738(1).
[34] Id. § 501.1738(2).
[35] Id.
[36] Id.
[37] Ga. Code. Ann. § 39-6-1(3).
[38] Id. § 39-6-2(c).
[39] Id. § 39-6-2(a).
[40] Id. § 39-6-1.
[41] Id. § 39-6-2(e).
[42] Id. § 39-6-3.
[43] Md. Code Ann., Com. Law § 14-4801(e).
[44] Id. §§ 14-4804(b); 14-4807.
[45] Id. § 14-4801(c).
[46] Id. § 14-4805(a).
[47] Complaint, NetChoice v. Brown, Case No. 1:25-cv-00322-RDB (Feb. 3, 2025).
[48] N.Y. General Business Law § 1500.6.
[49] Id. § 1500.1; § 1501.
[50] Id. § 1502.
[51] Pub. Act 103-0769.
[52] Id.
[53] Cothron v. White Castle System, Inc., 216 N.E.3d 918, 929 (Ill. 2023).
[54] The bill defines biometric data as “one or more biometric identifiers that are used or intended to be used, singly or in combination with each other or with other personal data, for identification purposes.” The bill defines “biometric identifiers” as “data generated by the technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics, which data can be processed for the purpose of uniquely identifying an individual.” H.B. 24-1130, 74th Gen. Assemb., Reg. Sess. (Colo. 2024).
[55] Colo. Rev. Stat. Ann. § 6-1-1314(3).
[56] Id. § 6-1-1314(2).
[57] Id. § 6-1-1314(2)(III).
[58] Id. § 6-1-1314(6).
[59] Id. § 6-1-1314(4)(a).
[60] Id. § 6-1-1314(4)(b).
[61] Id. § 6-1-1314(5).
[62] Id. § 6-1-1314(4)(c).
[63] H.B. 24-1130, 74th Gen. Assemb., Reg. Sess. (Colo. 2024).
[64] A.B. A836, 2023-2024 Leg., Reg. Sess. (N.Y. 2024); S.B. S2518-A, 2023-2024 Leg., Reg. Sess. (N.Y. 2024).
[65] N.Y. Labor Law § 201.
[66] Id. § 201-i(1)(d).
[67] Id. § 201-i(1)(c), (6).
[68] Id. § 201-i(2)(a).
[69] Id. § 201-i(3)(a).
[70] Id. § 201-i(5)(c).
[71] Id. § 201-i(2)(b).
[72] Id. § 201-i(5)(a)(i), (ii).
[73] Cal. Health & Saf. Code § 27000.5(b)(1).
[74] Id. § 27002(a)(1).
[75] Id. § 27005.
[76] NetChoice, LLC v. Bonta, No. 5:24-cv-07885-EJD (9th Cir.).
[77] Colo. Rev. Stat. Ann. § 6-1-1313(16.7); Cal. Civ. Code § 1798.140(ae)(1)(G)(ii).
[78] Colo. Rev. Stat. Ann. § 6-1-1313(16.7).
[79] Cal. Civ. Code § 1798.140(ae)(1)(G)(ii).
[80] H.B. 24-1058, 74th Gen. Assemb., Reg. Sess. (Colo. 2024); S.B. 1223, 2023-2024 Leg., Reg. Sess (Cal. 2024).
[81] Colo. Rev. Stat. Ann. § 6-1-1313(2.5).
[82] American Privacy Rights Act of 2024, H.R. 8818, 118th Cong. § 2 (2024).
[83] Id.
[84] Protecting Americans’ Data from Foreign Adversaries Act of 2024, Pub. L. No. 118-50(I)(2)(a).
[85] Protecting Americans’ Data from Foreign Adversaries Act of 2024, Pub. L. No. 118-50(I)(2)(c)(4).
[86] Protecting Americans’ Data from Foreign Adversaries Act of 2024, Pub. L. No. 118-50(I)(2)(c)(8).
[87] H.R. 7690, 118th Cong. (2nd Sess. 2023).
[88] H.R. 7621, 118th Cong. (2nd Sess. 2023).
[89] H.R. 7841, 118th Cong. (2nd Sess. 2023).
[90] H.R. 8293, 118th Cong. (2nd Sess. 2023).
[91] S. 4075, 118th Cong. (2nd Sess. 2023).
[92] S. 4697, 118th Cong. (2nd Sess. 2023).
[93] S. 3661, 118th Cong. (2nd Sess. 2023).
[94] S. 5218, 118th Cong. (2nd Sess. 2023).
[95] On February 20, 2025, the FTC issued a Request for Information on “how technology platforms deny or degrade … users’ access to services based on the content of the users’ speech or their affiliations.”
[96] FTC v. NGL Labs, LLC, No. 2:24-cv-05753-JLS-PVC (C.D. Cal. 2024).
[97] Nat’l Treasury Employees Union v. Vought, No. 1:25-cv-381.
[98] Mayor & City Council of Baltimore v. Vought, No. 25-cv-00458.
[99] Mayor & City Council of Baltimore v. Vought, No. 25-cv-00458 (MJM) (Feb. 28, 2025, D. Md.).
[100] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11216 (July 26, 2023).
[101] Designation of size depends on the type of Covered Institution. See Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer, 89 FR 47688, Table 3 (June 3, 2024) (to be codified at 17 C.F.R. pts. 240, 248, 270, 275), https://www.federalregister.gov/documents/2024/06/03/2024-11116/regulation-s-p-privacy-of-consumer-financial-information-and-safeguarding-customer-information#footnote-357-p47719.
[102] Under the rule, covered persons include 1) foreign individuals who are resident in countries of concern; 2) entities that are 50% or more owned by covered persons or by countries of concern; and 3) employees or contractors of such entities or of countries of concern.
[103] See, for example, United States ex rel. Matthew Decker v. Pennsylvania State University, Case No. 2:22-cv-03895-PD (E.D. Pa. Oct. 5, 2022).
[104] Department of Defense, Cybersecurity Maturity Model Certification (CMMC) Program (2024), 32 C.F.R. § 170, https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170.
[105] Consumer Guide, Federal Communications Commission, One-to-One Consent Rule for TCPA Prior Express Written Consent Frequently Asked Questions (Dec. 2024), DOC-408396A1.pdf (fcc.gov).
[106] Insurance Marketing Coalition, Ltd. v. Federal Communications Commission, No. 24-10277, 2025 WL 289152 (11th Cir. Jan. 24, 2025).
[107] Complaint, Garner et al v. AT&T Inc., No. 3:24-cv-00962-E (N.D. Tex. 2024), ECF No. 1.
[108] Id.
[109] Id.
[110] Savidge v. Pharm-Save, Inc., 727 F. Supp. 3d 661 (W.D. Ky. 2024).
[111] Savidge v. Pharm-Save, Inc., 727 F. Supp. 3d 661, 675–95 (W.D. Ky. 2024).
[112] Griggs v. NHS Mgmt., LLC, No. SC-2023-0784, 2024 WL 4797211 (Ala. Nov. 15, 2024).
[114] Miller v. NextGen Healthcare, Inc., No. 1:23-CV-2043-TWT, 2024 WL 3543433, 1317–20 (N.D. Ga. July 25, 2024).
[115] Id. at 1318.
[116] See, e.g., D’Angelo v. FCA US, LLC, 726 F. Supp. 3d 1179, 1187–88 (S.D. Cal. 2024).
[117] See, e.g., id.
[118] See, e.g., Jackson v. LinkedIn Corp., 2024 WL 3823806 (N.D. Cal. Aug. 13, 2024).
[119] 18 U.S.C. § 2511(2)(d).
[120] 18 U.S.C. § 2520(2)(B).
[121] See Cal. Penal Code §§ 631(a), 632(a), 637.2.
[122] See, e.g., Yoon v. Meta Platforms, Inc., No. 24-cv-02612-NC, 2024 WL 5264041, at *4 (N.D. Cal. Dec. 30, 2024).
[123] Compare, e.g., Jackson v. LinkedIn Corp., 744 F. Supp. 3d 986 (N.D. Cal. Aug. 13, 2024) (denying defendant’s motion to dismiss California wiretapping claim), with, e.g., B.K. v. Eisenhower Med. Ctr., 721 F. Supp. 3d 1056, 1065 (C.D. Cal. 2024) (dismissing federal and California wiretapping claims without leave to amend).
[124] Doe I v. Google LLC, 741 F. Supp. 3d 828, 840–41 (N.D. Cal. 2024); see also B.K. v. Desert Care Network, No. 2:23-cv-05021, 2024 WL 1343305, at *1, *7 (C.D. Cal. Feb. 1, 2024).
[125] See Doe I, 741 F. Supp. 3d at 841 (noting “[i]t’s possible that this ruling is contrary to Judge Orrick’s analysis of intent in a similar pixel case”).
[126] See, e.g., D’Angelo, 726 F. Supp. 3d at 1193 (“The Court recognizes that there is a disagreement in this District about whether TransUnion undermined In re Facebook’s holding that a violation of CIPA is sufficient to allege an injury-in-fact.”).
[127] TransUnion LLC v. Ramirez, 594 U.S. 413 (2021).
[128] Williams v. DDR Media, LLC, No. 22-cv-03789, 2024 WL 4859078 (N.D. Cal. Nov. 20, 2024).
[129] Id. at *1.
[130] Id. at *2.
[131] Id. at *5.
[132] Griffith v. TikTok, Inc., No. 5:23-CV-00964-SB-E, 2024 WL 5279224, at *3, *12 (C.D. Cal. Dec. 24, 2024).
[133] Id. at *1–2.
[134] Id. at *10.
[135] Frasco v. Flo Health, Inc., No. 21-cv-00757-JD, 2024 WL 4280933 (N.D. Cal. Sept. 23, 2024).
[136] Id. at *4.
[137] Unopposed Motion for Final Approval of Class Action Settlement, Brown v. Google LLC, No. 4:20-cv-03664-YGR-SVK (N.D. Cal. 2024), Dkt. 1098-2.
[138] Id. at 2.
[139] Id.
[140] 18 U.S.C. § 1030(a).
[141] Verdict Form, Ryanair DAC v. Booking Holdings Inc., No. 1:20-cv-01191 (D. Del. 2022), Dkt. 457.
[142] Id., Dkt. 76.
[143] Id.
[144] Id., Dkt. 457.
[145] Id., Dkt. 466.
[146] Id., Dkt. 516.
[147] Id., Dkt. 518.
[148] Abu v. Dickson, 107 F.4th 508, 513 (6th Cir. 2024).
[149] Id.
[150] Id. at 514–15.
[151] Id. at 515.
[152] Id. at 516.
[153] Moonlight Mountain Recovery, Inc. v. McCoy, No. 1:24-cv-00012-BLW, 2024 WL 4027972, at *1 (D. Idaho Sept. 3, 2024).
[154] Id.
[155] Id. at *4.
[156] Id.
[157] CTI III, LLC v. Devine, 2022 WL 1693508, at *3 (E.D. Cal. May 26, 2022).
[158] Cal. Penal Code § 502(e)(1); see also id. § 502(c) (listing violations).
[159] Id. § 502(b)(1).
[160] Id. § 502(e)(1).
[161] See Heiting v. Taro Pharms. USA, Inc., 709 F. Supp. 3d 1007, 1021 (C.D. Cal. 2023) (noting that “the majority of courts to consider the issue” have found the CDAFA “contemplates some damage to the computer system, network, program, or data contained on that computer, as opposed to data generated by a plaintiff while engaging with a defendant’s website”).
[162] Doe v. Cnty. of Santa Clara, No. 23-cv-04411-WHO, 2024 WL 3346257, at *1, *11 (N.D. Cal. July 8, 2024).
[163] Id. at *9.
[164] Esparza v. Kohl’s, Inc., 723 F. Supp. 3d 934 (S.D. Cal. 2024).
[165] Id. at 945 (noting “Plaintiff alleges there is a market for his data that Defendant . . . allegedly profit[s] from”).
[166] Id. at 945.
[167] 47 U.S.C. § 227.
[168] Facebook, Inc. v. Duguid, 592 U.S. 395 (2021).
[169] Fam. Health Physical Med., LLC v. Pulse8, LLC, 105 F.4th 567, 575 (4th Cir. 2024).
[170] Id. at 572–73.
[171] Id. at 573.
[172] Career Counseling, Inc. v. AmeriFactors Fin. Grp., LLC, 91 F.4th 202, 210 (4th Cir. 2024).
[173] Id.
[174] McLaughlin Chiropractic Assocs., Inc. v. McKesson Corp., 145 S. Ct. 116 (2024).
[175] Cal. Civ. Code § 1798.150(a)(1).
[176] Id.
[177] See Johnson v. Cornerstone Nat’l Ins. Co., No. 22-04135, 2024 WL 5265372, at *6–7 (W.D. Mo. Apr. 29, 2024) (granting motion to dismiss where plaintiffs had alleged only that a software company had helped an insurance company design and set up a system, not that it actually accessed individuals’ confidential information).
[178] In re NCB Mgmt. Serv., Inc. Data Breach Litig., No. 23-1236, 2024 WL 4160349, at *17–18 (E.D. Pa. Sept. 11, 2024).
[179] In re Accellion, Inc. Data Breach Litig., 713 F. Supp. 3d 623, 641 (N.D. Cal. 2024).
[180] Miller v. NextGen Healthcare, Inc., 742 F. Supp. 3d 1304, 1327 (N.D. Ga. 2024).
[181] M.G. v. Therapymatch, Inc., No. 23-cv-04422, 2024 WL 4219992, at *1 (N.D. Cal. Sept. 16, 2024).
[182] Id. at *7.
[183] Id.
[184] Owens v. Smith, Gambrell and Russell Int’l, LLP, No. CV23-01789, 2024 WL 3914663, at *1 (C.D. Cal. May 30, 2024).
[185] Id. at *11.
[186] Id. at *11–12.
[187] In re Eureka Casino Breach Litig., No. 2:23-cv-00276, 2024 WL 4253198, at *1 (D. Nev. Sept. 19, 2024).
[188] Id.
[189] Id. at *13.
[190] Id.
[191] Id.
[192] Id.
[193] Id. at *13–14.
[194] Mayhall v. Amazon Web Servs., Inc., No. C21-1473-TL-MLP, 2024 WL 3842563 (W.D. Wash. May 29, 2024).
[195] Id. at *5.
[196] Id. at *5–6.
[197] Mayhall v. Amazon Web Servs., Inc., 2:21-cv-01473 (W.D. Wash. Nov. 5, 2024), ECF No. 112.
[198] Mayhall v. Amazon Web Servs., Inc., 2:21-cv-01473 (W.D. Wash. Jan. 15, 2025), ECF No. 114.
[199] Polizzi v. Jimmy John’s, LLC, No. 3:23-cv-02168 (C.D. Ill. July 17, 2024), ECF No. 24.
[200] Id. at 12.
[201] Id. at 13.
[202] Zellmer v. Meta Platforms, Inc., 104 F.4th 1117 (9th Cir. 2024).
[203] See, e.g., Colombo v. YouTube, LLC, 679 F. Supp. 3d 940, 944–45 (N.D. Cal. 2023).
[204] G.T. v. Samsung Elecs. Am. Inc., 742 F. Supp. 3d 788 (N.D. Ill. 2024).
[205] Id. at 793.
[206] Id. at 801.
[207] Id.
[208] Cothron v. White Castle Sys., Inc., 216 N.E.3d 918 (Ill. 2023), as modified on denial of reh’g (Ill. July 18, 2023).
[209] Id. at 928–29.
[210] Id. at 929.
[211] 740 Ill. Comp. Stat. Ann. 14/20(b) (2024).
[212] Id. at (b)–(c).
[213] Compare Gregg v. Central Transp. LLC., No. 24 C 1925, 2024 WL 4766297, at *2–3 (N.D. Ill. Nov. 13, 2024) with Schwartz v. Supply Network, Inc., No. 23 CV 14319, 2024 WL 4871408 (N.D. Ill. Nov. 22, 2024).
[214] Bhavilai v. Microsoft Corp., 716 F. Supp. 3d 640, 641 (N.D. Ill. 2024).
[215] Id.
[216] Id.
[217] Id.
[218] Id.
[219] Brantley v. Prisma Labs, Inc., No. 23 C 1566, 2024 WL 3673727 (N.D. Ill. Aug. 6, 2024).
[220] In re Clearview AI, Inc., Consumer Priv. Litig., 585 F. Supp. 3d 1111, 1118 (N.D. Ill. 2022), clarified on denial of reconsideration, 2022 WL 2915627 (N.D. Ill. July 25, 2022).
[221] Id. at 1122–23.
[222] Preliminary Order of Approval of Class Action Settlement, In re Clearview AI, Inc., Consumer Priv. Litig., No. 21-cv-0135 (N.D. Ill. June 21, 2024), ECF No. 580.
[223] See Plaintiff’s Unopposed Motion and Memorandum in Support of Preliminary Approval of Class Action Settlement, In re: Clearview AI, Inc. Consumer Privacy Litigation, 1:21-cv-00135 (N.D. Ill. June 12, 2024), ECF No. 578, at 5.
[224] State of Texas v. Meta Platforms, Inc., No. 22-0121 (Tex. 71st Dist. Ct., Harrison Cnty.).
[225] N.Y.C. Admin. Code § 22-1202.
[226] Gross v. Madison Square Garden Ent. Corp., No. 23-CV-3380 (LAK) (JLC), 2024 WL 2055343 (S.D.N.Y. May 7, 2024).
[227] Id. at *1.
[228] Id. at *2.
[229] Id. at *1.
[230] Mallouk v. Amazon.com, Inc., No. C23-852-RSM, 2024 WL 3511015, at *1 (W.D. Wash. July 23, 2024).
[231] Id. at *5.
[232] Id. (quoting Madison Square Garden, 2024 WL 2055343, at *1).
[233] Id. at *6.
[234] N.J.S.A. § 56:8-166.1. et seq.
[235] Id.
[236] Id. at *1.
[237] Id.
[238] Id. at *7–8.
[239] Id. at *8.
[240] Id. at *10.
[241] Id. at *12 (predicting that the Supreme Court of New Jersey would construe Daniel’s Law as requiring a covered person or assignee to establish an entity’s negligence in order to obtain an award of actual or liquidated damages).
[242] See Order, Atlas Data Priv. Corp. v. We Inform, LLC, No. 1:24-cv-04037 (D.N.J. Ill. Dec. 2, 2024), ECF No. 27.
[243] Taylor v. Google, LLC, No. 22-16654, 2024 WL 837044, at *2 (9th Cir. Feb. 28, 2024).
[244] Id.
[245] Id. at *1–2.
[246] Id. at *2.
[247] Id.
[248] Id.
[249] Saunders et al v. Hearst Television, Inc., 711 F. Supp. 3d 24, 28–29 (D. Mass. Jan. 11, 2024).
[250] Id. at 32.
[251] Id. at 32–33.
[252] Mendoza v. Caesars Ent., Inc., No. 1:23-cv-03591, 2024 WL 2316544, at *1 (D.N.J. May 22, 2024).
[253] Id. at *2.
[254] Id.
[255] Id. (citing Aldana v. GameStop, No. 22-cv-7063, 2024 WL 708589, at *6 (S.D.N.Y. Feb. 21, 2024)).
[256] McDaniel, et al. v. Meta Platforms, Inc., et al., Case No. 21-cv-383231 (Cal. Super. Ct. Dec. 30, 2024).
[257] Id.
[258] Jancick v. WebMD LLC, No. 1:22-CV-644-TWT, 2025 WL 560705 (N.D. Ga. Feb. 20, 2025).
[259] Id. at *1.
[260] Id. at *4.
[261] Id.
[262] Baptiste v. Apple Inc., No. 23-15392, 2024 WL 1086832, at *1 (9th Cir. Mar. 13, 2024).
[263] Id. at *2.
[264] Reforming Intelligence and Securing America Act, H.R. 7888, 118th Cong. (2nd Sess. 2023).
[265] U.S. v. Hasbajrami, No. 1:11-cr-623 (LDH), 2025 WL 258090 (E.D.N.Y. Jan. 21, 2025), superseded by U.S. v. Hasbajrami, No. 1:11-CR-623 (LDH), 2025 WL 447498 (E.D.N.Y. Feb. 10, 2025).
[266] See Complaint, De La Torre v. LinkedIn Corporation, 5:25-cv-00709 (N.D. Cal., Jan. 21, 2025), ECF No. 1.
[267] Id. at 5.
[268] Id. at 14–20.
[269] See Plaintiff’s Unopposed Motion and Memorandum in Support of Preliminary Approval of Class Action Settlement, In re: Clearview AI, Inc. Consumer Privacy Litigation, No. 1:21-cv-00135 (N.D. Ill. June 12, 2024), ECF No. 578.
*Ananya Subrahmanian, an associate in New York, is not yet admitted to practice law.
On March 5, 2025, the Court of Appeals for the Federal Circuit issued a decision in Lashify, Inc. v. ITC, No. 23-1245 (Fed. Cir. Mar. 5, 2025) that rewrites long-standing ITC precedent concerning what types of domestic industry investments and activities may be considered under the economic prong of the domestic industry analysis. The Lashify decision therefore greatly expands the scope of what activities may qualify a company to bring a Section 337 Investigation before the ITC.
In this case, complainant Lashify sought to bar the importation of eyelash extensions, including cases and applicators, that allegedly infringe a Lashify utility patent and two design patents. While Lashify markets and distributes its products in the United States, all its manufacturing operations occur abroad, and its products are imported. Based on certain findings related to technical domestic industry and, for economic domestic industry, the nature of Lashify’s domestic activities and investments, the ITC concluded that Lashify had not proven a violation of Section 337. As to economic domestic industry, the ITC concluded that Lashify’s investments directed to sales, marketing, warehousing, quality control, and distribution (as opposed to manufacturing) were insufficient to prove the existence of a significant domestic industry.
For a company to bring a patent infringement action before the ITC, it must prove that it has a sufficiently “significant” or “substantial” domestic industry; essentially, a showing that a company’s investments in the United States with respect to a product practicing an asserted patent are sufficiently quantitatively and qualitatively significant. Under 19 U.S.C. § 1337(a)(3), a company may show this, for example, based on “significant employment of labor and capital” in the United States. Historically, the ITC has interpreted this requirement to exclude certain activities on their own (i.e., without corresponding domestic manufacturing) as qualifying as domestic industry; namely, costs associated with selling, advertising, and distributing in the United States.
In Lashify, the Federal Circuit rejected the ITC’s long-standing precedent and interpretation of § 1337(a)(3), holding that the language of the statute is “straightforward,” and does not limit what types of domestic activities may be considered to establish a domestic industry. Writing for the Court, Judge Taranto stated that “there is no carveout of employment of labor or capital for sales, marketing, warehousing, quality control, or distribution,” and that there is no “suggestion [in the statute] that such uses, to count, must be accompanied by significant employment or other functions, such as manufacturing.” Put differently, the Federal Circuit has held that any significant employment of labor and capital may qualify as meeting the economic prong of the domestic industry requirement.
In so ruling, the Federal Circuit has opened the proverbial floodgate for companies seeking to file Section 337 Investigations before the ITC whose only domestic investments and activities in the United States are related to marketing, sales, and distribution, without any corresponding domestic manufacturing. Assuming the Federal Circuit’s decision in Lashify stands, the ITC can expect a wave of investigations to be filed by companies that historically would not have been able to satisfy the economic domestic industry prong. Of course, this ruling also leaves many questions unresolved, including, for example, what would qualify under the statute as “significant” investment in activities such as marketing and distribution of a domestic industry product. The question of significance is a highly litigated and disjointed area of ITC law, and remains ripe for debate and clarification.
Given the gravity of the Federal Circuit’s decision, we expect the ITC to request an en banc appeal of this holding.
© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
An overview of certain recent developments and legislative changes that may affect the M&A market and the transaction business in Germany, originally published in M&A Review, 36, Volume 1-2/2025.
Gibson Dunn partner Sonja Ruttmann, of counsel Silke Beiter, and associates Maximilian Schniewind and Yannick Oberacker from our Munich office co-authored In the Play of Regulations: Outlook on Relevant Legislative Changes for the M&A Practice in 2025, originally published in M&A Review on February 13, 2025. The article gives an overview of certain recent developments and legislative changes that may affect the M&A market and the transaction business in Germany going forward.
Europe
02/26/2025
European Parliament | Report | Algorithmic Discrimination
The European Parliament published a report on algorithmic discrimination under the AI Act and the GDPR.
The Parliament underlines the legal uncertainties regarding the interaction between the AI Act and the GDPR. Indeed, the AI Act allows processing of special categories of personal data to detect and correct bias, while the GDPR imposes stricter conditions on such data usage, potentially limiting AI bias mitigation efforts.
For further information: European Parliament Report
02/26/2025
Court of Justice of the European Union | Decision | Automated Decision-making System
The Court of Justice of the European Union (“CJEU”) ruled that when their data is used by automated decision-making systems, data subjects may require the controller to explain the procedure and principles actually applied when processing personal data to obtain a specific result.
The decision stems from a case filed by an Austrian customer who was denied a mobile phone contract based on an automatic decision-making system. The Court highlighted that when asked by data subjects to provide explanations, information should be provided in a “concise, transparent, intelligible and easily accessible form”. This decision also addresses the concept of trade secrets.
For further information: CJEU Decision
02/13/2025
Court of Justice of the European Union | Decision | Calculation of GDPR Fines
The Court of Justice of the European Union (“CJEU”) clarifies the calculation of the fines for undertakings (C-383/23).
The CJEU considers that the maximum amount of the fine that can be imposed on an undertaking must be determined “on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year”.
For further information: CJEU Decision
02/04/2025
Cyber Solidarity Act | Entry Into Force | High Critical Sectors Concerned
On February 4, 2025, the Cyber Solidarity Act entered into force.
This regulation enhances the EU’s capacity to prepare for, detect, and respond to cybersecurity incidents. Entities operating in highly critical sectors or other critical sectors, as defined by Directive (EU) 2022/2555 (NIS 2), may be required to undergo “coordinated preparedness testing” to verify their compliance with minimum standards and expectations for critical services and infrastructure.
For further information: Commission Website and Cyber Solidarity Act
France
02/26/2025
CNIL | Work Program | Connected Vehicles
The French Supervisory Authority (“CNIL”) published the “compliance comity” work program for 2025 on connected vehicles and location data.
The comity’s work focuses on the use of location data from connected vehicles and will lead to the drafting of a recommendation which will soon be published for public consultation. Because of the lack of legal certainty surrounding the use of dashcams and associated privacy risks, the comity’s work program for 2025 is dedicated to the use of these devices by private individuals.
For further information: CNIL Press release [FR]
02/07/2025
French Supervisory Authority | Recommendations | Artificial Intelligence
On February 7, 2025, the French Supervisory Authority (“CNIL”) published two new recommendations on how AI should be used to comply with GDPR requirements.
The CNIL’s first recommendation focuses on data subject information and essentially provides that companies must ensure individuals are given sufficient information at the appropriate moment and that the processing of their data is entirely transparent. More specifically, it provides examples of information notices to be used in relation to web scraping or the development of GPAI models. The second recommendation focuses on data subject rights and provides specific details on how companies can deal with data subjects’ requests, whether they apply to training data or to the model more generally.
For further information: CNIL Recommendations on Right of information, and Data subjects’ rights [FR]
02/05/2025
French Supervisory Authority | GDPR | 2024 Report
The French Supervisory Authority (“CNIL”) has published a 2024 report on sanctions issued during the year.
The report provides that a total of 331 decisions were handed down, including 87 sanctions, for a total of 55,212,400 euros in fines, 180 formal notices and 64 reminders of legal obligations. The recurring breaches found usually concern commercial prospecting and health data.
For further information: CNIL Report [FR]
01/31/2025
French Supervisory Authority | GDPR | Access Right
On January 31, 2025, the French Supervisory Authority (“CNIL”) updated its guidance on employees’ right of access to their work-related data and emails.
In this update, the authority clarifies that if a request involves a very large number of emails (though it did not define what constitutes “very large”), the employer may first provide the employee with a summary table listing the relevant messages. This allows the employee to specify which content they wish to receive. However, given the lack of further clarification, it appears that if the employee does not specify the data they want, the employer remains obligated to provide all the requested data unless the employer identifies an actual risk for third-party rights. Moreover, the French Authority published a case-law summary regarding the GDPR access right.
For further information: CNIL Guidance and Case-law Summary [FR]
Germany
02/14/2025
German Supervisory Authorities | Investigation | AI and Privacy
On February 14, 2025, several German Data Protection Supervisory Authorities announced a coordinated investigation into an AI provider.
Several German state data protection supervisory authorities, including those from Rhineland-Palatinate, Baden-Württemberg, Thuringia, Saxony-Anhalt, Hesse, Bremen, and Berlin, initiated coordinated investigations into the AI provider. This collaborative effort aims to ensure compliance with Article 27(1) of the General Data Protection Regulation (GDPR), which mandates that companies not established in the European Union appoint a representative within the EU. This effort underscores the impact of GDPR enforcement on AI development. In addition to this investigation, the Lower Saxony Supervisory Authority (“LfD Niedersachsen”) published a statement on February 21, 2025, drawing attention to the risks associated with the use of the Chinese AI-powered chatbot. The LfD Niedersachsen pointed out in particular that according to the privacy policy of the company providing the chatbot, user inputs including the uploaded documents are recorded, transmitted, stored and analyzed without any restriction.
For more information: Website of the Baden Württemberg Supervisory Authority [DE] and Website of the Lower Saxony Supervisory Authority [DE]
02/12/2025
Bremen Supervisory Authority | Recommendation | AI and Privacy
On February 12, 2025, the Data Protection Authority of Bremen (LfD Bremen) provided recommendations on the use of AI applications from providers outside the European Union that have not appointed a legal representative in the EU.
To ensure compliance with data protection regulations and mitigate risks associated with AI applications, the LfD Bremen recommends selecting AI providers that demonstrate transparency and provide documentation confirming GDPR compliance. Before installing AI models, the user should ensure that no personal data can be leaked, for example through a secure IT environment. According to the LfD Bremen, inputs of personal or confidential data into online interfaces should be avoided unless effective protective measures are in place. Users, especially workers, should be made aware of the risks involved, and AI competence as required by Article 4 of the AI Regulation from February 2, 2025, should be ensured. If the AI provider is based outside the EU, it should appoint a representative under Article 27 GDPR to facilitate the enforcement of data subjects’ rights. Failure to do so can result in fines under Article 83(4) GDPR.
For more information: Website of the Bremen Supervisory Authority [DE]
01/29/2025
German Federal Administrative Court | Judgement | Advertisement
On January 29, 2025, the German Federal Administrative Court (BVerwG) ruled on the interplay of data processing under Article 6(1)(f) GDPR and consent for advertisement necessary under German competition law.
The BVerwG ruled that processing the contact data of dental practices taken from publicly accessible sources for the purpose of telephone advertising without at least presumed consent is impermissible. The court held that merely obtaining contact details from publicly accessible directories to conduct phone advertising does not constitute a legitimate interest under Article 6(1)(f) GDPR unless there is at least implied consent from the data subjects per § 7 Sec 2 No 1 UWG. Consequently, the company’s appeal was denied, as the interest in data processing for phone advertising did not outweigh the privacy protection guaranteed by GDPR and national law. The court confirmed that the prohibition on such data processing remains justified under the current legal framework, given its alignment with the need to protect the privacy of individuals from unsolicited advertising.
For more information: Official Court Website [DE]
Sweden
02/18/2025
Swedish Supervisory Authority | GDPR Guidance | Impact Assessment
On February 18, 2025, the Swedish Supervisory Authority (“IMY”) published guidance on impact assessments.
The guidance consists of a practical guide and an annex with legal interpretative support.
For further information: IMY Website [SV] and Guidance for Impact Assessment [SV]
02/04/2025
Stockholm Administrative Court | Fine | Cookies
In February 2025, the Stockholm Administrative Court upheld a SEK 13 million (approx. €1.16M) fine against a media company for failure to comply with the principle of lawfulness provided under the GDPR.
The company was relying on legitimate interests for the processing of personal data collected via cookies. Such data was combined with purchase history and third-party data for creating profiles, including for marketing purposes. The court ruled that legitimate interest cannot serve as a legal basis and therefore upheld the administrative fine imposed by the Swedish Supervisory Authority (“IMY”). In its decision, the IMY stated that pursuant to Article 5(3) of the ePrivacy Directive, consent was required for the collection of data via cookies. This is the first publicly known case in Sweden where IMY explicitly referenced Article 5(3) of the ePrivacy Directive in its reasoning for a GDPR fine.
For further information: Stockholm Administrative Court Website [SV]
Switzerland
02/03/2025
Federal Data Protection and Information Commissioner | Guidelines | Cookies
The Swiss Supervisory Authority (“FDPIC”) published its guidelines on data processing using cookies and similar technologies.
The FDPIC describes the data protection requirements controllers must abide by when using cookies and similar technologies.
For further information: FDPIC Website
United Kingdom
02/22/2025
Information Commissioner’s Office | Report | Technologies
The Information Commissioner’s Office (“ICO”) published its Tech Horizons report of 2025.
The ICO’s Tech Horizons report examines emerging technologies and the regulatory challenges they face from a privacy perspective. This third edition of the report focuses on four technologies: connected transport; quantum sensing and imaging; digital diagnosis, therapeutics and healthcare infrastructure; and synthetic media and its identification and detection.
For further information: ICO Website
02/10/2025
Information Commissioner’s Office | Response | Data (Use and Access) Bill
The Information Commissioner’s Office (“ICO”) published its updated response to the Data (Use and Access) (DUA) Bill.
The ICO welcomed the recent changes introduced to the Bill and expressed its position on some of the recent amendments, including those related to the protection of children’s data and the expansion of the soft opt-in in direct marketing to cover charities.
For further information: ICO Website
02/06/2025
Information Commissioner’s Office | Guidance | Employment Practices and Data Protection
On February 5, 2025, the Information Commissioner’s Office (“ICO”) issued new guidance for employers on the management of employment records.
The guidance addresses key questions employers may encounter in relation to the collection, retention and use of employment records. For instance, the guidance covers various questions including: what lawful bases might apply to employment records, when employers can share workers’ personal data with other people or organizations, and how employers can handle sickness and injury records.
For further information: ICO Guidance
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice groups:
Privacy, Cybersecurity, and Data Innovation:
United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Timothy W. Loose – Los Angeles (+1 213.229.7746, tloose@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Rosemarie T. Ring – San Francisco (+1 415.393.8247, rring@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, bwagner@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)
Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)
Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)
© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
The life sciences industry entered 2025 with a largely favorable set of catalysts, but also with some larger risks that will impact companies differently.
Join our team of seasoned attorneys and industry leaders for part one of this webcast series, where we provide an integrated outlook on royalty finance in the life sciences, identifying trends and uncertainties that will shape the year ahead. For a copy of our full Life Sciences 2025 Outlook, click here.
Topics include:
- Key development in 2024: continued growth in non-dilutive financing through debt, royalty financings and synthetic royalty financings, with a deeper pool of capital on the investor-side and a favorable macro-economic environment, provided that inflation does not return, and interest rates increase
- Expected impacts of a shifting geopolitical environment and regulatory landscape under the Trump administration
MCLE CREDIT INFORMATION:
This program has been approved for credit by the New York State Continuing Legal Education Board for a maximum of 0.5 credit hour in the professional practice category. This course is approved for transitional and non-transitional credit.
Gibson, Dunn & Crutcher LLP certifies this activity is approved for 0.5 hour of MCLE credit by the State Bar of California in the General Category.
California attorneys may claim self-study credit for viewing the archived webcast. No certificate of attendance is required for self-study credit.
PANELISTS:
- Todd Trattner (Gibson Dunn)
- Ryan Murr (Gibson Dunn)
- Doug Prescott (TD Cowen)
While the proposal is in its early stages, companies in the food industry should consider efforts to engage in any forthcoming notice-and-comment regulatory process, including by submitting comments on any proposed regulation and participating in related public meetings.
On March 10, 2025, Robert F. Kennedy, Jr., Secretary of the Department of Health and Human Services (HHS), directed the Food and Drug Administration (FDA) to explore rulemaking to require manufacturers to submit for FDA review notifications demonstrating that new food ingredients are generally recognized as safe (GRAS).[1] Such a change, if finalized, would have a significant impact on the food industry, which has relied in substantial part on manufacturers’ self-affirmations, in some cases based on review of available data by expert panels, that their ingredients are GRAS without FDA notification or review. While this proposal is in its early stages, companies in the food industry should consider efforts to engage in any forthcoming notice-and-comment regulatory process, including by submitting comments on any proposed regulation and participating in related public meetings.
The Current Framework
- A food ingredient is considered a “food additive,” unless it is generally recognized to be safe for its intended use by qualified experts based on generally available and accepted scientific data, information, or methods.[2]
- A food additive is “unsafe” unless its use is consistent with a food additive regulation.[3] In order to obtain a food additive regulation for a new food additive, a manufacturer must submit a food additive petition to FDA containing scientific data and information on the conditions for its safe use.[4] If FDA grants the petition, it publishes a final rule prescribing the conditions under which the food additive may be used in food.[5]
- At present, manufacturers can, but are not required to, notify FDA of new food ingredients they believe to be GRAS by submitting a GRAS notice, which contains, among other things, data on the ingredient’s chemical composition, manufacturing process, specifications, dietary exposure, and supporting data.[6] FDA then responds with one of three types of letters: a “no questions letter” stating that it has no questions at this time relating to the basis for the notifier’s GRAS conclusions, an “insufficient basis letter” stating that the notice does not provide a sufficient basis for a GRAS determination, or a “cease to evaluate letter” noting that FDA has ceased to evaluate the GRAS notice at the submitter’s request.[7]
- When it formally adopted the GRAS notification process in 2016, FDA stated explicitly that submission of GRAS notifications is voluntary in nature. The agency noted that the Federal Food, Drug, and Cosmetic Act (FDCA) expressly requires FDA review of food additives, but is silent on any required review for GRAS substances, which fall outside the definition of “food additive.”[8] Accordingly, manufacturers have largely “self affirmed” the GRAS status of food ingredients, maintaining scientific substantiation to support their conclusions without submitting that data and information to FDA.
How the Regulatory Landscape Could Change
- Efforts to reshape the GRAS notification process are part of Secretary Kennedy’s position on “radical transparency” regarding food ingredients.[9] President Trump’s nominee for FDA Commissioner, Dr. Marty Makary, has also expressed concerns about health risks with food ingredients and additives.[10]
- Submission of a GRAS notice entails substantial time, effort, and resources for manufacturers, as well as uncertainty with respect to FDA’s evaluation of the notice. Accordingly, a shift from voluntary to mandatory GRAS notices likely will have a significant impact on the food industry.
- It is unclear how FDA would phase in mandatory GRAS notification requirements, if adopted. For example, the HHS directive does not address whether and how FDA would grandfather in currently marketed ingredients for which manufacturers have self-affirmed GRAS status.
- It is also unclear whether any forthcoming FDA regulation would provide a grace period for GRAS notice submissions, and how a potential deluge of notices might impact FDA review timelines or other FDA activities in the foods space. The agency has faced criticism in other areas where it has been slow to act on premarket submissions following a change in the agency’s policy for submissions, such as for new tobacco products.[11] Long review timelines may delay companies’ innovations in food ingredients given the potential enforcement risk if FDA disagrees and determines that an ingredient is not GRAS, and therefore requires food additive review.[12]
- Enforcement risk likely also will increase if FDA mandates submission of GRAS notices. GRAS notices provide more touchpoints between FDA and food industry that could result in enforcement action if FDA calls into question the safety or lawful marketing status of an ingredient.
How Companies Should Prepare
- Companies that have used the self-affirmation process for food ingredients should ensure that they continue to maintain appropriate documentation of the scientific review conducted to support their conclusions that the ingredients are GRAS.
- FDA actions to mandate GRAS notices will require notice-and-comment rulemaking and may include public meetings and other opportunities for engagement before and after the publication of a proposed rule. Companies should consider submitting comments to agency notices and participating in public hearings to both shape the regulatory process and stake their positions in anticipation of potential litigation.
- Companies should also be aware that Congress could pursue legislative changes to the regulatory construct for food ingredients if it takes issue with any proposed rulemaking, or if it believes a statutory fix is ideal or required.
Gibson Dunn is closely monitoring developments within the food regulatory landscape and is prepared to help companies consider and address the implications of potential regulatory changes, including through regulatory counseling, agency and legislative engagement, and litigation.
[1] HHS, Press Release, “HHS Secretary Kennedy Directs FDA to Explore Rulemaking to Eliminate Pathway for Companies to Self-Affirm Food Ingredients Are Safe” (Mar. 10, 2025) (“HHS Press Release”).
[2] A food ingredient used in food prior to September 6, 1958, is considered a “food additive” unless it is generally recognized to be safe based on common use in food. Food additives do not include color additives. 21 U.S.C. § 321(s); 21 CFR 170.30, 570.30.
[3] 21 U.S.C. §§ 342(a)(1), (2)(C)(i), 348(a).
[4] See id. § 348(b); 21 CFR 170.39.
[5] See 21 U.S.C. § 348(c); 21 CFR Parts 172-186.
[6] See 21 CFR 170.220-170.255. When a GRAS notice is filed for review, FDA discloses the name and address of the notifier, the name of the notified substance, the intended conditions of use, and the statutory basis of the conclusion of GRAS status on its public GRAS notice database. 81 Fed. Reg. at 55022-23; 21 CFR 170.275(b); see FDA, “GRAS Notices” (last visited Mar. 12, 2025). FDA also publishes its response to a GRAS notification. See, e.g., FDA, Guidance for Industry: Regulatory Framework for Substances Intended for Use in Human Food or Animal Food on the Basis of the Generally Recognized as Safe (GRAS) Provision of the Federal Food, Drug, and Cosmetic Act (Nov. 2017), at 6; 81 Fed. Reg. at 55014-15.
[7] 81 Fed. Reg. at 55015.
[8] Id. at 54970-71.
[9] HHS Press Release.
[10] See, e.g., “Trump’s FDA Pick Made His Name by Bashing the Medical Establishment. Soon He May Be Leading It,” U.S. News & World Report (Mar. 4, 2025).
[11] See, e.g., HHS Office of Inspector General, Rep. No. A-06-22-01002, The Food and Drug Administration Needs to Improve the Premarket Tobacco Application Review Process for Electronic Nicotine Delivery Systems to Protect Public Health (Nov. 2023).
[12] 21 CFR 170.38.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Consumer Protection or FDA & Health Care practice groups:
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Katlin McKelvie – Washington, D.C. (+1 202.955.8526, kmckelvie@gibsondunn.com)
John D. W. Partridge – Denver (+1 303.298.5931, jpartridge@gibsondunn.com)
Jonathan M. Phillips – Washington, D.C. (+1 202.887.3546, jphillips@gibsondunn.com)
Carlo Felizardo – Washington, D.C. (+1 202.955.8278, cfelizardo@gibsondunn.com)
Consumer protection investigations and enforcement actions are on the rise. Led by the DOJ, FTC, CFPB, and State Attorneys General, these actions create high-stakes criminal and civil risks for companies and executives. Featuring experienced practitioners and former officials from DOJ’s Consumer Protection Branch and the FTC, this webcast discusses trends in the enforcement of consumer health, safety, fraud, and privacy laws.
Presenters explain how enforcers initiate and resolve investigations, identify common pitfalls in investigative responses, and share thoughts on the management of consumer-affecting crisis situations—which often give rise to a swirl of negative press, regulatory action, class litigation, and investigations. Presenters also discuss expectations for consumer protection enforcement under the Trump Administration. This webcast provides critical takeaways for companies in the consumer products, life sciences, and tech sectors.
MCLE CREDIT INFORMATION:
This program has been approved for credit by the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour in the professional practice category. This course is approved for transitional and non-transitional credit.
Gibson, Dunn & Crutcher LLP certifies this activity is approved for 1.0 hour of MCLE credit by the State Bar of California in the General Category.
California attorneys may claim self-study credit for viewing the archived webcast. No certificate of attendance is required for self-study credit.
PANELISTS:
Gustav W. Eyler is a partner in the Washington, D.C. office. He is Co-Chair of the firm’s FDA and Health Care Practice Group and a member of the White Collar Defense and Privacy Practice Groups. An experienced litigator and a former Director of the U.S. Department of Justice’s Consumer Protection Branch, he defends companies and individuals in government investigations and enforcement actions and counsels clients on the design and implementation of compliance programs.
Svetlana S. Gans is a partner in the Washington, D.C. office where she helps clients navigate complex consumer protection (advertising, marketing, privacy, and right to repair) and competition related regulatory proceedings before the U.S. Federal Trade Commission, U.S. Department of Justice Antitrust Division, and other enforcement bodies, and provides strategic advice on related public policy issues. Svetlana is a frequent speaker on FTC policy and enforcement issues, including FTC rulemaking. She was also recently named as one of Lawdragon’s “500 Leading Litigators in America” and recognized by The Best Lawyers in America® for her work in Antitrust Litigation.
Ashley Rogers is a partner in the Dallas office. She is Co-Chair of the firm’s Consumer Protection Practice Group and a member of the firm’s Technology Litigation and Privacy, Cybersecurity and Data Innovation Practice Groups. Ashley is a nationally recognized technology-focused practitioner sought out by market-leading global companies to handle their most novel and challenging consumer protection and data privacy matters. She has particular expertise in defending clients in Federal Trade Commission, Consumer Financial Protection Bureau, and state Attorneys General investigations and enforcement actions, as well as in class action litigation and advisory matters involving a wide range of consumer protection and data privacy issues.
Natalie Hausknecht is a partner in the Denver office, where she practices in the firm’s litigation department. She is an experienced trial and consumer protection/privacy defense attorney with experience in high-exposure representations of major technology and fintech companies, global energy leaders, and corporate executives. Her experience also has included handling high priority state and federal government investigations involving state Attorneys General, the Federal Trade Commission, and the Consumer Financial Protection Bureau. Natalie has continuously received recognition in Best Lawyers: Ones to Watch® in America since 2021.
Jason Mendro, Matt Gregory, and Nick Harper are the authors of “Recent SEC Guidance On Memecoins Suggests Broader Policy Change,” where they discuss how the guidance may foreshadow a reappraisal of the Howey Test, which the SEC has recently used in its attempts to regulate cryptocurrencies through litigation.
Read the full article on CoinDesk.
This edition of Gibson Dunn’s Federal Circuit Update for February summarizes the current status of petitions pending before the Supreme Court and recent Federal Circuit decisions concerning exclusion of expert testimony, collateral estoppel, and patent-eligible subject matter under 35 U.S.C. § 101.
Federal Circuit News
Noteworthy Petitions for a Writ of Certiorari:
There were a few potentially impactful petitions filed before the Supreme Court in February 2025:
- Koss Corp. v. Bose Corp. (US No. 24-916): The question presented is: “When a district court grants a Rule 12(b)(6) motion to dismiss but does so without prejudice and with leave to amend, may that non-merits determination be given collateral-estoppel effect on the theory that it merged into a later with-prejudice dismissal stipulation?” The respondent waived its right to respond. The Court will consider this petition during its March 21, 2025 conference.
- Converter Manufacturing, LLC v. Tekni-Plex, Inc. (US No. 24-866): The questions presented are: “1. Whether the patent challenger always has the burden of proving that the disclosures in an asserted prior art patent or printed publication are enabling of the claimed subject matter under Sections 102 and 103 of the Patent Act. 2. Whether the standard for proving a prior art patent or printed publication enables claimed subject matter under Sections 102 and 103 of the Patent Act is the one set forth in this Court’s holding in Seymour v. Osbourn, 11 Wall. 516, 555 (1870). 3. Whether this Court’s Loper Bright Enterprises v. Raimondo decision prohibits the Federal Circuit from deferring to the USPTO’s interpretation of the law of prior art enablement by silently adopting that interpretation using Fed. R. App. P. 36.” A response is due April 16, 2025.
We provide an update below of the petitions pending before the Supreme Court, which were summarized in our January 2025 update:
- In Brumfield v. IBG LLC, et al. (US No. 24-764), two amicus curiae briefs have been filed. The response is due March 20, 2025. In Celanese International Corp. v. International Trade Commission (US No. 24-635), one amicus curiae brief has been filed. The response is due March 24, 2025.
- In Lighting Defense Group LLC v. SnapRays, LLC (US No. 24-524), after SnapRays waived its right to respond, the Court requested a response, which was filed on February 10, 2025. In Parker Vision, Inc. v. TCL Industries Holdings Co., et al. (US No. 24-518), after the respondents waived their right to respond, the Court requested a response, which was filed February 14, 2025. Nine amicus curiae briefs have been filed. The Court will consider both petitions during its March 21, 2025 conference.
- The Court denied the petitions in DISH Network L.L.C. v. Dragon Intellectual Property, LLC, et al. (US No. 24-726) and Provisur Technologies, Inc. v. Weber, Inc. (US No. 24-723).
Upcoming Oral Argument Calendar
The list of upcoming arguments at the Federal Circuit is available on the court’s website.
Key Case Summaries (February 2025)
Trudell Medical International Inc. v. D R Burton Healthcare, LLC, Nos. 23-1777, 23-1779 (Fed. Cir. Feb. 7, 2025): Trudell sued D R Burton alleging infringement of a patent directed to portable devices for performing oscillatory positive expiratory pressure therapy, which loosens secretions from airways to improve respiration. In accordance with the district court’s scheduling order, Trudell submitted expert reports before the discovery deadline, but D R Burton did not. Instead, D R Burton filed an expert declaration on noninfringement with its opposition brief to Trudell’s motion for summary judgment on infringement. Trudell moved to exclude D R Burton’s expert testimony, which the court denied. The jury returned a verdict of no infringement.
The Federal Circuit (Moore, C.J., joined by Chen, J. and Stoll, J.) affirmed-in-part, reversed-in-part and remanded. The Court concluded that the district court abused its discretion in allowing D R Burton’s expert to testify regarding noninfringement at trial, because D R Burton failed to timely disclose its expert’s opinions in an expert report as required by Fed. R. Civ. P. 26 without any explanation for why such failure was either “substantially justified or harmless.” Additionally, the Court determined that to the extent the expert declaration filed with D R Burton’s opposition brief could be considered an expert report, the expert’s trial testimony exceeded the scope of his declaration and was unreliable because it was “untethered” from the district court’s claim constructions. The Court therefore vacated the jury’s verdict and remanded for a new trial.
Kroy IP Holdings, LLC v. Groupon, Inc., No. 23-1359 (Fed. Cir. Feb. 10, 2025): Kroy sued Groupon alleging Groupon infringed certain claims of its patents directed to providing incentive programs over a computer network. Groupon challenged the asserted claims in inter partes review (IPR) proceedings, and the Patent Trial and Appeal Board (Board) determined all the challenged claims were unpatentable. After the IPR filing deadline passed, Kroy amended its complaint to allege infringement of additional claims that were not included in Groupon’s IPR petitions. Groupon moved to dismiss arguing that the Board’s prior unpatentability determinations collaterally estopped Kroy from asserting the additional claims. The district court granted the motion, reasoning in part that the claims challenged in the IPR were not materially different from the newly asserted claims, and thus, the issues were “identical” for purposes of collateral estoppel.
The Federal Circuit (Reyna, J., joined by Prost and Taranto, JJ.) reversed and remanded. The Court held that a prior final written decision of invalidity from the Board reached under a preponderance of the evidence standard could not collaterally estop a patentee from asserting unadjudicated claims of related patents in a parallel district court litigation, where invalidity must be proven under a higher clear and convincing evidence standard.
US Synthetic Corp. v. International Trade Commission, No. 23-1217 (Fed. Cir. Feb. 13, 2025): US Synthetic Corp. (USS) filed a complaint with the ITC alleging that certain companies (the Intervenors) violated 19 U.S.C. § 1337 by importing and selling products that infringed USS’s patents claiming a composition known as a polycrystalline diamond compact (PDC), which is used in oil drilling tools and machinery. The patent specification discloses certain parameters of PDC, including dimensional information, and certain properties of PDC, including coercivity, magnetic saturation, and permeability. The patent claims are directed to the composition of matter as defined by those parameters and properties. After the ITC initiated its investigation, the Intervenors challenged the asserted claims as ineligible under Section 101. The administrative law judge (ALJ) held that the claims were ineligible under Section 101 in part because the claims recited magnetic properties that the ALJ determined were “merely unintended results or effects of the manufacturing process and thus abstract.” USS petitioned for Commission review, and the Commission affirmed.
The Federal Circuit (Chen, J., joined by Dyk and Stoll, JJ.) reversed-in-part, affirmed-in-part, and remanded. The Court held that the claims were patent eligible under Section 101. The Court reasoned that the claims were not directed to an abstract idea; rather, they were directed to a specific composition of matter—a PDC—that is defined by its constituent elements, particular dimensional information, and quantified material properties (such as coercivity, magnetic saturation, and permeability). The Court further explained that the recited magnetic properties, which the ITC concluded made the claims abstract, correlated to structural or physical aspects of the claimed PDC and therefore were not directed to an abstract idea.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Federal Circuit. Please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Appellate and Constitutional Law or Intellectual Property practice groups, or the following authors:
Blaine H. Evanson – Orange County (+1 949.451.3805, bevanson@gibsondunn.com)
Audrey Yang – Dallas (+1 214.698.3215, ayang@gibsondunn.com)
Appellate and Constitutional Law:
Thomas H. Dupree Jr. – Washington, D.C. (+1 202.955.8547, tdupree@gibsondunn.com)
Allyson N. Ho – Dallas (+1 214.698.3233, aho@gibsondunn.com)
Julian W. Poon – Los Angeles (+ 213.229.7758, jpoon@gibsondunn.com)
Intellectual Property:
Kate Dominguez – New York (+1 212.351.2338, kdominguez@gibsondunn.com)
Josh Krevitt – New York (+1 212.351.4000, jkrevitt@gibsondunn.com)
Jane M. Love, Ph.D. – New York (+1 212.351.3922, jlove@gibsondunn.com)
The accommodations provide more flexibility for certain companies to initiate registration of their securities, spin-offs, and other offering processes without making the process initially public.
On March 3, 2025, the Division of Corporation Finance of the Securities and Exchange Commission (SEC) announced that it is further expanding existing accommodations to allow more companies to confidentially submit draft registration statements for nonpublic review. These accommodations provide more flexibility for certain companies to initiate registration of their securities, spin-offs, and other offering processes without making the process initially public.
Expanded Accommodations
As discussed in greater detail below, new accommodations include the following:
- Confidential submission is available for initial registration statements under both Section 12(b) of the Exchange Act of 1934, as amended (the Exchange Act), in connection with a spin-off and Section 12(g) of the Exchange Act in connection with securities registrations upon triggering shareholder and asset value thresholds;
- Foreign private issuers now have expanded options for submitting draft registration statements, including electing to be treated as an emerging growth company (EGC) if so qualified or following earlier SEC guidance issued in May 2012;
- Issuers are able to confidentially submit registration statements regardless of how long they have been public, which would benefit non-WKSIs (well-known seasoned issuers) in the context of follow-on offerings;
- Public targets of de-SPAC transactions may now confidentially submit registration statements as if they were conducting an IPO; and
- Issuers are permitted to omit underwriter names in the initial submission of the draft registration statements, allowing the SEC review process to begin earlier.
Exchange Act Registrations
The accommodations expand the availability of nonpublic review to classes of securities registered on Forms 10, 20-F, or 40-F under both Section 12(b) and Section 12(g) of the Exchange Act (as opposed to only Section 12(b) of the Exchange Act under the prior accommodation). Section 12(b) registration is used when a company intends to list securities on a national securities exchange, often in connection with a spin-off. In addition, when a company has total assets of more than $10 million and 2,000 record holders of its equity securities (or 500 non-accredited investors) as of the last day of its fiscal year, it must register its securities under Section 12(g) of the Exchange Act.
Issuers registering under Section 12(g) of the Exchange Act should note, however, that submitting a draft for nonpublic review does not satisfy the requirement that a registration statement be filed within 120 days of the end of the issuer’s fiscal year.
In addition, issuers must continue to publicly file the registration statement and draft submissions no later than 15 days prior to a road show or, in the absence of a road show, the requested effective date. Note, however, that issuers will need to publicly file Exchange Act registration statements on Forms 10, 20-F, and 40-F so that the full 30- or 60-day period, as applicable, will run prior to effectiveness.
Foreign Private Issuers
Where desired, instead of submitting draft registration statements under these new accommodations and the prior accommodations in 2017, foreign private issuers may elect to proceed in accordance with the procedures available to EGCs (if they so qualify) or follow the guidance in the SEC’s May 30, 2012 statement (the May 2012 guidance). The May 2012 guidance applies to (a) foreign governments listing their debt securities, (b) foreign private issuers that are already listed on non-U.S. exchanges, (c) foreign private issuers being privatized by foreign governments, or (d) foreign private issuers which can show that a public filing of an initial registration statement would conflict with the law of an applicable foreign jurisdiction.
Follow-on Securities Act Offerings and Exchange Act Registrations
The accommodations also remove the requirement that draft registration statements could only be submitted confidentially within a 12-month period following the date the issuer became subject to the reporting requirements of Section 13(a) or 15(d) of the Exchange Act.
Under the prior accommodation, due to the time limit, companies that were public for more than one year were not eligible to submit draft registration statements for nonpublic review. The new guidance now permits nonpublic review regardless of how long a company has been a public company, which would be particularly useful for non-WKSI issuers. Such issuers (whose registration statements are not automatically effective upon filing) can initially submit their registration statements, including shelf registration statements, for nonpublic review when they conduct follow-on offerings.
The SEC will continue to limit its nonpublic review to the initial submission. Accordingly, amendments to registration statements responding to staff comments must be publicly filed.
An issuer submitting an initial draft registration statement for nonpublic review should confirm in its cover letter that it will file publicly its registration statement and draft submission at least two business days prior to any requested effective time and date, which is a change from the previous 48-hour requirement. The SEC noted that it will consider reasonable requests to expedite this two business-day period and encourages issuers and their advisors to review their transaction timing with the staff of the SEC.
De-SPAC Transactions
The expanded accommodations also apply to de-SPAC transactions. Previously, a SPAC usually had to file its de-SPAC registration statement publicly if the filing occurred more than one year after the SPAC’s IPO. Under the new guidance, the target company of a de-SPAC transaction may confidentially submit a registration statement as if it were conducting an initial public offering, provided that the SPAC survives as the public company and the target company is otherwise independently eligible to submit a draft registration statement. This approach reflects the SEC’s view that a de-SPAC transaction is the functional equivalent of the target company’s IPO.
Certain Omissions and Staff Processing
In a return to a prior accepted practice, the SEC will again permit issuers to omit the names of underwriters from initial draft submissions (despite the requirements under Regulation S-K Items 501 and 508), as long as the underwriters are disclosed in subsequent submissions and public filings, which would enable the registration process to start sooner.
In addition, the SEC has indicated that it will not delay its review process if an issuer omits certain financial information, so long as such issuer reasonably believes that such omitted financial information will not be required at the time the registration statement becomes publicly available.
In any of these circumstances, issuers must continue to take all steps to ensure that their draft registration statements are substantially complete when submitted.
Additional Information
The SEC will address any questions related to the use of such expanded processing procedures sent to CFDraftPolicy@sec.gov.
For additional information, please see the following documents:
- Voluntary Submission of Draft Registration Statements – FAQs
- Fixing America’s Surface Transportation (FAST) Act – C&DIs
- Securities Act Forms – C&DIs
- Jumpstart Our Business Startups Act Frequently Asked Questions – Generally Applicable Questions on Title I of the JOBS Act
- Jumpstart Our Business Startups Act Frequently Asked Questions – Confidential Submission Process for Emerging Growth Companies
Conclusion
The key effect of these accommodations is to expand the pool of issuers that can utilize the nonpublic review process, reflecting the SEC’s willingness to expedite the registration process and facilitate capital formation, as stated in the release.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Capital Markets or Securities Regulation and Corporate Governance practice groups, or the following practice leaders:
Capital Markets:
Andrew L. Fabens – New York (+1 212.351.4034, afabens@gibsondunn.com)
Hillary H. Holmes – Houston (+1 346.718.6602, hholmes@gibsondunn.com)
Stewart L. McDowell – San Francisco (+1 415.393.8322, smcdowell@gibsondunn.com)
Peter W. Wardle – Los Angeles (+1 213.229.7242, pwardle@gibsondunn.com)
Securities Regulation and Corporate Governance:
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, eising@gibsondunn.com)
Thomas J. Kim – Washington, D.C. (+1 202.887.3550, tkim@gibsondunn.com)
James J. Moloney – Orange County (+1 949.451.4343, jmoloney@gibsondunn.com)
Lori Zyskowski – New York (+1 212.351.2309, lzyskowski@gibsondunn.com)
From the Derivatives Practice Group: The SEC announced that it will host a series of roundtables to discuss key areas of interest in the regulation of crypto assets, beginning on March 21.
New Developments
- SEC Crypto Task Force to Host Roundtable on Security Status. On March 3, the SEC announced that its Crypto Task Force will host a series of roundtables to discuss key areas of interest in the regulation of crypto assets. The “Spring Sprint Toward Crypto Clarity” series will begin on March 21 with its inaugural roundtable, “How We Got Here and How We Get Out – Defining Security Status.” The SEC indicated that the initial roundtable on March 21 is open to the public and will be held from 1 p.m. to 5 p.m. at the SEC’s headquarters at 100 F Street, N.E., Washington, D.C., that the primary discussion will be streamed live on SEC.gov, and that a recording will be posted at a later date. The SEC also noted that information regarding the agenda and roundtable speakers will be posted on the Crypto Task Force webpage. [NEW]
- CFTC Commissioner Christy Goldsmith Romero to Step Down from the Commission and Retire from Federal Service. On February 26, Commissioner Christy Goldsmith Romero announced she is stepping down from the Commission and will retire from federal service. Commissioner Romero extended her gratitude to President Biden for her nomination, the U.S. Senate for its unanimous confirmation, and her current and former staff and the CFTC for their public service.
- CFTC Releases Enforcement Advisory on Self-Reporting, Cooperation, and Remediation. On February 25, the CFTC’s Division of Enforcement issued an Advisory that describes how the Division will evaluate a company’s or individual’s self-reporting, cooperation, and remediation when recommending enforcement actions to the Commission and establishes the factors the Division will consider. This marks the first time the Division will use a matrix to determine the appropriate mitigation credit to apply. Commissioner Kristin N. Johnson released a statement that “any effort to adopt new reporting processes, particularly processes that require inter-division guidelines and infrastructure, must be consistent with the mandates of [the CFTC]” and consequently, that she does not support the Advisory. Additional information regarding the Advisory can be found in our client alert.
- SEC Announces Cyber and Emerging Technologies Unit to Protect Retail Investors. On February 20, the SEC announced the creation of the Cyber and Emerging Technologies Unit (“CETU”). According to the SEC, CETU will focus on combatting cyber-related misconduct and is intended to protect retail investors from bad actors in the emerging technologies space. CETU, led by Laura D’Allaird, replaces the Crypto Assets and Cyber Unit and is comprised of approximately 30 fraud specialists and attorneys across multiple SEC offices. The SEC noted that CETU will utilize the staff’s substantial fintech and cyber-related experience to combat misconduct as it relates to securities transactions in the following priority areas: fraud committed using emerging technologies, such as artificial intelligence and machine learning; use of social media, the dark web, or false websites to perpetrate fraud; hacking to obtain material nonpublic information; takeovers of retail brokerage accounts; fraud involving blockchain technology and crypto assets; regulated entities’ compliance with cybersecurity rules and regulations; and public issuer fraudulent disclosure relating to cybersecurity.
- Acting Chairman Pham Announces Brian Young as Director of Enforcement. On February 14, CFTC Acting Chairman Caroline D. Pham announced that Brian Young will serve as the agency’s Director of Enforcement. Young has been serving in an acting capacity since January 22, and previously was the Director of the Whistleblower Office. He is a distinguished federal prosecutor with nearly 20 years of service at the Department of Justice, including as Acting Director of Litigation for the Antitrust Division and Chief of the Litigation Unit for the Fraud Section of the Criminal Division, and has successfully tried some of the most high-profile criminal fraud and manipulation cases in the CFTC’s markets.
New Developments Outside the U.S.
- The ESAs Acknowledge the European Commission’s Amendments to the Technical Standard on Subcontracting Under the Digital Operational Resilience Act. On March 7, the European Supervisory Authorities (EBA, EIOPA and ESMA – the “ESAs”) issued an opinion on the European Commission’s (“EC”) rejection of the draft Regulatory Technical Standard (“RTS”) on subcontracting. The EC indicated that it rejected the original draft RTS on subcontracting, which specified further elements that financial entities must determine and assess when subcontracting ICT services that support critical or important functions under the Digital Operational Resilience Act (“DORA”), on the grounds that certain elements exceeded the powers given to the ESAs by DORA. The opinion acknowledges the assessment performed by the EC and opines that the amendments proposed ensure that the draft RTS is in line with the mandate set out under DORA. The ESAs said that, for this reason, they do not recommend further amendments to the RTS in addition to the ones proposed by the EC. The ESAs encouraged the EC to finalize the adoption of the RTS without further delay as submitted to the ESAs. [NEW]
- EC Publishes Sustainability Omnibus Package. On February 26, the EC published the sustainability omnibus package and accompanying Q&A, alongside the Clean Industrial Deal communication and investment simplification package. ISDA said that the proposals are intended to simplify sustainability reporting and due diligence, as well as reduce administrative burdens on companies. The EC has also launched a consultation until March 26 on draft amendments to the Taxonomy Disclosures delegated act, including, inter alia, the suspension of the Trading Book Key Performance Indicator to 2027. The EC also proposed to delay the Corporate Sustainability Due Diligence Directive (“CSDDD”) transposition deadline and application date by one year to July 26, 2027 and 2028 respectively. Other CSDDD proposals include the removal of the EC review clause to evaluate whether additional due diligence requirements should be imposed on the provision of financial services and investment activities by July 26, 2026, the removal of the EU-wide harmonized civil liability regime and the deletion of the requirement to terminate business relationships. The EC’s proposed changes to the Carbon Border Adjustment Mechanism (“CBAM”) regulation include an exemption for small importers of CBAM goods and a postponement of the obligation for importers to purchase CBAM certificates to February 1, 2027. The Clean Industrial Deal further notes that the EC is working on a CBAM review report that will assess the functioning of the mechanism and potential scope extension to other emissions trading system sectors which will be presented in the autumn, followed by a legislative proposal in early 2026. The proposed amendments to the Corporate Sustainability Reporting Directive, CSDDD and CBAM will now be considered for adoption by the European Parliament and the Council. [NEW]
- IOSCO Concludes Thematic Review on Technological Challenges to Effective Market Surveillance. On February 19, IOSCO published a Thematic Review on the status of implementation of its recommendations on Technological Challenges to Effective Market Surveillance issued in 2013. The IOSCO Assessment Committee conducted the review and assessed the consistency of outcomes arising from the implementation of its recommendations by market authorities in 34 IOSCO member jurisdictions. According to IOSCO, the review found that most market authorities have implemented the recommendations and have made significant progress in addressing technological challenges to market surveillance, particularly in more complex markets. However, IOSCO noted the following concerns: some regulators lack the necessary organizational and technical capabilities to conduct effective surveillance of their markets in the midst of rapid technological developments; the absence of regular review of the surveillance capabilities of market authorities; difficulties with regard to the collection and comparison of data across venues in markets with multiple trading venues; and the inability of many regulators to map their cross-border surveillance capabilities.
- ESMA Proposes Guidelines on Product Supplements. On February 18, ESMA published a Consultation Paper asking for input on Guidelines on supplements that introduce new types of securities to a base prospectus. The aim of the guidelines is to harmonize the supervision of so-called ‘product supplements’ across national competent authorities as approaches to supervision in this area have diverged in the past.
- The ESAs Provide a Roadmap Towards the Designation of CTPPs under DORA. On February 18, the European Supervisory Authorities (“ESAs”) announced advancements of the implementation of the pan-European oversight framework of critical Information and Communication Technology (“ICT”) third-party service providers (“CTPPs”) with the objective to designate the CTPPs and to start the oversight engagement this year. The competent authorities are required to submit Registers of Information on ICT third-party arrangements they received from financial entities by April 30, 2025.
- ESMA Consults on the Criteria for the Assessment of Knowledge and Competence Under MiCA. On February 17, ESMA launched a consultation on the criteria for the assessment of knowledge and competence of crypto-asset service providers’ (“CASPs”) staff giving information or advice on crypto-assets or crypto-asset services. ESMA is seeking stakeholder inputs about, notably: the minimum requirements regarding knowledge and competence of staff providing information or advice on crypto-assets or crypto-asset services; and organizational requirements of CASPs for the assessment, maintenance and updating of knowledge and competence of the staff providing information or advice. ESMA said that the guidelines aim to ensure staff giving information or advising on crypto-assets or crypto-asset services have a minimum level of knowledge and competence, enhancing investor protection and trust in the crypto-asset markets. ESMA indicated that it will consider all comments received by April 22, 2025.
New Industry-Led Developments
- ISDA Responds to FSB Consultation on Leverage In NBFI. On February 28, ISDA responded to the Financial Stability Board’s (FSB) consultation on leverage in the non-bank financial intermediation (NBFI) sector. ISDA made the following points: overly prescriptive regulatory recommendations for all NBFI-sector firms across all geographies and market sectors could be inappropriate; the ways in which the use of leverage in the NBFI sector would create financial stability risks deserve further examination; ISDA believes the FSB should undertake a deeper analysis of the impact of the proposed measures on the cost of hedging, market liquidity and liquidity needs in times of stress; and the FSB should account for how the use of derivatives and secured financing, which the FSB characterizes as leverage-inducing activities, support key functions performed by financial markets, including: financing, hedging, price discovery, and market stabilization through countercyclical behaviors. [NEW]
- ISDA and FIA Response to IOSCO on Pre-Hedging Consultation. On February 21, ISDA and FIA responded to the International Organization of Securities Commissions’ (“IOSCO”) consultation report on pre-hedging. In the response, the associations highlight that an appropriate, consistent and well-understood framework for pre-hedging is important for safe and efficient markets. The associations also noted the importance of not cutting across existing industry codes, including the FX global code, the precious metal code and the Financial Markets Standards Board’s standard for large trades, as market participants already have policies, procedures and institutional frameworks in place to comply with them.
- ISDA Responds to BoE Consultation on Fundamental Rules for FMIs. On February 19, ISDA submitted a response to a consultation from the Bank of England (BoE) on a proposal to introduce a set of rules for UK financial market infrastructures (FMIs), including central counterparties (CCPs). In the response, ISDA expresses its support for the proposed fundamental rules (FRs). ISDA said it would encourage further references to transparency throughout the rules and that it believes transparency should be one of the guiding principles that CCPs should follow in the conduct of their business, and this could be reflected under FR 1, 2 and/or 3. ISDA indicated it would also welcome further references to transparency in relation to FR 9, in the context of operational resilience, noting that market participants require adequate information on CCPs’ operational resiliency to perform their third-party risk assessments. ISDA also expressed appreciation for the addition of FR 10, which recognizes the specific nature of CCPs by requiring them to identify, assess and manage the risks that their operations could pose to the stability of the financial system. ISDA said it believes the outcome of the assessment should also be shared with CCPs’ participants, which would then be able to factor this into their own risk management. [NEW]
- ISDA and AFME Response to FCA on Transparency of Enforcement Decisions. On February 17, ISDA and the Association for Financial Markets in Europe (“AFME”) responded to the UK Financial Conduct Authority’s (“FCA”) consultation on greater transparency of enforcement decisions. The FCA’s proposal, which gives it the ability to publicly name firms at the start of an investigation, continues to cause trepidation across the industry. In the response, ISDA and AFME highlight concerns that the current proposals are harmful to UK competitiveness and growth and suggest a broader interpretation of the existing exceptional circumstances test could be used to meet the FCA’s objectives.
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)
Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)
Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)
Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)
Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)
Adam Lapidus, New York (212.351.3869, alapidus@gibsondunn.com)
Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)
William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)
Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com)
Hayden K. McGovern, Dallas (214.698.3142, hmcgovern@gibsondunn.com)
Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)
There have been several recent significant developments in transnational litigation. This Update breaks down those developments and provides detail into the courts’ analyses in several key areas of transnational litigation, as listed below.
TABLE OF CONTENTS
I. Global Climate Change Lawsuits
A. Climate Change Litigation in the United States
B. Climate Change Litigation in Germany and the EU
II. Supply Chain Due Diligence in the European Union
A. EU Corporate Sustainability Due Diligence Directive
1. Scope of application and obligations
2. Enforcement and Sanctions
3. Civil Liability of Companies
III. Developments in Transnational Jurisdiction: Personal Jurisdiction
A. The Ford Motor Decision and Its Impact on Specific Personal Jurisdiction
B. The Mallory Decision and the Expansion of General Jurisdiction
C. Personal Jurisdiction and Forum Selection Clauses in Subsidiary-Parent Relationships: Binding Non-Signatory Parents or Subsidiaries
IV. The Continued Evolution of Extraterritorial Application of RICO
V. Cross-Border Discovery and Issues Related to Privileges Protections
VI. Supply Chain Litigation Under The Trafficking Victims Protection Reauthorization Act
I. Foreign Judgment Recognition and Enforcement in the UK
A. Hague Convention on Recognition and Enforcement of Foreign Judgments to Come into Force in the UK
B. English Court of Appeal judgment on sovereign immunity and ICSID Awards
II. ESG Litigation: Parent Company Liability and Supply Chain Risk
Decision regarding Greenwashing by the German Federal Court of Justice
I. Global Climate Change Lawsuits
All over the world, plaintiffs are using courts to try to hold private companies and governments liable for what they allege are the effects of global climate change. These cases underscore the legal pressures on both public and private sectors to adopt and meet stringent climate targets and the potential for significant legal and financial implications. Understanding these developments is crucial for businesses to navigate the evolving regulatory landscape and mitigate risks.
Since 2017, state and local governments across the United States have filed lawsuits in state courts against private energy companies, alleging that the companies’ worldwide extraction, production, promotion, marketing, and sale of fossil fuels have contributed to global climate change and thereby caused injury. The plaintiffs seek damages and other relief for the alleged impacts of climate change, which they allege has been caused by interstate and international emissions, the cumulative actions of billions of individuals around the world over the past century. Dozens of nearly identical actions have been brought under this theory, including in San Francisco, New York City, Baltimore, and Boulder.[1] Additional suits continue to be filed.
Most state courts that have confronted the merits of these claims have concluded that federal law precludes states from using their own law to resolve claims seeking relief for injuries arising from international emissions. Those courts have held that the federal constitutional structure of the United States does not allow state law to resolve claims that are based on such inherently interstate and international phenomena, and also that the Clean Air Act preempts these state-law claims. As the Circuit Court of Maryland, Baltimore City recently held, “the Constitution’s federal structure does not allow the application of state law to” these claims; rather, they “g[o] beyond the limits of … state law.”[2] The Circuit Court for Anne Arundel County, Maryland, too, has held that “federal law precludes and preempts the application of state law” to these types of claims.[3] The Delaware Superior Court has concluded that “[t]he federal Constitution prohibits the State from using its own laws to resolve claims seeking redress for injuries allegedly caused by out-of-state emissions.”[4] And the New Jersey Superior Court came to the same conclusion, explaining that “only federal law can govern Plaintiffs’ interstate and international emissions claims because ‘the basic scheme of the Constitution so demands.’”[5] The Hawaii Supreme Court, by contrast, has held that claims of this sort are not “preempted by federal law.”[6]
The federal courts that have considered the merits, meanwhile, have unanimously held that federal law precludes state-law claims seeking redress of injuries allegedly caused by the effects of interstate and international greenhouse-gas emissions on the global climate. For example, in dismissing New York City’s lawsuit in 2021, the Second Circuit held that “such a sprawling case is simply beyond the limits of state law,” and that “municipalities may [not] utilize state tort law to hold multinational oil companies liable for the damages caused by global greenhouse gas emissions.”[7] Similarly, the U.S. District Court for the Southern District of New York held that claims of this sort “are ultimately based on the ‘transboundary’ emission of greenhouse gases,” so “our federal system does not permit the controversy to be resolved under state law.”[8] And the U.S. District Court for the Northern District of California agreed.[9]
So far, the U.S. Supreme Court has not weighed in to definitively resolve this issue of federal law. Until that Court intervenes, or until the state courts come to a consensus that state law cannot be used to resolve these disputes, States and municipalities likely will continue to bring these cases.
In the EU, too, climate-change litigation is becoming increasingly important, both for the public sector and private companies. The claims are based on new environment-related policies and legislation but also fundamental rights such as those enshrined in the European Convention on Human Rights.
The Deutsche Umwelthilfe (DUH), or “German environmental aid,” is an independent non-profit organization that brought several claims against Germany and various private companies in 2023 and 2024. First, the DUH filed two complaints in the Higher Administrative Court Berlin-Brandenburg against Germany’s 2023 Climate Protection Program, arguing that it lacked sufficient measures concerning the energy, industry, buildings, agriculture, and transport sectors and the land use sector.[10] On May 16, 2024, the Court ruled in favor of the DUH, finding that the program had failed to meet the 2030 climate target pursuant to Section 3 (1) No. 1 of the Climate Protection Act. In September 2024, the Ministry of the Environment appealed the ruling, and the case is currently pending before the Federal Administrative Court. Additionally, on July 17, 2023, the DUH filed a constitutional complaint after the German Parliament approved changes to the Climate Protection Act.[11] The DUH argued that the amendment reduces the responsibility of sectors like transport and buildings for greenhouse gas emissions. Instead of sector-specific reduction targets, the law introduces a holistic approach focusing on savings where the greatest potential exists. That case is pending.[12]
With respect to the private sector, DUH filed lawsuits against, among others, Mercedes-Benz Group AG (“Mercedes”) and BMW AG (“BMW”). The plaintiffs, managing directors of DUH, are claiming violations of their personal rights due to the continued production and sale of combustion engines, and are requesting that the companies produce only electric vehicles beginning in 2030. These lawsuits are based on the Federal Constitutional Court’s climate ruling from 2021, which states that the responsibility for reducing emissions must not be postponed at the expense of future generations.[13] The Stuttgart Regional Court ruled in favor of Mercedes,[14] and that decision has been affirmed by the Stuttgart Higher Regional Court.[15] The judges held that the determination of emission values or reduction targets is the task of the legislator, not the courts. The case is currently pending on appeal before the German Federal Court of Justice. Similarly, DUH failed in its climate action against BMW before the Munich Higher Regional Court: the court dismissed the claim and found that BMW was acting in accordance with applicable laws.[16] In addition, DUH filed but has since withdrawn a lawsuit against the oil and gas company Wintershall Dea—which sought to order the company to tighten its carbon-emissions target and to cease the extraction of natural gas and crude oil nationally and internationally by 2025.[17]
Additionally, Milieudefensie, a Dutch environmental organization, sued Royal Dutch Shell, alleging that Shell is at odds with global climate targets, violating its duty of care under Article 6:162 of the Dutch Civil Code—which is based on Articles 2 and 8 of the European Convention on Human Rights (ECHR) that guarantee the right to life (Article 2) and the right to private and family life, home, and correspondence (Article 8)—and failing to comply with the goals of the Paris Agreement. The first instance ruling required Shell to reduce its total CO₂ emissions by 45% by the end of 2030 compared to 2019.[18] The court identified a duty of care under Dutch law arising from the “unwritten standard of care.” The court also ruled that Shell can be held responsible for emissions of its suppliers and end customers. In November 2024, the Court of Appeals in The Hague confirmed that Shell has a duty of care under Dutch tort law, in line with international human rights law as well as EU and international climate regulations, to take action to prevent dangerous climate change. However, the court overturned the judgment by rejecting the imposition of a specific emission reduction target for Shell, as there was not enough scientific consensus to define a precise reduction percentage, and such decisions should be made by politicians, not by courts.[19]
II. Supply Chain Due Diligence in the European Union
On July 25, 2024, the Directive on Corporate Sustainability Due Diligence, EU Directive 2020/1760 (CSDDD) entered into force.[20] The CSDDD establishes far-reaching mandatory human-rights and environmental obligations on both EU and non-EU companies meeting certain turnover thresholds. Those obligations apply with respect to a company’s own operations and those of its subsidiaries—but also to those carried out by a company’s “business partners” in the company’s “chain of activities.”[21] The EU member states are required to transpose the CSDDD into national law by July 26, 2026. However, the European Commission has presented its proposal for a “First Omnibus Package” intended to simplify and streamline reporting requirements across multiple EU sustainability laws such as the CSDDD and the Corporate Sustainability Reporting Directive (the CSRD). The First Omnibus Package is split into two separate proposals: (i) a Postponement Directive[23] to delay certain reporting obligations for two years and due diligence obligations until 2028, and (ii) an Amendment Directive[24] to revise key elements of the EU’s sustainability reporting and due diligence frameworks, including changes to the scope of the CSDDD. Since the Amendment Directive will most likely lead to lengthy negotiations, we proceed below on the basis of the initial text and highlight key considerations of the First Omnibus Package.
The CSDDD will apply to EU companies that have more than 1,000 employees on average and a net worldwide turnover of more than EUR 450 million;[25] and also will apply to non-EU companies that have generated a net turnover in the EU of more than EUR 450 million.
Notably, the scope of application of the CSDDD is more limited than that of the CSRD,[26] which (save with respect to franchisors or licensors) applies lower employee and turnover thresholds. While the CSDDD is expected to apply to around 5,500 companies, the CSRD covers approximately 50,000 companies. However, with the First Omnibus Package the European Commission proposes to align the scope of the CSRD more closely with the CSDDD.
Generally, the CSDDD, one of the most debated pieces of European legislation of recent times, establishes an obligation on in-scope companies to: (a) identify (due diligence) adverse human-rights and environmental impacts; (b) prevent, mitigate, and bring to an end/minimise such adverse impacts; and (c) adopt and put into effect a transition plan for climate-change mitigation which aims to ensure—through best efforts—compatibility of the company’s business model and strategy with limiting global warming to 1.5°C in line with the Paris Agreement.
The CSDDD also sets out minimum requirements (including the ability for claims to be made by trade unions or civil society organisations) of a liability regime to be implemented by member states of the EU for violation of the obligation to prevent, mitigate and bring to an end or at least minimise adverse impacts.
The Directive requires EU member states to designate independent “Supervisory Authorities” to supervise compliance.[27] A Supervisory Authority must have adequate powers and resources, including the power to require companies to provide information and carry out investigations. Investigations may be initiated on the Supervisory Authorities’ own motion or as a result of substantiated concerns raised by third parties. Sanctions regimes adopted by EU member states must be effective, proportionate and dissuasive.
Member States must establish a civil liability regime for companies which intentionally or negligently fail to comply with the CSDDD’s obligations and where damage has been caused to a person’s legal interest (as protected under national law) as a result of that failure.[28]
EU member states must provide for “reasonable conditions” under which any alleged injured party may authorize a trade union, non-governmental human rights or environmental organization or other NGO or national human rights institution, to bring actions to enforce the rights of the alleged injured party.[29]
The Directive requires a limitation period for bringing actions for damages of at least five years and, in any case, not shorter than the limitation period laid down under general civil liability national regimes.
Regarding compensation, the Directive requires Member States to lay down rules that fully compensate victims for the damage they have suffered as a direct result of the company’s failure to comply with the Directive. However, the Directive states that deterrence through damages (i.e., punitive damages) or any other form of overcompensation should be prohibited.
The CSDDD’s potential civil liability exceeds that of existing supply chain legislation in Member States, such as the German Supply Chain Due Diligence Act. However, the European Commission proposes with the First Omnibus to defer the civil liability regime to the EU Member States who shall ensure that, if companies are held liable in case of non-compliance with the due diligence requirements under the CSDDD, the injured parties will have a right to full compensation.
While the full impact of the civil liability regime linked to the CSDDD is still uncertain and it remains to be seen how the Member States transpose the CSDDD, for businesses, this new regime underscores the importance of robust due diligence and risk management practices as well as compliance with the CSDDD.
On June 29, 2023, the EU’s Deforestation Regulation (EUDR)—which restricts the sale in the EU of products that may cause deforestation or the degradation of forests—entered into force.[30] The EUDR prevents certain commodities and products linked to deforestation or forest degradation from entering the European market or being exported. Accordingly, EUDR imposes on operators and traders the obligation to maintain a due-diligence system to avoid sourcing materials that are connected to deforestation or forest degradation. The Regulation therefore requires geolocational data for all forest products imported into the EU. Other countries, such as the United States and China, have objected to the EUDR as imposing impossible standards and acting as a trade barrier.[31]
In response to these criticisms, the EU Council has extended the application timeline for the EUDR until December 30, 2025 for large- and medium-sized companies, and until June 30, 2026 for micro and small companies, and the EU Parliament has confirmed the postponement.[32]
III. Developments in Transnational Jurisdiction: Personal Jurisdiction
In the past few years, the U.S. Supreme Court has issued two significant personal-jurisdiction decisions: Ford Motor Co. v. Montana[33] and Mallory v. Norfolk Southern Railway.[34] In the wake of these decisions, many lower courts have expanded the circumstances that justify the exercise of specific personal jurisdiction.
A. The Ford Motor Decision and Its Impact on Specific Personal Jurisdiction
In Ford Motor, the Supreme Court clarified that, in certain circumstances, a claim may “arise out of or relate to” the forum state for purposes of personal jurisdiction even in the absence of direct causation. Ford Motor involved product-liability lawsuits related to accidents involving Ford vehicles that took place in the State where the lawsuits were filed, and the plaintiffs were residents of those States. Ford had significant business operations in each State, including advertising, selling, and servicing the specific vehicle models involved in the accidents. The vehicles, however, were designed, manufactured, and sold outside the State.
The Court rejected Ford’s argument that the fact that the cars involved in the accidents were not purchased or manufactured in the forum states should be dispositive as to jurisdiction. As the Court explained, “some relationships will support jurisdiction without a causal showing.”[35] While the Court was careful to caution “[t]hat does not mean anything goes,”[36] it emphasized that “[w]hen a company like Ford serves a market for a product in a State and that product causes injury in the State to one of its residents, the State’s courts may entertain the resulting suit.”[37]
In the wake of Ford Motor, federal courts of appeals have expanded the reach of specific personal jurisdiction to include numerous international corporations that hitherto may not have been subject to the personal jurisdiction of U.S. courts. For example, in Hardy v. Scandinavian Airlines System, Hardy, a U.S. citizen, was injured stepping off a plane in Oslo and sued the foreign airline company.[38] The district court held that the airline’s selling the ticket to Hardy was not causally connected with her injury, but the Fifth Circuit reversed, noting that, under Ford Motor, “some relationships will support jurisdiction without a causal showing,” and holding that the airline’s “advertising in the United States and its operation of a flight out of Newark. … combined to create an unbroken causal chain that ends with Hardy’s injury.”[39]
The Sixth Circuit came to a similar conclusion in Sullivan v. LG Chem, Ltd.[40] There, a consumer sued LG, a South Korean company, in Michigan for injuries sustained when LG’s batteries exploded. LG objected to personal jurisdiction on the basis that it never sold the batteries for consumer use in Michigan. The Sixth Circuit, however, held that this argument was simply “disguising” the causation analysis that Ford Motor “rejected”; the court accordingly held that personal jurisdiction was proper because LG conducted business with Michigan companies and had shipped the batteries into Michigan.[41]
Other courts, however, have recognized the limits of Ford. In Estados Unidos Mexicanos v. Smith & Wesson,[42] the Mexican government filed a lawsuit in the District of Massachusetts against seven U.S. gun manufacturers, accusing them of designing, marketing, and selling firearms in ways that they knew facilitated arming Mexican drug cartels. The court declined to assert specific jurisdiction over the manufacturers, distinguishing the case from Ford on the grounds that none of the alleged injuries took place in Massachusetts, nor did any of the plaintiffs have a connection to that State.[43]
The Northern District of California also distinguished Ford Motor in dismissing a case against the German airline Lufthansa. In Doe v. Deutsche Lufthansa Aktiengesellschaft,[44] the plaintiffs alleged that they suffered harm because the way Lufthansa agents treated them in Riyadh revealed their sexual orientation to the Saudi Arabian government. The plaintiffs, both California residents, brought suit in California. The court recognized that Lufthansa had clearly availed itself of the privileges of conducting business in California, “regularly operat[ing] flights between Saudi Arabia and California, and regularly operat[ing] flights to and from San Francisco, Los Angeles, and San Diego.”[45] Additionally, the airline is registered to operate in California, maintains an agent for service of process in the state, employs 41 staff members there, and operates offices at the San Francisco and Los Angeles airports.[46] However, because the flights were booked in Saudi Arabia, the claims stemmed from events at the Riyadh airport, and the disclosure of their personal information occurred outside the United States, the court determined that the plaintiffs’ claims did not arise out of or relate to Lufthansa’s contacts with the state.[47] Some commentators have criticized this holding, arguing that, as in Ford Motor, Lufthansa “deliberately cultivated a market in California,” the plaintiff “was induced by Lufthansa’s market presence in California to purchase Lufthansa tickets to fly to California,” and the plaintiff’s cause of action “derive[s] from their flights bound for the state.”[48] The court, however, despite declaring it a “close call,” found this line of argument “too speculative” to support specific personal jurisdiction.[49]
Nevertheless, in the wake of Ford Motor, firms should be aware that many courts have interpreted Ford Motor’s rejection of a causation requirement in the specific-personal-jurisdiction analysis as broadly expanding personal jurisdiction, even for foreign companies.
B. The Mallory Decision and the Expansion of General Jurisdiction
The Court’s 2023 decision in Mallory v. Norfolk Southern Railway, meanwhile, expanded the grounds for the exercise of general personal jurisdiction over foreign defendants. In Mallory, the Supreme Court upheld as constitutional Pennsylvania’s corporate-registration statute, which provides that all out-of-state corporations that register to do business within the State consent to general personal jurisdiction. The plaintiff, a Virginia resident, sued his previous employer, incorporated and based in Virginia, in Pennsylvania, arguing that, by registering to do business in Pennsylvania, the defendant had consented to general jurisdiction.[50] The Supreme Court agreed that, because Pennsylvania’s law “is explicit” that registration is a basis for general jurisdiction[51] and because the defendant had a substantial in-state presence,[52] the requisite “fair notice” was provided under the Due Process Clause, the statute was constitutional, and jurisdiction could be asserted. Because the defendant had registered to do business in Pennsylvania, it could be sued for any claims in that State, even if they had nothing to do with the forum.
So far, the functional consequences of the Mallory decision have been fairly limited. The majority holding of Mallory was narrow, finding only that Pennsylvania’s consent-by-registration statute did not violate due process. Whether such a statute might violate other constitutional clauses was a question expressly reserved by the Court.[53] Moreover, the holding of Mallory was limited to its facts: the majority expressly refused to opine on “whether any other statutory scheme and set of facts would suffice to establish consent to suit.”[54]
Indeed, Pennsylvania’s statute appears to be the only statute that expressly provides for consent-by-registration under the standards set forth in Mallory. Thus far, courts have largely avoided reading other statutes as providing similar jurisdiction-by-registration. As one court has explained, “[t]o read Mallory more broadly would not only go beyond the decision’s scope but would also subject every registered foreign corporation, without regard to its place of incorporation, its principal place of business, or the extent of its contacts within the state, to general personal jurisdiction in almost every single state. Nothing in Mallory suggests that the Court was announcing such a sweeping sea change in personal jurisdiction.”[55] Numerous other courts have similarly declined to find Mallory’s test satisfied.[56] Thus, at least for now, the impact of Mallory may be limited to Pennsylvania, but firms should examine States’ registration statutes to see if they are distinguishable from Pennsylvania’s regime.
C. Personal Jurisdiction and Forum Selection Clauses in Subsidiary-Parent Relationships: Binding Non-Signatory Parents or Subsidiaries
Registration to do business is not the only way that a company might consent to jurisdiction; another way is via forum-selection clauses in contracts. Under the “closely related” doctrine, courts determine whether a non-signatory can be bound by a forum-selection clause when it is so “closely related” to a contracting party or dispute that it was “foreseeable” it would be subject to the clause. The Sixth Circuit recently grappled with applying this doctrine to a non-signatory subsidiary and came out staunchly in opposition.[57]
In Firexo, a subsidiary incorporated in Florida sued its parent company, based in the United Kingdom, for breach of contract in Ohio. The parent company argued that the suit had to be litigated in England per the forum-selection clause in an unrelated Joint Venture Agreement (JVA) the parent had entered into with a resident of Ohio, even though the subsidiary was not a signatory to the JVA.
The Sixth Circuit reversed the district court’s decision that the subsidiary was so “closely related” to the JVA that it was “foreseeable” that the clause would be applied to it. After first determining under an Erie analysis that federal common law (and thus, the “closely related” doctrine) did not apply to the dispute,[58] the court went on to challenge the validity of the “closely related” test itself. Per the majority, “[i]t is not entirely apparent [that the] benefits [of the doctrine] outweigh its concerns, especially the absence of consideration under the objective theory of contracts or the absence of ‘minimum contacts’ under the constitutional personal-jurisdiction analysis.”[59] In so holding, the opinion reflected concerns that binding an unwilling non-signatory to an agreement on this basis conflicts with fundamental principles of contractual consent.[60]
Firexo represents a decisive step in the direction of preserving the contractual agency of non-signatory parents and subsidiaries.
IV. The Continued Evolution of Extraterritorial Application of RICO
Whether and when federal law can be applied extraterritorially (and the implications of such extraterritorial application) continues to be the focus of significant litigation regarding the Racketeer Influenced and Corrupt Organizations Act (RICO), 18 U.S.C. §§ 1961-1968.
In 2016, the Supreme Court in RJR Nabisco had held that RICO’s private right of action does not apply extraterritorially unless the plaintiff alleges and proves a domestic injury to its business or property as a result of a RICO violation.[61] The Court noted that, generally, the presumption against extraterritoriality can be rebutted only if (1) the statute gives a clear indication that it applies extraterritorially, or, (2) the case involves a domestic application of the statute.[62] The Court held that RICO’s private right of action did not provide a clear indication of extraterritorial application, so for RICO suits, the presumption can be rebutted only by satisfying the domestic-injury requirement.[63]
RJR Nabisco had no occasion to explain what constitutes a domestic injury, but the Court recently addressed that question in Yegiazaryan v. Smagin.[64] There, the Supreme Court ruled that, for the purposes of a domestic-injury analysis under RICO, it is not the foreign plaintiff’s place of residence that matters, but rather where the plaintiff experienced the injury. Both parties in that case were Russian citizens, and the dispute involved a real-estate deal in Moscow. The plaintiff, who remained in Russia, obtained an arbitral award in London against the defendant, who was residing in California. The plaintiff then sued in California federal court to enforce the arbitral award. After the defendant attempted to avoid enforcement through fraudulent transactions in California, the plaintiff filed a civil RICO claim against him. The Court held in the plaintiff’s favor, adopting a “context-specific inquiry” for determining whether the alleged injury “arose in the United States.”[65] As the Court explained, the inquiry involves “looking to the nature of the alleged injury, the racketeering activity that directly caused it, and the injurious aims and effects of that activity.”[66] On the facts of the case, the Court held that the plaintiff had suffered a domestic injury, given that he was “injured in his ability to enforce a California judgment, against a California resident, through racketeering acts that were largely ‘designed and carried out in California’ and were ‘targeted at California.’”[67]
Lower courts have expanded on the contextual approach adopted in Yegiazaryan in a variety of contexts involving tangible property. The Ninth Circuit was the first lower court to apply the Yegiazaryan Court’s approach to the domestic-injury requirement. In Global Master International Group, Inc. v. Esmond Natural, Inc.,[68] a Chinese firm sued its American supplier for fraudulently providing a product different from what the plaintiff had contracted to purchase. The purchase orders between the two firms provided that title to the products would pass to the Chinese firm in California before they were exported to China. On this basis, the Ninth Circuit held that there was a domestic injury. The fact that the Chinese firm “owned its injured property in the United States establishes that its injury was domestic.”[69] In the Ninth Circuit’s view, this factor outweighed the fact that the goods were later exported to China and that the plaintiff itself was located in China.[70]
In the same way, the Fourth Circuit, applying Yegiazaryan, recently held that just because a defendant’s racketeering activity took place primarily in the United States does not necessarily mean that a “domestic injury” has occurred. In Percival Partners Ltd. v. Nduom,[71] the court ruled that Ghanaian investors who transferred their money to a Ghanaian company with the intention of investing in Africa could not have reasonably anticipated or expected that their funds would later be sent to the United States. The plaintiffs thus felt their injury in Ghana, not in Virginia, where the embezzling company was located. While acknowledging that “the RICO case law, Yegiazaryan prominently included, instructs that the place of racketeering conduct may be relevant to whether an injury is domestic or foreign,” the court clarified that relying solely on the location of the conduct would contradict the essence of Nabisco, whose “whole point . . . was to separate out conduct from injury when it comes to extraterritoriality.”[72] The court further emphasized that such an approach would disregard “the Supreme Court’s instruction that ‘no set of factors can capture the relevant considerations for all cases.’”[73] Thus, the court held that the plaintiff’s injury occurred abroad and was not domestic.
These decisions demonstrate that courts will focus holistically on all the facts surrounding an alleged injury to determine its location, and will not apply a residency requirement or other bright-line rule.
V. Cross-Border Discovery and Issues Related to Privileges Protections
28 U.S.C. § 1782 enables litigants to seek discovery through federal district courts for use in “foreign or international tribunal[s]” where the target of the discovery is located in that federal district. Section 1782 has become an essential tool in transnational litigation. In recent years, courts have issued rulings refining the scope of allowable discovery under that provision.
One question courts have been considering is under what circumstances Section 1782 can apply to foreign arbitral tribunals. The Supreme Court ruled in 2022 that Section 1782 applies only to foreign tribunals that are imbued with governmental authority.[74] Under that standard, the Court held, a United Nations Commission on International Trade Law (UNCITRAL) arbitral panel did not qualify because the panel was not created by a governmental action such as a treaty, the members of the panel were not affiliated with any governmental entity, the panel received no funding from a government, and the panel had no coercive power.[75] Applying this standard, the U.S. Court of Appeals for the Second Circuit recently ruled that an International Centre for Settlement of Investment Disputes (ICSID) arbitral panel is not a governmental tribunal subject to Section 1782.[76] Even though ICSID itself is established and funded by sovereign states, the court noted, the authority of the panel derives solely from party agreement.[77] And even though there are situations in which the ICSID Chairman could appoint panel members, the court stated, those situations did not arise in that case.[78] The Second Circuit ultimately held that the ICSID panel was sufficiently similar to the UNCITRAL panel in ZF Automotive and denied the 1782 application.
The Second Circuit’s decision suggests that, in the wake of ZF Automotive, courts may interpret Section 1782 narrowly, applying it only to tribunals that are clearly governmental. It also suggests that courts likely will not apply a bright-line test to determine whether Section 1782 applies to a particular foreign or international arbitral panel, but instead will consider holistically whether the relevant nations intended “to imbue the body in question with governmental authority.”[79] Finally, as the Second Circuit did here, courts may focus on the details of the particular ad hoc panel in the context of the dispute before it, and decline to develop broadly applicable rules.
Courts have also been grappling with when district courts, in their discretion, should grant 1782 applications. The Supreme Court has explained that district courts should exercise their discretion by considering four factors: (1) whether the applicant is a participant in the foreign proceeding; (2) the character of the foreign proceeding, in particular its receptivity to foreign assistance; (3) whether the application seeks to circumvent foreign restrictions; and (4) whether the request is unduly intrusive or burdensome.[80]
Recently, the Seventh Circuit, in upholding a denial of a Section 1782 application, demonstrated the deference that courts of appeals give to district courts’ application of these factors.[81] Venequip, a Venezuelan heavy-equipment supplier, applied for 1782 discovery from Caterpillar, an Illinois-based machinery manufacturer, for use in breach-of-contract litigation in Switzerland.[82] The district court denied the application, noting that the third factor was particularly relevant, since the parties had contractually agreed to Swiss law, which has more circumscribed discovery procedures than U.S. law, so Venequip should not be allowed to use Section 1782 to circumvent those foreign restrictions.[83] The district court specifically noted, however, that it was open to considering a renewed 1782 application if Caterpillar was not cooperating with the discovery allowed by the Swiss tribunal.[84] The Seventh Circuit affirmed, deferring to the district court’s analysis and applauding its “wait-and-see” approach.[85]
This ruling underscores the deference accorded to district court decisions, and the importance to federal courts of respecting foreign legal systems. Litigants in Section 1782 disputes should keep in mind the importance of international comity, as well as the possibility that Section 1782 applications could be renewed based on developments in the foreign proceedings.
VI. Supply Chain Litigation Under The Trafficking Victims Protection Reauthorization Act
The Trafficking Victims Protection Reauthorization Act (TVPRA) allows victims of forced labor and other forms of trafficking to sue the perpetrators and, more generally, those who “knowingly benefit[]” from “participation in a venture” that they knew or should know engaged in conduct violating the TVPRA. In recent years, individuals who were allegedly forced to work in commodities production abroad have attempted to sue multi-national corporations on the theory that those corporations participated in a venture with their suppliers or others in their extended supply chains. Courts have considered a series of questions about the meaning and scope of the TVPRA, including whether plaintiffs have standing to sue mere participants in a supply-chain venture, how to interpret key statutory language, and whether the TVPRA permits civil suits based on trafficking that occurred outside the United States.
On March 5, 2024, the U.S. Court of Appeals for the D.C. Circuit issued a significant decision rejecting a “supply-chain” venture theory of liability.[86] Plaintiffs were a group of children who alleged they were forced to work in cobalt mines in the Democratic Republic of the Congo. Their suit alleged that Apple, Alphabet, Dell Technologies, Microsoft, and Tesla “violated the TVPRA by participating in the global supply chain—a ‘venture’ that depends on forced labor.”[87] The district court had dismissed on numerous grounds, holding (among other things) that plaintiffs lacked Article III standing, that they failed to state a claim on the merits, and that the TVPRA’s civil remedies provision does not apply extraterritorially.
The D.C. Circuit affirmed dismissal. It first concluded that plaintiffs had standing to sue, holding that plaintiffs satisfied the minimal requirements to plead that their injuries were “fairly traceable” to Defendants’ alleged conduct because those Defendants were alleged to be “in a ‘venture’—as the plaintiffs understand the TVPRA—with” the entities who were purportedly “responsible for the forced labor.”[88] But those same allegations were not sufficient to state a claim on the merits. Adopting a plain meaning interpretation of “participation in a venture,” the court reasoned that the TVPRA requires “taking part or sharing in an enterprise or undertaking that involves danger, uncertainty, or risk, and potential gain.”[89] Plaintiffs did not satisfy that definition because Defendants did not own any “interest in their suppliers” or “share in their suppliers’ profit and risks” but merely engaged “on opposite sides of an arms-length transaction” to buy and sell cobalt.[90] In short, “purchasing a commodity, without more, is not ‘participation in a venture’ with the seller” under the meaning of the TVPRA.[91]
The D.C. Circuit’s ruling is a significant limitation on “supply-chain” liability under the TVPRA. It confirms that simply purchasing a commodity that was produced using forced labor or trafficking should not be enough to subject the purchaser to liability under the TVPRA. That said, the D.C. Circuit’s opinion also leaves significant questions unresolved. For example, the court did not decide whether the district court was correct in concluding that the TVPRA’s civil remedies provision does not allow suits based on overseas trafficking.[92] With respect to standing, the court did not resolve whether plaintiffs always have constitutional standing whenever they allege a claim under the TVPRA, even if the direct perpetrators are not alleged to be part of the “venture.” And with respect to the merits, the court left the precise boundaries of supply-chain liability unresolved where purchasers have more control or involvement with their suppliers than simply an arm’s-length transactional relationship.
I. Foreign Judgment Recognition and Enforcement in the UK
A. Hague Convention on Recognition and Enforcement of Foreign Judgments to Come into Force in the UK
On June 27, 2024, the UK Government ratified the Hague Convention on Recognition and Enforcement of Foreign Judgments, which is set to come into force for the UK on July 1, 2025.[93]
The Hague Convention is a multilateral convention, which provides a set of common rules for recognizing and enforcing judgments issued in civil and commercial matters, between Contracting Parties (including all EU member states (except Denmark), as well as Ukraine and Uruguay). The merits of a judgment cannot be reviewed, and recognition and enforcement can be refused only on specific grounds. While most national laws provide for the enforcement of foreign judgments, those laws differ between jurisdictions. This can make the enforcement of foreign judgments unpredictable, lengthy, and costly. By establishing common rules, the Hague Convention hopes to provide greater certainty and to reduce the complexity of that process.
This is a particularly important development for the UK because, following the UK’s departure from the European Union (Brexit), parties wishing to have UK judgments recognised and enforced in other jurisdictions could not rely on the broad EU enforcement regimes.[94]
B. English Court of Appeal judgment on sovereign immunity and ICSID Awards
As referenced in a recent client alert, the English Court of Appeal has confirmed that sovereign immunity does not bar the enforcement of International Centre for Settlement of Investment Disputes (ICSID) awards.[95]
On October 22, 2024, the Court of Appeal issued an important judgment in relation to arbitral award enforcement in the combined appeals of Infrastructure Services Luxembourg S.À.R.L. v. Kingdom of Spain and Border Timbers Limited v. Republic of Zimbabwe.[96] The court decided that, when the contracting states agreed to Article 54 of the ICSID Convention—which requires that an ICSID award must be enforced by a national court—this was a “written agreement” waiving State immunity and submitting to jurisdiction under the UK’s State Immunity Act 1978 (1978 Act). Section 2 of the 1978 Act provides that a State may waive its immunity by a “prior written agreement” (read together with s. 17(2) of the 1978 Act, which provides that a “prior written agreement” includes references to a “treaty, convention or other international agreement”). The Court of Appeal affirmed that such prior written agreement is found in Art. 54 of the ICSID Convention.
The decision is positive news for parties looking to enforce ICSID awards in the UK, as it re-affirms the UK’s pro-enforcement stance in relation to investor-State awards.
II. ESG Litigation: Parent Company Liability and Supply Chain Risk
In December 2024, the English Court of Appeal in Limbu v Dyson[97] held that England is the appropriate forum to determine claims brought by migrant workers in Malaysia against companies within the Dyson corporate group.
The claims—which relate to alleged abusive labor practices while manufacturing components for a third-party supplier in Malaysia—were brought by a set of migrant workers that had been employed by a Malaysian third-party supplier of components for Dyson-branded products. The claimants argued that they had been subjected to abusive and exploitative working and living conditions while working for the Malaysian supplier, and alleged that the relevant Dyson entities were liable in negligence and unjust enrichment. Two of the defendants were domiciled in England, and one was domiciled in Malaysia.
The High Court refused jurisdiction under forum non conveniens, finding that England was not the natural or appropriate forum for the dispute.[98] The High Court concluded that Malaysia was “clearly and distinctly more appropriate” as a forum because the dispute was governed by Malaysian law and the country represented the “centre of gravity” of the case due to the alleged harm occurring in Malaysia.[99]
The claimants appealed to the Court of Appeal, which reversed the first-instance decision. The Court of Appeal held that England was “clearly and distinctly the appropriate forum,” particularly in light of the claimants’ inability to secure funding for a claim in Malaysia, as well as other potential procedural difficulties and potential access-to-justice concerns in Malaysia. The Court found that Dyson’s UK-domiciled corporate entity was “the principal protagonist” in the alleged breaches.
Subject to any further appeal to the UK Supreme Court, the matter will now return to the High Court to proceed on the merits, with decisions on liability, quantum of damages, and potential additional jurisdictional challenges yet to come.
Although the question of potential tortious liability for UK-domiciled parent companies for the operations of their foreign subsidiaries has previously been considered by the UK Supreme Court, those cases concerned the applicable EU jurisdiction rules.[100] Following the end of the Brexit transition period, this is the first time the Court has accepted jurisdiction when applying the English common law rules.
While it remains to be seen whether any clear jurisprudential patterns emerge following the renewed application of English common law rules on jurisdiction, parties to similar transnational disputes ought to be aware of the possibility of proceeding in UK courts. The London Bullion Market Association (LBMA), an independent association which provides accreditation to certain metal refiners, is facing a similar tortious claim in the UK for alleged human rights failings at a third-party-owned Tanzanian gold mine from which an LBMA-accredited refiner had sourced gold. After initially disputing the English Courts’ jurisdiction to hear the case, the LBMA withdrew its challenge in June 2024 and the trial has recently been scheduled to proceed during the summer of 2026.
Litigation Regarding the “Corporate Duty of Vigilance Law”
The Corporate Duty of Vigilance Law (2017) requires companies (i) headquartered in France with more than 5,000 employees in France or (ii) headquartered in France with 10,000 employees in France and/or abroad to establish a corporate sustainability due diligence plan.[101] This plan must include measures to identify risks and prevent serious harm to (i) human rights and fundamental freedoms, (ii) individuals’ health and safety, and (iii) the safety environment that may result from the company’s own activities or those of its subsidiaries, subcontractors or suppliers.[102] Any third party may issue a “formal notice” to any company covered by the law if they consider its corporate sustainability due diligence plan to be incomplete or insufficient.[103] The French courts may compel these companies to (i) modify their plans and/or (ii) pay damages to indemnify any harm resulting from the alleged insufficiency of the plans.[104]
In the past few years, this law has been used as a tool of transnational litigation, with third parties from within and outside of France bringing suit against France-based international corporations.
A. Notre Affaire à Tous v. TotalEnergies SE
On January 28, 2020, several non-governmental organizations, some French local authorities (including the city of Paris), and the city of New York subpoenaed TotalEnergies, a leading French oil company, regarding the alleged insufficiency of its corporate sustainability due diligence plan. The First Instance Tribunal dismissed the plaintiffs’ demands because the basis of the subpoena was different from the one in the formal notice they had previously issued to TotalEnergies. The plaintiffs appealed this decision to the Court of Appeal of Paris.
On June 18, 2024, the Court of Appeal deemed that the parts of the appeal brought by the NGOs and the city of Paris were admissible.[105] It dismissed the appeal by the other local authorities and the city of New York as it considered they did not demonstrate a sufficient “local public interest” to be deemed admissible.
The Court of Appeal of Paris also clarified several procedural rules: (i) a sufficiently clear formal notice must be issued prior to the subpoena; (ii) the formal notice and the subpoena do not need to include identical demands; and (iii) the formal notice and the subpoena do not need to concern the identical corporate sustainability due diligence plan if a further one is subsequently issued.
The case is now before the Judicial Tribunal of Paris which will rule on the substantive merits of the case.
B. European Center for Constitutional and Human Rights v. EDF
On October 13, 2020, two non-governmental organizations—including one from Germany—and local Mexican organizations subpoenaed EDF, the main French electricity provider, regarding an alleged failure to respect the right of the local Mexican community to consent to a wind farm project on indigenous lands in Union Hidalgo, Mexico.
On November 30, 2021, the Judicial Tribunal of Paris refused to suspend the wind farm project and declared that the request that EDF be ordered to publish a new corporate sustainability due diligence plan was inadmissible.[106]
The plaintiffs appealed this decision to the Court of Appeal of Paris. On June 18, 2024, the Court of Appeal deemed the appeal admissible and ruled on several procedural aspects.[107]
The case is now before the Judicial Tribunal of Paris which will rule on the substantive merits of the case.
C. French Human Rights League v. Suez
On June 11, 2021, two human rights organizations and two Chilean organizations subpoenaed Suez, a large French water and waste management company, regarding alleged negligence and failures in water management in Osorno, Chile in 2019. The plaintiffs claimed that some 2,000 liters of oil had spilled into a drinking water plant, owned by a 53.5% subsidiary of Suez, which led to a state of emergency for over a month.
On June 1, 2023, the Judicial Tribunal of Paris declared the case to be inadmissible as the plaintiffs had not proved that Suez was the correct defendant and the author of the corporate sustainability due diligence plan on which the claims were based.[108] The Tribunal also added that there was no evidence that the corporate sustainability due diligence plan mentioned in the formal notice was the same as the one referred to in the subpoena.
The plaintiffs appealed this decision to the Court of Appeal of Paris. On June 18, 2024, the Court of Appeal upheld the decision of the first instance tribunal and deemed the appeal inadmissible.[109]
Foreign investors seeking to invest in a French company meeting the thresholds should take into consideration these additional due diligence requirements and the judicial consequences of violating the Corporate Duty of Vigilance Law. In addition, since France was the first European country to introduce the concept of corporate due diligence, other European countries now subject to the new CSDD Directive may look to France to interpret and implement their own national law.
Decision regarding Greenwashing by the German Federal Court of Justice
In 2024, the German Federal Court of Justice (FCJ) rendered its first decision on the term “climate neutral” in connection with misleading advertising.[110] A German competition organization brought suit against the fruit gum manufacturer Katjes, arguing that the use of the term “climate neutral” in Katjes’s advertisements was misleading because it gave the impression that Katjes’s products were emission-free.
The FCJ held that the use of the term “climate neutral” is misleading because it can be understood both in the sense of a reduction of CO2 in the production process and in the sense of a mere compensation of CO2. Therefore, the court held, to prevent deception, the advertising itself must explain which specific meaning is relevant. In addition, the FCJ clarified that the risk of deception is particularly high in the area of environment-related advertising, so the strict requirements for health-related advertising—which require that the underlying meaning be “clear and unambiguous”—also apply to environment-related advertising.
The decision highlights the potential exposure of companies to environment-related claims regarding advertisements. It establishes a benchmark for communicating sustainability efforts, requiring clear distinction in consumer-facing advertising on whether climate neutrality is achieved through offsetting, reductions, or a combination of both. The ruling also underscores the growing debate that compensation for CO2 emissions is less effective than actual emission reduction, as it merely offsets emissions rather than preventing them.
[1] See, e.g., Cnty. of San Mateo v. Chevron, No. 17-3222 (Cal. Super. Ct. San Mateo Cnty.); City of Imperial Beach v. Chevron, No. 17-1227 (Cal. Super. Ct. Contra Costa Cnty.); Cnty. of Marin v. Chevron, No. 17-2586 (Cal. Super. Ct. Marin Cnty.); City of Richmond v. Chevron, No. 18-55 (Cal. Super. Ct. Contra Costa Cnty.); Cnty. of Santa Cruz v. Chevron, No. 17-3242 (Cal. Super. Ct., Santa Cruz Cnty.); City of Santa Cruz v. Chevron, No. 17-3243 (Cal. Super. Ct. Santa Cruz Cnty.); City of Oakland v. BP P.L.C., No. RG17875889 (Cal. Super. Ct. Alameda Cnty.); City & Cnty. of San Francisco v. B.P. P.L.C., No. CGC-17-561370 (Cal. Super. Ct. S.F. Cnty.); Mayor & City Council of Baltimore v. BP P.L.C., No. 18-4219 (Balt. Cir. Ct.); Pac. Coast Fed’n of Fishermen’s Ass’ns, Inc. v. Chevron, No. CGC-18-571285 (Cal. Super. Ct. S.F. Cnty.); King Cnty. v. BP P.L.C., No. 18-2-11859-0 (Wash. Super. Ct. King Cnty.); State v. Chevron, No. PC-2018-4716 (R.I. Super. Ct.); Bd. of Cnty. Comm’rs of Boulder v. Suncor Energy (U.S.A.), No. 2018-CV-030349 (Colo. Dist. Ct.); City & Cnty. of Honolulu v. Sunoco, No. 20-380 (1st Cir. Haw.); District of Columbia v. Exxon, No. 2020 CA 002892 B (D.C. Super. Ct.); Cnty. of Maui v. Sunoco LP, No. 2CCV-20-0000283 (2d Cir. Haw.); City of Charleston v. Brabham Oil Co., No. 2020-CP-10 (S.C. Ct. Com. Pl.); City of Annapolis v. BP P.L.C., No. C-02-CV-21-000250 (Md. Cir. Ct. Anne Arundel Cnty.); Anne Arundel Cnty. v. BP P.L.C., No. C-02-CV-21-000565 (Md. Cir. Ct. Anne Arundel Cnty.); State v. Exxon Mobil Corp., No. MER-L-001797-22 (N.J. Super. Ct. Mercer Cnty.). Gibson, Dunn & Crutcher LLP represents Chevron Corp. and Chevron U.S.A., Inc. in these cases.
[2] Mayor and City Council of Baltimore v. BP P.L.C., 2024 WL 3678699, at *6-7 (Md. Cir. Ct. July 10, 2024).
[3] City of Annapolis v. BP plc, No. C-02-CV-21-000250 (Md. Cir. Ct. Jan. 23, 2025); Anne Arundel County v. BP plc, No. C-02-CV-21-000565 (Md. Cir. Ct. Jan. 23, 2025), https://marylandmatters.org/wp-content/uploads/2025/01/Memorandum-Opinion-and-Order-of-Court.pdf.
[4] State ex rel. Jennings v. BP Am. Inc., 2024 WL 98888, at *8 (Del. Super. Ct. Jan. 9, 2024).
[5] Platkin v. Exxon Mobil Corp., No. MER-L-001797-22 (N.J. Super. Ct. Law Div. Feb. 5, 2025), https://climatecasechart.com/wp-content/uploads/case-documents/2025/20250205_docket-MER-L-001797-22_opinion-and-order-1.pdf.
[6] City & Cnty. of Honolulu v. Sunoco LP, 153 Haw. 326, 356 (2023).
[7] City of New York v. Chevron Corp., 993 F.3d 81, 85, 92 (2d Cir. 2021).
[8] City of New York v. Chevron Corp., 325 F. Supp. 3d 466, 471-72, 476 (S.D.N.Y. 2018), aff’d, 993 F.3d 81.
[9] City of Oakland v. BP P.L.C., 325 F. Supp. 3d 1017 (N.D. Cal. 2018), vacated on other grounds, 960 F.3d 570 (9th Cir. 2020).
[10] Press release from May 16, 2024, Judgment from May 16, 2024 - Higher Administrative Court Berlin-Brandenburg 11th Senate, 11 A 22/21, 11 A 31/22.
[11] Press release from DUH, July 16, 2024; Federal Constitutional Court 1 BvR 1699/24.
[12] German Federal Constitutional Court 1 BvR 1699/24.
[13] German Federal Constitutional Court, Judgment from March 24, 2021, 1 BvR 2656/18, 1 BvR 78/20, 1 BvR 96/20, 1 BvR 288/20; Press release, April 29, 2021.
[14] Regional Court of Stuttgart, Judgment from September 13, 2022 – 17 O 789/21. Gibson, Dunn & Crutcher LLP represented Mercedes.
[15] Higher Regional Court of Stuttgart, Judgment from November 9, 2023 – 12 U 170/22.
[16] Higher Regional Court of Munich, Judgment from October 12, 2023 – 32 U 936/23.
[17] Press release from DUH, October 5, 2021, Press release from Wintershall Dea, November 26, 2024.
[18] Vereniging Milieudefensie v. Royal Dutch Shell plc, District Court (“Rechtbank”) The Hague, Judgment of 26 May 2021 – C/09/571932 /HA ZA 19-379 (EWeRK 2021, 163).
[19] Milieudefensie et al. v. Royal Dutch Shell plc., https://climatecasechart.com/non-us-case/milieudefensie-et-al-v-royal-dutch-shell-plc/.
[20] https://www.gibsondunn.com/landmark-eu-corporate-sustainability-due-diligence-directive-imposing-human-rights-and-environmental-due-diligence-obligations-on-eu-and-non-eu-companies-approved-by-european-parliament/.
[21] Art. 1(a) of the Directive.
[22] See our client alert addressing the First Omnibus Package.
[23] COM(2025) 80 final, 2024/0044 (COD) – Directive of the European Parliament and of the Council amending Directives (EU) 2022/2462 and (EU) 2024/1760 as regards the dates from which the Member States are to apply certain corporate sustainability reporting and due diligence requirements.
[24] COM(2025) 81 final, 2024/0045 (COD) – Directive of the European Parliament and of the Council amending Directives 2006/43/EC, 2013/34/EU, (EU) 2022/2462 and (EU) 2024/1760 as regards certain corporate sustainability reporting and due diligence requirements.
[25] Turnover of branches of the relevant entity are also to be taken into account when calculating whether a threshold has been reached.
[26] See our previous client alert addressing the CSRD.
[27] Art. 24(1) of the Directive. For France and Germany, we expect the “Supervisory Authority” to be the same authority as is currently overseeing compliance with their analogous due diligence regimes.
[28] Art. 29 of the Directive.
[29] Art. 29(3)(d) of the Directive.
[30] (EU) 2023/1115.
[31] https://www.gibsondunn.com/gibson-dunn-esg-monthly-update-summer-2024/.
[32] https://www.gibsondunn.com/gibson-dunn-esg-monthly-update-december-2024/.
[33] Ford Motor Co. v. Mont. Eighth Jud. Dist. Ct., 592 U.S. 351 (2021).
[34] Mallory v. Norfolk S. Ry. Co., 600 U.S. 122 (2023).
[35] Ford, 592 U.S. at 361.
[36] Id. at 362.
[37] Id. at 355 (emphasis added).
[38] 117 F.4th 252 (5th Cir. 2024).
[39] Id. at 266.
[40] 79 F.4th 651 (6th Cir. 2023).
[41] Id. at 673-74.
[42] Estados Unidos Mexicanos v. Smith & Wesson Brands, Inc., 2024 WL 3696388 (D. Mass. Aug. 7, 2024).
[43] Id. at *11-14.
[44] Doe v. Deutsche Lufthansa Aktiengesellschaft, 2024 WL 1354523 (N.D. Cal. Mar. 29, 2024).
[45] Id. at *4.
[46] Id.
[47] Id. at *7-*8.
[48] Maggie Gardner, Saying Yes to the World, But No to Personal Jurisdiction, Transnational Litigation Blog (April 18, 2024), https://tlblog.org/saying-yes-to-the-world-but-no-to-personal-jurisdiction/.
[49] Lufthansa, 2024 WL 1354523 at *7.
[50] Mallory, 600 U.S. at 127.
[51] Id. at 134.
[52] Id. at 150 (Alito, J., concurring).
[53] Id. at 154-63 (Alito, J., concurring).
[54] Id. at 135.
[55] Madsen v. Sidwell Air Freight, 2024 WL 1160204 at *15 (D. Utah Mar. 18, 2024).
[56] See, e.g., Sahm v. Avco Corp., 2023 WL 8433158, at *4 (E.D. Mo. Dec. 5, 2023) (“absent a [state] statute providing an explicit grant of general jurisdiction over registered foreign corporations, the holding in Mallory is not applicable”); Pace v. Cirrus Design Corp., 93 F.4th 879, 899 (5th Cir. 2024) (“Mallory analyzes what a state may require; we still must examine the state law to find what it does require.”); AssetWorks USA, Inc. v. Battelle Mem’l Inst., 2023 WL 7106878, at *2 (W.D. Tex. Oct. 23, 2023) (“the holding of Mallory is narrow, and given that the Texas statute concerning registration of nonresident corporations neither mentions general jurisdiction nor mirrors the structure of the Pennsylvania statute, this Court sees no need to abandon established Fifth Circuit precedent”); Rosenwald v. Kimberly Clark Corp., 2023 WL 5211625, at *6 (N.D. Cal. Aug. 14, 2023) (Mallory “is not relevant to courts in California, because California does not require corporations to consent to general personal jurisdiction in that state when they designate an agent for service of process or register to do business”); Castillero v. Xtend Healthcare, LLC, 2023 WL 8253049, at *5 n.8 (D.N.J. Nov. 29, 2023) (“New Jersey’s registered agent statutes, unlike Pennsylvania’s, do not explicitly require a corporation to consent to personal jurisdiction”); Estate of Caviness v. Atlas Air, Inc., 693 F. Supp. 3d 1271, 1279 (S.D. Fla. Sept. 20, 2023) (“Florida law does not establish that a foreign corporation’s registration to do business in Florida amounts to consenting to general jurisdiction in Florida courts. Thus, Mallory does not apply here.”); Endo Ventures Unlimited Co. v. Nexus Pharms., Inc., 2024 WL 1254358, at *4 (E.D. Wis. March 25, 2024) (citation omitted) (“Mallory involved a consent to jurisdiction scheme that does not exist under Wisconsin’s statutes.”).
[57] Firexo, Inc. v. Firexo Grp. Ltd., 99 F.4th 304 (6th Cir. 2024).
[58] Id. at 321.
[59] Id.
[60] John F. Coyle & Robin J. Effron, Forum Selection Clauses, Non-Signatories, and Personal Jurisdiction, 97 NOTRE DAME L. REV. 187 (2021).
[61] RJR Nabisco v. Eur. Cmty., 579 U.S. 325, 346 (2016).
[62] Id. at 337.
[63] Id. at 346-50.
[64] Yegiazaryan v. Smagin, 599 U.S. 533, 536 (2023).
[65] Id. at 543-44.
[66] Id. at 544.
[67] Id. at 543.
[68] Glob. Master Int’l Grp., Inc. v. Esmond Nat., Inc., 76 F.4th 1266 (9th Cir. 2023).
[69] Id. at 1276.
[70] Id.
[71] Percival Partners Ltd. v. Nduom, 99 F.4th 696 (4th Cir. 2024).
[72] Id. at 702.
[73] Id. at 703.
[74] ZF Auto. US, Inc. v. Luxshare, Ltd., 596 U.S. 619, 632 (2022).
[75] Id. at 634-36.
[76] Webuild S.P.A. v. WSP USA Inc., 108 F.4th 138, 144 (2d Cir. 2024) (per curiam).
[77] Id. at 143.
[78] Id. at 144.
[79] ZF Automotive, 596 U.S. at 637.
[80] Intel Corp. v. Advanced Micro Devices, Inc., 542 U.S. 241, 264–65 (2004).
[81] In re Application of Venequip, S.A. v. Caterpillar Inc., 83 F.4th 1048 (7th Cir. 2023).
[82] Id. at 1052-53.
[83] Id. at 1057.
[84] Id. at 1053.
[85] Id. at 1058.
[86] Doe 1 v. Apple Inc., 96 F.4th 403 (D.C. Cir. 2024).
[87] Id. at 406.
[88] Id. at 411.
[89] Id. at 415.
[90] Id.
[91] Id. at 416.
[92] See id. at 414 n.4.
[93] https://www.hcch.net/en/news-archive/details/?varevent=985.
[94] These regimes are the Recast Brussels Regulation (Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (recast)) and the Lugano Convention (the Convention on jurisdiction and the enforcement of judgments in civil and commercial matters (2007)).
[95] https://www.gibsondunn.com/uk-court-of-appeal-confirms-sovereign-states-are-not-immune-from-enforcement-proceedings-for-icsid-awards/.
[96] Infrastructure Services Luxembourg SARL v. Kingdom of Spain and Border Timbers Ltd v Republic of Zimbabwe [2024] EWCA Civ 1257 (Sir Julian Flaux Chancellor of the High Court, Newey LJ, Phillips LJ).
[97] Limbu & Ors v. Dyson Technology Ltd & Ors [2023] EWHC 2592 (KB); [2024] EWCA Civ 1564.
[98] See Limbu & Ors v. Dyson Technology Ltd & Ors [2023] EWHC 2592 (KB), at [27]; see also Spiliada Maritime Corporation v. Cansulex Ltd. [1987] 1 AC 460.
[99] Limbu & Ors v. Dyson Technology Ltd & Ors [2023] EWHC 2592 (KB), at [102], [122] and [124] (emphases added).
[100] Okpabi & Ors v. Royal Dutch Shell Plc & another [2021] UKSC 3; Vedanta Resources PLC and another v. Lungowe and others [2019] UKSC 20; see also https://www.gibsondunn.com/okpabi-v-shell-clarification-from-the-english-supreme-court-on-jurisdiction-and-parent-company-liability/.
[101] Law No. 2017-399 (Mar. 27, 2017).
[102] Article L. 225-102-4, I. of the French Code of commerce.
[103] Article L. 225-102-4, II. of the French Code of commerce.
[104] Article L. 225-102-5 of the French Code of commerce.
[105] Paris Court of Appeal, No. 23/14348 (June 18, 2024).
[106] Paris Judicial Tribunal, No. 20/10246 (Nov. 30, 2021).
[107] Paris Court of Appeal, No. 21/22319 (June 18, 2024).
[108] Paris Judicial Tribunal, No. 22/07100 (June 11, 2023).
[109] Paris Court of Appeal, No. 23/10583 (June 18, 2024).
[110] German Federal Court of Justice, Judgment from June 27, 2024 – I ZR 98/23.
© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Gibson Dunn’s Workplace DEI Task Force aims to help our clients develop creative, practical, and lawful approaches to accomplish their DEI objectives following the Supreme Court’s decision in SFFA v. Harvard. Prior issues of our DEI Task Force Update can be found in our DEI Resource Center. Should you have questions about developments in this space or about your own DEI programs, please do not hesitate to reach out to any member of our DEI Task Force or the authors of this Update (listed below).
Key Developments:
On February 27, the Federal Communications Commission (FCC) opened an investigation into corporate diversity practices at Verizon. In a letter to Verizon’s CEO Hans Vestberg, FCC Chairman Brendan Carr wrote that he “expected” all companies regulated by the FCC “to end invidious forms of DEI discrimination,” and he was “concerned by the apparent lack of progress” at Verizon to end its DEI programs. In the letter, Carr cited Verizon’s public-facing materials that “show the company’s continued promotion of DEI,” including a company statement regarding its commitment to diversity. Carr also cited materials allegedly obtained by a whistleblower. In a similar letter to Comcast’s CEO, Brian Roberts, Carr wrote “[t]he FCC will be taking fresh action to ensure that every entity the FCC regulates complies with the civil rights protections enshrined in the Communications Act . . . including by shutting down any programs that promote invidious forms of DEI discrimination.”
On February 21, the United States District Court for the District of Maryland preliminarily enjoined enforcement of key aspects of EO 14151 (“Ending Radical and Wasteful Government DEI Programs and Preferencing”) and EO 14173 (“Ending Illegal Discrimination and Restoring Merit-Based Opportunity”). The case is Nat’l Ass’n of Diversity Officers in Higher Educ., et al., v. Donald J. Trump, et al., No. 1:25-cv-00333-ABA, Dkt. 44–45 (D. Md. 2025). Specifically, the court halted enforcement of EO 14173’s requirement that federal contractors and grant recipients certify they do not “operate any programs promoting DEI that violate any applicable Federal anti-discrimination laws” and “agree that [their] compliance in all respects with all applicable federal anti-discrimination laws is material” for purposes of the False Claims Act. The court also enjoined the government from freezing or terminating existing “equity-related” contracts and grants under EO 14151. And while the court did not enjoin the Attorney General from “engaging in investigation” of DEI programs, it enjoined the enforcement provision of EO 14173, including the requirement that the Attorney General take “appropriate measures to encourage the private sector to end illegal discrimination and preferences.”
The injunction only applies to the ten agencies identified as defendants in this complaint, as well as “other persons who are in active concert or participation with Defendants.” On February 27, the plaintiffs filed a motion for clarification as to whether “other persons who are in active concert or participation with Defendants” extends to other non-defendant agencies. The government filed a motion to stay the ruling on February 27, which the court rejected on March 3. The government has also filed a notice of appeal with the Court of Appeals for the Fourth Circuit, and on March 4 filed a motion for stay pending appeal. For more information on this case, please see our February 24, 2025 client alert.
On February 14, America First Legal (AFL) sent a letter to Acting Secretary of Labor Vince Micone and Acting Director of the OFCCP Michael Schloss to “encourage” the U.S. Department of Labor to “immediately exercise” authority to “enforce nondiscrimination provisions of federal regulations” in light of EO 14173, which rescinded prior Executive Order 11246 and takes the position that “race- and sex-based employment practices” including those “under the guise of” DEI, “can violate the civil-rights laws of this Nation.” AFL’s letter states that Acting Secretary Micone has already directed the Department to “[c]ease and desist all investigative and enforcement activity” under the rescinded order, but urges the Department to “go further,” and enforce the “equal opportunity clause” contained in all federal government contracts. AFL urged the Department to use these equal opportunity clauses to initiate enforcement actions against contractors AFL has “identified” as engaged in “prohibited discrimination” based largely on the “contractors’ own public statements.” In an appendix and exhibits attached to the letter, AFL identifies Lyft, Mars, PricewaterhouseCoopers LLP, Twilio Inc., CBS Broadcasting, Meta Platforms, and Northwestern University as entities purportedly engaged in “prohibited discrimination.”
On February 28, the Department of Education published guidance entitled “Frequently Asked Questions About Racial Preferences and Stereotypes Under Title VI of the Civil Rights Act.” The guidance includes fifteen questions and answers addressing a range of issues relating to DEI initiatives in educational institutions. Among other things, the guidance notes that “a school’s responsibility not to discriminate against students applies to the conduct of everyone over whom the school exercises some control,” including third party contractors. It explains that Title VI extends to school procurement policies, including hiring substitute teachers, special education providers, and cafeteria services. It states that application essay prompts that “require applicants to disclose their race” are illegal. And it sets forth a “non-exhaustive list” of evidence that may raise an inference of discriminatory intent, including “(1) whether members of a particular race were treated differently than similarly situated students of other races; (2) the historical background or administrative history of the policy or decision; (3) whether there was a departure from normal procedures in making the policy or decision; (4) whether there was a pattern regarding policies or decisions towards members of a particular race; (5) statistics demonstrating a pattern of the policy or decision having a greater impact on members of a particular race; and (6) whether the school was aware of or could foresee the effect of the policy or decision on members of a particular race.” In response to another frequently asked question on whether Title VI permits schools to teach about race or DEI, the document says that the Department “enforces federal civil rights law consistent with the First Amendment,” and that federal statutes independently “prohibit the Department from exercising control over the content of school curricula.” But the document adds that schools are still prohibited from creating a “racially hostile environment” through the materials they teach, which depends on “the facts and circumstances” of individual cases. The guidance describes materials that characterize students of a certain group as “oppressors” or “deliberately assign[s] them intrinsic guilt based on the actions of their presumed ancestors” as potentially creating a hostile environment if those materials were used at an elementary school, but would be “less likely to create a racially hostile environment” “in a class discussion at a university.” The guidance also described “more extreme practices at a university,” including “privilege walks,” segregated “presentations and discussions with guest speakers,” and “mandating courses, orientation programs, or trainings that are designed to emphasize and focus on racial stereotypes” as “forms of school-on-student harassment that could create a hostile environment under Title VI.”
Media Coverage and Commentary:
Below is a selection of recent media coverage and commentary on these issues:
- Wall Street Journal, “Supreme Court Signals Minority Groups Get No Edge in Bias Suits” (February 26): Wall Street Journal’s Erin Mulvaney and Jess Bravin report on the Supreme Court’s recent oral argument in Ames v. Ohio Department of Youth Services, a case that could make it easier for plaintiffs to bring reverse-discrimination lawsuits. In that case, plaintiff Marlean Ames claims she was denied a promotion and demoted at the Ohio Department of Youth Services because she is heterosexual, while gay employees were promoted to the positions she sought. A federal appeals court in Cincinnati dismissed her lawsuit, finding that she had failed to prove the existence of “background circumstances” suggesting that the employer was hostile towards heterosexual employees, a test not typically applied in cases filed by plaintiffs from underrepresented groups. Federal appeals courts are divided on the question of whether this additional “background circumstances” showing is required in reverse-discrimination cases, with five courts imposing the test and three courts rejecting it. This case is part of a broader debate over reverse discrimination, fueled by growing challenges to DEI programs. In their article, Bravin and Mulvaney cited to research by Gibson Dunn to note that “[l]awsuits alleging that DEI programs discriminate against white people and other members of majority groups are mushrooming.” The authors note that Gibson Dunn’s survey found that 40 such cases were filed between October 2019 and the Supreme Court’s decision in SFFA v. Harvard, but that nearly 100 lawsuits have been filed since, with 60 in 2024 alone. Bravin and Mulvaney further cite legal experts who predict that a ruling in favor of Ames could lead to a further surge in similar claims, intensifying the debate over DEI initiatives in the workplace.
- Reuters, “JPMorgan CEO Jamie Dimon reaffirms DEI commitment despite industry shift, CNBC reports” (February 24): Reuters’ Niket Nishant reports that JPMorgan Chase CEO Jamie Dimon reaffirmed the bank’s commitment to DEI efforts, despite a growing trend of corporate retreat from such initiatives. Dimon confirmed that the bank will continue its outreach to Black, Hispanic, LGBT, veteran, and disabled communities. Nishant reports that, earlier this month, the bank said it expects “to be criticized by activists, politicians and other members of the public” concerning the positions it takes regarding DEI and other public policy issues.
- CNN, “Target is getting hit from all sides on DEI” (February 21): CNN’s Nathaniel Meyersohn reports that Target faces a lawsuit filed by Florida Attorney General James Uthmeier and America First Legal, alleging that the company concealed the financial risks of its DEI initiatives, including its 2023 Pride Month merchandise collection. The lawsuit follows Target’s decision to scale back its DEI policies in response to conservative activist pressure and backlash against its Pride-themed products, particularly “tuck-friendly” swimsuits for transgender customers. Gibson Dunn partner Jason Schwartz commented on the “new and growing trend of using securities lawsuits to attack corporate DEI programs” by “challenging whether risk disclosures were adequate.” Although these lawsuits are difficult to prove, according to Schwartz, “[t]his kind of public-private partnership with state attorneys general will likely pave the way for others to follow.” Meanwhile, Meyersohn reports, Target also has been subjected to “fierce . . . blowback from DEI supporters” and has seen decreased foot traffic in its stores.
Case Updates:
Below is a list of updates in new and pending cases:
1. Contracting claims under Section 1981, the U.S. Constitution, and other statutes:
- Desai v. PayPal, No. 1:25-cv-00033-AT (S.D.N.Y. 2025): On January 2, 2025, Andav Capital and its founder Nisha Desai sued PayPal, alleging that PayPal unlawfully discriminates by administering its investment program for minority-owned businesses in a way that favors Black and Latino applicants. Desai, an Asian-American woman, alleges PayPal violated Section 1981, Title VI, and New York state anti-discrimination law by failing to fully consider her funding application and announcing first-round investments only in companies with “at least one general partner who was black or Latino.” She seeks a declaratory judgment that the investment program is unlawful, an injunction barring PayPal from “knowing or considering race or ethnicity” in administering the program, and damages.
- Latest update: On February 21, the court granted a motion to extend the time to file an answer. PayPal is represented by Gibson Dunn in this matter.
- Kleinschmit v. University of Illinois Chicago, No. 1:25-cv-01400 (N.D. Ill. 2025): On February 10, 2025, a former professor at the University of Illinois Chicago sued the university, alleging that it unlawfully discriminated against white male faculty candidates and discriminated and retaliated against the plaintiff by firing him after he objected to the school’s “racial hiring programs.” The plaintiff raises claims under Sections 1981 and 1983.
- Latest update: The docket does not yet reflect that the defendants have been served.
- Landscape Consultants of Texas, Inc. et al. v. City of Houston, Texas et al., No. 4:23-cv-03516-DH (S.D. Tex. 2023): White-owned landscaping companies challenged the City of Houston’s government contracting set-aside program for “minority business enterprises” under the Fourteenth Amendment and Section 1981. On November 29, 2024, plaintiffs and defendant Midtown Management District filed cross-motions for summary judgment. Midtown Management argued that the plaintiffs failed to show the unconstitutionality of the programs. The City of Houston filed its own motion for summary judgment on November 30, contending that the plaintiffs lack standing and that the programs satisfy the requirements of the Equal Protection Clause.
- Latest update: On February 11, 2025, the court denied all motions for summary judgment in a single page order. Trial is scheduled to commence April 21, 2025.
- Strickland et al. v. United States Department of Agriculture et al., No. 2:24-cv-00060-Z (N.D. Tex. 2024): On March 3, 2024, plaintiff farm owners sued the USDA over the administration of financial relief programs that allegedly allocated funds based on race or sex. The plaintiffs alleged that only a limited class of socially disadvantaged farmers, including certain races and women, qualify for funds under these programs. On June 7, 2024, the court granted in part the plaintiffs’ motion for a preliminary injunction. The court enjoined the defendants from making payment decisions based directly on race or sex. However, the court allowed defendants to continue to apply their method of appropriating money, if done without regard to the race or sex of the relief recipient.
- Latest update: On February 10, 2025, the parties requested a 30-day stay of proceedings to discuss a resolution following the USDA’s determination to “no longer employ the race- and sex-based ‘socially disadvantaged’ designation” in light of recent Executive Orders. The court granted the request on February 11, 2025.
2. Employment discrimination and related claims:
- Diemert v. City of Seattle, et al., No. 2:22-cv-01640 (W.D. Wash. 2022): On November 16, 2022, the plaintiff, a white male, sued his former employer, the City of Seattle. The plaintiff alleged that the City’s diversity initiatives, which allegedly included mandatory diversity trainings involving critical race theory and encouraging participation in “race-based affinity groups, caucuses, and employee resource groups,” amounted to racial discrimination in violation of Title VII and the Fourteenth Amendment. The plaintiff also alleged that he had been subjected to a hostile work environment. On August 16, 2024, the City filed a motion for summary judgment, arguing that the plaintiff had “resigned voluntarily because he had already moved to Texas and did not wish to return to in-person work.” The City further argued that while it required employees to complete two diversity activities per year, it did not penalize employees who did not fulfill the requirement. On September 7, 2024, the plaintiff filed his opposition to the motion for summary judgment, arguing that he experienced discrimination that the City failed to remediate.
- Latest update: On February 10, 2025, the court granted the City’s motion for summary judgment, holding that a reasonable juror could not find the City’s diversity initiatives created a hostile work environment or that the plaintiff experienced discrimination or retaliation. On February 24, 2025, the plaintiff filed a notice of appeal to the Ninth Circuit.
- EEOC v. Battleground Restaurants, No. 1:24-cv-00792 (M.D.N.C. 2024): On September 25, 2024, the U.S. Equal Employment Opportunity Commission (EEOC) filed a lawsuit against a sports bar chain, Battleground Restaurants, in federal district court in North Carolina. The lawsuit alleges that the chain refused to hire men for its front-of-house positions, such as server or bartender jobs, in violation of Title VII. On November 25, 2024, Battleground Restaurants moved to dismiss or strike an improperly named defendant. Battleground Restaurants argued that the EEOC’s pattern or practice claims are “insufficiently pled, conclusory, and not plausible on their face,” and that the EEOC failed to conduct a “reasonable investigation” or give “adequate notice” to Battleground Restaurants.
- Latest update: On February 24, 2025, the court denied the defendant’s motion to dismiss, finding the EEOC complied with notice requirements, plausibly alleged a pattern or practice of disparate sex discrimination, and can properly include Battleground Restaurants as a defendant.
3. Challenges to statutes, agency rules, and regulatory decisions:
- Chicago Women in Trades v. President Donald J. Trump, et al., No. 1:25-cv-02005 (N.D. Ill. 2025): On February 26, 2025, Chicago Women in Trades (CWIT), a non-profit organization, sued President Trump, challenging Executive Order 14151, “Ending Radical and Wasteful Government DEI Programs and Preferencing,” and Executive Order 14173, “Ending Illegal Discrimination and Restoring Merit-Based Opportunity.” CWIT alleges that, because of the orders, its federal grant funding was frozen and although the funding was restored following a temporary restraining order issued in another proceeding, “CWIT’s grants remain under threat of termination.” CWIT claims that these executive orders violate principles of separation of powers, the First and Fifth Amendments, and the Spending Clause of the U.S. Constitution.
- Latest update: The docket does not yet reflect that the defendants have been served.
- Do No Harm v. Edwards, No. 5:24-cv-16-JE-MLH (W.D. La. 2024): On January 4, 2024, Do No Harm sued then-Governor Edwards of Louisiana over a 2018 law requiring a certain number of “minority appointee[s]” to be appointed to the State Board of Medical Examiners. Do No Harm brought the challenge under the Equal Protection Clause and requested a permanent injunction. On February 28, 2024, Governor Edwards answered the complaint, denying all allegations including allegations related to Do No Harm’s standing. On December 20, 2024, Governor Jeff Landry—who replaced Governor Edwards—moved to dismiss for lack of subject matter jurisdiction. He contended that, because he signed a declaration indicating that he does not intend to enforce the challenged law, the plaintiff’s claims are moot. Governor Landry also argued that the suit is barred by sovereign immunity. On January 10, 2025, Do No Harm filed an opposition to the motion to dismiss, asserting that Governor Landry’s declaration did not moot the case because the statute remains on the books and a “future governor will be bound to enforce the racially discriminatory aspects of [the law] regardless of Governor Landry’s declaration.” On January 30, 2025, Do No Harm filed a motion for summary judgment, arguing: (1) Do No Harm has organizational standing, (2) the claim is not moot because all future governors are bound to enforce the law, and (3) the law does not satisfy strict scrutiny.
- Latest update: On February 20, 2025, Governor Landry filed an opposition to the motion for summary judgment, asserting again that his declaration mooted Do No Harm’s claims, and that the suit is barred by sovereign immunity because Governor Landry “lacks a sufficient enforcement connection by reason of his vow to withhold enforcement.”
- Do No Harm v. Cunningham, No. 25-cv-00287 (D. Minn. 2025): On January 24, 2025, Do No Harm sued Brooke Cunningham, Commissioner of the Minnesota Department of Health, challenging a state law that requires the Commissioner to consider race in appointing members to the Minnesota Health Equity Advisory and Leadership Council. Do No Harm alleges that state law requiring that the board include representatives from either “African American and African heritage communities,” “Asian American and Pacific Islander communities,” “Latina/o/x communities,” and “American Indian communities and Tribal governments and nations,” violates the Fourteenth Amendment. Plaintiffs seek a permanent injunction and declaratory relief.
- Latest update: On February 20, 2025, Cunningham answered the complaint, denying all allegations related to the violation of the plaintiff’s constitutional rights. She asserted five affirmative defenses: (1) the complaint fails to state a claim; (2) the plaintiff lacks standing; (3) the claims are unripe; (4) the plaintiff has suffered no harm or damages as a result of the Defendant; and (5) the claims are barred by sovereign immunity.
- Doe 1 v. Office of the Director of Nat’l Intel., No. 1:25-cv-00300 (E.D. Va. 2025): On February 17, eleven unnamed employees of the Office of the Director of National Intelligence and the Central Intelligence Agency sued their employers after they were put on administrative leave from their DEI-related positions. They assert that the decision to put and leave them on administrative leave violates the Administrative Leave Act, the Administrative Procedure Act, and the First and Fifth Amendments of the U.S. Constitution. On February 17, plaintiffs moved for a temporary restraining order. The court then entered an administrative stay to allow additional briefing on the motion. On February 24, plaintiffs filed an amended complaint adding eight new unnamed plaintiffs to the case.
- Latest update: The court held a hearing on plaintiffs’ motion for a temporary restraining order on February 27. That same day, the court denied the motion in a single page order and lifted the administrative stay.
- Nat’l Urban League et al., v. President Donald J. Trump, et al., No. 1:25-cv-00471 (D.D.C. 2025): On February 19, the National Urban League, the National Fair Housing Alliance, and the AIDS Foundation of Chicago filed a complaint against the Trump Administration, alleging that the President’s recent Executive Orders targeting DEI (EO 14151, EO 14168, and EO 14173) infringe on the organizations’ rights to free speech and due process by penalizing them for “expressing viewpoints in support of DEIA and transgender people.” The organizations allege that the orders are “extraordinarily vague” because they “equate banned ‘DEIA’ with any equity-related work,” which could include work authorized by civil rights law. The plaintiffs allege that the Executive Orders attempt to “chill and censor their speech,” as well as “intimidate, threaten, and ultimately stop Plaintiffs from performing services central to their missions.” The complaint also alleges that the Executive Orders have a clear discriminatory purpose: “to malign the targeted communities,” including people of color, LGBTQ people, and people with disabilities. Plaintiffs seek declaratory relief and a permanent injunction barring enforcement and implementation, including a court order that all agency-wide directives implementing the Executive Orders be permanently rescinded. Plaintiffs filed a motion for a preliminary injunction on February 28.
- Latest update: Defendants’ opposition to the preliminary injunction order is due March 12.
- San Francisco AIDS Foundation et al. v. Donald J. Trump et al., No. 3:25-cv-01824 (N.D. Cal. 2025): On February 20, several LGBTQ+ groups filed suit against President Trump, Attorney General Pam Bondi, and several other government agencies and actors, challenging the President’s recent Executive Orders targeting DEI (EO 14151, EO 14168, and EO 14173). The complaint alleges that these EOs are unconstitutional on several grounds, including the Equal Protection Clause of the Fifth Amendment, the Due Process Clause of the Fifth Amendment, and the Free Speech Clause of the First Amendment. It also argues the EOs are ultra vires and exceed the authority of the presidency. Plaintiffs seek preliminary and permanent injunctive relief.
- Latest update: On March 3, plaintiffs filed a motion for preliminary injunction.
4. Board of director or stockholder actions:
- Craig v. Target Corp., No. 2:23-cv-00599-JLB-KCD (M.D. Fla. 2023): America First Legal sued Target and certain Target officers on behalf of a shareholder, claiming the board falsely represented that it monitored social and political risk, when instead it allegedly focused only on risks associated with not achieving ESG and DEI goals. The plaintiffs allege that Target’s statements violated Sections 10(b) and 14(a) of the Securities Exchange Act of 1934 and that Target’s May 2023 Pride Month campaign triggered customer backlash and a boycott that depressed Target’s stock price. On December 4, 2024, the district court denied defendant’s motion to dismiss, concluding that the plaintiffs sufficiently pleaded both their Section 10(b) and Section 14(b) claims. On January 6, 2025, the court entered a stay pending mediation between the parties. On January 17, 2025, Target filed a status update regarding the parties’ proposed mediation, asserting that plaintiffs “would only provide dates of availability to mediate if [Target] agreed to do so on a class-wide basis.” In its filing, Target argued that the case is not a class action, the Private Securities Litigation Reform Act prohibits plaintiffs from “purporting to act on behalf of a hypothetical class,” and the law requires “shareholders who file a class action complaint to provide notice to other shareholders” which plaintiffs have not done. Target asked the court to “direct Plaintiffs to provide their availability to mediate” on an individual basis. On January 21, 2025, plaintiffs filed a Response to Target’s Status Update and a Motion to Lift the Stay. Plaintiffs asserted that Target “misrepresent[ed] the dialogue between the parties,” and moved to lift the stay to “enable Plaintiffs to pursue, among other things, (1) amending the complaint to add class allegations; and (2) determining the lead plaintiff under 15 U.S.C. § 78u-4(a)(3).” Plaintiffs asked the court to reopen the action, lift the stay, and cancel the mediation conference. On January 31, 2025, Target filed an opposition to plaintiffs’ motion to lift the stay, asserting that plaintiffs failed to “satisfy the applicable good cause standard for canceling a court-ordered mediation.”
- Latest update: On February 11, 2025, the court denied the motion to lift the stay, stating that it “will entertain briefing on Plaintiffs’ request to amend their Complaint before ruling on whether to lift the stay.”
- State Board of Administration of Florida v. Target, No. 2:25-cv-00135 (M.D. Fla. 2025): On February 20, 2025, the State Board of Administration of Florida sued Target and certain Target officers on behalf of a class of Target stockholders, claiming the Target board of directors represented that it monitored social and political risk, when instead it allegedly focused only on risks associated with not achieving ESG and DEI goals. The plaintiff alleges that Target’s statements violated Sections 10(b), 14(a), and 20(a) of the Securities Exchange Act of 1934 and that Target’s May 2023 Pride Month campaign triggered customer backlash and a boycott that depressed Target’s stock price. This suit relates to, and arises out of the same operative facts as, Craig v. Target Corp., No. 2:23-cv-00599-JLB-KCD (M.D. Fla. 2023).
- Latest update: As of this update, the defendant has not yet been served.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following practice leaders and authors:
Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group
Washington, D.C. (+1 202-955-8242, jschwartz@gibsondunn.com)
Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group
Los Angeles (+1 213-229-7107, ksmith@gibsondunn.com)
Mylan L. Denerstein – Partner & Co-Chair, Public Policy Group
New York (+1 212-351-3850, mdenerstein@gibsondunn.com)
Zakiyyah T. Salim-Williams – Partner & Chief Diversity Officer
Washington, D.C. (+1 202-955-8503, zswilliams@gibsondunn.com)
Molly T. Senger – Partner, Labor & Employment Group
Washington, D.C. (+1 202-955-8571, msenger@gibsondunn.com)
Class and collective actions are expanding globally. Our “International Class Action Update” highlights recent developments in the EU and UK.
In this edition we discuss new developments on the EU level which will incentivize future class actions. The new EU Product Liability Directive expands strict liability to software and AI products and will lend itself to private enforcement through class actions. A recent trend to allow lump-sum damages for data privacy violations will also attract class action plaintiffs.
Additionally, we update you on the status of collective redress in the UK and selected EU jurisdictions (Germany, France, Italy, Belgium, Spain).
I. New Class Action Incentives in EU Law
The EU’s Directive (EU) 2020/1828 on Representative Actions mandates collective redress in all member states. Even though not all states have implemented compliant regimes yet, the EU continues to expand the substantive basis for class actions. We also note a trend towards using lump-sum damages, facilitating class actions for plaintiffs.
A. New EU Product Liability Directive
The new Product Liability Directive (EU 2024/2853) incentivizes class actions by easing the burden of proof, reducing liability limits, and including software and AI under the strict liability regime. The Directive also introduces a discovery mechanism, allowing both parties to demand evidence from each other that is relevant to their case. Member States must implement the Directive by December 9, 2026.
B. Non-material Damages in Data Privacy Litigation
On January 8, 2025, the General Court of the European Union ruled that the EU Commission must compensate an individual EUR 400 for non-material damage after personal data was transferred to the US upon visiting an EU webpage (Case T-354/22). The court assessed the compensation solely based on equity.
This decision, which can still be appealed, will further encourage class actions in the data privacy sector. If plaintiffs do not need to demonstrate individual material damages, class actions for widespread breaches become more attractive to qualified entities and litigation funders. In Germany, the Federal Court of Justice recently issued a similar decision, setting the amount for non-material damages after a data breach at EUR 100 (see below).
II. Germany
A. New “Leading Case Procedure”
In late 2024, Germany introduced a “Leading Case Procedure” at the Federal Court of Justice to clarify legal issues in mass proceedings. The court can designate a case as a “Leading Case” and decide it even if parties settle or withdraw their appeal. This non-binding decision guides lower courts on similar legal questions.
Immediately after the new procedure was in effect, the Federal Court of Justice selected its first “Leading Case” out of a swath of consumer claims alleging illegal data scraping from a social media website. On November 18, 2024, the Federal Court of Justice ruled that the consumer was entitled to a lump sum of EUR 100 without having to show actual harm (the decision is published under docket number VI ZR 10/24).
Shortly after the Federal Court of Justice’s decision, Germany’s best known consumer protection agency filed a Representative Action against the social media website, inviting all potentially affected consumers to join. This showcases the future interplay between representative actions and the new “Leading Case Procedure”: When the Federal Court of Justice issues a Leading Case Decision in favor of consumers, qualified entities will be quick to file new Representative Actions, compelling companies to defend against both individual mass claims and the Representative Action simultaneously.
B. Status of Representative Actions
Implemented in 2023, the German Representative Action allows Qualified Entities to seek damages for consumers or small businesses (for an in-depth discussion see our previous alert). Since 2023, seven new Representative Actions have been filed, adding to the approximately 30 collective actions already pending under the previous procedural regime introduced in 2018. Almost all cases under the new regime concern unilateral customer price increases in video streaming, telecommunications, energy, and insurance contracts.
III. France
France is currently broadening its class action regime. On December 15, 2022, a bill (“Proposition de loi relative au régime juridique des actions de groupe”, no. 639) was submitted and subsequently amended several times. It was debated in public session on February 6, 2024. The latest version (Text no. 154, transmitted to the Assemblée Nationale on July 23, 2024) is currently undergoing its second reading in the Assemblée Nationale.
The bill, while complying with European law, aims to encourage class actions and unify applicable legal procedures:
- Class actions may seek the cessation of a failure or compensation for damages in any matter, with exceptions for health and work.
- While the current legislation provides for compensation for specific damages, the bill would allow for all damages to be compensated.
- The bill introduces the possibility of cross-border class actions.
Meanwhile, several class actions are pending under the existing regime. Google, involved in a class action launched by UFC-Que-Choisir in June 2019, ultimately avoided a potential EUR 27 billion penalty due to the inadmissibility of the class action.
IV. Italy
Italy transposed the EU Collective Redress Directive through Decree No. 28 on March 23, 2023. This Decree complements Italy’s pre-existing class action system, resulting in a dual-track approach to collective redress.
The first mechanism, the “Azione di Classe”––which is governed by Law 31/2019––has been in force since 2021 and applies to claims based on homogeneous individual rights. The second, the Representative Action, was introduced by Decree as a direct transposition of the EU Directive. Notably, the new framework expands consumer protection beyond homogeneous individual rights, allowing for a broader range of claims. It also enables qualified entities from other Member States to initiate proceedings in Italy, strengthening cross-border collective redress.
The impact of this reform is already evident in recent legal actions. Consumer associations, such as Movimento Consumatori, have used the Representative Action to challenge abusive clauses in rental agreements. Cases against Goldcar, Sicily by Car, and Sixt targeted excessive penalties and unfair fees imposed on consumers. Italian courts ruled in favor of the claimants, ordering the removal of unlawful clauses and requiring companies to notify affected customers and publicize the rulings.
These cases highlight how Italy’s dual-track system provides distinct but complementary tools to challenge allegedly unfair business practices. The Class Action allows individuals with similar claims to seek collective redress, while the Representative Action broadens the scope by enabling consumer organizations to act on behalf of a wider range of affected parties.
V. Belgium
Belgium transposed the EU Directive on Representative Actions effective June 10, 2024. It expanded the scope of its pre-existing class action system to include all consumer protection provisions required under the Directive on Representative Actions.
Consumers now have to opt in to participate in Representative Actions. Before implementing the EU Directive, Belgian judges had to decide between an opt-in or opt-out system on a case-by-case basis.
Eleven class action cases have been filed to date in Belgium, most led by Test-Achat/Test-Aankoop, the main consumer protection organization. These actions were brought in various sectors (e.g., transportation, telecom, culture, energy, electronic goods), usually against large Belgian or globally operating companies.
All these eleven cases were still filed under the pre-existing procedural regime.
VI. Spain
Spain has not yet transposed the EU Collective Redress Directive on representative actions into its national legal framework, even though the deadline expired in December 2022.
This delay has drawn criticism from consumer organizations. For example, in December 2024, the Financial Users Association, supported by the European Consumer Organization, filed a complaint against Spain before the European authorities for failing to transpose the directive within the established timeframe. It remains to be seen how and when Spain will fully transpose the Directive.
VIII. United Kingdom
The United Kingdom continues to see a huge growth in collective litigation even though it does not have a fully-fledged US-style class action regime. In particular and most akin to US-style class actions, there is currently a large number of (mostly) opt-out antitrust class actions at various stages before the UK’s specialist competition tribunal (the Competition Appeal Tribunal) across a wide range of sectors (particularly the technology sector) that are increasingly testing the boundaries of competition law. The actions have a combined alleged value of between £100 – £200 billion.
However, two recent developments suggest that these claims may face increased scrutiny going forward:
First, in December 2024, the Competition Appeal Tribunal dismissed the first antitrust class action to proceed to full trial in Le Patourel v BT Group (docket number 1381/7/7/21). The Class Representative had sought damages of over £1.1 billion arguing that BT’s prices for telephony services were excessive and unfair. The Competition Appeal Tribunal ruled that BT’s prices were not unfair and, in doing so, made clear the difficulties class representatives may face in proving unfairness in these types of cases.
Second, in January 2025 in Christine Riefa Class Representative Limited v Apple Inc. & others (docket number 1602/7/7/23), the Competition Appeal Tribunal refused, for the first time, the certification of a class action, on the basis that the class representative was unsuitable. This was because the Competition Appeal Tribunal found that the class representative did not understand her own funding arrangements and there were questions about her ability to act independently and in the interests of the class members. The decision makes it clear that class representatives “cannot be, merely a figurehead for a set of proceedings being conducted by their legal representatives” and that future class representatives, and their funding arrangements, will face greater scrutiny going forward.
Whilst these two developments are not expected to dampen activity, 2025 will be a key year for the regime given that trials and judgments in a number of class actions are expected to provide further insight into the Competition Appeal Tribunal’s operation of its class action regime.
There is a growing body of examples of class settlements in connection with the Competition Appeal Tribunal’s antitrust class actions regime, most notably the approval by the Competition Appeal Tribunal on February 21, 2025 of a £200 million settlement of the largest class action claim to date, brought in respect of a class of 44 million UK consumers in relation to Mastercard’s interchange fees.
In addition, there are outstanding appeals in the Court of Appeal and Supreme Court relating to the certification test and enforceability of litigation funding that will be heard this year that are likely to further shape the regime.
Beyond class actions stricto sensu, the UK remains relatively fertile ground for collective actions generally, with an active slate of cases currently before the High Court under Group Litigation Orders, a case-management device allowing large numbers of similar claims to be heard together, in relation to matters involving financial sector wrongdoing, diesel emissions cases, product liability claims, environmental breaches (in the UK and overseas), industrial and transportation accidents, misfeasance by public officials, etc.
Gibson Dunn attorneys are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Class Actions, Litigation, or Appellate and Constitutional Law practice groups, or any of the following lawyers:
Frankfurt:
Alexander Horn (+49 69 247 411 537, ahorn@gibsondunn.com)
Munich:
Markus Rieder – Munich (+49 89 189 33-260, mrieder@gibsondunn.com)
Friedrich A. Wagner (+49 89 189 33-262, fwagner@gibsondunn.com)
Paris:
Eric Bouffard (+33 1 56 43 13 00, ebouffard@gibsondunn.com)
Brussels:
Yannis Ioannidis (+32 2 554 72 08, yioannidis@gibsondunn.com)
London:
Patrick Doris (+44 20 7071 4276, pdoris@gibsondunn.com)
Dan Warner (+44 20 7071 4213, dwarner@gibsondunn.com)
United States:
Theodore J. Boutrous, Jr. – Los Angeles (+1 213.229.7000, tboutrous@gibsondunn.com)
Christopher Chorba – Co-Chair, Class Actions Group, Los Angeles (+1 213.229.7396, cchorba@gibsondunn.com)
Theane Evangelis – Co-Chair, Litigation Group, Los Angeles (+1 213.229.7726, tevangelis@gibsondunn.com)
Lauren R. Goldman – Co-Chair, Technology Litigation Group, New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Kahn A. Scolnick – Co-Chair, Class Actions Group, Los Angeles (+1 213.229.7656, kscolnick@gibsondunn.com)
Bradley J. Hamburger – Los Angeles (+1 213.229.7658, bhamburger@gibsondunn.com)
Michael Holecek – Los Angeles (+1 213.229.7018, mholecek@gibsondunn.com)
Lauren M. Blas – Los Angeles (+1 213.229.7503, lblas@gibsondunn.com)
© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
We are pleased to provide you with the February edition of Gibson Dunn’s digital assets regular update. This update covers recent legal news regarding all types of digital assets, including cryptocurrencies, stablecoins, CBDCs, and NFTs, as well as other blockchain and Web3 technologies. Thank you for your interest.
ENFORCEMENT ACTIONS
UNITED STATES
- SEC Dismisses Crypto Enforcement Actions
The SEC has agreed to dismiss several crypto enforcement actions, including those against Coinbase, Consensys, and Cumberland DRW. These requested pauses on crypto litigation under acting SEC Chairman Mark Uyeda signal a potential shift in enforcement priorities. Coinbase; Coindesk; The Block.
- SEC Closes Investigations into OpenSea, Robinhood Crypto, Uniswap Labs, and Gemini
On February 21, OpenSea announced that the SEC officially closed its investigation into the non-fungible token marketplace without pursuing enforcement action. According to OpenSea, the SEC Staff had issued it a Wells notice in August 2024, in which the SEC Staff stated that the SEC was planning to pursue an enforcement action against the platform, alleging OpenSea may have been operating as an unregistered securities marketplace. On February 24 and February 26, Robinhood, Uniswap, and Gemini made similar announcements that the SEC had closed investigations into their platforms. X (OpenSea); Robinhood; Uniswap; X (Gemini).
- HashFlare Operators Plead Guilty to Crypto Fraud
On February 12, two operators of HashFlare, a defunct cryptocurrency mining service, pleaded guilty to charges of conspiracy to commit wire fraud, in the U.S. District Court for the Western District of Washington, in connection with their operation of a crypto Ponzi scheme affecting hundreds of thousands of individuals globally. From 2015 to 2019, HashFlare allegedly sold more than $577 million in mining contracts despite not possessing the required computing capacity to perform the mining it purported to perform. The two operators agreed to forfeit assets worth more than $400 million. Sentencing is scheduled for May 8. DOJ; The Block.
- Las Vegas Business Owner Indicted for Alleged Crypto Ponzi Scheme
On February 14, Brent Kovar, owner of Profit Connect, was arrested pursuant to an indictment charging him with wire fraud, mail fraud, and money laundering, between 2017 and 2021. Kovar allegedly misrepresented that Profit Connect used artificial intelligence powered by a supercomputer to mine cryptocurrency, paid a fixed rate of return, and provided a 100% money-back guarantee while, in reality, Kovar allegedly used investor funds for his personal benefit, to operate Profit Connect, and to repay other investors as if such proceeds came from crypto mining. DOJ; The Block.
- Canadian Man Indicted for Alleged $65 Million Fraudulent Scheme
On February 3, a criminal indictment was unsealed in the U.S. District Court for the Eastern District of New York, charging Andean Madjedovic with, among other things, wire fraud and money laundering. Madjedovic allegedly exploited vulnerabilities in two decentralized finance protocols to obtain approximately $65 million in digital assets from investors in the protocols between 2021 and 2023. According to the indictment, Madjedovic borrowed hundreds of millions of dollars in tokens to engage in deceptive trading that he knew would cause the smart contracts underlying the protocols to falsely calculate key variables, which allowed Madjedovic to withdraw millions of dollars of investor funds at artificial prices. According to the government, Madjedovic is currently at large. DOJ; Indictment.
- Market Maker CLS Global Agrees to Plead Guilty to Charges Relating to Cryptocurrency “Wash Trading”
On January 21, DOJ announced that CLS Global, a financial services firm that functioned as a market maker, agreed to resolve criminal charges in the U.S. District Court for the District of Massachusetts relating to its fraudulent manipulation of cryptocurrency trading volume. According to the terms of the plea, which was accepted by a judge on February 7, 2025, CLS Global will pay $428,059 to the government, and will be prohibited from participating in U.S. cryptocurrency markets. On January 21, CLS Global also agreed to resolve parallel claims brought by the SEC. DOJ.
- U.S. Attorney’s Office for the District of Massachusetts Files Civil Forfeiture Action to Recover Proceeds of Cryptocurrency Fraud Scheme
On February 19, the U.S. Attorney’s Office for the District of Massachusetts filed a civil forfeiture action to recover various cryptocurrencies, with an estimated value of more than $1 million, which are alleged to be proceeds of an online investment fraud scheme, sometimes called a “pig-butchering” scheme. According to DOJ, the civil forfeiture action stems from an investigation into a social media group called “Financial Independence Forum,” that instructed victims to transfer funds to an allegedly fraudulent trading platform. DOJ; Complaint.
REGULATION AND LEGISLATION
UNITED STATES
- Senate Votes to Repeal IRS DeFi Broker Rule
In a major bipartisan win for the crypto industry, the Senate voted 70-27 to pass a joint resolution under the Congressional Review Act that would repeal a Biden-era rule requiring DeFi platforms to report user transactions to the IRS. The resolution is expected to pass in the House and be signed by the President. Once enacted into law, the resolution will not only effectively repeal the DeFi broker rule but also will prohibit the IRS from issuing a new rule that is “substantially the same” as the repealed rule absent new legislation. The resolution will not repeal the IRS’s July 2024 broker rule applicable to custodial digital asset trading platforms. Coindesk.
- Former CFTC Commissioner Brian Quintenz Nominated to Lead the CFTC
On February 12, Brian Quintenz was nominated as Chairman of the Commodity Futures Trading Commission (CFTC). Quintenz previously served as a CFTC Commissioner between 2017 and 2021 and most recently worked as head of policy for the cryptocurrency arm of venture-capital firm a16z. Known as a crypto advocate, Quintenz stated in his announcement on X that the CFTC is “well poised to ensure the USA leads the world in blockchain technology and innovation.” On February 25, the CFTC announced that Democratic Commissioner Christy Goldsmith Romero will step down upon Quintenz’s confirmation, after which the Commission will be comprised of three Republicans and one Democrat. X; CoinDesk; Cointelegraph; CFTC Press Release.
- SEC Guidance Says Meme Coin Transactions Generally Do Not Implicate Federal Securities Laws
On February 27, the SEC’s Division of Corporation Finance published a staff statement stating its “view that transactions in the types of meme coins described in this statement, do not involve the offer and sale of securities under the federal securities laws.” The SEC defined meme coins as “a type of crypto asset inspired by internet memes, characters, current events, or trends for which the promoter seeks to attract an enthusiastic online community to purchase the meme coin and engage in its trading.” As defined in the guidance, meme coins “typically share certain characteristics,” including that they “typically are purchased for entertainment, social interaction, and cultural purposes,” and “typically have limited or no use or functionality.” “In this regard, meme coins are akin to collectibles.” Based on these characteristics, the guidance concludes that transactions in meme coins do not involve “investment contracts” under the Howey test. Among other reasons, the guidance says, “meme coin purchasers are not making an investment in an enterprise” because “their funds are not pooled together to be deployed by promoters or other third parties for developing the coin or a related enterprise.” In addition, “any expectation of profits that meme coin purchasers have is not derived from the efforts of others,” but rather “from speculative trading and the collective sentiment of the market, like a collectible.” The guidance does “not extend to the offer and sale of meme coins that are inconsistent with the descriptions set forth above, or products that are labeled ‘meme coins’ in an effort to evade the application of the federal securities laws by disguising a product that otherwise would constitute a security.” SEC Guidance.
- New Proposed Legislation Would Establish Stablecoin Regulatory Framework
On February 4, Chairman Tim Scott (R-S.C.) joined Senate Banking Committee members Senators Bill Hagerty (R-Tenn.) and Cynthia Lummis (R-Wyo.), as well as Senator Kirsten Gillibrand (D-N.Y.), in introducing the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act. This legislation seeks to establish a clear regulatory framework for payment stablecoins by defining “payment stablecoins and set[ting] up the procedures for issuing them, including establishing the Federal Reserve as watchdog for the big bank issuers and the Officer of the Comptroller of the Currency as regulator for nonbank issuers of more than $10 billion.” “Passing clear and sensible regulations for stablecoins is critical to maintaining U.S. dollar dominance, promoting responsible innovation, and protecting consumers,” said Senator Gillibrand. Senate; CoinDesk.
- Jonathan Gould, Former Bitfury Executive, Nominated to Lead the OCC
On February 11, President Trump nominated Jonathan Gould, former chief legal officer of Bitfury (a blockchain technology company), to head the Office of the Comptroller of the Currency (OCC), which regulates U.S. national banks and federal savings associations. If confirmed by the Senate, Gould would lead the OCC for a five-year term. The Block; Cointelegraph.
- SEC Commissioner Peirce Sets Out Plans for New Crypto Task Force
On February 4, SEC Commissioner Hester Peirce, head of the SEC’s new Crypto Task Force, issued a release that sets out priorities and plans for the newly established Crypto Task Force. The Task Force will focus on registered offerings, custody solutions for investment advisers, security status, crypto lending and staking, crypto exchange-traded products, cross-border experimentation, clearing agencies and transfer agents, and special purpose broker dealers. Peirce also urged crypto companies to be patient as the SEC decides how to “disentangle” itself from the litigation initiated under former Chair Gary Gensler. SEC Release; Thomson Reuters; CoinDesk.
- The SEC Announces Creation of the Cyber Fraud Unit
On February 20, the SEC announced the creation of the Cyber and Emerging Technologies Unit (CETU), which will focus on combatting cyber-related misconduct and fraud. The CETU will replace the Crypto Assets and Cyber Unit and will be led by Laura D’Allaird, who was the co-chief of the Crypto Assets and Cyber Unit. The CETU will consist of fraud specialists and attorneys who will focus on, among other things, fraud involving blockchain technology and digital assets. SEC Press Release; The Block.
- State Legislatures Continue to Propose State-Level Strategic Crypto Reserve Bills
During the month of February, at least 14 states introduced bills to establish frameworks for investing in digital assets within their respective state treasuries. While no such bill has been enacted, such bills have been proposed in the legislatures of at least 26 states in total. Many bills include the stipulations that the amount of crypto investments by the state may not exceed a certain percentage of the total size of public funds and that the state may invest only in digital assets with a minimum market cap ($500 billion in Utah, for example). Bills in some states (such as Ohio) aim to establish a strategic reserve for bitcoin specifically. The Block.
INTERNATIONAL
- Czech Republic Attempting to Eliminate Long-Term Crypto Gains Taxes
On February 7, Czech President Petr Pavel signed a bill exempting crypto users from paying taxes on digital assets that are held for three years. Additionally, transactions up to CZK 100,000 ($4,136) do not need to be reported to Czech taxing authorities. This bill was not well received by the President of the European Central Bank, Christine Lagarde. Lagarde said that she is confident that bitcoin won’t be entering the reserves of any of the EU central banks. CoinDesk.
- Hong Kong’s SFC Proposes Expanding Crypto Regulatory Staff
On February 3, Hong Kong’s Securities and Futures Commission (SFC) proposed hiring eight new staff members as part of its budget for the next fiscal year. These hires are to focus on crypto regulatory regimes, market surveillance, and enforcement investigations. Hong Kong has opened its doors to crypto firms, and it appears to be continuing its drive to become a crypto hub. The Block; CoinDesk.
- Hong Kong SFC Sets Out New Roadmap to Develop Hong Kong as a Global Virtual Assets Hub
On February 19, Hong Kong’s SFC published its five-pillar “ASPIRe” roadmap that outlines 12 major initiatives to enhance the security, innovation and growth of Hong Kong’s virtual asset market. The 12 initiatives include establishing licensing regimes for virtual asset OTC trading and virtual asset custody services, exploring changes to the custody requirements for licensed virtual asset trading platforms, exploring a regulatory framework for professional investor-exclusive token listings and virtual asset derivative trading, and considering allowing staking and borrowing/lending services, among many other initiatives. The roadmap represents a welcome, forward-looking commitment to addressing the virtual asset market’s most pressing challenges in Hong Kong, thus encouraging digital-asset firms to set up or expand in Hong Kong. SFC.
- U.S., UK, and Australia Jointly Sanction Zservers
On February 11, the U.S. Department of Treasury’s Office of Foreign Assets Control, Australia’s Department of Foreign Affairs and Trade, and the UK’s Foreign, Commonwealth and Development Office jointly sanctioned Zservers, a Russia-based bulletproof hosting (BPH) provider, for its involvement with ransomware attackers, including LockBit, which notably extracted $120 million in Bitcoin from victims. BPH providers are known to sell tools to mask locations, identities, and activities online. Department of Treasury Press Release; Cointelegraph; Decrypt.
- Dubai Virtual Assets Regulatory Authority Warns of Meme Coin Risks and Market Manipulation
On February 13, Dubai’s Virtual Assets Regulatory Authority (VARA) issued a consumer alert on the risks of investing in meme coins, citing their speculative nature, volatility, and susceptibility to market manipulation. All virtual asset activities in Dubai must comply with VARA regulations, and unauthorized promotions may face enforcement action. VARA; Cointelegraph.
- Dubai Financial Services Authority Adds USDC and EURC to List of Recognized Crypto Tokens
On February 17, the Dubai Financial Services Authority (DFSA) expanded its list of Recognized Crypto Tokens—which currently includes Bitcoin, Ethereum, Litecoin, Toncoin and Ripple—to include the stablecoins USDC and EURC. Recognized Crypto Tokens are digital assets which can be used or transacted in the Dubai International Financial Centre. DFSA.
- The UAE’s Securities and Commodities Authority Seeks Feedback on Draft Regulations for Security and Commodity Tokens
On January 22, the UAE’s Securities and Commodities Authority (SCA) published a draft regulation on security tokens and commodity tokens, inviting industry stakeholders to provide feedback. This marks a milestone in the country’s capital markets, integrating securities and commodities with modern financial technologies. The draft, which includes 18 articles, outlines issuance, trading, settlement, and compliance obligations for these tokens. SCA.
CIVIL LITIGATION
UNITED STATES
- The SEC Files a Motion to Voluntarily Dismiss Dealer Rule Appeal
On February 19, the SEC filed an unopposed motion to voluntarily dismiss its appeal in the Fifth Circuit in the “Dealer Rule” case. The SEC had appealed two rulings in related cases by Judge Reed O’Connor that vacated the SEC’s Dealer Rule on the ground that the rule improperly expanded the definition of “dealer” under the Exchange Act. One of the cases was brought by the Crypto Freedom Alliance of Texas and Blockchain Association; the other was brought by the National Association of Private Fund Managers, Alternative Investment Management Association, Ltd., and Managed Funds Association. Motion to Dismiss Appeal; Crypto Freedom Alliance District Court Opinion; National Association of Private Fund Managers District Court Opinion; CoinDesk.
- The FDIC Releases Documents in Response to Coinbase FOIA Request Showing FDIC Debanking of Crypto
On February 5 and February 21, in response to a FOIA lawsuit directed by Coinbase, the FDIC released 183 documents spanning hundreds of pages revealing the agency’s systematic attempts during the prior Administration to pressure banks into debanking digital-asset firms. In a statement, Acting Chairman Travis Hill stated that the documents show that banks’ requests to engage in crypto-related activities “were almost universally met with resistance, ranging from repeated requests for further information, to multi-month periods of silence…, to directives from supervisors to pause, suspend, or refrain from expanding all crypto- or blockchain-related activity.” Hill explained that “these and other actions [by the FDIC] sent the message to banks that it would be extraordinarily difficult—if not impossible—to move forward. As a result, the vast majority of banks simply stopped trying.” Hill additionally noted that the FDIC is actively reevaluating its supervisory approach to provide a pathway for institutions to engage in such activities while still adhering to safety principles. FDIC.
- The Second Circuit Rules for Uniswap in Securities Class Action Appeal
On February 26, the Second Circuit affirmed the dismissal of federal securities law claims brought against Uniswap Labs, a decentralized cryptocurrency exchange, in an April 2022 class-action lawsuit. The Second Circuit affirmed the district court’s ruling that Uniswap was not a statutory seller under Section 5 of the Securities Act because it does “not hold title to the tokens placed in the liquidity pool by third party users of the platform.” In rejecting claims under Section 29(b) of the Exchange Act, the Second Circuit said that “it ‘defies logic’ that a drafter of a smart contract, a computer code, could be held liable under the Exchange Act for a third-party user’s misuse of the platform.” The Second Circuit also remanded for the district court to consider the plaintiffs’ state-law securities claims, which Uniswap did not contest. Summary Order.
INTERNATIONAL
- Ex-CEO of Crypto Exchange Wins Wrongful Dismissal Claim Against Crypto Exchange Three Fins
On February 19, the General Division of the High Court of Singapore ruled in favor of Georg Höptner, the former CEO of crypto exchange Three Fins, in a wrongful-dismissal lawsuit. Höptner was awarded nearly $2.5 million after alleging his termination was orchestrated to avoid fulfilling contractual bonus obligations. His contract stipulated a significant bonus upon completing two years or a termination bonus if dismissed without cause before that period. In October 2022, he was summarily dismissed for alleged unauthorized relocations and fund misappropriation. Judge Chua Lee Ming determined the dismissal was unjustified, noting Höptner had informed relevant parties about his relocations without objections. The court concluded the termination aimed to evade substantial bonus payments and awarded Höptner damages covering unpaid salary, allowances, notice period compensation, and the termination bonus. ICLG; Court Judgment.
- Singapore Court Recognizes Terraform Labs’ Chapter 11 Liquidation Plan
On February 21, the Singapore International Commercial Court (SICC) issued a written judgment granting Terraform Labs’ application for recognition of its U.S. Chapter 11 liquidation plan and a U.S. court order confirming the plan. In reaching its decision, the SICC held that the chapeau of Art 21(1) of the UNCITRAL Model Law on Cross-Border Insolvency as adopted in Singapore gives the court an expansive and open-ended discretion to grant appropriate relief and allows the court to be guided by principles of comity and a spirit of cooperation with foreign courts. Court Judgment.
- Robinhood to Launch Crypto Offerings in Singapore
Robinhood Markets Inc. plans to introduce cryptocurrency trading services in Singapore later this year, following the anticipated completion of its $200 million acquisition of European digital-assets exchange Bitstamp Ltd. The acquisition is expected to conclude in the first half of 2025, with the rollout of crypto offerings commencing shortly thereafter. Bitstamp had previously secured in-principle approval (IPA) from the Monetary Authority of Singapore to provide digital asset-related services in the country. This strategic move aims to leverage Bitstamp’s IPA, allowing Robinhood to provide a regulated crypto offering in the country and facilitating Robinhood’s broader expansion into the Asian market. Blockhead; Coindesk.
SPEAKER’S CORNER
UNITED STATES
- Federal Reserve Chair Confirms the Fed Will Not Issue a CBDC
At the February 11 Senate Banking Committee meeting, Federal Reserve Chair Jerome Powell confirmed that the Fed would not issue a Central Bank Digital Currency (CBDC) during his tenure, which is scheduled to end in May 2026. This follows opposition to a CBDC from President Trump and current lawmakers due to privacy and other concerns. Cointelegraph; Senate Banking Committee.
INTERNATIONAL
- Bank of England Governor: Bitcoin and Stablecoins Require Different Regulatory Approaches and UK Exploring CBDC
In a Q&A session following a speech delivered on February 11 at the University of Chicago Booth School of Business, the Governor of the Bank of England, Andrew Bailey, stated that Bitcoin and stablecoins require different approaches to regulation. According to Bailey, stablecoins in particular should be regulated more stringently because they are primarily used for payments and users expect them to function like money. Governor Bailey also confirmed that a central bank digital currency was still being considered by the UK. Bank of England.
OTHER NOTABLE NEWS
- CFPB Directed to Suspend Supervision Activity and Declines Future Funding
On February 9, Russell Vought, the acting head of the Consumer Financial Protection Bureau (CFPB), announced that the bureau will not be taking its next draw of funding from the Federal Reserve, signaling a wind-down of CFPB operations. The CFPB was directed by Vought to stop work on proposed rules, to suspend effective dates on any rules finalized but not yet effective, and to cease all supervision and examination activity. Cointelegraph; The Associated Press; NPR.
- Hackers Steal $1.5 Billion in Digital Assets from Cryptocurrency Exchange Bybit
On February 21, hackers stole approximately $1.5 billion in digital assets from Bybit’s Ethereum “cold wallet,” an offline storage system. The attackers gained control of the cold wallet and transferred over 400,000 ETH and stETH to an unidentified address. Bybit assured users that all other cold wallets are secure, that withdrawals are functioning normally, and that Bybit has more than enough assets to cover the loss and will use a bridge loan to ensure availability of user funds, if necessary. It is suspected that the hackers are connected to North Korea’s Lazarus Group. Bybit.
- Standard Chartered Bank, Animoca Brands and Hong Kong Telecom Establish Joint Venture to Issue Hong Kong Dollar-Backed Stablecoin
On February 17, Standard Chartered Bank announced that it, Animoca Brands and Hong Kong Telecom have agreed to establish a joint venture with the intention to apply for a license from the Hong Kong Monetary Authority to issue a Hong Kong Dollar-backed stablecoin after the passage of the Stablecoins Bill. The Stablecoins Bill was introduced by the Hong Kong government on December 6, 2024, and proposes to introduce a licensing regime applicable to persons who issue fiat-referenced stablecoins in Hong Kong, or who issue fiat-referenced stablecoins that purport to maintain a stable value with reference to Hong Kong Dollar, or who actively market their issuance of fiat-referenced stablecoins to the Hong Kong public. Standard Chartered; Hong Kong government.
The following Gibson Dunn lawyers contributed to this issue: Jason Cabral, Kendall Day, Jeff Steiner, Sara Weed, Sam Raymond, Nick Harper, Amanda Goetz, Nicholas Tok, Cody Wong, and Chad Kang.
FinTech and Digital Assets Group Leaders / Members:
Ashlie Beringer, Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Michael D. Bopp, Washington, D.C. (+1 202.955.8256, mbopp@gibsondunn.com)
Stephanie L. Brooker, Washington, D.C. (+1 202.887.3502, sbrooker@gibsondunn.com)
Jason J. Cabral, New York (+1 212.351.6267, jcabral@gibsondunn.com)
Ella Alves Capone, Washington, D.C. (+1 202.887.3511, ecapone@gibsondunn.com)
M. Kendall Day, Washington, D.C. (+1 202.955.8220, kday@gibsondunn.com)
Sébastien Evrard, Hong Kong (+852 2214 3798, sevrard@gibsondunn.com)
William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
Martin A. Hewett, Washington, D.C. (+1 202.955.8207, mhewett@gibsondunn.com)
Sameera Kimatrai, Dubai (+971 4 318 4616, skimatrai@gibsondunn.com)
Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)
Stewart McDowell, San Francisco (+1 415.393.8322, smcdowell@gibsondunn.com)
Hagen H. Rooke, Singapore (+65 6507 3620, hhrooke@gibsondunn.com)
Mark K. Schonfeld, New York (+1 212.351.2433, mschonfeld@gibsondunn.com)
Orin Snyder, New York (+1 212.351.2400, osnyder@gibsondunn.com)
Ro Spaziani, New York (+1 212.351.6255, rspaziani@gibsondunn.com)
Jeffrey L. Steiner, Washington, D.C. (+1 202.887.3632, jsteiner@gibsondunn.com)
Eric D. Vandevelde, Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Benjamin Wagner, Palo Alto (+1 650.849.5395, bwagner@gibsondunn.com)
Sara K. Weed, Washington, D.C. (+1 202.955.8507, sweed@gibsondunn.com)
© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
This alert provides a high-level summary of the Advisory and related considerations for participants facing potential enforcement actions.
On February 25, 2025, the Commodity Futures Trading Commission’s (the “CFTC”) Division of Enforcement (the “Division”) issued an enforcement advisory (the “Advisory”) regarding the evaluation of a company’s or an individual’s (a “Person”) self-reporting, cooperation, and remediation when recommending enforcement actions to the CFTC and setting forth the factors the Division will consider in determining proposed penalty reductions in cases involving self-reporting, cooperation, and remediation.[1] The Advisory sets out a credit-based system that the Division will use to determine appropriate penalty reductions based on a Person’s self-reporting, cooperation, and remediation in enforcement actions and investigations.[2] The Advisory replaces prior policies, including the Division’s May 2020 Enforcement Manual, and is now the sole policy of the Division.
Overview
The Advisory provides a mechanism for achieving the Division’s goals of promoting compliance with the law and ensuring accountability for those who violate the law by attempting to incentivize self-reporting, cooperation, and remediation.
- Regulatory Consistency. The Advisory indicates that it is consistent with the CFTC’s broader regulatory scheme. Thus, the Division will recognize self-reports made to the pre-existing operating division, such as the Division of Clearing and Risk, the Division of Market Oversight, and the Market Participants Division, as applicable (the “Operating Division”).
- Transparency. The Advisory contains tiered scales to evaluate self-reporting and cooperation (including remediation) and provides examples and explanations of activities that would fall into each tier.
- Clarity. The Advisory aims to provide those who might seek a reduced penalty based on their self-reporting, cooperation, and remediation (“Mitigation Credit”) a clear understanding of the potential benefits of such activities by providing a matrix outlining the credit that may be applied to reduce a civil monetary penalty and details factors that may contribute to the recommendation of a public declination.
Self-Reporting
The Advisory indicates that Mitigation Credit may be awarded when a Person self-reports a potential violation and that the Division will apply a three-tier scale in evaluating such reporting. The factors that underlie the tier system are discussed below.
- Voluntariness. The self-report must be a voluntary disclosure, rather than made on account of an imminent threat of negative enforcement action or exposure. The Division will consider the likelihood that it could have learned of the violation independently of the self-report.
- Made to the CFTC. The self-report must be made to an appropriate division of the CFTC. A division will be considered appropriate if it is the primary division that is responsible for the potentially violated regulation. The Division of Enforcement is considered an appropriate division for all reports. If a potential violation relates to multiple divisions, a report to a single appropriate division will suffice. The Advisory notes that “[t]he Division, together with the Operating Divisions, will be developing a future public enforcement advisory to set forth transparent and consistent criteria for enforcement referrals by an Operating Division to the Division of Enforcement.”
- Timeliness. The self-report must be prompt, considering the facts and circumstances of the potential violation.
- Completeness. The disclosure must include all material information known to the Person at the time the report is made. To encourage early disclosure, the Division will consider a report to be complete if the Person made best efforts to determine relevant facts before reporting, continued to investigate, and disclosed additional relevant facts as they were identified.
- Safe Harbor for Good Faith. The Division will provide a safe harbor for good-faith self-reporting if a Person voluntarily self-reports, the report is later found to be inaccurate after further investigation by the Person, the report was made in good faith, and the inaccurate information is promptly supplemented and corrected.
The Advisory contained the following chart, setting forth the self-reporting tiers and a non-exhaustive description of the self-reporting that exemplifies each tier.
Tier | Self-Reporting |
Tier 1: No Self-Report | No timely self-report; Self-report was information already known from other sources; Self-report that was not reasonably related to the potential violation or not reasonably designed to notify the CFTC of the potential violation |
Tier 2: Satisfactory Self-Report | Self-report to an appropriate division; Notified the CFTC of the potential violation; Did not include all material information reasonably related to the potential violation that the reporting party knew at the time of the self-report |
Tier 3: Exemplary Self-Report | Self-report to an appropriate division; Notified the CFTC of the potential violation; Included all material information reasonably related to the potential violation that the reporting party knew at the time of the self-report; Included additional information that assisted the Division with conserving resources in the Division’s investigation |
Cooperation
The Advisory indicates that Mitigation Credit may be awarded for cooperation in the Division’s investigation and that the Division will apply a four-tier scale in evaluating such cooperation. In determining which tier to apply, the Division noted that it will consider all relevant facts and circumstances, including whether the cooperation materially assisted the investigation, whether the cooperation conserved the Division’s resources, the timeliness of the cooperation, and the quality and extent of cooperation. Other factors that the Division said that it will consider include truthfulness, specificity, credibility, completeness, reliability, and voluntariness.
However, even if a Person has cooperated with the Division, uncooperative action may offset the Mitigation Credit awarded. The Division said that it will employ a standard of objective reasonableness in evaluating whether conduct is uncooperative. Examples of conduct that may be considered uncooperative include impeding the Division’s investigation in bad faith, untimely subpoena compliance, failure to preserve material information after its discovery, and bad faith attempts to shape the testimony of a Person’s agent. Failure to self-report a violation that involves willful misconduct or abuse of a party, harm to a client, counterparty, or customer, or significant financial losses will be deemed uncooperative. Significantly, the Division indicated that the discovery of a material violation without subsequent corrective action or a self-report, as appropriate, may suggest the absence of acceptance of responsibility and could be deemed uncooperative.
The Advisory contained the following chart, setting forth the cooperation tiers and a non-exhaustive description of the cooperation that exemplifies each tier.
Tier | Cooperation |
Tier 1: No Cooperation | No substantial assistance beyond required legal obligations |
Tier 2: Satisfactory Cooperation | Provided substantial assistance; Voluntary production of documents and information; Arranging for voluntary witness interviews; Basic presentations on legal and factual issues |
Tier 3: Excellent Cooperation | Meet the expectations for Satisfactory Cooperation; Consistently provided substantial assistance; Internal investigations or reviews; Thorough analysis of potential violation, root cause, and corrective action for remediation; Use of internal or external expert resources and consultants as appropriate |
Tier 4: Exemplary Cooperation | Meet the expectations for Excellent Cooperation; Consistently provided material assistance; Proactive engagement and use of significant resources; Significant completion of remediation; Use of accountability measures, as appropriate |
Remediation
The Division will only recommend Mitigation Credit where the Operating Division, in consultation with the Division, has concluded that the potential violation and its root cause have either been remediated or that there is a remediation plan in place that is appropriate given the facts and circumstances.
In evaluating remediation, the Division will consider whether a Person has engaged in substantial efforts to prevent a future violation. Actions that will positively impact this analysis include performing a gap analysis to identify similar violations in the future, implementing an appropriate remediation plan that prevents future violation through procedural changes, personnel accountability measures, and providing the Division with an explanation as to how the remediation plan is reasonably designed to prevent a future violation.
Mitigation Credit
If a matter is eligible for Mitigation Credit for self-reporting and/or cooperation, the Advisory indicates that the Division will presumptively recommend a discount from its initial civil monetary penalty calculation based on the following matrix:
Self-Reporting Tier | Tier 1: No Cooperation | Tier 2: Satisfactory Cooperation | Tier 3: Excellent Cooperation | Tier 4: Exemplary Cooperation |
Tier 1: No Self-Report | 0% | 10% | 20% | 35% |
Tier 2: Satisfactory Self-Report | 10% | 20% | 30% | 45% |
Tier 3: Exemplary Self-Report | 20% | 30% | 40% | 55% |
Departure from Previous Policy
The Advisory represents a significant shift in the Division’s approach to enforcement. Previous guidance, as articulated in the Division’s 2023 Advisory Regarding Penalties, Monitors and Consultants, and Admissions in CFTC Enforcement Actions (the “2023 Advisory”) emphasized imposing penalties that would serve as strong deterrents to future violations.[3] In the 2023 Advisory, the Division expressed the view that civil monetary penalties would be seen as the rational cost of doing business if not severe enough to outweigh the potential benefit of misconduct, providing guidance on determining whether such penalties are sufficient and emphasizing the importance of admissions of fault in deterring future violations.
The Advisory evinces a departure from the adversarial approach of the 2023 Advisory in favor of a collaborative process, a shift that some in the industry have characterized as a change from “stick to carrot.”[4]
CFTC Comments
Acting Chairman Caroline D. Pham praised the policy changes, stating that the clear expectations described in the Advisory will incentivize firms to self-report and resolve cases faster with reasonable penalties and emphasized that this approach will enable the CFTC to “do more with less.”[5] However, Commissioner Kristin N. Johnson released a statement announcing her lack of support for the Advisory, expressing trepidation with respect to the departure from prior guidance and emphasizing that such changes must be consistent with the CFTC’s mandates.[6]
Conclusion
The Advisory marks a significant shift in the CFTC’s enforcement policy and provides market participants with clear information on the potential benefits of proactive self-reporting, cooperation and remediation in CFTC investigations.
[1] CFTC Press Release, CFTC Releases Enforcement Advisory on Self-Reporting, Cooperation, and Remediation (Feb. 25, 2025), available at https://www.cftc.gov/PressRoom/PressReleases/9054-25.
[2] The Advisory notes that it provides only internal guidance regarding the Division’s recommendations to the CFTC and does not bind the CFTC.
[3] CFTC Press Release, CFTC Releases Enforcement Advisory on Penalties, Monitors and Admissions (Oct. 17, 2023), available here.
[4] Jessica Corso, Trump CFTC Shifts Enforcement Stance From Stick to Carrot, Law360.com (Feb. 26, 2025, 90:08 PM) available here.
[5] CFTC Press Release, CFTC Releases Enforcement Advisory on Self-Reporting, Cooperation, and Remediation (Feb. 25, 2025), available at https://www.cftc.gov/PressRoom/PressReleases/9054-25.
[6] Statement of Commissioner Kristin N. Johnson on the Enforcement Advisory on Self-Reporting, Cooperation and Remediation (Feb. 25, 2025), available here.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or any of the following:
Jeffrey L. Steiner, Washington, D.C. (+1 202.887.3632, jsteiner@gibsondunn.com)
David P. Burns, Washington, D.C. (+1 202.887.3786, dburns@gibsondunn.com)
Amy Feagles, Washington, D.C. (+1 202.887.3699, afeagles@gibsondunn.com)
Adam Lapidus, New York (+1 212.351.3869, alapidus@gibsondunn.com)
Gibson Dunn is available to help Japanese clients understand what this and other possible policy changes will mean for them and how to navigate the shifting regulatory environment.
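President Trump’s Executive Order Imposing Tariffs on Chinese-Origin Imports: Impact of U.S. Enforcement on Japanese Manufacturers and Exporters
Gibson Dunn is available to help Japanese clients understand how this Executive Order and other possible policy changes will affect them and how to navigate the changing regulatory environment.
On February 1, 2025, President Trump issued the “Executive Order Imposing Duties to Address the Synthetic Opioid Supply Chain in the People’s Republic of China.” The Executive Order imposes a 10% ad valorem tariff on “all articles that are products of the People’s Republic of China,” to be announced in a forthcoming Federal Register notice. The announced tariff will continue, under the International Emergency Economic Powers Act (IEEPA), until the “national emergency,” as determined by President Trump in his discretion, has ended.
The tariff applies to all goods “entered for consumption, or withdrawn from warehouse for consumption,” on or after 12:01 a.m. Eastern Time on February 4, 2024. The tariff is also added on top of all existing tariffs, including the tariffs of up to 50% imposed at the outset of the Trump administration on four category lists of imports from China. Those tariffs remain in effect and were extended and supplemented under the Biden administration, and they also apply to other sectors such as battery parts, electric vehicles, semiconductors, and steel and aluminum products.
The Executive Order does not include a list of specifically covered items. The details will likely be set out in a technical annex when the government publishes the order in the Federal Register or publishes a subsequent Federal Register notice.
The Executive Order provides that if China imposes its own retaliatory tariffs, President Trump “may increase or expand in scope the duties imposed under this order.” On February 2, 2025, China’s Ministry of Commerce announced that it would file a complaint with the WTO and implement corresponding “countermeasures.” Accordingly, on February 4, 2025, China’s Ministry of Finance announced that, starting February 10, 2025, it would impose additional tariffs of 15% on imports of coal and liquefied natural gas from the United States and 10% on crude oil, agricultural equipment, and certain vehicles.
In addition, on February 27, 2025, President Trump announced his intention to impose an additional 10% tariff on all imports from China. The additional tariff is scheduled to take effect on Tuesday, March 4, together with the 25% tariffs planned for imports from Canada and Mexico. In response, the Chinese Embassy in Washington, D.C. announced that China is working with the United States to address President Trump’s concerns.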
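Heightened U.S. Investigatory Environment for Tariff Evasion: False Claims Act
One direct consequence of the new tariffs is heightened regulatory scrutiny of companies that manufacture or assemble in China or that have China-based supply chains. And for companies suspected of evading tariffs in this higher-cost environment, U.S. authorities will use the False Claims Act (FCA) as a primary enforcement tool. The FCA prohibits the avoidance of monetary obligations to the U.S. government through the presentation of false information.
The U.S. Department of Justice (DOJ) has also indicated that continued rigorous FCA enforcement can be expected. Michael Granston, Deputy Assistant Attorney General in the Commercial Litigation Branch of DOJ’s Civil Division, stated recently that “the department wants to make clear that, consistent with the new administration’s stated focus on achieving governmental efficiency and rooting out waste, fraud and abuse, the department plans to continue to aggressively enforce the False Claims Act.” Granston noted in particular that the FCA is a “powerful tool” for combating “illegal foreign trade practices,” which is expected to include violations of the expanded tariff regime announced by the Trump administration. In addition, individuals who report suspected FCA violations, including current and former employees, are offered substantial monetary incentives through “qui tam” (a Latin legal term) or whistleblower lawsuits.
The risk of enforcement action is particularly acute for companies whose manufacturing, sourcing, or assembly relationships are partly tied to China. This is because the rules for determining a product’s origin differ depending on the raw materials, components, and product finishing in question. For example, even goods that a Japanese company regards as finished in Japan may, if they partly incorporate components sourced from China, be determined by U.S. authorities to be of Chinese origin for tariff purposes in light of new enforcement and regulatory interpretations, approaches, and priorities. While it is true that “substantial transformation” in a third country can change the origin of goods, U.S. authorities have grown increasingly suspicious of transshipment undertaken merely as “window dressing.”
We are aware of ongoing active investigations in this area. Recent examples of multi-million-dollar FCA settlements involving Chinese supply chain issues include the following.
1. A March 2024 U.S. Department of Justice investigation and $3.1 million settlement concerning an alleged conspiracy to evade customs duties between a New Jersey chemicals importer and Chinese suppliers.
2. A January 2024 U.S. Department of Justice investigation and $3 million settlement resolving allegations that a manufacturer of Chinese-made automobile parts intentionally avoided paying tariffs.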
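Executive Orders Simultaneously Imposing Tariffs on Canada and Mexico
In addition, some companies, including many Japanese companies, have until now pursued manufacturing operations in Canada and Mexico, leveraging the North American Free Trade Agreement (NAFTA) and its successor agreement that took effect in 2020, the United States-Mexico-Canada Agreement (USMCA), with the aim of maximizing cost savings in both countries relative to startup costs in the United States. As part of the February 1 Executive Order, however, President Trump simultaneously announced 25% tariffs on goods originating in Canada and Mexico. As of February 4, these tariffs have been paused for 30 days, but this regional cost-mitigation strategy may ultimately be foreclosed or closely scrutinized by enforcement authorities.
Mitigating Risk
Given this new trade environment, Japanese companies should be mindful of the increasingly stringent U.S. investigatory environment for tariff evasion and take appropriate precautions, such as auditing origin-related compliance and recordkeeping processes across their entire value chains.
If a company nevertheless becomes the subject of an enforcement investigation by U.S. authorities for a potential FCA violation based on tariff evasion, or is accused of such misconduct by a whistleblower, we recommend that it seek the assistance of U.S. counsel with FCA defense experience.
Gibson Dunn’s False Claims Act / Qui Tam Defense and Sanctions and Export Enforcement practice groups continuously monitor developments in this area and are available to help Japanese companies understand and respond to FCA and trade-related investigations and enforcement actions, including with support in Japanese.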
Winston Y. Chan – Global Co-Chair, False Claims Act / Qui Tam Defense and White Collar Defense and Investigations Practice Groups, based in our San Francisco office
(+1 415.393.8362, wchan@gibsondunn.com)
Eli M. Lazarus – Of Counsel, White Collar Defense and Investigations Practice Group, based in our San Francisco office
(+1 415.393.8340, elazarus@gibsondunn.com)
Justin Lin – Associate Attorney, False Claims Act / Qui Tam Defense and White Collar Defense and Investigations Practice Group, based in our San Francisco office
(+1 415.393.4653, jolin@gibsondunn.com)
Gabriela Li – Associate Attorney, False Claims Act / Qui Tam Defense and Securities Regulation and Corporate Governance Practice Groups, based in our San Francisco office
(+1 415.393.4602, gli@gibsondunn.com)
On February 1, 2025, President Trump issued an Executive Order Imposing Duties to Address the Synthetic Opioid Supply Chain in the People’s Republic of China. The Executive Order imposes a 10% ad valorem tariff on “all articles that are products of the PRC,” to be defined in a forthcoming Federal Register notice. The announced tariff is to stay in place until President Trump determines the “national emergency,” as assessed in his discretion under the International Emergency Economic Powers Act (IEEPA), is over.
The tariff applies to all “goods entered for consumption, or withdrawn from warehouse for consumption,” on or after 12:01 a.m. Eastern Time on February 4, 2024. And the tariff is cumulative to all existing tariffs, including the up to 50% tariffs imposed during the first Trump administration on four category lists of Chinese imports. Those tariffs remain in effect and were extended and supplemented under the Biden administration, including (among other sectors) to battery parts, electric vehicles, semiconductors, and steel and aluminum products.
The Executive Order does not include a list of specifically covered goods. The full details are likely to be included in a technical annex when the government publishes the order to the Federal Register or publishes a follow-up Federal Register notice.
The Executive Order states that if China imposes its own retaliatory tariffs, President Trump “may increase or expand in scope the duties imposed under this order.” On February 2, 2025, China’s Ministry of Commerce announced it would file a complaint to the WTO and implement corresponding “countermeasures.” Accordingly, on February 4, 2025, China’s Ministry of Finance announced, starting February 10, 2025, the imposition of additional tariffs of 15% on coal and liquified natural gas imports from the United States and a 10% tariff on crude oil, agricultural equipment, and certain vehicles.
Additionally, on February 27, 2025, President Trump announced that he intended to add an additional 10% tariff on all Chinese imports—with the additional levy to go into effect on Tuesday, March 4, alongside scheduled 25% tariffs on imports from Canada and Mexico. The Chinese Embassy in Washington, D.C. announced in response that China was working with the United States to address President Trump’s concerns.
Heightened U.S. Investigatory Environment for Tariff Evasion—False Claims Act
One direct consequence of the new tariffs will be increased regulatory scrutiny of companies with manufacturing or assembly operations in China, or who have a China-based supply chain. And for those companies suspected of evading tariffs in this higher-cost environment, the False Claims Act (FCA) is a primary enforcement tool wielded by U.S. authorities. The FCA prohibits the avoidance of monetary obligations to the U.S. government by the presentation of false information.
And the U.S. Department of Justice (DOJ) has indicated that continued robust FCA enforcement can be expected in the years ahead. Michael Granston, Deputy Assistant Attorney General in the Commercial Litigation Branch of DOJ’s Civil Division, stated recently that “[t]he department wants to make clear—consistent with the new administration’s stated focus on achieving governmental efficiency and rooting out waste, fraud and abuse—that the department plans to continue to aggressively enforce the False Claims Act.” Granston noted in particular that the FCA is a “powerful tool” in combating “illegal foreign trade practices,” which can be expected to include violations of the expanded tariff regime announced by the Trump administration. Additionally, the FCA provides substantial monetary incentives to private individuals—including current and former employees—who report suspected FCA violations, through “qui tam” or whistleblower lawsuits.
The risk of enforcement action is particularly acute for companies with some but not all of their manufacturing, sourcing, or assembly relationships tied to China. This is because different rules for determining product origin apply depending on the raw materials, components, and product finishing in question. For example, goods that a Japanese company may consider as finished in Japan but that partially incorporate China-sourced components may be determined by U.S. authorities to be of Chinese origin for tariff purposes in light of new enforcement and regulatory interpretations, approaches, and priorities. And while it is true that “substantial transformation” in a third country can alter the origin of products, U.S. authorities have grown increasingly suspicious of transshipment undertaken merely as “window dressing.”
We are aware of ongoing active investigations in this area, and examples of recent multi-million-dollar FCA settlements involving Chinese supply chain issues include:
- A March 2024 U.S. Department of Justice investigation and settlement of $3.1 million for an alleged conspiracy to avoid customs duties between a New Jersey chemicals importer and Chinese suppliers.
- A January 2024 U.S. Department of Justice investigation and settlement of $3 million to resolve allegations that an automobile parts manufacturer intentionally failed to pay tariffs on Chinese-manufactured products.
Simultaneous Executive Orders Imposing Canada and Mexico Tariffs
In addition, whereas some companies—including many Japanese companies—had previously pursued manufacturing operations in Canada and Mexico, in part to leverage the North American Free Trade Agreement (NAFTA) and its 2020 successor, the United States-Mexico-Canada Agreement (USMCA), and to maximize cost savings in both countries relative to startup costs in the United States, as part of the February 1 Executive Order, President Trump simultaneously announced 25% tariffs on Canada- and Mexico-origin goods. Although these tariffs have been paused for 30 days as of February 4, this regional cost-mitigation strategy may end up being foreclosed, or otherwise highly scrutinized by enforcement authorities.
Mitigating Risk
Given this new trade environment, Japanese companies should be attuned to the heightened U.S. investigatory environment for tariff evasion and take appropriate precautions, such as auditing origin-related compliance and recordkeeping processes throughout their value chains.
In the event that companies nevertheless become the subject of enforcement investigations by U.S. authorities for tariff evasion-based potential violations of the FCA or are accused of such misconduct by a purported whistleblower, companies are advised to seek the assistance of U.S. counsel with FCA defense experience.
With its market-leading False Claims Act / Qui Tam Defense and Sanctions and Export Enforcement Practice Groups, Gibson Dunn continues to monitor developments in this area and is available to help Japanese clients understand and navigate FCA and trade-related investigative and enforcement actions, including with support in Japanese language.
False Claims Act/Qui Tam Defense Practice Group:
Washington, D.C.
Jonathan M. Phillips – Co-Chair (+1 202.887.3546, jphillips@gibsondunn.com)
Stuart F. Delery (+1 202.955.8515, sdelery@gibsondunn.com)
F. Joseph Warin (+1 202.887.3609, fwarin@gibsondunn.com)
Jake M. Shields (+1 202.955.8201, jmshields@gibsondunn.com)
Gustav W. Eyler (+1 202.955.8610, geyler@gibsondunn.com)
Lindsay M. Paulin (+1 202.887.3701, lpaulin@gibsondunn.com)
Geoffrey M. Sigler (+1 202.887.3752, gsigler@gibsondunn.com)
Joseph D. West (+1 202.955.8658, jwest@gibsondunn.com)
San Francisco
Winston Y. Chan – Co-Chair (+1 415.393.8362, wchan@gibsondunn.com)
Charles J. Stevens (+1 415.393.8391, cstevens@gibsondunn.com)
New York
Reed Brodsky (+1 212.351.5334, rbrodsky@gibsondunn.com)
Mylan Denerstein (+1 212.351.3850, mdenerstein@gibsondunn.com)
Denver
John D.W. Partridge (+1 303.298.5931, jpartridge@gibsondunn.com)
Ryan T. Bergsieker (+1 303.298.5774, rbergsieker@gibsondunn.com)
Monica K. Loseman (+1 303.298.5784, mloseman@gibsondunn.com)
Dallas
Andrew LeGrand (+1 214.698.3405, alegrand@gibsondunn.com)
Los Angeles
James L. Zelenay Jr. (+1 213.229.7449, jzelenay@gibsondunn.com)
Nicola T. Hanna (+1 213.229.7269, nhanna@gibsondunn.com)
Jeremy S. Smith (+1 213.229.7973, jssmith@gibsondunn.com)
Deborah L. Stein (+1 213.229.7164, dstein@gibsondunn.com)
Dhananjay S. Manthripragada (+1 213.229.7366, dmanthripragada@gibsondunn.com)
Palo Alto
Benjamin Wagner (+1 650.849.5395, bwagner@gibsondunn.com)
Sanctions and Export Enforcement Practice Group:
United States:
Matthew S. Axelrod – Co-Chair, Washington, D.C. (+1 202.955.8517, maxelrod@gibsondunn.com)
Adam M. Smith – Co-Chair, Washington, D.C. (+1 202.887.3547, asmith@gibsondunn.com)
Ronald Kirk – Dallas (+1 214.698.3295, rkirk@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Donald Harrison – Washington, D.C. (+1 202.955.8560, dharrison@gibsondunn.com)
Christopher T. Timura – Washington, D.C. (+1 202.887.3690, ctimura@gibsondunn.com)
David P. Burns – Washington, D.C. (+1 202.887.3786, dburns@gibsondunn.com)
Nicola T. Hanna – Los Angeles (+1 213.229.7269, nhanna@gibsondunn.com)
Courtney M. Brown – Washington, D.C. (+1 202.955.8685, cmbrown@gibsondunn.com)
Asia:
Kelly Austin – Denver/Hong Kong (+1 303.298.5980, kaustin@gibsondunn.com)
David A. Wolber – Hong Kong (+852 2214 3764, dwolber@gibsondunn.com)
Fang Xue – Beijing (+86 10 6502 8687, fxue@gibsondunn.com)
Qi Yue – Beijing (+86 10 6502 8534, qyue@gibsondunn.com)
Europe:
Attila Borsos – Brussels (+32 2 554 72 10, aborsos@gibsondunn.com)
Patrick Doris – London (+44 207 071 4276, pdoris@gibsondunn.com)
Michelle M. Kirschner – London (+44 20 7071 4212, mkirschner@gibsondunn.com)
Penny Madden KC – London (+44 20 7071 4226, pmadden@gibsondunn.com)
Benno Schwarz – Munich (+49 89 189 33 110, bschwarz@gibsondunn.com)
© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
On March 2, 2025, the Department of the Treasury issued guidance announcing that it will not enforce any penalties or fines against U.S. citizens or domestic reporting companies or their beneficial owners pursuant to the Corporate Transparency Act (CTA). This guidance also announces that when the Department of the Treasury issues a proposed rulemaking regarding the CTA in the future, the rulemaking “will narrow the scope of the rule to foreign reporting companies only.”[1]
Entities that may be subject to the CTA that have not filed BOI reports should consult with their CTA advisors as necessary, now that the Department of the Treasury has announced it will suspend enforcement of the penalty provisions of the CTA and will propose amendments to the reporting rule providing that it will apply only against “foreign reporting companies.”
During litigation that temporarily enjoined enforcement of the CTA from December 2024 until February 18, 2025, the Financial Crimes Enforcement Network (FinCEN) issued guidance extending the required deadlines for companies subject to the CTA to March 21, 2025 or later.[2] On February 27, 2025, FinCEN then suspended the March 21, 2025 deadline, instead stating its intention to issue an interim final rule before March 21, 2025 that will extend beneficial ownership information (BOI) reporting deadlines for those companies required to submit such information.[3] Under the 2022 Reporting Rule that instituted the CTA, “each reporting company” – both domestic and foreign – was required to file BOI information by certain deadlines.[4]
The Department of the Treasury’s latest statement on March 2 announces that the Department will propose revisions to the reporting rule “that will narrow the scope of the rule to foreign reporting companies only.”[5] As currently defined, a “foreign reporting company” is “any entity” that is “[f]ormed under the law of a foreign country”; and “[r]egistered to do business in any State or tribal jurisdiction by the filing of a document with a secretary of state or any similar office under the law of a State or Indian tribe.”[6]
For additional background information, please refer to our Client Alerts issued on December 5, December 9, December 16, December 24, and December 27, 2024, and on January 24, February 19, and February 28, 2025.
[1] https://home.treasury.gov/news/press-releases/sb0038.
[2] https://fincen.gov/sites/default/files/shared/FinCEN-BOI-Notice-Deadline-Extension-508FINAL.pdf.
[3] https://www.fincen.gov/news/news-releases/fincen-not-issuing-fines-or-penalties-connection-beneficial-ownership.
[4] 31 C.F.R. § 1010.380(a).
[5] https://home.treasury.gov/news/press-releases/sb0038.
[6] 31 C.F.R. § 1010.380(c)(ii); see also 31 U.S.C. § 5336(a)(11)(A)(ii).
Gibson Dunn has deep experience with issues relating to the Bank Secrecy Act, the Corporate Transparency Act, other AML and sanctions laws and regulations, and challenges to Congressional statutes and administrative regulations.
For assistance navigating white collar or regulatory enforcement issues, please contact the authors, the Gibson Dunn lawyer with whom you usually work, or any leader or member of the firm’s Anti-Money Laundering, Administrative Law & Regulatory, Investment Funds, Real Estate, or White Collar Defense & Investigations practice groups.
Please also feel free to contact any of the following practice group leaders and members and key CTA contacts:
Anti-Money Laundering:
Stephanie Brooker – Washington, D.C. (+1 202.887.3502, sbrooker@gibsondunn.com)
M. Kendall Day – Washington, D.C. (+1 202.955.8220, kday@gibsondunn.com)
David Ware – Washington, D.C. (+1 202.887.3652, dware@gibsondunn.com)
Ella Capone – Washington, D.C. (+1 202.887.3511, ecapone@gibsondunn.com)
Sam Raymond – New York (+1 212.351.2499, sraymond@gibsondunn.com)
Administrative Law and Regulatory:
Stuart F. Delery – Washington, D.C. (+1 202.955.8515, sdelery@gibsondunn.com)
Eugene Scalia – Washington, D.C. (+1 202.955.8673, dforrester@gibsondunn.com)
Helgi C. Walker – Washington, D.C. (+1 202.887.3599, hwalker@gibsondunn.com)
Matt Gregory – Washington, D.C. (+1 202.887.3635, mgregory@gibsondunn.com)
Investment Funds:
Kevin Bettsteller – Los Angeles (+1 310.552.8566, kbettsteller@gibsondunn.com)
Shannon Errico – New York (+1 212.351.2448, serrico@gibsondunn.com)
Greg Merz – Washington, D.C. (+1 202.887.3637, gmerz@gibsondunn.com)
Real Estate:
Eric M. Feuerstein – New York (+1 212.351.2323, efeuerstein@gibsondunn.com)
Jesse Sharf – Los Angeles (+1 310.552.8512, jsharf@gibsondunn.com)
Lesley V. Davis – Orange County (+1 949.451.3848, ldavis@gibsondunn.com)
Anna Korbakis – Orange County (+1 949.451.3808, akorbakis@gibsondunn.com)
White Collar Defense and Investigations:
Stephanie Brooker – Washington, D.C. (+1 202.887.3502, sbrooker@gibsondunn.com)
Winston Y. Chan – San Francisco (+1 415.393.8362, wchan@gibsondunn.com)
Nicola T. Hanna – Los Angeles (+1 213.229.7269, nhanna@gibsondunn.com)
F. Joseph Warin – Washington, D.C. (+1 202.887.3609, fwarin@gibsondunn.com)