News Briefs

FCC Proposes Sweeping Rules on Foreign Call Centers: Onshoring Mandates, Consumer Protections and Robocall Deterrence

Thu, 09 Apr 2026 17:27:00 Z

FCC Proposes Sweeping Rules on Foreign Call Centers: Onshoring Mandates, Consumer Protections and Robocall Deterrence

On March 27, 2026, the Federal Communications Commission (FCC) released a Notice of Proposed Rulemaking (Call Center NPRM) seeking comment on a broad package of rules governing foreign call centers. The rulemaking addresses three distinct objectives: encouraging the onshoring of call center operations to the United States; establishing quality and security standards for foreign call center operations that remain; and deterring unlawful robocalls originating from foreign countries through financial mechanisms, such as bonds and fees.

The proposed rules would apply to providers of telecommunications services, commercial mobile radio services (CMRS), interconnected voice over internet protocol (VoIP), cable television, and direct broadcast satellite (DBS) services, as well as their affiliates that provide internet access service. The FCC also seeks comment on extending some or all of these rules more broadly, including all calls covered by the Telephone Consumer Protection Act (TCPA), which could subject a range of commercial entities to new FCC requirements. Companies that use or rely on foreign call centers for customer service, sales or telemarketing should evaluate these proposals and consider participating in the comment process.

Key proposals

Cap on foreign-handled calls

The FCC proposes to limit the percentage of customer service calls that providers may route to or answer at foreign call centers. The NPRM uses 30% as an illustrative threshold and seeks comment on whether this cap should apply separately to inbound and outbound calls or on a combined basis. The FCC asks about the appropriate measurement period (annual, quarterly, monthly or daily) and whether to phase in the cap over time to allow providers to build domestic capacity.

English proficiency requirements

The proposed rules would require providers using offshore call centers to ensure that all calling staff are proficient in both spoken and written American Standard English. The FCC emphasizes that proficiency must extend beyond vocabulary to include understanding of tone, idioms and cultural context. The NPRM seeks comment on which testing regime should apply (referencing the OET, TOEFL and TOEIC as potential models) and whether the FCC should assess compliance per employee or on an aggregate basis. The FCC also asks how these requirements would apply to call centers serving non-English-speaking US customers.

Consumer right to transfer to a US-based representative

Upon consumer request, the proposed rules would require providers to transfer any call that a foreign call center is handling to a representative located in the US. Providers would need to ensure that wait times for transferred calls are no longer than for calls they initially route domestically.

Mandatory disclosure of foreign call center use

The proposed rules would require providers to inform customers at the beginning of each call that a representative outside the US is handling the call. The FCC proposes specific disclosure language that would include the name of the country where the call center operates and notification of the consumer’s right to request transfer to a US-based representative. The disclosure requirement would apply to both inbound and outbound calls.

Sensitive transactions: Domestic-only requirement

The FCC proposes to require that US-based call centers exclusively handle customer interactions involving sensitive data like passwords, multifactor authentication information, Social Security numbers, and bank account or credit card numbers. This requirement would apply regardless of the communication channel used (voice, chat, email or text) and proposes to exclude calls handling sensitive data from any percentage-cap calculation.

Prohibition on call centers in foreign adversary nations

The NPRM proposes to prohibit covered providers from using call centers located in “foreign adversary” nations, as defined under existing Commerce Department regulations. Foreign adversary nations include China, Russia, Iran, North Korea, Cuba and Venezuela. The FCC further seeks comment on an even broader prohibition –barring the use of any call center, wherever located, that employs citizens or residents of a foreign adversary nation. This is a hard prohibition, not a cap.

Broadband label and transparency disclosures

The FCC proposes to amend its broadband consumer label rules to require display of the percentage of customer service calls handled by US-based representatives. For providers of non-broadband services covered by the proposed rules, the FCC asks whether providers should publish comparable information on their websites.

Compliance tracking and reporting

The proposed rules would require providers to track and report to the FCC their compliance with all adopted rules. Reports would cover English proficiency testing results, call volumes by location (domestic versus foreign), transfer rates, wait times and dropped call data. The FCC seeks comment on reporting frequency (monthly, quarterly or annually) and whether the FCC should make compliance reports public.

Extension to nonvoice channels

Beyond the sensitive-transaction requirement (which already extends to all channels), the FCC asks whether all of the proposed rules should apply to nonvoice customer communications, including online chat, text messages, email and video conferencing.

Bond and fee requirements for robocall deterrence

In a separate but related set of proposals, the FCC seeks comment on requiring providers that transmit calls from foreign countries to the US, particularly international gateway providers, to post bonds. The FCC asks detailed questions about bond amounts, drawdown triggers, due process safeguards, replenishment obligations and administration. As an alternative, the FCC also asks about government-imposed fees on unlawful traffic.

Comment dates will be set after publication in the Federal Register. If you have questions about this proceeding or are considering submitting comments, please contact one of the Cooley lawyers listed below.

Washington State Expands Personality Rights Law to Cover AI-Generated Deepfakes

Thu, 09 Apr 2026 07:00:00 Z

Washington state expanded its existing property rights law to address use of a person’s “forged digital likeness” without the person’s consent. Substitute Senate Bill 5886 (SSB 5886), signed into law by Gov. Bob Ferguson on March 16, 2026, amends Washington’s Personality Rights Law to address the growing use of artificial intelligence to create realistic but deceptive audio and video, and impacts those that rely on such technology to create content. The law takes effect on June 11, 2026.

What changed?

The Personality Rights Law already prohibited the use of an individual’s name, voice, signature, photograph or likeness without their consent. The amended law expands that list to include a person’s “forged digital likeness,” defined as:

A visual representation which is either persistent or transmitted in real-time of an actual and identifiable individual, or an audio recording which is either persistent or transmitted in real-time of an actual and identifiable individual’s voice, which: (a) has been digitally created, adapted, altered, or modified to be indistinguishable from a genuine visual representation or audio recording of the individual; (b) misrepresents the appearance, speech, or conduct of the individual; and (c) is likely to deceive a reasonable person into believing that the visual representation or audio recording is genuine.

This property right applies to both living and certain deceased individuals.

Strengthened remedies

In addition to the potential for injunctive relief, actual damages and recovery of attributable profits and reasonable attorneys’ fees, the law significantly increases the potential consequences violators face:

Doubled civil penalty: Under the prior law, violators could be subject to financial penalties of $1,500 or actual damages, whichever was greater. The amended law raises the potential civil penalty to $3,000. There remains the potential recovery of actual damages and any attributable profits.
Noneconomic damages for deepfake violations: Where the violation involves a forged digital likeness, the violator is also responsible for noneconomic damages, such as mental or physical pain and suffering, or injury to reputation and humiliation.

Broader legal landscape

SSB 5886 is part of a broader national trend. Washington had already passed a law extending the state’s criminal impersonation statute to cover the distribution of someone’s forged digital likeness with the intent to defraud, harass or threaten them. Other states, such as California, New York and Tennessee, have passed legislation regulating digital likenesses.

Key takeaways and next steps

Businesses and content creators should act now to prepare for the June 11, 2026, effective date. In particular:

Review content workflows. Any use of AI tools to generate, alter or reproduce audio or visual representations of real individuals should be audited for compliance.
Update consent frameworks. Existing consent language in contracts, talent agreements and terms of service may not be sufficient to cover AI-generated digital likenesses under the new statutory definition.
Assess liability exposure. The expanded civil penalty and the addition of noneconomic damages for deepfake-specific infringements substantially raise the stakes of noncompliance.

Areas requiring further clarification include how courts will interpret the “likely to deceive a reasonable person” standard in practice, and how the law will interact with First Amendment protections for satire, parody and commentary.

UK Competition and Consumer Regulator Sets Key Regulatory Priorities for 2026 – 2027

Wed, 08 Apr 2026 14:02:22 Z

The UK’s Competition and Markets Authority (CMA) published its Annual Plan for 2026 to 2027 on 23 March 2026 setting out its strategic priorities for the coming year. This is the first detailed plan for implementation under its 2026 – 2029 Strategy, which seeks to put into practice some of the regulator’s longer-term objectives of protecting consumers and promoting competition in the wake of its mandate to help drive economic growth and improve household prosperity.

The plan was published against the backdrop of a government consultation on refining the UK competition regime, which seeks to speed up and streamline market investigations, provide clarity on merger control thresholds and implement a new decision-making model for in-depth mergers (see our February alert). It further embeds the CMA’s framework for acting with pace, predictability, proportionality and process (the 4Ps) in order to make the UK economy a more business-friendly environment and to “put money back” in people’s pockets.

In terms of key initiatives, the plan is notable for a strong shift in the CMA prioritising its enforcement of UK consumer protection laws, potentially to a greater extent than its competition law enforcement, a focus on encouraging innovation by supporting small and medium-sized enterprises (SMEs) and startups, policing public procurement markets for signs of anticompetitive conduct, and aligning its interventions to support the UK government’s eight Industrial Strategy sectors.

Key objectives

The plan reiterates the CMA’s key objectives from its 2026 – 2029 Strategy, namely:

Remaining a strong advocate for, and independent enforcer of, effective competition across the UK economy.
Championing consumers.
Helping government deploy tailored pro-competition interventions to support growth, innovation and investment-related policies.
Contributing to a UK regulatory landscape which instils business confidence and acts as a magnet for investment.
Delivering tangible benefits for the UK economy, citizens and businesses.

These key objectives contrast with those set out in previous annual plans, which had a stronger focus on competition in digital and fast-growing markets, complex (often digital) merger review, and sustainability. This shift has arisen not only from the Strategic Steer received from the government in 2025, but also from the coming into force of the Digital Markets, Competition and Consumer Act (DMCCA), which bolstered the CMA’s consumer protection enforcement powers. Under this regime, the CMA can act more quickly and investigate and impose fines directly, without having to go through lengthy UK court procedures.

We set out the CMA’s key areas of focus for the year ahead and what this means for businesses below.

1. Consumer protection

Under the DMCCA, the CMA received new enforcement powers to protect consumers against unfair commercial practices (see our April 2025 alert). The plan states that implementing the enhanced consumer protection regime under the DMCCA is a core priority, combining support for business compliance with enforcement action. The CMA highlights that this approach is intended to “put money back in people’s pockets” and strengthen consumer confidence.

The plan explains that the CMA will continue to prioritise areas of essential spend to help people struggling with pressure on household budgets, focusing in particular on the following behaviours:

Providing objectively false information to consumers
Fake reviews
Hidden fees
Aggressive sales practices
Imbalanced and unfair contract terms

In addition, the plan also sets out that the CMA will drive at behavioural change in businesses and across sectors through the use of advisory letters, noting that this approach has already driven behavioural change without the CMA needing to deploy a full case team to an enforcement investigation.

Takeaways

The CMA is clearly prioritising its enforcement of UK consumer protection laws. This is a continuation of the CMA’s 2025 strategy, which saw the agency send more than 100 advisory letters to businesses that it considered to be out of compliance with their consumer law obligations. It also launched its first investigations under the regime. For the remainder of 2026, we expect to see further enforcement of consumer issues, with the CMA seeking decisive resolutions for consumers.

In addition to the enforcement priorities named above, the DMCCA also sets out new obligations on businesses in relation to subscriptions, which we expect to come into force during the course of 2026. Businesses are advised to review their existing subscription offers to check if these fall within the remit of the DMCCA, and if so, put in place a compliance plan.

2. Competition enforcement

The plan sets out the CMA’s targeted focus for competition enforcement as follows:

Tackling anticompetitive conduct in key growth sectors and areas that may help to improve household prosperity; as part of this, the CMA will actively target anticompetitive activity which prevents startups and scale-ups from growing
Facilitating pro-growth, legitimate business collaboration, particularly in the eight Industrial Strategy priority sectors – advanced manufacturing, clean energy industries, creative industries, defence, digital and technologies, financial services, life sciences, and professional and business services – and in relation to sustainability agreements
Prioritising action against bid-rigging in the public sector and using AI and data science tools to support evidence gathering
Ensuring that AI is not used to impede competition in the UK, including through algorithmic collusion; in this context, the CMA is also making further investments into its detection tools, including AI, to scan public data and identify suspicious activity in all areas of focus, and the CMA’s recent guidance on Complying with Consumer Law When Using AI Agents supports this as a key area of focus in the consumer space as well (see our March 2026 alert).

Takeaways

The CMA’s competition enforcement focus is clearly targeted to support the government’s growth agenda. Notable is the emphasis both in the plan and in public statements currently being made by the CMA with regards to identifying how the CMA can support startups to scale up in the UK. These reflect a wider programme of work commenced in Autumn 2025 in which the CMA looked at the role of competition policy to encourage startup growth and investment in the UK, including tackling sector-specific barriers, such as public-sector procurement and regulation, the role of data and interoperability in scaling in the UK and from a merger control perspective, and the role of consolidation to achieve scale. Now, more than ever, the CMA is likely to be receptive to complaints by SMEs regarding market structures or the behaviours of competitors.

Also notable are how AI developments are now shaping the CMA’s workplan – both with regards to new tools that it is using to monitor market behaviour, such as in public-sector markets and to detect cartels, but also with regards to the use of algorithms and AI where these tools enable market collusion. Whilst to date the CMA has confined itself to issuing guidance on the use of AI and algorithms, and decisions are awaited, companies that use pricing algorithms and other AI tools to gather information are strongly recommended to review the compliance position of these.

3. Markets

With regard to the CMA’s markets work, while the agency has the ability to investigate entire markets, even in the absence of consumer or competition law breaches, the plan confirms a continued focus on those markets that are consumer facing. The plan specifically calls out the progression of the CMA’s market study into the private dentistry sector, along with implementation of remedies that result from its veterinary services market investigation, which concluded on 24 March 2026 and resulted in, amongst others, a price cap on prescriptions.

The plan further provides that the CMA will use its market function to support the government’s Industrial Strategy to help reduce cross-economy barriers to growth, supporting interoperability and access to data. The UK government’s proposed reforms to the competition regime also include changes to the CMA’s markets regime, which seek to replace the existing market study and market investigation model with a new single-phase market review tool and ensure market remedies remain necessary and proportionate. In implementing these aims, the plan seeks to be mindful of not placing more burden on business than necessary – for example, by focusing on light-touch and fast interventions, being guided by proportionality, and ensuring an effective monitoring of remedies, including removing remedies that are no longer needed.

Takeaways

The CMA continues to focus its market function on key areas of consumer need and spend, and we expect to see extensive use of this tool in the coming year. For example, on 20 March 2026, the CMA launched a market study into the supply of heating oil as an area of essential spend following the sudden rise in oil prices caused by the current conflict in the Middle East. On 24 March 2026, the Chancellor set out a plan to help protect households from unfair price increases set for profiteering during the crisis. As part of this, the government may act to give time-limited, targeted powers to the CMA so it can clamp down on “price gouging”.

4. Digital markets

In the digital realm, the plan sets out the CMA’s priorities in implementing its digital market regulation powers, including its work on its first designations of strategic market status (SMS) under the DMCCA in relation to search and mobile platforms. The CMA has recently indicated that it will open its next SMS investigation in May 2026.

Takeaways

We expect the CMA to focus on delivering a pragmatic approach to the regulation of digital markets with a focus on ensuring a level playing field for startups and scale-ups across the UK tech sector, particularly in areas like fintech and digital wallets, browsers, and platforms, with a particular focus on choice architecture, data access and interoperability. Commitments in the current designation process came into force on 1 April, and we expect at least one further designation to land in 2026. We therefore do not expect the regulator to put its current focus on digital regulation on the backburner just yet, particularly in areas where technology intersects with essential consumer spend, such as banking and finance.

5. Merger control

The CMA plans to apply its merger control powers in a targeted way, emphasising that most mergers do not raise competition concerns, but that it wants to be a strong advocate for effective competition across the UK economy. As part of this, the CMA will continue implementing its wait-and-see approach to global mergers.

Takeaways

On 20 January 2026, the UK government opened a consultation on legislative changes to the UK merger control regime aimed at enhancing predictability for businesses in support of economic growth which we wrote about in February. This came on the heels of a number of reforms and significant shifts in the CMA’s enforcement and merger review priorities, emphasising its alignment with the UK government’s pro-growth, pro-business agenda. As part of this, we expect:

Mergers involving global markets, but with only peripheral UK-specific overlaps, to be less likely to attract scrutiny, with more concentration on those transactions with a clear UK nexus.
More deals to continue to be cleared through the briefing-paper route with less full Phase 1 reviews.
A more flexible approach to remedies following the removal of the presumption against behavioural remedies at Phase 1 review.

The government consultation proposes to refine this further, with more streamlined investigations, greater certainty on notification thresholds and more time for businesses to agree remedies following a Phase 1 merger investigation.

What’s next?

Overall, the draft Annual Plan highlights the CMA’s ambition to be a consumer champion and enabler of economic growth in the UK. It also reinforces the CMA’s role in shaping markets – not just policing them – offering both risks and opportunities for businesses with UK operations.

In particular, while much of the commentary focuses on increased enforcement, the plan also presents strategic opportunities. The CMA is explicitly seeking to facilitate investment, sustainability initiatives and pro‑growth collaboration, including in the government’s priority sectors. Firms that understand how to operate within this framework can gain an advantage, particularly where regulatory clarity or market opening measures create new avenues for innovation.

If you would like to discuss what this means for your business, please do not hesitate to get in touch with a member of the Cooley team listed below.

CFTC Issues No-Action Relief to Self-Custodial Crypto-Wallet Application

Wed, 08 Apr 2026 07:00:00 Z

On March 17, 2026, the Market Participants Division (MPD) of the US Commodity Futures Trading Commission (CFTC) issued a no-action letter to Phantom Technologies, a self-custodial crypto-wallet software company, recommending that the CFTC should not take enforcement action against Phantom for failing to register as an introducing broker (IB) under Section 4d(g) of the Commodity Exchange Act (CEA), or for certain of its personnel failing to register as associated persons (APs) under Section 4k of the CEA (no-action relief).

Phantom’s proposed activities

Phantom has developed one of the most popular self-custodial crypto-wallets for use on Solana and several other major blockchains. Phantom’s software enables users to generate and manage cryptographic credentials for viewing, storing and conducting self-directed crypto transactions. In a request letter to the CFTC, Phantom proposed to offer a front-end interface that enables users to access trading in CFTC-regulated derivatives, including event contracts, perpetual contracts, on registered designated contract markets (DCMs) or through registered futures commission merchants (FCMs) or IBs (collectively, collaborators). Phantom does not hold, control or custody user assets, generate express “buy” or “sell” signals, or exercise discretion with respect to the routing or execution of user orders. It merely provides software on the user’s mobile device or via a browser extension to enable users to transmit their orders directly to the collaborators. Phantom may receive a portion of the revenue of the collaborators and may also charge a transaction-based fee to users.

Registration requirement for introducing brokers

Under Section 4d(g) of the CEA, any person that, for compensation or profit, is engaged in soliciting or accepting orders for the purchase or sale of, among other financial products, any commodity for future delivery, is required to be registered as an IB with the CFTC. The phrase “soliciting or accepting orders” has been interpreted broadly to encompass solicitation of customers or acceptance of their orders for referral to FCMs for the execution of those orders. In addition, any individual associated with an IB as a partner, officer, employee or agent (or similar status) involved in solicitation or acceptance of customers’ orders (other than in a clerical capacity) or the supervision of persons so engaged is required to be registered as an associated person of the IB.

Prior CFTC staff letters had established that certain independent software vendors (ISVs) need not register as IBs, subject to specified requirements. Phantom’s proposed activities satisfy most of the conditions set out in those prior letters but depart in two key respects. First, Phantom would recommend, propose or encourage its users to use particular collaborators; and second, Phantom might contract with those collaborators to share a specified portion of their relevant revenues in exchange for Phantom providing its software to the collaborators’ users. Phantom therefore sought no-action relief.

Conditions for no-action relief

The CFTC granted the no-action relief to Phantom subject to the following conditions:

Collaborator liability undertaking

Phantom and each collaborator execute a written undertaking to be jointly and severally liable for any violations of the CEA or CFTC regulations in connection with Phantom’s proposed activities and to consent to the jurisdiction of the CFTC for relevant enforcement actions. Such undertakings shall be filed with the MPD.

User onboarding and disclosures

Phantom provides and each user acknowledges receipt of:
- Disclosures regarding Phantom’s relationship with the collaborators, addressing potential conflicts of interest (including fees).
- A risk disclosure statement meeting specific requirements for the relevant trading activities, unless such risk disclosure statement has been provided by the collaborator.
Users are onboarded with the collaborator and retain the ability to access the collaborator independently of Phantom.

Business conduct and notifications to the CFTC

Phantom adopts and enforces policies and procedures reasonably designed to ensure compliance with applicable CFTC and National Futures Association (NFA) rules regarding communications with the public and marketing as if Phantom were registered as an IB.
Phantom does not engage in advertising or promotions that would require preapproval by NFA if Phantom were registered as an IB.
Phantom, its principals and any individual engaged in soliciting users as part of the proposed activities are not subject to certain statutory disqualifications under the CEA. Phantom shall promptly notify the MPD of the relevant facts should any such person become subject to statutory disqualification.
Phantom provides notice to the MPD if it becomes insolvent or enters a bankruptcy proceeding.
Phantom maintains records regarding its compliance with these conditions and its business involving CFTC-regulated activity.
Phantom files a notice with the MPD agreeing to satisfy these conditions and consenting to be subject to the CFTC’s jurisdiction for related enforcement actions.

Key takeaways

The no-action relief opens the door for the development of “super apps” that allow users to access multiple trading venues through a single software application. For noncustodial crypto-wallet providers considering entry into CFTC-regulated derivatives markets, the no-action relief provides a useful pathway of entry without being subject to IB registration and ongoing compliance obligations. The CFTC’s relief builds on the reasoning in SEC v. Coinbase, Inc., No. 23 Civ. 4738 (KPF) (SDNY Mar. 27, 2024), in which Judge Katherine Polk Failla of the US District Court for the Southern District of New York dismissed the Securities and Exchange Commission’s claim that Coinbase acted as an unregistered securities broker through its self-custodial Coinbase Wallet application. Judge Failla found that the factual allegations concerning Coinbase Wallet were insufficient to support the plausible inference that Coinbase “engaged in the business of effecting transactions in securities for the account of others” through its wallet application, noting in particular that Coinbase does not maintain custody over user assets and does not exercise discretion over the routing or execution of transactions, and that the provision of pricing comparisons and access to third-party decentralized exchanges does not rise to the level of brokerage activity. Taken together with the CFTC’s no-action relief, noncustodial wallet providers now have meaningful guidance under both the commodities and securities regulatory frameworks that the provision of self-custodial software infrastructure facilitating user-directed access to trading venues may not, without more, constitute broker activity requiring registration.
In granting the no-action relief, the CFTC emphasized Phantom’s passive involvement in order submission. Noncustodial software providers seeking similar relief should ensure that their platforms do not generate express “buy” or “sell” signals or exercise discretion with respect to the routing or execution of user orders, and that users will continue to have direct access to collaborating DCMs, FCMs or IBs.
In addition, noncustodial software providers seeking similar relief should proactively update user agreements and conflict-of-interest and risk disclosures, implement internal policies regarding marketing and public communications, and include appropriate liability undertakings when negotiating collaboration arrangements with DCMs, FCMs and IBs.
Lastly, it is worth noting that, in addition to a transaction-based fee to be paid by users, the no-action relief allows Phantom to receive a portion of the revenue from the collaborators, so long as Phantom’s relationship with the collaborators, potential conflicts of interest and fees are adequately disclosed.

Is FDA Moving the Goalposts on 483 Responses? What the New Draft Guidance Means for Your Company

Mon, 06 Apr 2026 07:00:00 Z

The US Food and Drug Administration (FDA) has issued new draft guidance giving drug manufacturers – for the first time – formal guidance on how the agency expects firms to respond to a Form FDA 483 following a drug current Good Manufacturing Practice (cGMP) inspection. The guidance is broad in scope and applies to both foreign and domestic facilities that manufacture human or animal drugs regulated by the Center for Drug Evaluation and Research (CDER), Center for Biologics Evaluation and Research (CBER) or Center for Veterinary Medicine (CVM), extending to combination-product manufacturers when CDER or CBER is the lead center. Until now, companies have largely relied on experience and institutional knowledge to determine what a “good” response looks like. This draft guidance puts structure around the process, signaling that FDA now expects 483 responses to follow a more consistent structure and be clearly tied to the strength and reliability of a facility’s broader quality system.

FDA also explicitly asks manufacturers to identify the response preparer and, if the preparer is not the company itself, to provide a letter of authorization from the consultant or outside counsel who prepared the response on the manufacturer’s behalf. Moreover, FDA is specific in its requests for large-scale compliance efforts, such as reports covering global pharmacovigilance investigations. In this way, the new guidance articulates what FDA insiders have often advised: FDA wants to see that a company has not only addressed, or is actively addressing, the observations in a 483, but is also fully assessing and correcting any underlying systemic issues.

Recommended practices

The draft guidance highlights several elements FDA views as important for a robust response. Several of these elements relate to format or other logistical requirements – a table of contents, a copy of the 483, identity of the response preparer and letters of authorization if the company retained a consultant or outside counsel. More substantively, FDA recommends an executive summary of all remediation activities followed by a more detailed description of each observation and associated remediation plans, including risk assessments of the observations, detailed investigation reports and signed attachments to support the company’s response.

Disagreements

FDA recommends that companies seek clarification and address disagreements related to scientific or technical issues during an inspection with FDA investigators. If a significant disagreement is not resolved before issuance of the 483, companies should communicate these concerns in their 483 response. Companies will want to describe the contested facts and provide scientific data and supporting information to allow FDA to better evaluate the concern. Moreover, companies should reference applicable laws, regulations and guidance that support their position.

Preliminary results and interim reporting

FDA recommends that, if there are remediation activities that are not complete at the time a company submits its response (which is often the case), the company should submit preliminary results with a timeline for completion. Companies should also highlight interim measures put in place until the corrective actions and preventive actions (CAPAs) are complete. FDA expects CAPA plans to be measurable and verifiable, and companies can expect such plans to be evaluated by FDA in a future inspection to ensure the planned actions were effectively implemented.

Importance of timing

The 15-business-day time frame for a 483 response is critical. Although a company is not required to provide a response within this time frame, timely submission improves a company’s likelihood of avoiding a compliance or enforcement action. That said, some corrective actions, particularly those of the holistic nature FDA expects, cannot be accomplished in a 15-day time frame. Moreover, FDA states in the draft guidance that it will not typically delay a regulatory action, such as issuing a warning letter, particularly if FDA observed significant deficiencies concerning product quality or patient safety during the inspection. This leaves companies in the hard position of promising comprehensive corrective actions on a broader scale and wanting to submit complete responses within the 15-day time frame that reflect the actions the company has taken in that time period. In this way, the guidance may not actually achieve FDA’s goals, leaving manufacturers to determine the best strategy for the 483 response in light of their specific timelines for corrective actions.

See the big picture

While the draft guidance clarifies what FDA expects to see in an individual response, it also makes clear that the agency is looking for companies to conduct systemic investigations and assess observations in the context of their overall quality system. Specifically, FDA encourages companies to explain “conditions or systemic issues that led to the observations,” and to include information about “the scope of the issue, effect on other drugs, and whether the observation is an isolated incident or is systemic in nature.” Put simply, FDA wants to understand whether a finding reflects a one off problem or evidence of a broader breakdown. The guidance also notes that firm management plays an important role in ensuring the quality system can support this kind of evaluation and in maintaining the overall effectiveness of the system.

Manufacturers should be prepared for FDA to continue to take a broad view of their operations as it evaluates the response. FDA will consider not only the observation itself, but also what the company’s assessment and supporting information reveal about the strength and effectiveness of its quality system.

Practical concerns

The guidance raises some practical concerns that may warrant submission of comments for the agency’s consideration. For example, as discussed above, the tension between the 15-business-day response window and the breadth of information FDA expects in the initial response, coupled with the agency’s position that it will not ordinarily delay regulatory action to review late-submitted responses, could disadvantage many small and mid-size companies. Although the guidance encourages interim reporting, it does not expressly commit FDA to consider such submissions in its enforcement decision-making. This dynamic could encourage companies to rush comprehensive investigations to avoid having their assessments and corrective actions disregarded.

Bottom line: Companies should continue to prioritize submitting as comprehensive a response as possible within the 15-business-day window. A timely, well-organized submission that acknowledges ongoing remediation efforts can demonstrate good faith and may position a company more favorably if FDA initiates further enforcement action. This is particularly important in the context of more serious enforcement tools, such as injunctions. To obtain injunctive relief, FDA must show, among other things, a likelihood of recurring violations, and that the company is unwilling or unable to comply with the law. A company’s documented efforts to investigate and remediate 483 observations –including interim reports and CAPA implementation timelines – may be directly relevant to that analysis and could undermine FDA’s ability to satisfy this standard. In addition, the guidance appears to take an expansive view of quality investigation requirements. It recommends that companies prepare an investigation plan that includes a detailed protocol and methodology, a scientifically justified and risk-based scope, and justification for excluding any part of an establishment’s operations from the investigation.

These recommendations – together with the guidance’s recommendation that a comprehensive investigation plan be prepared to address FDA’s 483 observations by including identification of any related trends, linking any connected FDA 483 observations, assessing risks and analyzing root cause – appear to go beyond what is currently required under existing regulations. Thus, this particular area seems to merit industry comments, as the guidance’s detailed recommendations concerning the form and substance of the 483 response may set a higher bar than current regulations warrant.

Looking ahead

In short, while the draft guidance provides a helpful framework,¹ it leaves important questions unanswered, including the role of interim submissions and how FDA will weigh ongoing remediation efforts in its enforcement decision-making.

The Cooley team, including former FDA enforcement attorneys, is available to help you assess how this draft guidance may affect your operations and prepare for evolving FDA expectations. FDA is accepting public comments on the draft guidance through May 8, 2026, and submitting by that date will ensure your feedback is considered as the agency works on the final guidance. Please reach out with any questions or if you would like assistance preparing comments.

Note

This draft guidance does not apply to medical devices and, thus, device companies should continue to follow 21 CFR Part 820 and related guidance concerning device inspections. However, some key points from the draft guidance, including the importance of submitting a 483 response within 15 business days and developing comprehensive, risk-based CAPA plans with root-cause analysis, provide useful guidance for device firms as well.

New York’s Frontier AI Law Gets a California Makeover – With Some Key Differences

Wed, 01 Apr 2026 15:31:00 Z

New York is joining California in regulating the most advanced forms of artificial intelligence – frontier models – and creating a state-led US AI regulatory approach in the absence of federal legislation. On March 27, 2026, Gov. Kathy Hochul signed an amended version of the Responsible AI Safety and Education (RAISE) Act, substantially overhauling the original law she signed in December 2025. The result closely tracks California’s Transparency in Frontier Artificial Intelligence Act (TFAIA) in many respects but diverges in a few important ways.

Hochul signed the original RAISE Act with an approval memo flagging concerns and conditioning her signature on an agreement with lawmakers to adopt chapter amendments in 2026. Those amendments are now law. Most changes align the RAISE Act with the TFAIA, which took effect January 1, 2026, as the first state law requiring standardized safety and transparency disclosures from frontier model developers. But the amended RAISE Act also makes important additions related to incident response, ownership disclosures, penalties and regulatory oversight.

These state laws are emerging as the federal government considers its own AI regulation. As we discussed on March 25, the White House is urging Congress to preempt state AI laws, which could have an impact on the RAISE Act and the TFAIA. However, until Congress or courts act, both laws remain in force, and frontier AI companies should ensure their compliance programs are prepared.

Below, we outline the most notable changes in the amended RAISE Act and where those changes align with or diverge from the TFAIA.

Notable RAISE Act changes aligning with the TFAIA

New framework and transparency requirements

The amended RAISE Act replaces the original law’s requirement to publish and maintain a “safety and security protocol,” with a new obligation to publish a “frontier AI framework” – the same term used in the TFAIA. Under the original RAISE Act, the safety and security protocol had to specify protections to reduce the risk of “critical harm,” describe cybersecurity measures, detail testing procedures, and designate senior compliance personnel. The amended law instead requires large frontier developers to publish a frontier AI framework describing how the developer handles “catastrophic risk” thresholds, mitigations, third-party evaluations, cybersecurity practices, critical safety incidents, and internal governance. These framework requirements, including the defined term “catastrophic risk,” are copied from the TFAIA.

The amended RAISE Act introduces a transparency report requirement that has no counterpart in the original law and mirrors the TFAIA. Before or concurrently with deploying a new frontier model or a substantially modified version of an existing one, frontier developers must publish a report disclosing the model’s release date, supported languages, output modalities, intended uses, and any restrictions on use. Large frontier developers must additionally include summaries of catastrophic risk assessments and the extent of third-party evaluator involvement. In the industry, these reports are often referred to as model cards.

Dropped audit requirement

The original RAISE Act required large developers to annually retain a third party to perform an independent compliance audit and publish a redacted version of the resulting report. The amended law dropped this audit requirement entirely, aligning with the TFAIA, which contains no audit mandate.

Deployment restriction removed

The original RAISE Act prohibited large developers from deploying a frontier model if doing so would “create an unreasonable risk of critical harm.” The amended law removes this prohibition. Like the TFAIA, the amended RAISE Act focuses on transparency and reporting rather than imposing prescriptive deployment restrictions.

Revised definitions for key terms

The amended RAISE Act overhauls several key definitions. The original law’s “critical harm” threshold meant death or serious injury of 100 or more people or at least $1 billion in damages arising from specific types of frontier model conduct related to chemical, biological, radiological or nuclear (CBRN) weapons or autonomous conduct. In the amended law, this term is replaced by “catastrophic risk,” which is defined as a foreseeable and material risk of death or serious injury to more than 50 people or more than $1 billion in damage. In addition, the “catastrophic risk” definition relies on the same general categories of model conduct but revises the language to specify harm from a single incident involving a frontier model providing expert-level CBRN weapon assistance, engaging in specified criminal conduct without meaningful human oversight, or evading developer or user control. This definition of “catastrophic risk” is also found in the TFAIA.

The amended RAISE Act also revises which companies are covered. The original law defined “large developers” by compute cost, meaning those spending more than $5 million on a single frontier model and more than $100 million in aggregate. The amended version instead covers “large frontier developers,” defined – as in the TFAIA – that, together with their affiliates, had annual gross revenues exceeding $500 million in the preceding calendar year.

The amended RAISE Act also changed the definition of “frontier model,” tracking California’s approach. The original RAISE Act captured any AI model trained using more than 10²⁶ computational operations and costing more than $100 million in compute, or any model derived through knowledge distillation from a frontier model. The amended law removed both the dollar-cost threshold and the knowledge distillation prong, leaving in its place the compute threshold for the most advanced, emerging models. Under the amended law, a “frontier model” is now a “foundation model” trained using computing power of more than 10²⁶ operations, which includes “any subsequent fine-tuning, reinforcement learning, or other material modifications.” That definition is lifted nearly verbatim from California’s TFAIA. For developers, the explicit inclusion of fine-tuning and reinforcement learning runs in the compute count means post-training modifications could push a model across the threshold even if the original pre-training run did not.

Catastrophic risk assessment submissions

The amended RAISE Act adds a requirement for large frontier developers to transmit summaries of catastrophic risk assessments from internal use of their frontier models to the regulator every three months or on another reasonable schedule agreed upon with the regulator. This matches the TFAIA’s requirements.

Federal reciprocity for incident reporting

The amended RAISE Act introduces a federal reciprocity provision permitting frontier developers to satisfy the law’s “critical safety incident” reporting requirements by complying with federal laws, regulations, or guidance documents that impose “substantially equivalent” or stricter standards, as designated by the New York regulator. Developers electing the reciprocity path must send copies of any federal incident reports to the New York regulator concurrently. This mechanism mirrors the TFAIA’s approach.

Notable RAISE Act changes diverging from the TFAIA

Reduction of monetary penalties

The amended RAISE Act reduces maximum civil penalties from the original law’s $10 million for a first violation and $30 million for subsequent violations to $1 million and $3 million, respectively. While this is a significant reduction, the RAISE Act still permits higher penalties than the TFAIA, which caps all violations at $1 million per violation, regardless of whether it is a first or subsequent offense.

Removal of frontier-specific whistleblower and employee protections

The original RAISE Act contained a dedicated section protecting employees, including contractors, subcontractors, and corporate officers, from retaliation for reporting safety concerns to the developer or the New York attorney general. The amended law removes this section entirely. This is a notable departure from the TFAIA, which includes frontier-specific whistleblower protections, prohibiting frontier developers from retaliating against covered employees who disclose information about catastrophic risks or TFAIA violations, and requiring large frontier developers to maintain an anonymous internal reporting process.

Shorter incident reporting timelines

The amended RAISE Act retains the original version’s 72-hour window for reporting critical safety incidents but adds a 24-hour reporting requirement for incidents posing an “imminent risk of death or serious physical injury.” The RAISE Act’s 72-hour baseline is significantly shorter than the TFAIA’s, which provides a longer baseline window of 15 days for critical safety incident reports. However, the TFAIA also requires 24-hour disclosure for incidents posing imminent risk of death or serious physical injury.

New large frontier developer disclosure requirement

The amended RAISE Act adds a “large frontier developer disclosure” provision with no parallel in the TFAIA. Under the RAISE Act, large frontier developers may not develop, deploy or operate a frontier model in New York without filing a current disclosure statement with the regulator and paying a required assessment. Disclosure statements must be renewed at least every two years and identify the developer’s corporate names, New York addresses, certain beneficial owners, and designated points of contact. Large frontier developers will also be required to pay a fee to defray the regulator’s operating expenses. The regulator is required to publish a list of developers who file disclosure statements.

New effective date

The amended RAISE Act takes effect on January 1, 2027, which is one year after the TFAIA’s effective date of January 1, 2026. This gives frontier developers additional time to prepare for compliance in New York, though companies already subject to the TFAIA will have had a year of experience with substantially similar requirements.

Oversight shift and rulemaking authority

The amended RAISE Act shifts regulatory oversight from the New York Division of Homeland Security and Emergency Services to a new office within the New York Department of Financial Services (DFS Office). The DFS Office will receive disclosures, incident reports and catastrophic risk assessment summaries, with authority to share reports with other governmental entities, including the New York attorney general. The amended law also grants the DFS Office broad rulemaking authority to implement the law, including the power to consider “additional reporting or publication requirements.” DFS already oversees a range of cybersecurity matters, including experience with cyber incident reporting for covered entities, and is an active regulator. The TFAIA does not have a similar grant of rulemaking authority to the administrating agency.

Territorial scope

The RAISE Act is explicitly limited to frontier models “developed, deployed, or operating in whole or in part in New York state.” The TFAIA contains no express territorial limitation. California courts generally apply a presumption against extraterritoriality of state law.

Academic exemptions

The RAISE Act exempts accredited colleges and universities in New York engaged in academic research, as well as the Empire AI consortium, a public-private AI research partnership. The TFAIA contains no comparable exemptions for academic institutions.

Key takeaways

The amended RAISE Act signals a meaningful convergence with California on how to regulate frontier AI, aligning two of the country’s largest and most influential state economies in the absence of federal legislation. Companies developing or deploying frontier models may consider several practical implications.

First, the substantial alignment between the RAISE Act and the TFAIA suggests that a harmonized compliance approach is feasible, but developers must account for key differences. In particular, the RAISE Act includes shorter incident reporting timelines, higher penalty ceilings for repeat violations, and new ownership disclosure requirements, and the DFS Office’s rulemaking authority may introduce further distinctions.
Second, while the RAISE Act primarily targets developers, companies that fine-tune, retrain or otherwise materially modify frontier models should assess whether those activities bring them within the law’s scope.
Finally, with the White House urging AI legislation to preempt state laws, companies should maintain compliance with existing state laws while closely monitoring developments in Washington that could reshape the regulatory landscape.

Supreme Court Confirms Limits on Contributory Liability for Copyright Infringement

Fri, 27 Mar 2026 18:59:00 Z

On March 25, 2026, in a unanimous decision, the US Supreme Court held that an internet service provider (ISP) was not contributorily liable for copyright infringement committed by its subscribers. Under the Supreme Court’s ruling, the intent required for contributory liability can be shown only if the service provider induced the infringement, or the provided service is tailored to that infringement. Justice Clarence Thomas penned the majority opinion in Cox Communications, Inc., et al., v. Sony Music Entertainment et al., 607 US ___ (2026). Justice Sonia Sotomayor filed the concurrence, which Justice Ketanji Brown Jackson joined.

Background of the dispute

Cox Communications is an ISP that serves millions of subscribers. In 2018, Sony and other copyright owners brought suit against Cox and its subsidiary for copyright infringement on the theory that ISPs are secondarily liable – including under theories of both contributory and vicarious infringement – for internet users using an ISP’s internet services to illegally reproduce and download copyrighted works.

Over a two-year period, Cox received notice of 163,148 incidents of infringement and implemented its 13-warning plan for each, but ultimately terminated only 32 subscribers’ accounts. Sony argued that this showed Cox was contributorily liable because it continued to provide internet services to subscribers it knew were infringing. Sony also contended that Cox was vicariously liable for the infringement because the ISP had a right and ability to supervise the infringers, and it financially benefitted from the acts of infringement.

Cox countered that the knowledge an ISP has about its users and their individual activities is limited. This is because, although ISPs assign an Internet Protocol (IP) address to each user’s account, a single IP address may cover a house, coffee shop, university or geographic region. It is therefore difficult to ascribe an activity to a particular user of an IP address, even if the ISP is aware of the IP address where infringement is occurring. Cox also argued that its users contractually agreed to not use its services for infringement purposes, and that it merely provided a service for which a substantial number of uses are non-infringing. There was no evidence that Cox had advertised the ability to infringe via its services.

After a trial in the US District Court for the Eastern District of Virginia, the jury found in favor of Sony on both contributory and vicarious liability. It also found that Cox’s infringement was willful and awarded Sony $1 billion in statutory damages. The district court denied Cox’s post-trial motion for judgment as a matter of law.

Cox appealed to the US Court of Appeals for the Fourth Circuit, where the court affirmed the ruling in part, finding Cox was contributorily liable for continuing to provide internet to known infringers. The Fourth Circuit reversed the vicarious liability finding because Cox did not financially benefit directly from the infringement, vacated the damages award and remanded for the jury to reassess damages based on contributory liability alone.

Both sides petitioned the Supreme Court for review. The Supreme Court granted Cox’s petition concerning contributory liability but denied Sony’s petition concerning vicarious liability.

Earlier cases on contributory liability

Unlike the Patent Act, the Copyright Act does not include a provision for contributory infringement (i.e., liability for infringement committed by another). Nevertheless, the Supreme Court has recognized the doctrine of contributory liability in the copyright context on multiple occasions.

In Sony Corp. of America v. Universal City Studios, Inc., 464 US 417 (1984), the Supreme Court found Sony was not contributorily liable for selling Betamax videotape recorders, which many consumers were using to create infringing copies of copyrighted works. The Supreme Court held that the sale of copying equipment, like the sale of other articles of commerce, does not constitute contributory infringement if the product is widely used for legitimate, unobjectionable purposes. The Betamax machines were capable of substantial non-infringing uses, and the sale of such equipment to the general public therefore did not constitute contributory infringement of the respondents’ copyrights.

More recently, in MGM Studios, Inc. v. Grokster, Ltd., 545 US 913 (2005), the Supreme Court found that peer-to-peer file sharing companies could be contributorily liable for inducing copyright infringers in the context of distribution of a device with the object of promoting its use to infringe copyright, as shown by clear expression or other affirmative steps taken to foster infringement.

In the wake of these Supreme Court decisions, some courts went a step further. For example, the US Court of Appeals for the Ninth Circuit held that, in the online context, a “computer system operator” is liable under a “material contribution theory of infringement ‘if it has actual knowledge that specific infringing material is available using its system, and can take simple measures to prevent further damage to copyrighted works, yet continues to provide access to infringing works’” (Perfect 10, Inc. v. Giganews, Inc., 847 F.3d 657, 671 (9th Cir. 2017)).

The Cox decision

The Supreme Court sided with Cox, holding that a service provider is contributorily liable for a service user’s infringement only if it induced the infringement or provided a service tailored to the infringement. Citing Grokster, the Supreme Court clarified that a service is tailored to infringement if it is not capable of “substantial” or “commercially significant” non-infringing uses. In doing so, the Supreme Court reinforced its long-standing precedent that service providers cannot be held liable for copyright infringement merely because they have knowledge that some users will exploit their service for that purpose. Here, the Supreme Court observed, Cox did not induce or encourage its subscribers to infringe, and in fact it repeatedly discouraged copyright infringement by users. While the case will be remanded, the Supreme Court has effectively put an end to Sony’s bid to revive its $1 billion award.

In reversing the Fourth Circuit’s ruling on contributory liability and remanding, the Supreme Court also confirmed that the Digital Millennium Copyright Act (DMCA) does not create liability for ISPs that continue to provide services to known infringers; rather, terminating repeat infringers to qualify for the DMCA safe harbor merely gives rise to a defense on which service providers can rely. Failure to comply with the DMCA safe harbor provisions does not itself create a basis for liability.

In the concurrence, Justice Sotomayor criticized the majority’s decision for limiting common law doctrines that she would have left open as possible theories of liability, like aiding and abetting. However, Justice Sotomayor concurred in the decision because Sony could not prove that Cox had the requisite intent to be liable on a common law aiding-and-abetting theory under the facts of this case.

Significance

This case is a significant win for ISPs and other service providers that may face copyright claims relating to the actions of their users. The Supreme Court’s decision confirms limits on contributory liability in the copyright context. To the extent that other theories of contributory liability had begun to emerge in the lower courts, whether under a “material contribution” theory or other common law theories, the Cox decision rejects such expansion of the doctrine of contributory infringement. However, service providers should continue to manage risk by maintaining reasonable policies and avoiding the paths to contributory liability left open by the Supreme Court’s decision.

Fifth Circuit Holds FTC Adjudication of Deceptive Advertising Claims Is Unconstitutional

Fri, 27 Mar 2026 07:00:00 Z

On March 20, 2026, the US Court of Appeals for the Fifth Circuit delivered a major decision in Intuit, Inc. v. FTC, holding that the Federal Trade Commission’s internal administrative adjudication of deceptive advertising claims violates the constitutional separation of powers. By vacating a 20-year cease-and-desist order against Intuit over its TurboTax “Free Edition” marketing, the Fifth Circuit has fundamentally disrupted the FTC’s enforcement playbook in that circuit.

This decision has important implications for the agency’s ability to obtain monetary relief and signals a potential shift in how the FTC will undertake its enforcement mission.

Background: The shadow of AMG

For decades, the FTC routinely used Section 13(b) of the FTC Act to go directly to federal court to obtain equitable monetary relief (like restitution and disgorgement). The US Supreme Court’s 2021 decision in AMG Capital Management, LLC v. FTC definitively stripped the FTC of this power, ruling that Section 13(b) only allows for injunctions, not monetary awards.

Post-AMG, the FTC was forced to rely on an arduous workaround to obtain money in most scenarios: Section 19 of the FTC Act. This required a two-step process. First, the FTC had to successfully sue a company in its own in-house administrative court to obtain a final cease-and-desist order. Then, the agency had to take that administrative order to federal court and prove the conduct was of a kind that a reasonable person would have known under the circumstances was dishonest or fraudulent, in order to secure monetary redress.

The holding

In Intuit, the Fifth Circuit essentially dismantled step one of that Section 19 workaround for deceptive advertising claims. Relying heavily on the Supreme Court’s recent decision in SEC v. Jarkesy, which held that the Securities and Exchange Commission’s use of administrative tribunals for fraud claims violated the Seventh Amendment right to a jury trial, the Fifth Circuit applied the same logic to the FTC. The court concluded that deceptive advertising claims under Section 5 of the FTC Act closely mirror the common law torts of fraud and deceit. Because these claims implicate traditional “private rights” rather than “public rights,” the Constitution requires them to be adjudicated in an Article III federal court, not by an in-house administrative law judge (ALJ).¹

Narrowing the path to monetary relief

This ruling is a major development because it effectively forecloses the FTC’s primary pathway to obtaining monetary relief in the Fifth Circuit for deceptive advertising practices in cases where:

No specific statute or trade regulation rule independently authorizes monetary remedies.
The company lacked actual knowledge that its conduct was unfair or deceptive (precluding civil penalties under Section 5(m)(1)(B)).
The FTC must therefore rely on the Section 19 administrative-order-first process to reach monetary redress.

If the FTC cannot constitutionally adjudicate deceptive advertising claims in its own administrative courts, it cannot secure the foundational administrative cease-and-desist order required to trigger Section 19. Without that order, the FTC cannot go to federal court for monetary redress in these cases in the Fifth Circuit.

The FTC’s remaining options

Because the administrative route to create new orders is now constitutionally suspect – at least in the Fifth Circuit – for deceptive advertising, the FTC will likely lean into alternative avenues to maintain its ability to obtain money through enforcement. We anticipate the agency will explore several strategic workarounds:

Aggressive enforcement of specific statutes and rules

The FTC will likely double down on enforcing specific federal statutes and their implementing regulations, such as the Children’s Online Privacy Protection Act (COPPA), the Restore Online Shoppers’ Confidence Act (ROSCA) and trade regulation rules. Violations of these statutes and rules allow the agency to seek civil penalties and consumer redress directly in federal district court, circumventing the administrative adjudication process entirely.

A surge in ‘Notices of Penalty Offenses’

Under Section 5(m)(1)(B), the FTC can seek civil penalties directly in federal court if a company engages in conduct it knows has been condemned in prior FTC administrative orders. By sending out “Notices of Penalty Offenses” – which attach older, finalized administrative decisions to hundreds of companies – the FTC can attempt to establish the requisite “actual knowledge” to seek monetary penalties. The FTC has used this mechanism in the past to enhance its ability to obtain monetary penalties for specific types of deceptive practices, such as unsubstantiated “Made in the USA” labeling claims, deceptive claims about money-making opportunities, unsupported claims about job placement rates for graduates of for-profit universities, deceptive endorsements and testimonials, and unfair practices related to commercial surveillance and data security. Expect the FTC to consider expanding its use of this tool.

A narrow reading of ‘advertising’

The Fifth Circuit specifically addressed “deceptive advertising,” but the FTC regulates an array of deceptive conduct. The decision leaves open whether general misrepresentations – for example, in a company's privacy policy – constitute “advertising" subject to the ruling. Where such a statement is designed to induce a consumer to use a service, it closely resembles common law fraud and likely falls into the Jarkesy “private rights” bucket, barring administrative adjudication. However, expect the FTC to argue that misstatements in privacy or data security disclosures are not advertising and distinct from common law deceit.

Pivoting to ‘unfairness’ claims

Section 5 prohibits both “deceptive” and “unfair” acts. While the court found deception has a common law analogue in fraud, “unfairness” (defined as practices causing substantial, unavoidable consumer injury not outweighed by benefits) is arguably a modern regulatory construct without a direct common law twin. The FTC may attempt to pivot to unfairness claims, arguing these implicate “public rights” and therefore survive the Jarkesy framework.

Coordination with state regulators

State attorneys general wield broad authority under state-level “little FTC Acts” – unfair or deceptive acts or practices (UDAP laws) – to seek monetary relief, including restitution and civil penalties, directly in state or federal court. With its own administrative avenues for monetary relief restricted in the Fifth Circuit, the FTC could increase its collaboration with state attorneys general, resulting in more joint enforcement actions or direct referrals to state authorities to ensure financial consequences for deceptive conduct.

The FTC retains its authority under Section 13(b) to go directly to federal court to seek preliminary and permanent injunctions. However, this power is statutorily limited. Section 13(b) only applies when the agency has reason to believe a company “is violating, or is about to violate” the law. The FTC can use this direct-to-court avenue to halt ongoing or imminent harm, but it cannot use it to pursue companies for purely past conduct that has already ceased, nor can it use this avenue to extract monetary settlements.

Echoes of AMG and looming circuit splits

The genesis of this decision strongly mirrors how the AMG decision came about. For nearly 40 years, appellate courts universally accepted the FTC’s Section 13(b) monetary authority – until the Seventh Circuit broke from that consensus, creating a circuit split that the Supreme Court ultimately resolved against the agency.

We are likely to witness a similar trajectory regarding the FTC’s administrative adjudication. Companies currently facing FTC administrative proceedings (whether for data privacy, dark patterns or false advertising) will quickly assert this Article III defense. As these cases are appealed to the DC, Ninth or other circuits, the potential for a circuit split is high, making this an issue ripe for Supreme Court review.

The concurrence: A roadmap for constitutional attack

Going further than the majority, the concurrence broadly questioned the fundamental constitutionality of the FTC itself. Specifically, Judge James Ho questioned whether the combination of legislative (rulemaking), executive (enforcement) and judicial (adjudication) powers in a single agency is consistent with the separation of powers principles embedded in the Constitution. His opinion serves as an open invitation for future litigants to mount existential structural challenges against the agency.

What you need to know now

The Intuit decision is a major strategic victory for targets of FTC investigations. Companies facing FTC scrutiny should reassess their litigation leverage, as the agency’s threat of a grueling, yearslong administrative proceeding just lost significant credibility – at least in the Fifth Circuit. However, companies should also brace for FTC counter-maneuvers, including a heavier reliance on rulemaking, unfairness claims, characterization of deceptive practices as violations of rules or statutes, Notices of Penalty Offenses and more coordinated enforcement with state partners.

If you have questions about how this decision impacts your business or your interactions with the FTC, please reach out to the Cooley lawyers listed below.

Note

While the FTC’s Rules of Practice technically permit the FTC itself, or individual commissioners, to preside over adjudicative hearings instead of an ALJ (16 CFR § 3.42), using this mechanism would almost certainly face the exact same constitutional defect. The Fifth Circuit’s ruling is rooted in the requirement for an Article III court and a jury trial for “private rights” claims; keeping the adjudication within the executive branch, regardless of who presides, fails to cure this violation.

Lessons From the Skies for Executive Compensation Programs

Fri, 27 Mar 2026 07:00:00 Z

As seasoned pilots know, a downward spiral often starts gradually, almost imperceptibly, unless you heed the early warning signs. If those signs are missed or ignored, trouble compounds. It’s often tough to know whether you’re really in a spiral until it starts to tighten, and at some point – sometimes seemingly suddenly – breaking free may no longer be possible.

So, you’re thinking, what does that have to do with the design and administration of executive compensation programs? Although the nexus is perhaps not immediately obvious, the hard lessons from the sky have something to teach us.

Unfortunately, unlike pilots with instruments tailored to reveal an incipient spiral, those responsible for making decisions about executive compensation programs don’t have specialized tools that can reliably identify external factors that could cause the program to misfire and fail to achieve its intended purpose. Most commonly those external factors relate to the broader macroeconomic climate – for instance, the 2008 financial crisis or, more recently, the COVID-19 pandemic. The volatility caused by financial or geopolitical shocks can easily disrupt compensation programs, leading them to a spiral toward dysfunction – for example, because of unanticipated swings in equity value or the depletion of cash reserves.

So is a spiral for compensation programs tightening? No one knows of course. The only thing that’s certain is that something will happen, even if that something is simply not much of anything. That realization will cause its own reckoning.

The lesson for executive compensation programs is to be prepared for the uncertainty and whatever may (or may not) come out of it. The playbook for that preparation is becoming well-worn, but it’s worth reviewing, particularly with the incentive award season in full swing.

As a refresher, some levers to keep at the ready are briefly described below along with some related considerations brought to the fore by volatility and its attendant uncertainty. Which levers to pull, if any, is a balancing act because compensation decision-makers (be that the board, compensation committee or a manager) must always remain focused on providing properly calibrated incentives with appropriate performance metrics and a reasonable assessment of performance against those metrics after taking volatility impacts into account among all other relevant factors. In a similar vein, compensation decision-makers need to be sensitive to how hard they pull on the levers to avoid overcorrection and ensure that the action is narrowly and otherwise appropriately tailored to the circumstances.

1. Consider the availability of company discretion to determine whether corporate or individual performance targets are met.

Companies may need to rely on, or build in more, discretion within their bonus plans or performance-based equity awards to provide flexibility to address volatility. Treatment of currently active compensation programs will differ from planning for programs that have not yet been established, because existing programs may have been established with limited flexibility in that regard. In any event, any actual use of discretion can risk adverse stockholder or proxy advisory firm reaction, particularly if the rationale for its use is not well articulated to stakeholders. It’s worth bearing in mind that when to exercise discretion – during a performance period or upon its completion – can sometimes be just as important as how it’s exercised.

2. Consider using stock price averages to determine the number of shares subject to incentive equity awards.

The impact of stock price fluctuations and market volatility can be reduced by using a trailing average stock price when determining the number of shares subject to an equity incentive award. For public companies, because the value shown for an award in the executive compensation table pursuant to Securities and Exchange Commission rules may differ from the award value communicated to executives based on the trailing average price, expectations may need to be managed. Stock price fluctuations can create especially acute problems when periodic share grants are denominated by a share number rather than dollar value, as is sometimes the case with director compensation programs – though of course a converse issue is that stock price declines can exhaust share reserves more quickly than anticipated where a target value is delivered.

3. Assess adequacy of share reserves.

Companies should confirm the number of shares available under their equity incentive compensation plans, including employee stock purchase plans (ESPPs), if applicable, to ensure that sufficient shares remain available, particularly if there has been a steep drop in price since the share pool was last assessed (or, in the case of an ESPP, since the commencement of the current offering period). Similarly, any individual or aggregate award limits under a plan based on share number may need to be revisited.

4. Preserve company cash if appropriate.

Uncertainty can often strain a company’s cash resources or at least require prudent cash flow management. Companies should consider whether they have the flexibility to settle awards in equity rather than cash, being mindful that doing so can trigger significant securities law, accounting and disclosure consequences. In addition, companies can explore the feasibility of limiting net settlement for exercise price payment or tax withholding purposes, with public companies perhaps providing it only to individuals subject to Section 16 reporting requirements.

5. Consider whether recent events have impacted the company’s 409A valuation.

Private companies should consider whether they may still rely on an Internal Revenue Code Section 409A valuation issued within the past 12 months. If a company’s situation is rapidly changing, it may make sense for the company to briefly pause new stock option grants and obtain a new 409A valuation once there’s more clarity around future developments.

6. Avoid or address underwater stock options.

If a company is concerned about a falling stock price, granting full value awards (e.g., restricted stock units) instead of stock options will avoid underwater options (i.e., options with exercise prices above the current market value). Stock option repricing and exchange programs can be powerful tools in the context of a prolonged market downturn, but they should be carefully considered before implementation.

7. Keep track of vesting and changes in employment status.

Companies anticipating workforce reductions should ensure that records of vested and unvested equity awards at the time of termination are current and accurate. It is also important to keep track of applicable provisions in equity awards that may be implicated when an award holder takes a leave of absence, transitions from full-time to part-time employment status or ceases employment entirely.

8. Reduced services now may have a lasting impact.

Section 409A generally measures a “separation from service” by reference to the average level of services performed by an employee or other service provider over the 36-month period immediately preceding the purported termination of employment or services. Companies maintaining any deferred compensation arrangements subject to Section 409A (which commonly include equity awards granted in the form of restricted stock units) should keep detailed records of any reduced service levels to avoid future disputes or IRS challenges.

* * *

Sometimes the only thing scarier than what’s in the rearview mirror is what you don’t yet know about the road up ahead. Being prepared for whatever you might run into is key to a smoothly and appropriately functioning executive compensation program. Cooley’s compensation and benefits group is ready to help you navigate that road ahead – and safely help pull you out of any spiral along the way.

Global Alliances: Structuring Successful Cross-Border Life Sciences Partnerships

Fri, 27 Mar 2026 00:23:06 Z

Cross-border life sciences partnerships have become one of the most powerful and complex routes to innovation. As deal activity involving Chinese biotech assets accelerates, companies are facing faster timelines, more sophisticated structures, new sources of pricing and regulatory uncertainty – reshaping how these transactions are crafted and executed.

While innovation remains the catalyst, success increasingly depends on execution. Successful companies are adapting quickly: rethinking the way deals are sourced, negotiated and structured to keep up with the evolving realities of the related marketing.

Life sciences leaders pursuing cross-border partnerships in this increasingly complex landscape should keep in mind the below themes when approaching the table:

Cross-border deal activity is accelerating.

There has been a significant improvement in the quality and maturity of assets emerging from China over the past decade, particularly in oncology and biologics. Faster generation of human clinical data and strong scientific execution have made Chinese biotech a compelling source of global partnering opportunities.

Deal timelines are compressing.

Competition for differentiated assets has led to increasingly compressed deal timelines. Parties often move quickly from initial evaluation to exclusivity, with negotiations that once took many months now closing in weeks. While speed can preserve momentum, it puts pressure on diligence and documentation.

Innovation is increasing structural complexity.

Advances in biologics are adding complexity to deal structures. Agreements must now address sophisticated development paths, manufacturing considerations and governance mechanisms tailored to these modalities.

MFN-related uncertainty is reshaping negotiations.

Emerging most-favored-nation (MFN)-style concerns related to pricing and policy have injected new uncertainty into dealmaking. Parties are increasingly negotiating trigger-based adjustments, conditional shifts in control, and financial consequences tied to future regulatory or pricing developments.

Cross‑border life sciences partnerships are no longer the exception – they are a core strategy for accessing innovation. The challenge is building them for resilience: balancing speed with structure, competition with collaboration and short‑term deal pressure with long‑term operational reality.

Preparing for a global alliance and ready to learn more about Cooley’s services? Get in touch with us.

FCC Moves to Prevent New Foreign Routers

Thu, 26 Mar 2026 15:26:45 Z

On March 23, 2026, the FCC’s Public Safety and Homeland Security Bureau took the sweeping step of adding all “routers produced in a foreign country” to the FCC’s Covered List. This action follows a national security determination that these devices –specifically those intended for residential or “small office/home office” use – pose an unacceptable risk to US infrastructure. This action takes effect immediately.

The determination explicitly links foreign-produced routers to recent high-profile cyber campaigns, including Volt Typhoon and Salt Typhoon, which targeted American energy and water systems. By placing these products on the Covered List, the FCC is effectively preventing any new foreign-produced router models from being authorized for sale or marketing in the US.

Products that are on the Covered List cannot receive FCC authorizations; therefore, any routers that were previously approved can continue to be sold in the US, but no new foreign-produced routers can be marketed or sold in the US without a waiver. Companies that produce routers outside the US can seek conditional waivers from the Department of War or Department of Homeland Security (DHS). The FCC also announced an additional waiver that permits previously authorized routers to receive basic software and firmware updates to maintain usability until March 1, 2027. Finally, the FCC released an FAQ with more information about the effect of its action to add foreign-produced routers to the Covered List.

The FCC defined “routers” to mean consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol packets, between networked systems. The FCC also defined “production” broadly to include any significant stage of the process by which the device is made, including manufacturing, assembly, design and development.

This latest action follows several other recent FCC efforts to mitigate perceived undue risks raised by foreign actors. For example, the FCC recently banned drones manufactured outside the US, withdrew recognition from several test labs and implemented stringent disclosure requirements for entities with ties to foreign adversaries.

Practical actions for affected companies

If your company manufactures, distributes or integrates these products, you should consider the following immediate steps:

Audit your roadmap and supply chain

Identify country of origin: Determine exactly where your current router inventory and future pipeline are manufactured. Under the new rule, even “American” brands may be affected if their physical production occurs in a foreign country.
Assess “foreign-produced” models: If only minor assembly of a product happens abroad, you may be able to demonstrate that it should not be on the Covered List.
Identify “previously authorized” models: Confirm which of your foreign-produced models already have an approved FCC ID. These can still be imported and sold.
Pipeline review: Any new models (e.g., upcoming Wi-Fi 7 releases) currently in development abroad will likely be blocked from the U.S. market unless you pivot your manufacturing strategy.

Apply for ‘conditional approval’

The FCC has provided a pathway for exemptions through the Department of War and DHS. To succeed, applicants should be prepared to provide:

A detailed bill of materials and country of origin for all components.
A US manufacturing and onshoring plan that is time-bound and overseen by a dedicated officer.
Quarterly updates on the progress of bringing production to US soil.

Secure your legacy fleet

Take advantage of the FCC Office of Engineering and Technology waiver. This allows previously authorized routers to receive software and firmware updates to mitigate security harms. This waiver is currently set to expire on March 1, 2027. Ensure you have a plan to push security updates to existing foreign-made routers before the waiver window potentially narrows or expires.

Update certifications

Going forward, all applicants for FCC equipment authorization who have a product on the “covered list” will need to self-certify, in good faith, that their device is not “covered equipment.” False certifications could lead to significant legal exposure and the revocation of existing authorizations.

How we can help

The landscape for telecommunications equipment is shifting toward a “buy American” or “produce American” mandate. If you have questions about the conditional approval application process, need assistance analyzing how this action impacts your current inventory or would like to explore legal challenges, please reach out to the Cooley lawyers listed below.

AI Agents and Consumer Law: What Businesses Need to Know

Thu, 26 Mar 2026 15:20:02 Z

What happened?

On 9 March 2026, the Competition and Markets Authority (CMA) published its guidance on Complying with Consumer Law When Using AI Agents (guidance). The guidance arrives as agentic artificial intelligence (AI) is rapidly becoming a fixture of modern business operations, with many companies deploying agentic AI systems in consumer-facing roles – including tools to handle customer queries, process refunds, recommend products and manage marketing campaigns.

As AI systems capable of taking autonomous actions on behalf of a business (such as interacting with customers, making decisions and carrying out tasks in much the same way that a member of staff would), agentic AI tools present opportunities businesses are understandably drawn to. But the CMA’s guidance delivers a key guiding principle for use of AI in deployments facing or affecting consumers: The fact that it is an AI agent, rather than a human, performing these functions does not diminish the business’s obligations under consumer protection law. The same rules apply and businesses need to be prepared.

What does the guidance say?

At its core, the guidance functions as a practical framework that businesses can follow to ensure compliance with consumer law when implementing, deploying and maintaining AI agents. Four principles permeate the CMA’s approach:

Transparency – When deploying a publicly facing AI agent, companies must be transparent with customers about when they are interacting with AI rather than a human.
Compliance by design – Businesses should ensure that the operation of their AI agent has been properly grounded in the relevant consumer rights laws (for example, through fine-tuning its operation and/or through applying guardrails and consumer protection compliance rule sets at the inference layer). The guidance also recommends A/B testing as a means of evaluating whether the AI agent’s grounding is translating into compliant customer interactions.
Human oversight – The guidance is clear that deploying an AI agent is not a “set it and forget it” exercise. Businesses are expected to maintain ongoing human monitoring of their AI agents to ensure they continue to operate as intended and within the law.
Swift remediation – Given the scale at which AI agents can operate (potentially interacting with thousands, if not tens or hundreds of thousands, of customers in a short space of time), the guidance stresses the importance of acting quickly when an AI agent is not performing correctly. The potential for harm to spread rapidly makes a prompt and effective response essential.

Critically, the guidance makes clear that it is the business deploying the AI agent, not the company that designed or trained the underlying model, that bears legal responsibility for any failure to comply with consumer protection laws.

How could AI get it wrong?

UK consumer protection law is set out across multiple pieces of legislation, including, among others:

The Consumer Rights Act 2015
The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013
The Digital Markets, Competition and Consumers Act 2024

These laws cover a range of topics – including, among others, price presentation, discounting practices, marketing claims, unfair contract terms, and returns and refunds. These obligations rely on myriad different legal tests. There are, for example, “banned practices” which are always prohibited, while other types of “misleading actions” require that a consumer made a different “transactional decision” as a result of being misled. In addition, consumers may have different remedies – e.g. in relation to refunds depending on the circumstances of their purchase.

AI agents that fail to operate in a way that effectively navigates this web of regulation properly – e.g. by not discussing unavoidable fees and charges until late into the purchasing process, creating a false sense of urgency through their interactions with a customer or miscalculating a returns deadline – can potentially expose the business that deploys them to significant noncompliance risk. The potential consequences could be severe, with maximum fines of up to 10% of worldwide turnover.

Things businesses should do if considering implementing an AI agent

If a business is considering deploying an AI agent, there are several practical steps it should be taking now.

Confirm that its operations and knowledge set are appropriately grounded in the relevant consumer protection laws (e.g. through fine-tuning its operation, applying guardrails at the inference layer, and ensuring outputs and actions are grounded in a business’s internal compliance standards and policies).
When leveraging third-party AI tooling to power AI agents, do not assume that compliance has been built in – you need to make sure this is in place. Where possible, consider introducing appropriate protections and commitments in the underlying contractual arrangements with the provider.
Conduct extensive prelaunch testing whenever changes are made to the AI agent’s implementation to ensure it continues to interact with customers in a compliant manner. Testing should not be a one-off exercise at launch; it should be an ongoing part of how the agent is managed, supported by a schedule of continuous human review and audit to catch instances of behaviours that expose the company to consumer law noncompliance risk.
Have a remediation strategy ready to deploy if consumer law breaches are identified. Where instances of noncompliant actions are identified, businesses must be able to intervene quickly and effectively. The guidance is explicit that speed matters, although businesses also need to be cognisant that forward-looking remediation is not a cure for or defence against previous breaches.

What’s next?

AI agents may be a new and evolving tool, but the consumer protection obligations that govern their use are well established – and regulators are watching. Businesses that take a proactive approach now, by asking the right questions of their providers, building compliance into their contracts, testing rigorously and maintaining meaningful human oversight, will be best placed to harness the considerable commercial benefits of agentic AI without assuming undue noncompliance risk. Those that fail to do so risk not only significant financial penalties, but reputational damage that could prove costly in the long run.

If you would like to discuss what the guidance means for your business, or how to best implement AI agents in a compliant manner, please do not hesitate to get in touch with a member of the Cooley team listed below.

FCC’s Space Bureau Reassesses Satellite Market Access Reciprocity

Thu, 26 Mar 2026 15:10:10 Z

On March 2, 2026, the Federal Communication Commission’s Space Bureau and Office of International Affairs released a Public Notice seeking comment on whether foreign jurisdictions provide domestic satellite operators with competitive opportunities that are comparable to those given to foreign operators in the domestic market. The FCC is considering the validity of its long-standing presumption that World Trade Organization-licensed satellite systems should be allowed access to domestic markets, due to changes in global regulatory approaches and its growing concern about whether domestic operators face equal treatment abroad.

The Space Bureau underscores how its current framework was built on an assumption from decades ago that trade commitments would allow for competitive satellite markets. In 1997, the FCC allowed non-US-licensed space stations to serve the domestic market, with the intent to provide more opportunities for domestic companies to enter into foreign markets and allow for a market with more global satellite services. By implementing domestic market-opening commitments in the WTO Basic Telecommunications Agreement (BTA), the FCC established a presumption in favor of granting market access to satellite systems that are licensed by WTO members for services that are covered by domestic commitments.

Regarding any satellite systems not covered by the WTO BTA, the FCC required foreign applicants who sought access to domestic markets to demonstrate that domestic-licensed operators have equally competitive opportunities to provide similar services in the relevant foreign markets, such as the country where the satellite was licensed and any country where communications between domestic earth stations will originate or terminate. This presumption required that foreign-licensed satellite operators satisfy the same technical and other applicable requirements that were imposed on domestic operators.

Thirty years after establishment of the presumption, the FCC poses that the international regulatory landscape has changed via various international treaties, thus requiring updates to the satellite framework. The FCC underscores that emerging foreign rules regarding issues such as licensing restrictions, national funding restrictions by foreign entities, fee discrepancies disadvantaging domestic operators, and ownership limits have established more barriers for domestic operators and may thus require closer FCC review of satellite market access reciprocity for foreign and domestic operators.

The FCC is looking to analyze the existing framework for the WTO-based presumption and whether it is still valid, in addition to whether the FCC should adopt more reciprocity rules or an “effective competitive opportunities” test for access to foreign markets. The FCC asks for input on how this assessment might be impacted by foreign treaty obligations, existing trade commitments and current market policies. In addition, the FCC seeks guidance on how to evaluate foreign regulations that negatively impact and disadvantage domestic satellite operators, what evidence can demonstrate that there is direct competitive harm, and how a revised approach should apply to both domestic and foreign operators.

In light of these considerations, the FCC seeks comments from satellite operators and relevant entities regarding the following issues:

Whether there are cases where a presumption is applied, but there is a lack of effective competitive opportunities to provide analogous services in the country where the foreign licensed satellite operator is authorized to provide service.
Whether the FCC should assess these competitive opportunities under a different framework than the one currently held.
Whether a competitive reciprocal opportunities test by the FCC should apply equally to WTO and non-WTO foreign licensed systems.
How this assessment may be guided by obligations under existing trade agreements.

Comments are due by April 1, 2026, and reply comments are due by April 16, 2026. If you have any questions or need assistance in drafting comments, please reach out to one of the Cooley lawyers listed below.

A Tale as Old as 2020: Landmark $2.75 Million CCPA Enforcement

Wed, 25 Mar 2026 20:08:00 Z

The California attorney general recently announced one of the agency’s largest-ever settlement agreements for alleged noncompliance with the California Consumer Privacy Act (CCPA) and alleged deception of consumers about data practices. This enforcement action is borne out of the agency’s 2024 investigative sweep scrutinizing streaming services and provides insights as to the expectations of the California attorney general related to operationalization of privacy rights. The action also underscores the agency’s key enforcement priorities, including:

Ensuring consumer requests to opt out of the “sale” or “sharing” of their personal information (opt-out requests) are fully effectuated across related devices and services.
Seeing companies honor the Global Privacy Control (GPC) signal as an opt-out request.

Specifically, the California attorney general alleged that Disney:

Associated different devices on which a consumer had logged in for cross-context behavioral advertising (targeted advertising) purposes, but did not leverage this when processing a consumers’ opt-out requests.
Implemented a disjointed opt-out system that only partially effectuated opt-out requests.
Directed users of its TV streaming apps to submit opt-out requests on other devices, while knowing that such opt-out requests would not impact the TV streaming apps’ data sharing.
Deceived consumers through the above activities by giving them tools that seemed to opt consumers out of “sale” and “sharing” of personal information, without fully opting them out.

The agreement requires Disney to:

Pay a $2.75 million civil penalty, the highest fine imposed under the CCPA to date.
Implement certain procedures for handling consumer opt-out requests.
Regularly update the California attorney general on its progress toward compliance.

Though the California attorney general now shares CCPA enforcement authority with the California Privacy Protection Agency (CPPA), which announced its first-ever enforcement actions last year, this landmark settlement shows that the California attorney general has neither ceded its role as an enforcer in this area nor lost interest in aggressively enforcing the CCPA.

CCPA’s requirements for consumer opt-out requests

The CCPA requires businesses that sell or share personal information for targeted advertising purposes to allow consumers to opt out of their data being sold or shared.¹ Businesses are required to provide at least two methods through which consumers may submit opt-out requests,² and they are required to process the GPC signal as a valid opt-out request.³ The business must treat the GPC signal as an opt-out requests for “that browser or device and any consumer profile associated with that browser or device,” as well as “for the consumer,” if known.⁴The CCPA does not explicitly address linking opt-out requests submitted via other methods across browsers or devices, but the broad mandate to cease selling or sharing a consumer’s personal information captures all personal information, regardless of its source, that the business associates with a consumer. When processing an opt-out request, a business cannot require a consumer to “create an account or provide additional information beyond what is necessary” to process such requests.⁵

Associating consumer devices when processing opt-out requests

Disney operates multiple streaming services, each of which are accessible via both streaming sites and apps. The California attorney general alleged that Disney would associate a given consumer with their different streaming services and devices based on common account logins for advertising purposes but not when processing opt-out requests. Rather, Disney would process opt-out requests on a per-service, per-device basis. This meant that a consumer would have to submit an opt-out request from each device they use, on each service they use, in order for personal information associated with that device to not be sold or shared.

The order requires Disney to:

If a consumer submits an opt-out request while logged in, associate their opt-out request across all devices and all Disney streaming services associated with that consumer.
If a consumer is not logged in when submitting an opt-out request, or doesn’t have an account, inform the consumer it may be necessary to log in to fully effectuate the request and gather the minimum personal information necessary to effectuate the request. Disney must effectuate the request to the extent possible, even if the consumer declines to provide any additional personal information.

In its initial complaint and in the final order, the California attorney general emphasized that such a practice is known to be technically feasible for Disney, because Disney already engages in such associations for advertising purposes. It’s unclear what this means for entities that do not engage in such association, for whom compliance with this standard would be technically infeasible or unduly burdensome.

Selling ad services and selling personal information

Within its sites and apps, Disney accepts opt-out requests via a webform, opt-out toggles and the GPC. However, the California attorney general alleged that opt-out requests submitted through any of these methods were not fully effectuated. Disney engages in targeted advertising both by:

Selling advertising opportunities on its online properties.
Targeting ads for Disney products on third parties’ online properties.

The California attorney general alleged that Disney would only cease one activity or the other in response to a consumer opt-out request, based on the method used to submit the request.

If a consumer submitted an opt-out request to Disney using Disney’s webform, Disney would stop selling opportunities to advertise to that consumer on Disney online properties but continue to target ads to them on third-party sites.
If a consumer submitted an opt-out request using Disney’s toggle or the GPC, Disney would stop targeting ads to that consumer on third-party sites but continue to sell opportunities to advertise to them on Disney online properties.

The order requires that Disney cease both categories of targeted advertising in response to a consumer opt-out request, regardless of the method used to submit it.

No method to opt out for certain apps

The California attorney general alleged that Disney, “citing vendor and technological limitations, did not provide an in-app opt-out mechanism in many of its connected TV streaming apps.”⁶ Instead, the Do Not Sell or Share My Personal Information pages on apps directed consumers to submit opt-out requests through Disney’s online webform. However, as discussed in the “Associating consumer devices when processing opt-out requests” section above, opt-out requests were processed on a per-device basis. Disney’s webform was only accessible using a web browser, meaning consumers would submit requests using their computers or mobile devices, and the sale of data associated with the TV would continue. The California attorney general alleged Disney “knew” such opt-out requests “would have no impact on the embedded code that transferred personal information from these connected TV streaming apps to its ad-tech partners.”⁷

Deceiving consumers about opting out

In addition to alleged violations of the CCPA, the California attorney general also brought this action against Disney under its authority to enforce California’s consumer protection law, alleging that Disney had engaged in “unlawful, unfair, or fraudulent acts or practices, which constitute unfair competition” within the meaning of the law.⁸ The California attorney general took the position that, “[w]hen a business creates a form, toggle, or other tool, and chooses to label it as an opt-out, even though it does not fully opt-out the consumers who use it, the business is engaged in deception.”⁹

The California attorney general argued that, because Disney’s opt-out forms and toggles allegedly fell short of opting a consumer out of the sale and sharing of their personal information in a manner compliant with the CCPA, offering such tools to consumers at all was a fraudulent act or practice that deceived consumers.

Its logic could, in theory, be extended to other consumer-facing aspects of CCPA compliance. Falling short of full CCPA compliance in a consumer-facing context could mean facing liability under both the CCPA and California’s consumer protection statute, potentially doubling civil liability.

General requirements related to opt-out requests

In addition, the order requires Disney to:

Provide clear and conspicuous notice that Disney conducts targeted advertising using personal information obtained from third parties.
Update all Disney streaming services to:
- Provide a clear and conspicuous opt-out link that either immediately effectuates a consumer’s opt-out request, or directs the consumer to a Notice of Right to Opt-Out of Sale/Sharing.
- Provide a Notice of Right to Opt-Out of Sale/Sharing. If the link above does not immediately effectuate the opt-out request, this notice must include a simple opt-out method, such as a toggle or checkbox.
- Format this notice for all webpages, apps and devices on which it is provided.
Provide consumers with a method to confirm their opt-out request has been processed.
Make sure other choices related to personal information do not contain dark patterns.
Direct third parties with whom Disney shares personal information to honor consumer opt-out requests that Disney receives, including by passing along the opt-out request to any further third parties with whom the consumer’s data has been shared.
When making personal information available to third parties, take reasonable and appropriate steps to ensure those third parties will use the personal information in a manner consistent with the CCPA.
Never sell or share children’s data without affirmative parental authorization.

Notes

Cal. Civ. Code § 1798.120(a)(1).
Cal. Code Regs. tit. 11, § 7026(a).
Id. at § 7025(b).
Id. at § 7025(c)(1).
Id. at § 7026(c).
Complaint, California v. Disney DTC, LLC, et al., No. 26STCV04425, ¶ 14 (Cal. Super. Ct. Feb. 11, 2026).
Id.
Complaint at ¶ 19 (citing Cal. Bus. & Prof. Code § 17200).
Complaint at ¶ 15.

White House Releases AI Regulatory Blueprint: What the National Policy Framework Means for Companies

Wed, 25 Mar 2026 16:23:55 Z

On March 20, 2026, the White House released its National Policy Framework for Artificial Intelligence ("the Framework") outlining the administration’s recommended federal approach to AI regulation. The Framework is the most concrete statement yet of where the administration wants Congress to take federal AI policy. If Congress adopts this approach, it would reshape the US AI regulatory landscape, significantly affecting how companies navigate an already complex web of state, federal and global obligations.

The Framework is a follow-through from the December 11, 2025 executive order (EO) “Ensuring a National Policy Framework for Artificial Intelligence,” which we discussed in this December 12 alert. This new set of recommendations includes many elements that have previously been advocated for by the Trump administration, including preemption of some state AI laws, which was first included in early versions of the “One Big Beautiful Bill” legislation last year. The Framework encourages Congress to pass laws protecting children and their data in the AI context, but leaves states with the ability to enforce their generally applicable child protection laws. Importantly, the Framework specifically states that Congress should not preempt consumer protection laws that may apply to AI, which is one of the primary bases on which states are regulating the consumer-facing AI industry.

In other areas, the Framework generally supports the AI industry, promotes AI adoption through measures like regulatory sandboxes, and discourages new regulatory regimes or agencies specific to AI. The Framework also states that the Trump administration believes training on copyrighted material does not violate copyright laws but recommends leaving the courts to resolve the issue in specific cases and contexts. It generally encourages Congress to enable a nonmandatory licensing framework for training data.

What the Framework proposes

The Framework is incredibly broad in its scope and covers, at a high level, seven key priority areas for the administration:

“Protecting children and empowering parents”
“Safeguarding and strengthening American communities”
“Respecting intellectual property rights and supporting creators”
“Preventing censorship and protecting free speech”
“Enabling innovation and ensuring American AI dominance”
“Educating Americans and developing an AI-ready workforce”
“Establishing a federal policy framework, preempting cumbersome state AI laws”

Clear emphasis on child safety and age assurance

What the Framework says: The Framework calls for parental account controls, privacy-protective age assurance requirements for AI services likely to be accessed by minors, and product features designed to reduce risks of sexual exploitation and self-harm. Notably, the Framework also explicitly calls for Congress to preserve state authority to enforce general child protection laws, including prohibitions on AI-generated child sexual abuse material. This is a significant carve-out from the broader preemption push discussed below.

Why it matters: Positioning child safety first in the Framework is a clear statement of political intent and is likely one of the Framework’s bipartisan entry points. The recommendations echo the child safety direction of the proposed Kids Online Safety Act, which would also mandate default safety settings and parental tools for minor users. As we discussed in this March 5 alert, this focus on online child safety issues is one that has driven regulations in other jurisdictions, including the European Union, United Kingdom and Australia, to name a few.

Infrastructure and data center energy costs

What the Framework says: The Framework recommends streamlined processes to allow for the continued development of data centers to support AI. Recognizing that this may result in increased costs to consumers, the Framework also proposes protecting residential ratepayers from electricity cost increases, noting the White House’s recent Ratepayer Protection Pledge, which secured commitments from companies to build, bring or buy their own power and cover the cost of grid upgrades. The Framework also calls for broader social investment in supporting the use of AI in communities and assisting law enforcement in combating fraud.

The administration has also made clear that there are national security considerations and concerns at play, suggesting that Congress should ensure federal agencies within the national security sphere “possess sufficient technical capacity” to understand and assess the risks around frontier AI models.

Why it matters: The Framework’s parallel emphasis on the need to support investment in AI infrastructure while translating AI into visible community benefits reflects growing public attention on the trade-offs inherent in AI. While the Framework stops short of calling for federal legislative protection of communities from the indirect impacts of AI infrastructure investment, it is significant that proposed preemption excludes state zoning laws, explicitly guarding state and local efforts.

Copyright and intellectual property

What the Framework says: The Framework states that training AI models on copyrighted material does not violate copyright law, but it recommends that Congress leave the issue to the courts to resolve. The Framework also asks Congress to consider supporting nonmandatory collective licensing systems for use of copyrighted works to train AI. And it encourages Congress to monitor developing precedents related to the application of copyright law to AI, and consider further legislative action if there are gaps in the law or if additional protection is needed for copyright owners.

In addition, the Framework asks Congress to consider establishing new federal law that protects individuals from AI-generated “digital replicas” of their likenesses, while making clear exceptions for parody, satire, news reporting and other First Amendment-protected expression.

Why it matters: The issue of whether it is a “fair use” to train AI models on copyrighted material is the subject of dozens of active lawsuits across the US. The Framework stakes out the position that Congress should – for now – take a hands-off approach and leave it to the courts to decide how to apply fair use to AI. But it leaves open the prospect of legislative intervention if, for unspecified reasons, the need arises.

Separately, the Framework tacitly supports Congress’s ongoing efforts to enact federal law directed at AI-generated digital replicas of a person’s voice, likeness or other identifiable attributes – essentially endorsing the thrust of bills like the NO FAKES Act, so long as the law is careful to preserve First Amendment expression. Currently, individuals must rely on a patchwork of state statutes and common law doctrines to protect against misappropriation of their likenesses. A federal law would create a more uniform national standard and could establish a basis for protecting celebrities and the public from malicious AI-generated impersonations.

Speech and the First Amendment

What the Framework says: The Framework focuses on preventing the federal government “from coercing technology providers, including AI providers” to suppress or alter lawful expression based on partisan or ideological agendas. The Framework recommends Congress create a mechanism for “Americans to seek redress from the Federal Government” for claims related to agencies that “censor expression on” or “dictate” information provided by AI platforms.

Why it matters: Depending on if and how such a redress mechanism is codified, AI providers may consider carefully documenting all government communications regarding AI training, outputs, and moderation policies and procedures. AI providers may find themselves caught in litigation between individuals and federal agencies if moderation actions are perceived as directed by the government. This will require nimble balancing between effectuating compliance with a federal redress mechanism (if passed) and ensuring reliable AI guardrails.

No new federal AI regulator, accelerating innovation

What the Framework says: The Framework explicitly instructs Congress not to create a new federal rulemaking body for AI. Instead, it encourages sector-specific oversight through existing regulatory bodies and industry-led standards. It also endorses the use of regulatory sandboxes. Additionally, the Framework supports expanding access to federal datasets in AI-ready formats.

Why it matters: This recommendation on the surface parallels broader deregulatory trends in the administration. However, the lack of a single authority with rulemaking or coordinating authority at the federal level risks continued, fragmented rulemaking and prioritization across the multiple existing federal government agencies with sector-specific interests.

Workforce and skills development

What the Framework says: The Framework encourages Congress to ensure existing education programs and workforce training and support programs, including apprenticeships, affirmatively incorporate AI training; study trends in task-level workforce realignment driven by AI; and support land-grant institutions providing technical assistance, launch demonstration projects and AI youth development programs.

Why it matters: This recommendation implicitly recognizes the significant transformation AI is already having, and is likely to continue to have, on the American workforce.

Preemption of state AI laws

What the Framework says: In line with its prior EO, the Framework calls for Congress to preempt state AI laws that impose “undue burdens.” In aiming to create a “minimally burdensome national standard,” rather than “fifty discordant ones,” the Framework calls on Congress to preserve three areas within state authority, while recommending three areas for federal governance.

Under the Framework’s approach, states would retain authority over:

“Traditional police powers” to enforce laws of general applicability against AI developers and users. Importantly, this would include consumer protection laws and laws protecting children (as noted above) and anti-fraud measures.
State zoning laws.
Procurement by states for their own use of AI, such as law enforcement and public education.

Conversely, under the Framework’s approach, states would not be allowed to:

Regulate AI development given AI’s “inherently interstate” dimensions and implications on foreign policy and national security.
“Unduly burden” Americans’ use of lawful activity merely because it is AI-assisted.
“Penalize AI developers” for unlawful conduct by third parties using their models.

Why it matters: This version of preemption in the Framework carves out significant authority that will remain with the states, and it is likely to give rise to complex questions about state law-making authority relating to AI safety, especially where that intersects with the training and development of AI models. Importantly, most states and their attorneys general are using existing consumer protection laws to investigate or enforce against AI developers, which the Framework leaves untouched.

What next?

The Framework is the clearest statement yet of the administration’s preferred end state for federal AI legislation: A national, innovation-oriented approach with targeted provisions on child safety, digital replicas, copyright-adjacent issues and workforce development; no new AI regulator; and preemption of certain state AI laws while leaving significant authority with states. This is a critical space to watch to see if Congress picks up this legislative proposal and moves ahead with it.

Pending legislative action, businesses should ensure they remain in compliance with existing, applicable state AI laws.

At Cooley, our cross-functional team of tech regulatory and enforcement practitioners leverages deep, hands-on experience helping businesses understand the developing AI policy landscape and navigate complex legal frameworks – including the expanse of US state AI laws and global frameworks, like the EU AI Act. Reach out for more information about how our horizon-scanning and regulatory risk management experience can support you and your team in managing AI risk.

NetChoice v. Bonta: Ninth Circuit Narrows Injunction Against California’s Age-Appropriate Design Code Act

Tue, 24 Mar 2026 15:12:00 Z

On March 12, 2026, a three-judge panel of the US Court of Appeals for the Ninth Circuit issued its second opinion in NetChoice v. Bonta, narrowing the preliminary injunction against California’s Age-Appropriate Design Code Act (CAADCA) but leaving several of the law’s most consequential provisions enjoined. The court held that NetChoice had not met the demanding standard for facial First Amendment relief as to the act’s coverage definition or its age estimation provision, but it agreed that the act’s challenged data use restrictions and dark patterns prohibition likely are unconstitutionally vague. The case now returns to the US District Court for the Northern District of California for further proceedings on age estimation and severability.

The CAADCA is a broad children’s privacy and online safety statute that imposes obligations on online services “likely to be accessed by children,” including requirements relating to age estimation, privacy defaults, data protection impact assessments, limits on profiling and data use, geolocation settings, privacy disclosures and interface design. For companies that may fall within the statute’s scope, the Ninth Circuit’s decision is significant because it allows several of the statute’s substantive obligations to take effect while litigation continues in the district court.

Prior challenges and the law’s status entering this appeal

NetChoice sued before the CAADCA took effect, asserting facial constitutional claims and federal preemption theories. In September 2023, the Northern District of California preliminarily enjoined the statute in full.

In August 2024, the Ninth Circuit vacated most of that injunction after applying the US Supreme Court’s intervening decision in Moody v. NetChoice. But it left in place the injunction against the CAADCA’s data protection impact assessment (DPIA)/risk mitigation requirement and the provisions it held were not grammatically severable from that requirement. It also left enjoined the act’s 90-day notice-and-cure provision and remanded for reconsideration NetChoice’s remaining facial theories and severability.

On remand, NetChoice amended its complaint and renewed its preliminary injunction motion. The district court again enjoined the statute in its entirety and, in the alternative, enjoined several specific provisions. The state appealed, leading to the March 12, 2026, opinion addressed here.

NetChoice’s renewed challenges

NetChoice’s renewed motion advanced both a theory that the whole statute is unconstitutional under the First Amendment and provision-specific challenges.

Whole-statute theory

NetChoice’s lead argument targeted the CAADCA’s threshold coverage definition – the provision applying the act to online services, products and features “likely to be accessed by children.” NetChoice argued that this definition is content-based, triggers strict scrutiny across the statute and renders the CAADCA unconstitutional in its entirety.

Provision-specific challenges

NetChoice also challenged specific operative provisions, including:

The age estimation requirement in Civil Code Section 1798.99.31(a)(5).
The data use restrictions in Section 1798.99.31(b)(1)-(4).
The dark patterns restriction in Section 1798.99.31(b)(7).
The policy enforcement requirement in Section 1798.99.31(a)(9).
Separately, the continued enforceability of the act’s valid remainder in light of the already enjoined 90-day notice-and-cure provision.

NetChoice also continued to press Communications Decency Act Section 230, Children’s Online Privacy Protection Act (COPPA) preemption and dormant commerce clause theories, but those arguments did not drive the panel’s merits analysis in this appeal.

What the Ninth Circuit held

NetChoice did not justify a facial injunction against the statute as a whole.

The Ninth Circuit held that NetChoice had not met its burden under Moody to mount a facial challenge based on the coverage definition. The panel emphasized that facial challengers must show the law’s “full set of applications” – what activities by what actors the law regulates – and then measure the allegedly unconstitutional applications against the statute’s legitimate sweep.

The court concluded that NetChoice had not made that showing. In the panel’s view, the CAADCA’s coverage provision is broad and applies to many businesses, including some that do not publish expressive content at all. The court stressed that the definition contains six separate indicators and does not operate identically across all covered businesses. If NetChoice’s core concern is how the law affects social media companies or publishers, the court suggested that concern may be better pursued through as-applied challenges rather than a facial attack on the statute as a whole.

The age-estimation provision is not facially invalid on the present record.

The court also vacated the injunction against Section 1798.99.31(a)(5), which requires a covered business either to estimate the age of child users with a reasonable level of certainty appropriate to the risks arising from its data management practices or apply the child-level privacy and data protections to all consumers. The panel emphasized that the provision does not, on its face, clearly restrict content; that a business can avoid age estimation by applying the relevant protections to all users; and that the record was underdeveloped as to how the provision operates in practice. The panel also faulted the district court for assuming that compliance necessarily would require collection of additional sensitive data, noting that the state had submitted evidence of less intrusive methods.

The data use and dark patterns provisions likely are void for vagueness.

The Ninth Circuit reached a different result for the data use restrictions in Section 1798.99.31(b)(1)-(4) and the dark patterns restriction in Section 1798.99.31(b)(7). It affirmed the injunction against those provisions on vagueness grounds, focusing on the statute’s reliance on open-ended terms, such as “materially detrimental,” “well-being” and “best interests of children.” The panel rejected the state’s argument that “best interests of children” could be imported from California family law, reasoning that family law uses of that standard are individualized and fact-specific, whereas the CAADCA requires companies to make prospective judgments at scale about children as a class of users. The court also held that the scienter language does not cure the notice problem, and it extended the same reasoning to the dark patterns restriction.

The district court was too quick to treat the valid remainder as inseverable.

The panel also vacated the district court’s severability ruling to the extent it enjoined the statute’s otherwise valid remainder because of the already enjoined 90-day notice-and-cure provision in Section 1798.99.35(c)(2). Applying California severability law, the Ninth Circuit held that the present record does not establish that the legislature would have preferred no statute at all over a CAADCA without that cure mechanism. It therefore vacated the injunction as to the valid remainder and remanded for further proceedings on severability.

What remains enjoined and what may now take effect

After this decision, the CAADCA remains partially enjoined.

Provisions that remain enjoined

The following substantive provisions of the law remain enjoined:

The DPIA/risk mitigation requirement, which the Ninth Circuit held likely unconstitutional in the 2024 appeal, together with the provisions previously held not grammatically severable from it, which would require covered businesses to conduct and document pre-launch DPIAs evaluating risks of harm to children and identifying mitigation measures for products or features likely to be accessed by children.
The 90-day notice-and-cure provision in Section 1798.99.35(c)(2), which would require the California attorney general to provide notice of an alleged violation and allow a 90-day opportunity to cure before initiating an enforcement action.
The data use restrictions in Section 1798.99.31(b)(1)-(4), which would impose substantive limits on how children’s personal information may be used, including prohibiting uses that are “materially detrimental” to children, restricting profiling by default, requiring data minimization tied to a “best interests of children” standard and limiting secondary uses of data absent a compelling justification.
The dark patterns restriction in Section 1798.99.31(b)(7), which would prohibit the use of interface designs or user experience techniques that encourage children to provide unnecessary personal information, weaken privacy protections or take actions deemed materially detrimental to their well-being.

Provisions that are no longer covered by the broad preliminary injunction

The panel vacated the broader whole-statute injunction, vacated the injunction against the age estimation provision in Section 1798.99.31(a)(5) and vacated the order insofar as it barred enforcement of the act’s otherwise valid remainder on nonseverability grounds. As a result, California is no longer preliminarily barred from enforcing the nonenjoined remainder of the statute, including the following provisions:

Age estimation requirement – Covered businesses must estimate the age of child users with a reasonable level of certainty or apply child-level privacy and data protections to all users (i.e., treat all users of the service as children).
High-privacy default settings – Covered businesses must configure default privacy settings for children to a high level of privacy.
Child-appropriate privacy disclosures – Privacy information, terms of service, policies and community standards must be provided concisely and in language suited to the age of children likely to access the service.
Monitoring and geolocation-related disclosures or signals – An obvious signal must be displayed to children when their online activity is being monitored or tracked or when their precise geolocation data is being collected.
Tools for privacy rights and reporting concerns – Businesses must provide prominent, accessible and responsive tools that allow children and their parents or legal guardians to exercise privacy rights and report concerns.

The panel did not reach the merits of NetChoice’s separate challenge to Section 1798.99.31(a)(9), but the opinion’s operative disposition affirms only the injunction as to Sections 1798.99.31(b)(1)-(4) and (b)(7) in this appeal, while vacating the remainder of the district court’s second preliminary injunction.

What comes next

The case now returns to the district court. The immediate issues on remand include further factual development on the age estimation provision, renewed severability analysis concerning the valid remainder and the still enjoined notice-and-cure provision, and continued litigation of NetChoice’s remaining claims. The Ninth Circuit did not decide the ultimate merits of the case; it decided only the scope of preliminary relief on the present record.

Legal implications

The decision reinforces two key points. First, after Moody, broad facial First Amendment attacks on platform regulation statutes will be difficult without a developed record addressing the law’s full range of applications. If a company’s specific service involves expressive content or unique data needs that make the CAADCA’s requirements burdensome, you should begin documenting those impacts now to support potential as-applied challenges in the future. Second, open-ended standards, such as “best interests,” “well-being” and “material detriment,” remain vulnerable to vagueness challenges if they are not tied to more concrete statutory direction.

Practical implications

With portions of the CAADCA now potentially enforceable, companies should reassess whether they are within scope as online services “likely to be accessed by children.” If so, companies should develop a compliance roadmap for the unblocked requirements of the CAADCA, including documenting the six separate indicators implicating threshold coverage, identifying a reasonably certain age estimation strategy or high-level privacy protections for all users, and implementing the child-appropriate disclosure requirements.

FTC Issues New Advance Notice of Proposed Rulemaking on Negative Option Marketing

Fri, 20 Mar 2026 19:40:00 Z

On March 11, 2026, the Federal Trade Commission (FTC) issued a request for public comment on an advance notice of proposed rulemaking (ANPRM) regarding its “Rule Concerning the Use of Prenotification Negative Option Plans,” more commonly known as the “Negative Option Rule.” The FTC is inviting consumers and industry members to share their experiences with negative option marketing to help it decide whether and how to amend the current rule.

Background

The ANPRM is the latest signal of the FTC’s focus on negative option marketing and its push to modernize the regulatory framework. In recent years, the FTC’s enforcement in this space centered on the Restore Online Shoppers’ Confidence Act (ROSCA), which governs the marketing and sale of negative option features online. But the FTC also sought to update the Negative Option Rule itself. Since being adopted in 1973, the Negative Option Rule has applied only to prenotification plans, arrangements where a seller periodically sends merchandise to consumers unless they affirmatively decline in advance.

In October 2024, the FTC amended the Negative Option Rule to cover negative option plans initiated online more generally and to add specific requirements governing misrepresentations, disclosures, consent and cancellation. That amended rule was short-lived; in July 2025, the US Court of Appeals for the Eighth Circuit vacated the amended rule in its entirety, finding that the FTC skipped required procedural steps before promulgating the rule.

Citing a high volume of consumer complaints, the FTC has now restarted the rulemaking process with this ANPRM.

Key highlights of the ANPRM

Four core requirements from the vacated rule

The FTC notes it may draw on portions of the vacated rule in proposing a new rule. The vacated rule had four key requirements:

A prohibition against misrepresenting material facts in connection with negative option offerings.
A requirement to obtain consumer consent to the negative option feature separately from other portions of the transaction and to maintain records verifying consent for three years.
A requirement to disclose important information about the negative option feature immediately next to the means of obtaining the consumer’s consent.
A requirement to provide a simple cancellation mechanism that is “at least as easy to use” as the mechanism used to obtain the consumer’s consent to the negative option feature.

The ANPRM seeks detailed cost-benefit input on each of these provisions, including how compliance costs may vary by industry, business size and over time.

The “Saves” question

One notable question in the ANPRM is whether it is unfair or deceptive to offer discounts or other incentives – referred to as “Saves” – to keep consumers enrolled in a negative option program rather than promptly processing a cancellation request. The FTC is seeking economic data on the proportion of consumers who accept Saves, the cost savings they provide and how they affect consumers’ ability to cancel. More broadly, the FTC wants to understand the impact of Saves on competition in the negative options marketplace.

Exemptions

The FTC also invites comments on whether a new rule should include exemptions. Possible approaches include adopting a petition process similar to that from the vacated rule, supplementing that process with additional requirements, exempting particular market segments or applying new requirements only to industries where unlawful practices are most prevalent.

Looking ahead

The comment period is now open, and comments must be received by April 13, 2026.

Regardless of how the rulemaking plays out, ROSCA remains fully in force for online negative option offerings, and the FTC can continue to bring enforcement actions under Section 5 of the FTC Act. Since January 2025 alone, the FTC has initiated five cases and approved six settlements related to alleged negative option misconduct. Even in the absence of an updated rule, businesses using negative option features online should make sure they comply with ROSCA and Section 5, as well as overlapping requirements of state automatic renewal laws.

If you have questions about the FTC’s ANPRM or its implications for your business, please contact any member of the Cooley team listed below.

DFPI Suspends Implementation, Enforcement of California’s VC Companies Diversity Reporting Program, Pending Rulemaking

Wed, 18 Mar 2026 19:34:13 Z

In a significant development for the venture capital community, the California Department of Financial Protection and Innovation (DFPI) announced on March 17, 2026, that it is suspending implementation and enforcement of the state’s Fair Investment Practices by Venture Capital Companies Law (FIPVCC), commonly referred to as Senate Bill 54, as amended by SB 164. The law requires certain venture capital companies (including venture capital funds) with a California nexus to register with the DFPI and to collect and annually report anonymized, aggregated demographic data about the founding team members of businesses they invest in. Covered entities will no longer be required to submit registrations or file reports by the original April 1, 2026, deadline.

Instead, the agency announced that it plans to initiate formal rulemaking to draft regulations for the law “with the goal of promoting clarity, collaboration, and transparency.” The agency will seek stakeholder input, including from venture capital companies, industry associations, founders, investors and other relevant parties before beginning such formal rulemaking, that must be completed within one year of initiation. The DFPI stated that its approach aims to “ensure that the regulations adopted are clear, practical, and effective in achieving the objectives of the law.” The DFPI has committed to notifying registrants and subscribers when formal rulemaking commences.

The DFPI’s announcement provides practical relief to the many venture capital firms and fund managers that were grappling with interpretive uncertainty in advance of the April 1, 2026, deadline. Earlier this month, Cooley submitted a letter to the DFPI requesting clarification on some of these open questions and ambiguities. The DFPI’s approach to rulemaking, along with Cooley’s direct discussions with DFPI representatives, signal that the DFPI will be responsive to practical concerns raised by the industry.

Next steps

While the suspension provides near-term relief, covered entities should remain attentive to further developments, including communications from the DFPI regarding timing and opportunities to participate in the rulemaking process. The DFPI’s announcement will provide a meaningful opportunity for venture capital firms, fund managers and other affected parties to provide input that may shape the final regulations.

We will continue to track and report on developments as they occur and are available to assist clients in assessing their obligations under the FIPVCC.

General Services Administration Proposes New DEI Certification for Federal Financial Assistance Recipients

Wed, 18 Mar 2026 14:21:00 Z

The General Services Administration (GSA) recently proposed revisions to the Financial Assistance General Representations and Certifications within the System for Award Management (SAM), the registration system through which applicants and recipients of federal financial assistance register to receive federal funding.

The proposal, “Information Collection; System for Award Management Registration Requirements for Financial Assistance Recipients,” and the GSA’s draft Supporting Statement propose to implement the January 2025 Executive Order 14173 (EO), in alignment with updated executive branch guidance, including the Department of Justice’s Guidance for Recipients of Federal Funding Regarding Unlawful Discrimination (DOJ guidance). Public comments on the proposal are due by March 30, 2026.

Background

As required by the EO, the head of each agency must include in every contract or grant award a “term requiring [the] counterparty or recipient to certify that it does not operate any programs promoting DEI that violate any applicable Federal anti-discrimination laws” (certification provision). While both the Equal Employment Opportunity Commission (EEOC) and the DOJ have issued guidance on unlawful diversity, equity and inclusion (DEI) programs, no guidance had been issued specifically addressing the certification provision or its implementation, nor has such a certification requirement been rolled out. GSA’s proposal seeks to implement the EO and fill this gap. According to the GSA, as of January 2026, there were 222,760 entities registered in SAM for financial assistance, all of which may be affected by the proposed certification requirement.

New DEI certification

The proposal requires recipients of federal financial assistance to certify compliance with all federal laws and “relevant” executive orders “prohibiting unlawful discrimination on the basis of race or color in the administration of federally funded programs.” Notably, the proposal does not explicitly mention other categories protected under federal anti-discrimination laws, such as sex.

The proposed certification states that federal anti-discrimination laws apply to programs involving “discriminatory practices” – including DEI or diversity, equity, inclusion and accessibility (DEIA) programs. The certification provides many examples of potentially prohibited DEI practices, several of which track the DOJ guidance, including:

Granting preferential treatment based on race or color, such as race-based scholarships, preferential hiring or promotion practices, or access to facilities or resources based on race or ethnicity – including through the use of “cultural competence” requirements, “overcoming obstacles” narratives or “diversity statements.”
Segregation based on race or color, such as race-based training sessions, segregation in facilities or resources, or implicit segregation through program eligibility.
Other unlawful use of race or color as criteria, such as race-based “diverse slate” policies in hiring, race-based selection for contracts or race-based program participation or resource allocation.
Training programs that stereotype, exclude or single out individuals based on protected characteristics or create a hostile environment.
Retaliation against employees, participants or beneficiaries who raise concerns about or object to DEI practices they reasonably believe violate federal anti-discrimination laws. The certification notes that such protected activities include raising concerns or filing complaints about or objecting or refusing to participate in DEI programs or trainings.

Other certifications

The proposed certification goes beyond DEI. Notably, recipients must also certify that they will “not knowingly bring or attempt to bring to the United States, transport, conceal, harbor, shield, hire, or recruit for a fee an illegal alien; and will not induce an alien to enter or reside in the United States with reckless disregard of the fact that the alien is illegal.” In addition, recipients must also certify that they will not “fund, subsidize, or facilitate violence, terrorism, or other illegal activities that threaten public safety or national security,” though neither the types of activities contemplated under this provision nor the terms “public safety” or “national security” are further defined. Recipients must also certify compliance with the Constitution and executive branch guidance “in promoting the freedom of speech and religious liberty in the administration of federally-funded programs.”

These additional certifications are not required by the EO and are not addressed by any prior DEI-related guidance.

Enforceability and legal exposure

In a nod to ongoing litigation challenging the EO, the proposal includes a carve out providing that, to the extent any certification or representation is subject to an active court order or injunction legally binding on the recipient and the relevant awarding agency, the affected certification will be deemed inapplicable to that recipient, although other certifications will remain in force.

As we reported in February 2025, the certification provision was challenged as unconstitutional in several cases, including in National Association of Diversity Officers in Higher Education v. Trump. Most recently, on February 6, 2026, the US Court of Appeals for the Fourth Circuit vacated the US District Court for the District of Maryland’s preliminary injunction order and remanded the case, holding that while the plaintiffs had standing to challenge the certification provision, they were unlikely to succeed on the merits, because the provision requires only that recipients certify compliance with federal anti-discrimination laws – and the First Amendment does not confer a right to violate those laws.

An appeal is also pending in the US Court of Appeals for the Seventh Circuit in Chicago Women in Trades v. Donald J. Trump, et al., where the government has appealed the US District Court for the Northern District of Illinois’ preliminary injunction enjoining the Department of Labor from requiring any grantee or contractor to make any certification, and prohibiting the government from initiating any False Claims Act (FCA) enforcement action against a plaintiff pursuant to the provision. Notably, the Fourth Circuit’s decision in National Association of Diversity Officers in Higher Education left open the possibility of a legal challenge in a specific enforcement action if the “President, his subordinates, or another grantor misinterprets federal antidiscrimination law.”

The proposal further provides that the authorized official signing the certification attests to its accuracy and acknowledges that they may be subject to criminal prosecution or civil liability under the FCA for providing “false, fictitious, or fraudulent information” to the government. The FCA exposure, in particular, carries the risk of treble damages and significant penalties, heightening exposure for individuals signing such certifications.

Next steps

Recipients of federal financial assistance may wish to comment on the proposal by March 30, 2026. The GSA invites comments on whether the information collection is necessary, whether it will have practical utility, and ways to enhance the quality, utility and clarity of the information to be collected.

In the meantime, organizations that receive or apply for federal grants, loans or other financial assistance should work with legal counsel to audit existing DEI programs, with particular attention to those cited as examples of potentially unlawful practices. Organizations should also evaluate their SAM registration processes – including who within the entity should sign the revised certifications – given the potential liability risks and the government’s broad interpretation of anti-discrimination laws. Organizations should also monitor litigation developments and the finalized certification requirements. Although the proposal is limited to recipients of federal financial assistance, it is plausible that a similar certification requirement may be forthcoming for federal contractors and subcontractors as well.

Please contact a member of Cooley’s DEI strategic counseling and litigation practice if you have questions concerning how these developments affect your organization.

Court Finds AI Agent May Violate State, Federal Law by Accessing Amazon Accounts Without Authorization

Tue, 17 Mar 2026 18:18:48 Z

A court in the Northern District of California found, at the preliminary injunction stage, that when a website prohibits artificial intelligence (AI) agents from accessing user accounts, continued access by agents may violate state and federal law – even where the user has granted the agent permission. Now on appeal to the US Court of Appeals for the Ninth Circuit, the decision raises important questions for both platforms seeking to set guardrails on AI agents and makers of AI agents whose products interact with third-party websites.

The case

In Amazon.com Services LLC v. Perplexity AI, Inc., Amazon alleged that Perplexity configured its AI agent to, at the direction of Perplexity users, access the user’s password-protected Amazon accounts. Users could instruct Perplexity’s Comet agentic feature to browse products and even make purchases on their behalf. Amazon’s terms of service require AI agents to identify themselves (e.g., through a user-agent string) and limit agent access to only the public portions of Amazon’s website. Amazon alleged that Comet violated these terms by accessing Amazon’s ecommerce website in a logged-in state without identifying itself as an AI agent, and that Amazon was unable to distinguish Comet’s activity from that of a human user. Pointing to its terms of service, Amazon alleged violations of state and federal hacking laws and sought a preliminary injunction to stop Comet from accessing Amazon users’ accounts.

The decision

On March 9, 2026, Judge Maxine M. Chesney granted Amazon’s motion for preliminary injunctive relief, finding that Amazon was likely to prevail on its claims under the federal Computer Fraud and Abuse Act (CFAA) and the California Comprehensive Computer Data Access and Fraud Act (CDAFA). A central question in the case was whether user consent to the AI agent’s access was sufficient authorization or whether the website operator’s terms of service controlled. The court sided with Amazon on this point at the preliminary injunction stage, finding that Comet’s access was not authorized by Amazon notwithstanding any permission granted by the user.

The court noted that Amazon sent cease-and-desist correspondence to Perplexity, reinforcing its position that continued access to Amazon user accounts by Perplexity’s AI agent was unauthorized. The court enjoined Perplexity from accessing “Amazon’s protected computer systems using AI agents” and from “using any accounts … for the purpose of allowing Perplexity’s AI agents to access Amazon’s protected computer systems.” The order also requires Perplexity to delete any Amazon customer data that it collected using its AI agent on password-protected areas of Amazon’s website. Perplexity appealed this decision the next day, and the Ninth Circuit may ultimately reach a different conclusion on the merits.

What this means for websites

Websites that want to prevent AI agents from accessing account data, or taking actions like making purchases on behalf of users, may want to draft explicit terms prohibiting this agentic behavior. Websites may also want to require that AI agents identify themselves as AI agents when they interact with the website, so the website can treat agent traffic differently from human visits. If AI agents violate these terms, websites may want to send cease-and-desist correspondence to further strengthen the argument that the access is unauthorized. These steps may support efforts to seek injunctions blocking the conduct (along with other downstream remedies), though the legal landscape in this area remains unsettled.

What this means for AI agents

Makers of AI agents that access password-protected accounts should be aware of this decision and its potential implications. The court’s ruling suggests that conduct violating a website’s terms of service may give rise to claims under the CFAA and CDAFA, and that user consent alone may not constitute sufficient authorization where the website operator has expressly revoked it. However, this was a preliminary ruling, and there are significant counterarguments, including whether terms of service should override a user’s affirmative decision to authorize an agent to act on the user’s own account, and whether such terms of service restrictions are enforceable in this context. The Ninth Circuit’s review on appeal may provide further clarity. In the meantime, makers of AI agents should also be mindful that both statutes not only create private rights of action but also carry potential criminal liability.

New York Enacts New Employment Laws

Tue, 17 Mar 2026 07:00:00 Z

New York employers have new legal obligations as a result of several significant recently enacted employment laws. Below, we summarize these key developments and offer compliance action items for employers.

Employment promissory notes

Following California’s lead on restricting so-called training repayment agreement provisions (TRAPs), or “stay or pay” provisions, New York’s A09452 (Trapped at Work Act) prohibits employers from requiring employees to execute, as a condition of employment, an “employment promissory note,” effective February 13, 2027. A09452 amended an earlier law enacted by Gov. Kathy Hochul in December 2025, under the condition that the legislature address and clarify certain ambiguities in the prior law.

Under the amended law, an employment promissory note is defined as “any instrument, agreement, or contract provision that requires an employee to pay the employer, or the employer’s agent or assignee, a sum of money if the employee’s employment relationship with a specific employer terminates before the passage of a stated period of time.” Any prohibited note is null and void; however, if it appears within a broader agreement, the invalidity of the note does not affect the enforceability of the agreement’s other provisions.

The broad ban on employment promissory notes specifically excludes agreements that require:

Repayment for the cost of tuition and required educational materials for a transferable credential, as long as certain specified conditions are met, including that the repayment agreement is separate from the employment contract and the transferable credential is not a condition of employment.
Payment for any employer property sold or leased to the employee, as long as the sale or lease was voluntary.
Repayment of a “financial bonus, relocation assistance, or other non-educational incentives or other payment or benefit” that is not tied to specific job performance, unless the employee was terminated for any reason other than misconduct, or the duties or requirements of the job were misrepresented to the employee.
Educational personnel comply with terms or conditions of their sabbatical leave.
Obligations pursuant to a collective bargaining agreement.

While the law does not create an express private right of action, aggrieved individuals may file a complaint with the New York Labor Commissioner. Employers face civil penalties of $1,000 to $5,000 per violation. In assessing penalties, the labor commissioner must take into account factors such as the size of the employer’s business, the employer’s history of violations, the gravity of the violation and its good faith basis to believe it acted in compliance with the law. While the law as amended provides more clarity, many ambiguities remain, such as what is meant by the terms “misconduct” or “misrepresentation” of the job for purposes of the financial bonus exception, and whether the law is retroactive such that existing prohibited agreements cannot be enforced after the effective date.

Expanded safe and sick leave

Effective February 22, 2026, NYC Int. 0780-2024 expands the city’s sick and safe time leave law – now referred to by New York City’s Department of Consumer and Worker Protection (DCWP) as “protected time” – to provide for a new 32 hours of unpaid leave to employees, which is immediately available to use at the beginning of each calendar year. This leave bank is in addition to the 40 or 56 hours already provided under the Earned Safe and Sick Time Act (ESSTA), depending on employer size. Employers are not required to carry over any unused time into the following calendar year. If an employee requests leave for an ESSTA-qualifying reason, the employer must first provide the paid leave, unless that time is exhausted or the employee specifically requests to use other leave in lieu of safe/sick time.

In addition, the law also expands the reasons for which ESSTA can be used, to include the following:

Public disaster: For closings of the workplace, or an employee’s need to care for a child whose school or childcare provider has been closed due to a “public disaster,” which includes events such as fire, explosion, terrorist attack or severe weather conditions that are declared a public emergency or disaster by a public official. ESSTA may also be taken if a public official directs people to remain indoors or avoid travel during a public disaster that prevents an employee from reporting to their work location.
Caregiving responsibilities: To provide care to a minor child or care recipient when the employee is a caregiver for such person.
Subsistence benefits/housing: To initiate, attend or prepare for legal proceedings relating to subsistence benefits or housing, or take actions necessary to apply, maintain or restore subsistence benefits or shelter for themselves, a care recipient or a family member.
Workplace violence: To seek legal or social services when an employee or family member has been a victim of workplace violence.

The law also formally incorporates DCWP’s rules regarding the new paid prenatal leave into the ESSTA. As a reminder, beginning January 1, 2025, New York employers were required to provide employees with 20 hours of paid prenatal leave during any 52-week calendar period. The codification clarifies that violations of the prenatal leave law are subject to existing penalties under the ESSTA.

Finally, the law amends the city’s Temporary Schedule Change Law, which formally required employers to grant an employee’s request for a temporary change to the employee’s work schedule up to two times a year. Now, employees may continue to request a temporary change to their work schedule, though employers are not required to agree to the requested change. Employers may also now propose an alternative temporary change, though the employee is not required to accept it.

Pay data reporting and pay equity study

With obligations likely beginning in 2028, New York City employers will be required to submit certain pay data to the city, which will then be required to conduct pay equity studies based on those submissions.

Under Int. 0982-2024-A, employers with at least 200 employees must report pay data to a designated city agency modeled on the Equal Employment Opportunity Commission’s former EEO-1 Component 2 reporting requirements for reporting years 2017 and 2018. Under Component 2 reporting, employers were required to report the total number of full-time and part-time employees by demographic categories in each of 12 pay bands listed for each EEO-1 job category based on W-2 earnings. Employers were also required to report the number of hours worked in the last year by all employees accounted for in each of the pay bands. Reports must allow employers to include explanatory remarks.

Implementation will proceed in stages. First, by December 4, 2026, the mayor must designate the lead agency to oversee the pay reporting effort. Within a year of this designation, the agency must issue a standardized form to be used by employers to submit the pay report. Employers must file within one year after the form is published and annually thereafter. Employers also must submit a signed attestation by an authorized agent confirming the submission and its accuracy. The agency will publish an annual list of noncompliant employers after notice and a 30 day cure period. First offenses receive a written warning and 30 days to cure. Uncured violations incur a $1,000 penalty, and subsequent offenses carry $5,000 penalties.

Separately, under Int. 0984-2024, within one year after employers first submit pay reports – and annually thereafter – the agency must conduct a pay equity study to assess whether compensation disparities exist by gender and race or ethnicity. The agency is required to deliver findings to the mayor, which include an analysis of data collected and recommendations “regarding employer action plans for addressing any disparities identified.”

Other notable developments

In addition to the significant legislative changes discussed above, New York employers should note the following other developments.

Disparate impact liability codified

Effective December 19, 2025, S8338 amends the state’s Human Rights Law to codify the disparate impact liability theory of discrimination. The amendment provides that an unlawful discriminatory practice may be established by a “practice’s discriminatory effect, even if such practice was not motivated by a discriminatory intent.” The amendment applies to all cases alleging employment discrimination occurring on or after December 19, 2025.

Consumer credit history ban

Effective April 18, 2026, S3072 amends the state’s General Business Law to prohibit employers and potential employers from requesting or using a job applicant or employee’s consumer credit history (defined as an individual’s credit worthiness, credit standing, credit capacity or payment history) for employment purposes, subject to certain exceptions. The amendment largely mirrors New York City’s Stop Credit Discrimination in Employment Act, enacted in 2015. Employers are permitted to request and use credit history information where required by law or regulation and are not precluded from requesting or receiving consumer credit history information pursuant to a lawful subpoena, court order or law enforcement investigation.

Anti-retaliation protection

Effective December 5, 2025, S3398, the Reasonable Accommodation Anti-Retaliation Act, amends the state’s Human Rights Law to prohibit retaliation for requesting reasonable accommodations and was intended to align the state law with federal and city counterparts.

RAISE Act

Following California’s lead with enactment of the Transparency in Frontier Artificial Intelligence Act, New York’s A6453A enacts a similar AI safety law, the Responsible AI Safety and Education (RAISE) Act, effective January 1, 2027. Among other things, the RAISE Act requires large AI developers to create and publish information about their safety protocols and report critical safety incidents to the state within 72 hours. Large developers must inform employees of their rights and obligations under the law within 90 days of the effective date or upon becoming a large developer (whichever is later), at the start of employment and by posting a conspicuous workplace notice. Covered employees are also protected from retaliation for disclosing or threatening to disclose information or concerns about unreasonable or substantial risk of critical harm. In her approval memo, Hochul noted the law’s “broad compliance obligations on large-scale models without adequate specificity” and announced an agreement with the legislature to provide further clarification, including standardized AI safety frameworks and critical incident reporting.

Next steps

New York employers should take the following steps to ensure compliance with the newly enacted laws, including:

Assess and update any training repayment, bonus or retention agreements (including offer letters and any programs or policies governing employee retention and incentive benefits programs, tuition assistance and employee relocation programs) to ensure compliance with new restrictions on “employment promissory notes.”
Review and update all policies and handbooks for the expanded safe and sick leave law, including for the new bucket of 32 hours of unpaid sick/safe leave and expanded anti-retaliation protections. In addition, employers must distribute the updated policy to all new hires and current employees. Employers should also post and distribute the updated ESSTA (or protected time off) workplace notice.
Review pre-employment background check practices that use credit reports or consumer credit information to ensure compliance with S3072, and confirm whether any roles fall within the law’s exceptions.
Stay tuned for legislative updates to the RAISE Act and guidance regarding the city’s new pay data reporting law.

Employers should also stay tuned for pending legislation that may gain traction in 2026. Key legislation to watch includes a proposed ban on noncompete agreements, which passed the New York Senate. The bill currently provides exceptions for highly compensated individuals earning more than $500,000 per year and for noncompetes in the context of the sale of a business. Notably, New York City Mayor Zohran Mamdani pledged to ban all noncompete clauses, as well as “overbroad NDAs that restrict an employee from using their general skills, knowledge, and inventive ability.” In addition, the No Severance Ultimatums Act (S372A), which also passed the Senate, seeks to require a minimum 21-day review period and seven-day revocation period for severance agreements, similar to the statutory minimums under the federal Older Workers Benefit Protection Act, which applies only to employees aged 40 and over.

If you have questions about these laws or how to comply, please contact the Cooley employment team or one of the lawyers listed below.

SEC Issues Order Exempting Directors and Officers of Certain Foreign Private Issuers From Section 16(a) Reporting Obligations, Provides FAQs

Wed, 11 Mar 2026 07:00:00 Z

On March 5, 2026, the Securities and Exchange Commission (SEC) issued an order exercising its authority under Section 16(a)(5) of the Exchange Act – added by the Holding Foreign Insiders Accountable Act (HFIA Act) – which permits the SEC to exempt any person or class of persons from Section 16(a) reporting requirements if the laws of a foreign jurisdiction impose substantially similar requirements. The SEC’s action brings meaningful relief to directors and officers of dual-listed foreign private issuers (FPIs) in Canada, Chile, the European Economic Area, the Republic of Korea, Switzerland and the United Kingdom by lifting their Section 16(a) beneficial ownership reporting obligations.

Further, on March 9, 2026, the staff of the SEC’s Division of Corporation Finance posted Frequently Asked Questions clarifying certain Section 16 reporting obligations.

The HFIA Act, signed into law on December 18, 2025, subjects directors and officers of FPIs to the insider reporting requirements under Section 16(a) of the Securities Exchange Act of 1934 (Exchange Act). The SEC’s subsequent February 27, 2026, amendments removed the prior exemption from Section 16 in its entirety, replacing it with narrower exemptions covering only Section 16(b) short-swing profit rules and Section 16(c) short-selling prohibitions, and amended Rule 16a-2 to exclude 10% holders of FPIs’ equity securities from the new Section 16(a) reporting requirements.¹

Who is exempt?

The order exempts directors and officers of any FPI that is either incorporated or organized in a “qualifying jurisdiction” and subject to a qualifying regulation of the same jurisdiction, or incorporated or organized in a qualifying jurisdiction but subject to a qualifying regulation of a different jurisdiction that is listed in the SEC’s order as a qualifying jurisdiction.

Qualifying jurisdictions

The qualifying jurisdictions are:

Canada
Chile
The European Economic Area (comprising all 27 European Union member states,² plus Iceland, Liechtenstein and Norway)
The Republic of Korea
Switzerland
United Kingdom

Cooley played an active role in this outcome, engaging with staff at the SEC regarding current regulations in the jurisdictions considered by the SEC.

Qualifying regulations

Canada’s National Instrument 55-104 – Insider Reporting Requirements and Exemptions (supported by National Instrument 55-102 – System for Electronic Disclosure by Insiders (SEDI) and companion policies) (NI 55-104), which provides, in general, requirements that directors and officers of covered issuers promptly report their initial holdings and any changes in beneficial ownership of the issuer’s securities, including a description of the security, the nature of the transaction, and the price and volume of the transaction, and that such reports be made available to the general public.
Articles 12, 17 and 20 of the Chilean Securities Market Law (Ley de Mercado de Valores, Ley No. 18,045) and General Rule (Norma de Carácter General) No. 269, which provide, in general, requirements that directors and executive officers promptly report their initial holdings and any changes in beneficial ownership of the issuer’s securities, including a description of the security, the nature of the transaction, and the price and volume of the transaction, and that such reports be made available to the general public.
Article 19 of the European Union Market Abuse Regulation (Regulation (EU) No. 596/2014, as amended by Regulation (EU) No. 2024/2809) (including, as applicable, implementing legislation and regulations adopted by the European Union’s member states) and as incorporated into the domestic law of each European Economic Area state (EU MAR), which provides, in general, requirements that persons discharging managerial responsibilities (which includes directors and officers) promptly report to the issuer any changes in beneficial ownership of the issuer’s securities, including a description of the security, the nature of the transaction, and the price and volume of the transaction, and that such reports be made available to the general public.
Article 173 of the Republic of Korea Financial Investment Services and Capital Markets Act and Article 200 of the Enforcement Decree of the Financial Investment Services and Capital Markets Act, which provide, in general, requirements that directors and executives promptly report their initial holdings and any changes in beneficial ownership of the issuer’s securities, including a description of the security, the nature of the transaction, and the price and volume of the transaction, and that such reports be made available to the general public.
Article 56 of the Listing Rules and implementing directives of SIX Swiss Exchange as approved by the Swiss Financial Market Supervisory Authority (SIX Listing Rules), which provide, in general, requirements that members of the board of directors and members of the executive committee promptly report to the issuer any changes in beneficial ownership of the issuer’s securities, including a description of the security, the nature of the transaction, and the price and volume of the transaction, and that such reports be made available to the general public.
Article 19 of the United Kingdom Market Abuse Regulation (Regulation (EU) No. 596/2014), as it forms part of United Kingdom domestic law pursuant to the European Union (Withdrawal) Act 2018 (UK MAR), which provides, in general, requirements that persons discharging managerial responsibilities (which includes directors and officers) promptly report to the issuer any changes in beneficial ownership of the issuer’s securities, including a description of the security, the nature of the transaction, and the price and volume of the transaction, and that such reports be made available to the general public.

Conditions for the exemption

The exemption is subject to two conditions:

Any director or officer, as defined in Section 3(a)(7) of the Exchange Act and Rule 16a-1(f) of the Exchange Act, respectively, seeking to rely on the exemption must report their transactions in the issuer’s securities as required under the applicable qualifying regulation.³
Any report filed pursuant to a qualifying regulation must be made available in English to the general public within no more than two business days of its public posting. If an English version of the report cannot be filed through an appropriate regulator’s or listing venue’s online database, it may be made publicly available on the company’s website.

Why the SEC granted the exemption

The SEC determined that each qualifying regulation imposes substantially similar requirements to Section 16(a), covering the same categories of persons (directors and officers, including those performing policy-making functions), securities (equity securities and derivatives), and transactions (acquisitions, dispositions and other changes in beneficial ownership), with timely public disclosure of such changes in English. The SEC may exercise its exemptive authority in the future to extend exemptive relief to the directors and officers of FPIs incorporated or organized in other jurisdictions that set forth requirements substantially similar to Section 16(a) requirements. Likewise, the SEC may reassess and modify its order if there are future changes to the qualifying regulations such that the qualifying regulations are no longer substantially similar to the requirements of Section 16(a). We look forward to the SEC’s continued review of jurisdictions not yet covered by this order and the granting of additional exemptive relief where warranted.

FAQs

The FAQs address:

The need to file Section 16 reports electronically on EDGAR.
When the first Form 3s are due (March 18, unless the director or officer is no longer in such role on March 18, or became a director or officer after March 8, in which case the Form 3 is due 10 calendar days after becoming an officer or director).
That if a director or officer becomes subject to Section 16 because the FPI registers a class of equity securities under Section 12 of the Exchange Act on or after March 18, 2026, then Rule 16-2(a) obligates such director or officer to report on the first required Form 4 certain transactions effected prior to March 18, 2026; if the FPI was registered prior to March 18, the officer or director would not have to report such transactions.

Next steps for FPIs

FPIs should assess whether they and their directors and officers qualify for this exemptive relief (including determining whether the particular director or officer is reporting in the home jurisdiction) – and, if so, confirm that they are in compliance with all applicable qualifying regulation reporting requirements and the English-language availability condition. FPIs that do not qualify should continue their Section 16(a) compliance preparations.

Notes

See this March 3, 2026, Cooley alert, “UPDATED: US Congress Eliminates Foreign Private Issuer Exemption for Insider Reporting Obligations Under Holding Foreign Insiders Accountable Act.”
As of March 5, 2026, the 27 member states of the EU are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.
This exemption is on an individual basis (rather than on an issuer basis) – that is, a particular officer or director is only exempted from Section 16 reporting if they are already reporting pursuant to one of the qualifying regulations. In a case where the list of Section 16 officers and directors (including entities that consider themselves to be “directors by deputization”) differs from the list of officers and directors subject to reporting under the qualifying regulation, whoever is not covered by the qualifying regulation would either need to report pursuant to that regulation or under Section 16.

Leading the Charge

Tue, 10 Mar 2026 20:27:00 Z

Some of the most consequential life sciences outcomes are shaped long before a transaction is announced. This conversation centers on the leadership choices that move companies forward when markets are volatile, capital is scarce and patients cannot wait.

The discussion explores risk tolerance, dual‑track strategy, board alignment and the often unseen work required to carry a company from clinical promise to acquisition.

Update on California’s Venture Capital Companies Diversity Reporting Program

Fri, 06 Mar 2026 08:00:00 Z

California’s Fair Investment Practices by Venture Capital Companies Law (FIPVCC), commonly referred to as Senate Bill 54, as amended by SB 164, requires certain venture capital companies (including venture capital funds) with a California nexus to register with the Department of Financial Protection and Innovation (DFPI) and to collect and annually report anonymized, aggregated demographic data about the founding team members of businesses in which they invest.

The first registration period began March 1, 2026, and the first annual report is due April 1, 2026.

For more information on covered entities, data collection and reporting, public disclosure and enforcement, please see our December 2024 alert on California’s Venture Capital Diversity Reporting Law and our February 2026 webinar on complying with the law.

In preparation for the upcoming deadlines, the DFPI recently established a webpage with information and resources to help covered entities comply. The posted resources include:

A standardized demographic data survey to deliver to founding team members.
The venture capital demographic data report to complete based on survey responses and submit to the DFPI.
A guide on determining whether a business is a covered entity for purposes of registration and reporting.
A link to the VCC Reporting Portal and an accompanying portal user guide outlining how to register, update information, submit reports and manage points of contact.

Covered entities may register beginning March 1, 2026, and should be registered before filing their first reports by April 1, 2026.

Remaining open questions

While these DFPI resources and the registration portal are long-awaited updates, many significant open questions and interpretive issues remain. Three with immediate practical impact are:

Whether each entity qualifying as a “covered entity” must register and file a separate report (incurring a separate filing fee for each entity), or whether a controlling entity such as a management company may file a single consolidated report on behalf of all covered entities under its common control, as contemplated by California Corporations Code Section 27501(d)(3).
Whether a venture capital company that meets the definition of “covered entity” but made no venture capital investments during the prior calendar year is required to register with the DFPI, even if it has no reporting obligation for that year.
Whether covered entities need to survey only the founding team members of businesses that received venture capital investments (with associated management rights) or if they must survey all businesses that received funding, even if only venture capital investments are subject to reporting.

Clarification on these points is critical given the imminent April 1, 2026, filing deadline. Businesses must determine how to organize their submissions, how many filings to prepare and how much to budget for compliance. Cooley has submitted a letter to the DFPI seeking clarification on these questions.

Beyond these three questions, additional open questions that covered entities must navigate ahead of the April 1 deadline include:

How to interpret undefined terms such as “significant presence” and “significant operations” for purposes of determining which entities must register and report.
Who must receive the demographic surveys, including whether former CEOs, presidents and founding team members should be included.
Whether covered entities may distribute surveys using a survey platform rather than the PDF version provided by the DFPI (and, if they are required to use the DFPI’s form PDF, how to do so in a manner that does not associate responses with individual founding team members, as required in the statute).
How to account for survey nonresponses when preparing reports, including whether nonresponses should be treated differently from respondents who expressly decline to answer demographic questions.
How to define a “principal place of business” for purposes of the report’s requirement that covered entities list as principal place of business for each business that received venture capital investments during the prior calendar year.

Next steps

Covered entities should begin registering on the DFPI’s portal, distributing the survey to founding team members, establishing internal data collection processes, and preparing to file a report by April 1, 2026. Given the remaining interpretive uncertainties, we recommend maintaining a flexible compliance approach that can be adjusted as additional guidance becomes available. We are available to assist with compliance questions and strategy.

Comprehensive Online Safety Legislation Comes to the US: How KOSA is Copying UK, EU and Australian Laws

Thu, 05 Mar 2026 21:52:11 Z

The proposed Kids Online Safety Act (KOSA) is the most significant attempt to overhaul federal online child safety laws since the passage of the Children’s Online Privacy Protection Act in 1998. If passed in any of the forms currently contemplated, KOSA would impose new requirements on tech companies and amplify an already significant global regulatory risk landscape.

KOSA is still being debated, with the Senate and House disagreeing on important aspects. Both the Senate (S.1748) and House (H.R. 6484) bills aim to protect online users under 17 from harmful design features. The Senate bill imposes a “duty of care” on platforms to prevent harms, including “compulsive usage,” eating disorders and other mental health harms, whereas the House bill requires “reasonable policies, practices, and procedures” to address more limited harms. On February 10, 2026, a coalition of 40 state and territorial attorneys general sent a letter urging passage of the Senate bill over the House version.

The analysis below focuses on the Senate bill, which would present a greater sea change in how online safety is regulated in the United States.

Cross-border convergence: Where S.1748 borrows from the European Union, UK and Australia

Over the last few years, many tech companies have invested significant resources building toward compliance with the EU’s Digital Services Act (EU DSA), the UK’s Online Safety Act (UK OSA) and Australia’s Online Safety Act (AU OSA). Companies that have invested in such compliance programs will take some relief in key similarities:

User reporting

S.1748 requires covered platforms to provide a “readily accessible and easy-to-use means” for users and visitors to report harms to a minor. Platforms must confirm receipt of the report and provide a response within specific time frames. This closely tracks the UK OSA notice and takedown requirements, which require swift processing.

Safety and privacy by default

S.1748 would require platforms to provide “readily accessible and easy-to-use safeguards” that are turned on by default for minors, including preventing communication from strangers, limiting “compulsive usage” features (e.g., auto play and infinite scroll) and restricting geolocation data. Article 28 of the EU DSA requires “a high level of privacy, safety, and security of minors” and prohibits platforms from targeting advertisements to minors using profiling. The more granular prescriptions in S.1748 track many of the European Commission’s Guidelines on Article 28. Child Safety Codes issued under the UK OSA and Industry Codes issued under the AU OSA likewise impose similar default setting requirements.

Parental tools

S.1748 mandates that platforms provide “readily accessible and easy-to-use parental tools” that allow parents to manage a minor’s privacy and account settings. These tools must also include the ability to restrict purchases and financial transactions, as well as view and restrict the total time the minor spends on the platform. For users the platform knows or should know are minors, these tools must be enabled by default. These requirements are broadly similar to the EU DSA Article 28 Guidelines, which recommend similar measures, recognizing KOSA would make them mandatory.

Algorithmic opt out

S.1748 requires platforms to provide a “prominently displayed” option for minors to opt out of personalized recommendation systems. Article 38 of the EU DSA contains the closest parallel, but the European requirement is less prescriptive – it requires very large services to provide an option for their recommender systems that is not based on profiling, which often results in a chronological or popular community feed.

Mandatory reporting and transparency audits

Across these jurisdictions, transparency is a core pillar. S.1748 would require platforms to publish, at least annually, transparency reports based on independent, third-party audits. Similarly, the EU DSA requires independent audits, systemic risk assessments and publication of transparency reports. The UK OSA requires platforms to send annual transparency reports to the UK regulator. Both the UK and Australia authorize their regulators to demand information from platforms regarding their safety systems. The independent audit requirement under the DSA has been criticized for its cost and burden, and it remains subject to focused pushback in S.1748.

US exceptions: What stands out in S.1748

There are several important ways S.1748 differs from its international counterparts – reflecting both the US legal environment and a focus on regulating platform design over restrictions on content.

Constitutional limits

S.1748 focuses on platform design – likely to avoid content-based restrictions that may violate the First Amendment. It clarifies that KOSA would not require platforms to restrict a minor from “deliberately and independently searching for … content.” Additionally, the bill explicitly prohibits regulators from enforcing KOSA based on users’ viewpoints. In contrast, the UK OSA and EU DSA more directly regulate harmful content, including “content that is harmful to children” (UK) and content that poses “systemic risks” (EU).

Duty of care

S.1748 would impose a duty on platforms to exercise “reasonable care” in the design of features to prevent foreseeable harms. At a high level, this parallels duties of care under the UK OSA to, among other things, take “proportionate measures” to mitigate and manage harm to children online and the DSA Article 35 obligation to “put in place reasonable, proportionate and effective mitigation measures” to mitigate systemic risks from their services. However, the KOSA duty is more focused on the design process, rather than directly regulating the speech outcome, likely reflecting at least in part First Amendment concerns with the latter approach. Specifically, the UK OSA mentions duties related to “illegal content” and “content that is harmful to children,” and the EU DSA identifies “illegal content” as a systemic risk, while the KOSA duty makes no mention of content and instead focuses on preventing and mitigating specific harms caused by “any design feature.”

Age verification

While Australia recently introduced laws to ban social media for those under 16 and require age verification, and the EU, UK and other countries are considering similar moves, S.1748 explicitly rejects mandatory collection of age data. Instead, S.1748 relies on a “knowledge” standard, imposing requirements if a platform knows or should know a user is a minor. This knowledge standard will raise a particular challenge for platforms that have deployed age assurance systems, but it will not necessarily require those who have not deployed age assurance systems to do so.

FTC enforcement risk

Enforcement risk under KOSA also stands out. S.1748 would authorize the Federal Trade Commission (FTC) and state attorneys general to enforce the law. The FTC is empowered to impose civil penalties of more than $50,000 per violation of KOSA. Simultaneously, state attorneys general may initiate civil actions regarding violations of KOSA’s safeguards, disclosure and transparency provisions. This creates a fragmented enforcement landscape that platforms must navigate alongside more centralized regulatory models in the UK, EU and Australia.

Takeaways

If passed, KOSA will increase the complexity of the online safety regulatory landscape and give new tools to a set of motivated regulators. In assessing positions to take on KOSA, tech companies should consider what work they have already done to meet UK OSA, AU OSA and the EU DSA – and consider where existing approaches should be revised to account for US-specific requirements and enforcement risks.

Our cross-functional team of tech regulatory and enforcement practitioners leverages deep, hands-on experience guiding tech companies through complex global frameworks – like the EU DSA, UK OSA and AU OSA – as well as navigating online safety inquiries from the FTC and state attorneys general. We are uniquely positioned to help platforms design trust and safety strategies to meet KOSA’s specific requirements, holistically assess risks and mitigations, and proactively prepare for emerging US enforcement interest.

Read our latest FTC update: Learn more about the FTC’s recent policy statement announcing that it will exercise enforcement discretion under the Children’s Online Privacy Protection Act to facilitate broader adoption of age verification technologies.

Executive Order Limits Underperforming Defense Contractors’ Ability to Conduct Stock Buybacks, Issue Dividends and Award Certain Executive Compensation

Thu, 05 Mar 2026 21:14:55 Z

On January 7, 2026, President Donald Trump issued Executive Order No. 14372, “Prioritizing the Warfighter in Defense Contracting” (EO), which targets underperforming federal contractors who, in the administration’s view, “pursue newer, more lucrative contracts, stock buy-backs, and excessive dividends to shareholders at the cost of production capacity, innovation, and on-time delivery.” The EO sets forth the federal government’s policy to “accelerate defense procurement and revitalize the defense industrial base.” To that end, effective immediately, the EO prohibits underperforming contractors from paying dividends or buying back stock “until such time as they are able to produce a superior product, on time and on budget.” The EO also seeks to limit future contracts, including renewals, by stipulating that executive incentive compensation for contractors be linked to “on-time delivery, increased production, and all necessary facilitation of investments and operating improvements.”

We summarize key provisions of the EO and outline key implications below.

Identification and notice to underperforming contractors; remediation

Section 3 of the EO sets forth a process to identify and provide notice to underperforming defense contractors who meet certain criteria established by the EO. Specifically, by February 6, 2026, the defense secretary must identify defense contractors for “critical weapons, supplies, and equipment” that are underperforming. Notably, the phrase “critical weapons, supplies, and equipment” is not defined in the EO. In addition, while the EO refers to “large” or “major” defense contractors in Sections 1 and 2 (which set forth the policy and purpose of the EO), those terms are not defined, and no such limitation is found in Section 3, which leaves ambiguity as to the universe of contractors to which the identification, notice and remediation procedures described herein apply.

The criteria for identification by the defense secretary include:

Noncompliance with their contracts.
Insufficient investment of their own capital into necessary production capacity.
Not sufficiently prioritizing US government contracts.
Insufficient production speed.

Defense contractors meeting at least one of the criteria above must also have engaged in stock buyback or other corporate distribution during the period of underperformance to be subject to the scrutiny of the EO. Once identified, the defense secretary must provide the contractor with notice, describing the nature of the underperformance or insufficient prioritization, investment or production speed, and work with the contractor through a 15-day period to resolve the issues through a remediation plan. Contractors must submit this remediation plan approved by the contractor’s board of directors for review by the defense secretary.

Enforcement options

If the defense secretary determines that a contractor’s remediation plan is insufficient, or where the defense secretary and the contractor are unable to resolve the dispute as to the underperformance within the 15-day period noted above, the defense secretary may take immediate enforcement action by way of the following:

Voluntary agreement with the contractor.
Any available enforcement actions under the Defense Production Act (50 USC 4501 et seq.).
Any available contract enforcement mechanisms within the Federal Acquisition Regulation and Defense Federal Acquisition Regulation Supplement.

In addition, the defense secretary must consider whether to cease or deny advocacy efforts for underperforming contractors competing for an international foreign military or direct commercial sale, in consultation with the secretary of state and the secretary of commerce. In considering whether to initiate any available enforcement action, the defense secretary may take into account factors, such as the financial condition of the contractor, economic viability of relevant programs and “potential mutual benefits offered by robust and sustained growth opportunities from the United States Government coupled with capital investments by the contractor.”

Future contract terms with new or existing contractors

By March 8, 2026, the defense secretary is also directed to ensure that any future contracts with new or existing contractors (including renewals) contain the following provisions:

Prohibiting stock buybacks and corporate distributions during a period of contractor underperformance, noncompliance, insufficient prioritization, investment or production speed.
Stipulating that executive incentive compensation for contractors will not be tied to short-term financial metrics such as “free cash flow or earnings per share driven by stock buy-backs,” and instead linked to metrics such as “on-time delivery, increased production, and all necessary facilitation of investments and operating improvements required to rapidly expand” US stockpiles and capabilities.
Requiring executive base salaries be capped at current levels for underperforming contractors to allow the defense secretary to “scrutinize the incentive portion of executive compensation.”

SEC directive

Finally, the EO also directs the chair of the Securities and Exchange Commission (SEC) to consider whether to adopt amended regulations under Rule 10b-18 to prohibit underperforming defense contractors from using the rule’s safe harbor provisions for stock buybacks.

Key implications

The EO outlines significant new expectations for defense contractors, and they should expect increased scrutiny and oversight from the federal government in new areas in the immediate future, such as executive compensation, contract performance and corporate decision-making. Meeting the compliance obligations of this EO is made more challenging by the unclear application of the EO in many respects, including if the identification, notice and remediation processes apply only to “major” defense contractors – and, if so, what threshold limitations apply, what “critical weapons, supplies, and equipment” manufacturers are covered by the EO, and what other forms of “corporate distributions” are captured. Notably, the EO does not distinguish between public or private companies, or prime and subcontractor status.

Given this ambiguity and the short time frames in which to respond to a notice of underperformance, all defense contractors (including subcontractors and nonpublic entities) should take steps to review and assess current programs and contracts for weapons, supplies and equipment, and review whether such programs could be viewed as underperforming, such as whether they are behind schedule or over budget. If so, affected contractors should proactively review applicable processes authorizing stock buybacks and dividends, executive compensation plans and agreements, as well as any applicable metrics used to evaluate executive performance, for terms deemed problematic under the EO. Contractors should also proactively outline any steps necessary to address areas of underperformance in a remediation plan, such as whether to reallocate resources, and ensure their boards of directors are informed about the EO’s requirements and can quickly review and approve a remediation plan. Finally, public companies should stay tuned for potential regulation from the SEC to Rule 10b-18 and be mindful regarding statements in public filings regarding existing and planned defense projects, as contractors should expect increased investor scrutiny.

Navigating the New Frontier: A Comparative Analysis of Stablecoin and Crypto-Asset Regulation in the US and Hong Kong

Thu, 05 Mar 2026 14:28:10 Z

As digital assets continue to reshape the global financial landscape, regulatory frameworks balancing innovation with investor protection and market integrity are taking shape. The United States and Hong Kong – two significant financial centers – offer notable case studies, each charting distinct paths toward crypto-asset regulation.

The past year has been pivotal for both jurisdictions. In the US, the enactment of the Guiding and Establishing National Innovation for US Stablecoins (GENIUS) Act in July 2025 marked a decisive shift toward federal oversight of payment stablecoin, while proposed legislation, including the Digital Asset Market Clarity Act (CLARITY Act), aims to bring clarity to the classification of digital assets and the division of regulatory responsibilities between the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC). Meanwhile, Hong Kong has advanced its “same activity, same risks, same regulation” philosophy through the implementation of its fiat-referenced stablecoin issuer regime and new licensing frameworks for virtual asset dealing, custody, advisory and management services.

This comparative analysis reveals fundamental differences in regulatory philosophy and architecture. The US has historically relied on a fragmented approach, applying existing securities and commodities frameworks to novel digital asset classes through agency guidance, enforcement actions and judicial interpretation. This fragmentation is inherent to the US federal-state system and common law tradition, where regulatory discretion and interpretive flexibility accommodate both innovation and evolving supervisory needs. The GENIUS Act represents a significant step toward harmonization in the stablecoin space, but the broader crypto-asset landscape remains in flux pending congressional action, and some degree of regulatory discretion and interpretive uncertainty will remain a structural characteristic of the US approach.

Hong Kong, by contrast, has pursued a unified, purpose-built regulatory architecture. By layering activity-specific licensing regimes over existing securities and anti-money laundering and countering the financing of terrorism (AML/CFT) frameworks, Hong Kong has created a coherent regulatory perimeter accommodating both tokenization of traditional assets and native virtual asset business models. The Securities and Futures Commission’s (SFC) “A-S-P-I-Re” roadmap provides market participants with a clear trajectory for the gradual integration of virtual asset markets with traditional financial infrastructure.

The chart below provides a comparative analysis of these two jurisdictions, examining their frameworks for crypto-asset classification, licensing, stablecoin regulation, enforcement and emerging initiatives. Understanding these developments is essential for market participants, legal practitioners and policymakers navigating the evolving regulatory terrain of digital finance.

Jurisdiction	United States (US)	Hong Kong (HK)
Regulatory approach	The US regulatory landscape for crypto-assets is primarily based on traditional frameworks, including: The SEC’s oversight of securities and the CFTC’s oversight of commodity futures, each relying on existing jurisprudence and crypto-specific guidance. State money transmission regulation. The US is maintaining existing regimes while transitioning toward new frameworks specifically tailored to crypto-assets. The GENIUS Act, enacted on July 8, 2025, establishes a federal framework for payment stablecoin that supplements or replaces state regulation of stablecoin issuance, but does not displace all state regulation of crypto-asset activities. As to digital asset market structure legislation aiming to establish a holistic regulatory framework for crypto-assets, a few versions of bills and discussion drafts have been released: The CLARITY Act, introduced by the House Committee on Financial Services, which passed the house on July 17, 2025. The discussion draft, released by the Senate Committee on Agriculture, Nutrition & Forestry on November 10, 2025, as updated by the January 21, 2026, draft (Senate Agriculture Draft), which is built on the CLARITY Act. The discussion draft, released by the Senate Committee on Banking, Housing and Urban Affairs on July 22, 2025, as updated by the September 5, 2025, draft and further updated by the January 12, 2026, draft (Senate Banking Draft). Harmonization and further discussions on substantive provisions – including the role of the SEC and CFTC and the decentralized finance provisions – will need to occur before passage of a unified bill.	Hong Kong is implementing a comprehensive, risk-based framework under a “same activity, same risks, same regulation” principle, layering activity-specific licensing and conduct standards over existing securities and AML/CFT regimes to accommodate both tokenization and native virtual asset (VA) business models, while preserving investor protection and market integrity. In addition to the dual virtual asset trading platform (VATP) licensing regime under the Securities and Futures Ordinance (SFO) and Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO), a fiat-referenced stablecoin (FRS) issuer regime took effect in August 2025. In 2026, Hong Kong is advancing new AMLO licensing regimes for VA dealing and custody and consulting on regimes for VA advisory and management, aligning requirements to SFO Type 1/4/9 paradigms covering capital, fitness and propriety, governance, conduct, AML/CFT, and client asset protection. The SFC’s “A-S-P-I-Re” roadmap guides gradual integration of VA markets with traditional infrastructure, including calibrated access to global liquidity, intra‑group shared order books and progressive retail access subject to product due diligence and risk disclosures. Policy is technology neutral and substance over form to prevent regulatory arbitrage.
Key regulators	Securities and Exchange Commission (SEC): Currently regulates crypto-assets that are securities or security-based swaps, securities exchanges, broker-dealers and investment advisers. Commodity Futures Trading Commission (CFTC): Currently regulates crypto-assets that are commodity futures or swaps (but not the spot market, other than having general anti-fraud and anti-manipulation authority), designated contract markets, futures commission merchants, swap dealers, commodity pool operators, commodity trading advisors, etc. Under the CLARITY Act and the Senate Agriculture Draft, the CFTC would regulate “digital commodities,” including both the spot market and derivatives, as well as “digital commodity exchanges,” “digital commodity brokers” and “digital commodity dealers.” Stablecoin Certification Review Committee (SCRC): Oversees payment stablecoin issued in compliance with the GENIUS Act. Office of the Comptroller of the Currency (OCC): Oversees federal nonbank permitted payment stablecoin issuers. State banking departments: Regulate nonbank companies engaging in payments-related crypto activities. Financial Crimes Enforcement Network (FinCEN): Establishes and oversees anti-money laundering compliance program requirements for money services businesses (as well as other financial institution types).	Securities and Futures Commission (SFC): Primary conduct and prudential regulator for VA intermediaries, VATPs and proposed AMLO licenses for dealing, custody, advisory and management. The SFC administers licensing and ongoing supervision (financial resources, governance, internal controls, client asset protection, disclosures, suitability and product due diligence), enforces active marketing restrictions and coordinates cross‑border enforcement. Hong Kong Monetary Authority (HKMA): Prudential supervisor of authorized institutions and regulator of FRS issuers under the 2025 regime. The HKMA oversees reserve composition, redemption mechanics, segregation of backing assets, operational resilience and wallet/payment interfaces. It also runs tokenization initiatives (e.g., Project Ensemble Sandbox) and the Fintech Supervisory Sandbox. Other authorities: Companies Registry: Trust or Company Service Provider (TCSP) licensing, where applicable Hong Kong Customs and Excise Department/The Department of Justice: AML/CFT enforcement Regulators coordinate via joint circulars and consultation conclusions to align conduct expectations for intermediaries distributing VA‑related products.
Classification of crypto-assets	Under existing SEC and CFTC regulatory regimes: Security: Includes an “investment contract” (determined by the Howey test) and instruments such as stocks, bonds and transferable shares. The SEC has taken the position that bitcoin (BTC) and ethereum (ETH) are not securities, but courts have found that certain sales of tokens can be classified as securities transactions under Howey. Commodity: Broadly defined to include all services, rights and interests in which contracts for future delivery are dealt. The CFTC has taken the position that BTC and ETH are commodities. Payment stablecoin: Under the GENIUS Act, payment stablecoin means a digital asset that is, or is designed to be, used as a means of payment or settlement, the issuer of which is obligated to convert, redeem or repurchase for a fixed amount of monetary value, not including a digital asset denominated in a fixed amount of monetary value. Such issuer will maintain, or create the reasonable expectation that it will maintain, a stable value relative to the value of a fixed amount of monetary value. Under the GENIUS Act, payment stablecoin does not include a digital asset that is a national currency, a deposit, including a deposit recorded using distributed ledger technology, or a security. Payment stablecoin issued in compliance with the GENIUS Act is neither a security nor a commodity. Under existing US state money transmission and virtual currency licensing laws, definitions vary, but “virtual currency” is generally defined as a digital unit used as a medium of exchange or digitally stored value that is not government-issued money but functions like money. Under the Senate Agriculture Draft: Digital commodity: Means any fungible digital asset that can be exclusively possessed and transferred, person to person, without necessary reliance on an intermediary, and recorded on a blockchain, including “network tokens” (as defined in the SEC rule) and “meme coins.” “Digital commodities” do not include securities, security derivatives, payment stablecoin, banking deposits, traditional commodities and commodity derivatives, pooled investment vehicles, goods, collectibles and other noncommodity digital assets. Under the Senate Banking Draft: Ancillary asset: A “network token” (discussed below), the value of which is dependent upon the entrepreneurial or managerial efforts of an ancillary asset originator or related person. Ancillary asset originator: Generally means, with respect to a particular ancillary asset, a person that (whether directly or through one or more subsidiary or controlled entities) initially offers, sells or distributes the ancillary asset, or during the 12-month period beginning on the date on which the ancillary asset is initially offered, sold or distributed, controls or causes the initial offer, sale or distribution of that ancillary asset. Network token: A digital commodity that is intrinsically linked to a distributed ledger system, and that derives, or is reasonably expected to derive, its value from the use of the distributed ledger system, and is treated as a nonsecurity solely for purposes of the federal securities laws.	Security tokens: Regulated as securities if they exhibit characteristics of traditional securities (investment contract, equity, debt). Utility tokens: Generally not securities, unless they have investment-like features. Exchange tokens: Treated as a means of exchange; not securities unless features change (e.g., BTC). Stablecoin: Regulated based on structure and use; FRS subject to new licensing regime. Non-fungible tokens (NFTs): Not securities unless structured as collective investment schemes or with investment features.
Registration /licensing	SEC registrations: Currently include registration of securities offerings and classes of securities, investment advisor, national security exchange, broker- dealer, etc. The Senate Banking Draft provides that the SEC would promulgate “Regulation Crypto” to govern registration exemption for the offer and sale of ancillary assets not exceeding the greater of $50 million in annual gross proceeds for up to four years, or 10% of the total dollar value of the outstanding ancillary assets. An ancillary asset originator may not raise more than $200 million in total gross proceeds in reliance on Regulation Crypto. CFTC registrations: Currently include registration as designated contract market, futures commission merchant, introducing broker, swap dealer, commodity pool operator, commodity trading advisor, etc. Under the CLARITY Act and the Senate Agriculture Draft, new CFTC registrations would include “digital commodity exchanges,” “digital commodity brokers” and “digital commodity dealers.” The GENIUS Act establishes a federal framework for payment stablecoin issuance while preserving a path for eligible state-regulated entities. Only “permitted payment stablecoin issuers” may issue payment stablecoin in the US. Subsidiaries of insured banks may issue stablecoin subject to primary federal regulator approval. Nonbanks may qualify subject to OCC approval, and entities with outstanding issuance below $10 billion may become state-qualified issuers by meeting specified criteria. Under state money transmission laws, including virtual currency-specific laws (like New York’s BitLicense), persons receiving, holding, transmitting or exchanging virtual currencies generally require a money transmission license for covered activities involving persons in that state.	Virtual asset trading platforms (VATPs): Expected by the regulatory authorities to be licensed under both the SFO and AMLO. Virtual asset fund managers: Type 9 (asset management) license, with additional requirements for greater than 10% VA exposure. Intermediaries: Type 1 (dealing in securities) and/or Type 4 (advising on securities) licenses for VA activities. Stablecoin issuers: HKMA stablecoin license required from August 2025. Virtual asset custodians: TCSP license required.
Stablecoin regulation	Issuing, buying, selling, exchanging, custodying or transmitting stablecoin is generally subject to state money transmission and virtual currency licensing regimes in each state where customers are located. Under the GENIUS Act, stablecoin issuance is restricted to permitted payment stablecoin issuers; a state money transmission license alone is insufficient unless the state obtains certification under the GENIUS Act. While the GENIUS Act does not expressly authorize other stablecoin activities (e.g., third-party payments), state money transmission regulation is likely preempted for subsidiaries of insured depository institutions or OCC-regulated national trust companies.	The HKMA has implemented a licensing regime for FRS issuers, establishing prudential and conduct requirements for issuance and redemption to the Hong Kong public. Issuers must be incorporated in Hong Kong or be an authorized institution; maintain eligible, segregated, bankruptcy-remote reserves with clear valuation, audit/attestation and redemption-at-par standards; and implement robust governance, risk management, operational resilience, disclosure, AML/CFT and recovery/wind-down arrangements. Only HKMA‑licensed issuers may offer FRS to retail customers, with wallet/payment interfaces overseen for safeguarding and segregation. Distribution by intermediaries is subject to SFC/HKMA conduct expectations. A supervisory sandbox supports pilot issuance and use‑case testing.
Enforcement	Active enforcement by the SEC, CFTC, Department of Justice, FinCEN, the New York Department of Financial Services and Office of Foreign Assets Control. High-profile cases against exchanges, decentralized finance protocols and token issuers. There are penalties for unregistered activity, fraud, AML breaches and sanctions violations. Active enforcement of unlicensed activity by state banking departments.	The SFC actively enforces against unlicensed VATPs, misleading claims and fraud. Penalties include fines, imprisonment and public warnings. Supervisory tools include public warnings, restriction notices, license conditions and criminal referrals. Civil remedies remain available, and Hong Kong courts grant proprietary/tracing injunctions, recognize crypto as property, and entertain winding-up and receivership applications involving digital assets. Notable actions include: JPEX warnings: In September 2023, the SFC warned that no JPEX entity held or had applied for a VATP license in Hong Kong. The case was referred to police on suspicion of fraud. Binance: In July 2021, the SFC warned that Binance was offering unauthorized stock token trading services, and that no Binance entity was licensed in Hong Kong.
Use of digital assets as collateral	The Uniform Commercial Code (UCC) 2022 Amendment clarifies the use of crypto-assets as collateral in secured transactions, introducing “controllable electronic records” (which include certain digital assets) and addressing perfection and priority rules. As of February 2026, 33 states in the US have adopted the UCC 2022 Amendment. On December 8, 2025, the CFTC announced a digital asset pilot program to allow the use of certain tokenized collateral, including BTC, ETH and payment stablecoin, as margin collateral by futures commission merchants (FCMs) in their derivatives positions.	Digital assets are recognized as property under Hong Kong law and may be subject to proprietary injunctions and held on trust. They may be used as collateral subject to contract, property, insolvency and regulatory requirements. Lenders typically take security by equitable charge or assignment over VAs, coupled with control arrangements (e.g., segregated wallets or regulated custodians). Perfection is achieved via notice and control mechanisms rather than registration.
Sandbox/innovation initiatives	SEC Project Crypto: For implementation of the recommendations from the President’s Working Group on Digital Asset Markets report CFTC Crypto Sprint: In parallel to the SEC’s Project Crypto CFTC-Listed Spot Crypto Trading Initiative: Allows for trading of spot crypto-asset contracts, including leveraged spot contracts, on CFTC-registered designated contract markets Digital Asset Pilot Program: Allows the use of certain tokenized collateral, including BTC, ETH and payment stablecoin, as margin collateral by FCMs 24/7 trading: Enables 24/7 trading on CFTC-regulated designated contract markets Perpetual futures: Allows for trading of perpetual futures on CFTC-registered designated contract markets	SFC Sandbox: For VATPs and fintech firms to test new products under regulatory supervision HKMA Fintech Supervisory Sandbox: For banks and tech firms to pilot fintech/blockchain solutions Stablecoin Issuer Sandbox: For operational testing of stablecoin issuance Project Ensemble Sandbox: For tokenization market pilots in asset management IA Insurtech Sandbox: For insurance-related blockchain pilots
Recent/upcoming regulatory developments	With the GENIUS Act enacted, US regulatory focus shifts to market structure legislation – in particular, harmonizing the various proposed bills and discussion drafts to establish a tailored crypto-asset framework, clarify SEC/CFTC responsibilities and streamline registration pathways for digital asset offerings. Other possible developments include guidance on stablecoin securities versus payment stablecoin under the GENIUS Act framework, potential clarity on token launches and airdrops, and custody and disclosure frameworks that could better accommodate blockchain-native features rather than requiring full adaptation to traditional securities infrastructure.	The Financial Services and the Treasury Bureau (FSTB) and SFC have issued consultation conclusions proposing new AMLO licensing regimes for VA dealing and custody service providers, with a hard commencement date and no deeming arrangements. A further consultation proposes separate AMLO regimes for VA advisory (modeled on SFO Type 4) and VA management (modeled on SFO Type 9) service providers. Together, these initiatives complete a unified, risk-aligned framework spanning trading, custody, advisory and management, with requirements benchmarked to SFO Type 1/4/9 standards. Client VA custody is expected to be provided by SFC‑regulated custodians (with narrow self‑custody allowances for new tokens). The SFC is tightening active marketing guardrails and advancing its “A-S-P-I-Re” program, including shared order books among licensed platforms and phased connectivity to offshore liquidity under investor‑protection controls.

Jurisdiction

United States (US)

Hong Kong (HK)

Regulatory approach

The US regulatory landscape for crypto-assets is primarily based on traditional frameworks, including:

The SEC’s oversight of securities and the CFTC’s oversight of commodity futures, each relying on existing jurisprudence and crypto-specific guidance.
State money transmission regulation.

The US is maintaining existing regimes while transitioning toward new frameworks specifically tailored to crypto-assets.

The GENIUS Act, enacted on July 8, 2025, establishes a federal framework for payment stablecoin that supplements or replaces state regulation of stablecoin issuance, but does not displace all state regulation of crypto-asset activities.

As to digital asset market structure legislation aiming to establish a holistic regulatory framework for crypto-assets, a few versions of bills and discussion drafts have been released:

The CLARITY Act, introduced by the House Committee on Financial Services, which passed the house on July 17, 2025.

The discussion draft, released by the Senate Committee on Agriculture, Nutrition & Forestry on November 10, 2025, as updated by the January 21, 2026, draft (Senate Agriculture Draft), which is built on the CLARITY Act.

The discussion draft, released by the Senate Committee on Banking, Housing and Urban Affairs on July 22, 2025, as updated by the September 5, 2025, draft and further updated by the January 12, 2026, draft (Senate Banking Draft).

Harmonization and further discussions on substantive provisions – including the role of the SEC and CFTC and the decentralized finance provisions – will need to occur before passage of a unified bill.

Hong Kong is implementing a comprehensive, risk-based framework under a “same activity, same risks, same regulation” principle, layering activity-specific licensing and conduct standards over existing securities and AML/CFT regimes to accommodate both tokenization and native virtual asset (VA) business models, while preserving investor protection and market integrity.

In addition to the dual virtual asset trading platform (VATP) licensing regime under the Securities and Futures Ordinance (SFO) and Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO), a fiat-referenced stablecoin (FRS) issuer regime took effect in August 2025. In 2026, Hong Kong is advancing new AMLO licensing regimes for VA dealing and custody and consulting on regimes for VA advisory and management, aligning requirements to SFO Type 1/4/9 paradigms covering capital, fitness and propriety, governance, conduct, AML/CFT, and client asset protection.

The SFC’s “A-S-P-I-Re” roadmap guides gradual integration of VA markets with traditional infrastructure, including calibrated access to global liquidity, intra‑group shared order books and progressive retail access subject to product due diligence and risk disclosures. Policy is technology neutral and substance over form to prevent regulatory arbitrage.

Key regulators

Securities and Exchange Commission (SEC): Currently regulates crypto-assets that are securities or security-based swaps, securities exchanges, broker-dealers and investment advisers.

Commodity Futures Trading Commission (CFTC): Currently regulates crypto-assets that are commodity futures or swaps (but not the spot market, other than having general anti-fraud and anti-manipulation authority), designated contract markets, futures commission merchants, swap dealers, commodity pool operators, commodity trading advisors, etc.

Under the CLARITY Act and the Senate Agriculture Draft, the CFTC would regulate “digital commodities,” including both the spot market and derivatives, as well as “digital commodity exchanges,” “digital commodity brokers” and “digital commodity dealers.”

Stablecoin Certification Review Committee (SCRC): Oversees payment stablecoin issued in compliance with the GENIUS Act.

Office of the Comptroller of the Currency (OCC): Oversees federal nonbank permitted payment stablecoin issuers.

State banking departments: Regulate nonbank companies engaging in payments-related crypto activities.

Financial Crimes Enforcement Network (FinCEN): Establishes and oversees anti-money laundering compliance program requirements for money services businesses (as well as other financial institution types).

Securities and Futures Commission (SFC): Primary conduct and prudential regulator for VA intermediaries, VATPs and proposed AMLO licenses for dealing, custody, advisory and management. The SFC administers licensing and ongoing supervision (financial resources, governance, internal controls, client asset protection, disclosures, suitability and product due diligence), enforces active marketing restrictions and coordinates cross‑border enforcement.

Hong Kong Monetary Authority (HKMA): Prudential supervisor of authorized institutions and regulator of FRS issuers under the 2025 regime. The HKMA oversees reserve composition, redemption mechanics, segregation of backing assets, operational resilience and wallet/payment interfaces. It also runs tokenization initiatives (e.g., Project Ensemble Sandbox) and the Fintech Supervisory Sandbox.

Other authorities:

Companies Registry: Trust or Company Service Provider (TCSP) licensing, where applicable

Hong Kong Customs and Excise Department/The Department of Justice: AML/CFT enforcement

Regulators coordinate via joint circulars and consultation conclusions to align conduct expectations for intermediaries distributing VA‑related products.

Classification of crypto-assets

Under existing SEC and CFTC regulatory regimes:

Security: Includes an “investment contract” (determined by the Howey test) and instruments such as stocks, bonds and transferable shares. The SEC has taken the position that bitcoin (BTC) and ethereum (ETH) are not securities, but courts have found that certain sales of tokens can be classified as securities transactions under Howey.

Commodity: Broadly defined to include all services, rights and interests in which contracts for future delivery are dealt. The CFTC has taken the position that BTC and ETH are commodities.

Payment stablecoin: Under the GENIUS Act, payment stablecoin means a digital asset that is, or is designed to be, used as a means of payment or settlement, the issuer of which is obligated to convert, redeem or repurchase for a fixed amount of monetary value, not including a digital asset denominated in a fixed amount of monetary value. Such issuer will maintain, or create the reasonable expectation that it will maintain, a stable value relative to the value of a fixed amount of monetary value.

Under the GENIUS Act, payment stablecoin does not include a digital asset that is a national currency, a deposit, including a deposit recorded using distributed ledger technology, or a security.

Payment stablecoin issued in compliance with the GENIUS Act is neither a security nor a commodity.

Under existing US state money transmission and virtual currency licensing laws, definitions vary, but “virtual currency” is generally defined as a digital unit used as a medium of exchange or digitally stored value that is not government-issued money but functions like money.

Under the Senate Agriculture Draft:

Digital commodity: Means any fungible digital asset that can be exclusively possessed and transferred, person to person, without necessary reliance on an intermediary, and recorded on a blockchain, including “network tokens” (as defined in the SEC rule) and “meme coins.” “Digital commodities” do not include securities, security derivatives, payment stablecoin, banking deposits, traditional commodities and commodity derivatives, pooled investment vehicles, goods, collectibles and other noncommodity digital assets.

Under the Senate Banking Draft:

Ancillary asset: A “network token” (discussed below), the value of which is dependent upon the entrepreneurial or managerial efforts of an ancillary asset originator or related person.

Ancillary asset originator: Generally means, with respect to a particular ancillary asset, a person that (whether directly or through one or more subsidiary or controlled entities) initially offers, sells or distributes the ancillary asset, or during the 12-month period beginning on the date on which the ancillary asset is initially offered, sold or distributed, controls or causes the initial offer, sale or distribution of that ancillary asset.

Network token: A digital commodity that is intrinsically linked to a distributed ledger system, and that derives, or is reasonably expected to derive, its value from the use of the distributed ledger system, and is treated as a nonsecurity solely for purposes of the federal securities laws.

Security tokens: Regulated as securities if they exhibit characteristics of traditional securities (investment contract, equity, debt).

Utility tokens: Generally not securities, unless they have investment-like features.

Exchange tokens: Treated as a means of exchange; not securities unless features change (e.g., BTC).

Stablecoin: Regulated based on structure and use; FRS subject to new licensing regime.

Non-fungible tokens (NFTs): Not securities unless structured as collective investment schemes or with investment features.

Registration
/licensing

SEC registrations: Currently include registration of securities offerings and classes of securities, investment advisor, national security exchange, broker- dealer, etc.

The Senate Banking Draft provides that the SEC would promulgate “Regulation Crypto” to govern registration exemption for the offer and sale of ancillary assets not exceeding the greater of $50 million in annual gross proceeds for up to four years, or 10% of the total dollar value of the outstanding ancillary assets. An ancillary asset originator may not raise more than $200 million in total gross proceeds in reliance on Regulation Crypto.

CFTC registrations: Currently include registration as designated contract market, futures commission merchant, introducing broker, swap dealer, commodity pool operator, commodity trading advisor, etc.

Under the CLARITY Act and the Senate Agriculture Draft, new CFTC registrations would include “digital commodity exchanges,” “digital commodity brokers” and “digital commodity dealers.”

The GENIUS Act establishes a federal framework for payment stablecoin issuance while preserving a path for eligible state-regulated entities. Only “permitted payment stablecoin issuers” may issue payment stablecoin in the US. Subsidiaries of insured banks may issue stablecoin subject to primary federal regulator approval. Nonbanks may qualify subject to OCC approval, and entities with outstanding issuance below $10 billion may become state-qualified issuers by meeting specified criteria.

Under state money transmission laws, including virtual currency-specific laws (like New York’s BitLicense), persons receiving, holding, transmitting or exchanging virtual currencies generally require a money transmission license for covered activities involving persons in that state.

Virtual asset trading platforms (VATPs): Expected by the regulatory authorities to be licensed under both the SFO and AMLO.

Virtual asset fund managers: Type 9 (asset management) license, with additional requirements for greater than 10% VA exposure.

Intermediaries: Type 1 (dealing in securities) and/or Type 4 (advising on securities) licenses for VA activities.

Stablecoin issuers: HKMA stablecoin license required from August 2025.

Virtual asset custodians: TCSP license required.

Stablecoin regulation

Issuing, buying, selling, exchanging, custodying or transmitting stablecoin is generally subject to state money transmission and virtual currency licensing regimes in each state where customers are located.

Under the GENIUS Act, stablecoin issuance is restricted to permitted payment stablecoin issuers; a state money transmission license alone is insufficient unless the state obtains certification under the GENIUS Act. While the GENIUS Act does not expressly authorize other stablecoin activities (e.g., third-party payments), state money transmission regulation is likely preempted for subsidiaries of insured depository institutions or OCC-regulated national trust companies.

The HKMA has implemented a licensing regime for FRS issuers, establishing prudential and conduct requirements for issuance and redemption to the Hong Kong public.

Issuers must be incorporated in Hong Kong or be an authorized institution; maintain eligible, segregated, bankruptcy-remote reserves with clear valuation, audit/attestation and redemption-at-par standards; and implement robust governance, risk management, operational resilience, disclosure, AML/CFT and recovery/wind-down arrangements.

Only HKMA‑licensed issuers may offer FRS to retail customers, with wallet/payment interfaces overseen for safeguarding and segregation. Distribution by intermediaries is subject to SFC/HKMA conduct expectations. A supervisory sandbox supports pilot issuance and use‑case testing.

Enforcement

Active enforcement by the SEC, CFTC, Department of Justice, FinCEN, the New York Department of Financial Services and Office of Foreign Assets Control. High-profile cases against exchanges, decentralized finance protocols and token issuers. There are penalties for unregistered activity, fraud, AML breaches and sanctions violations.

Active enforcement of unlicensed activity by state banking departments.

The SFC actively enforces against unlicensed VATPs, misleading claims and fraud. Penalties include fines, imprisonment and public warnings.

Supervisory tools include public warnings, restriction notices, license conditions and criminal referrals. Civil remedies remain available, and Hong Kong courts grant proprietary/tracing injunctions, recognize crypto as property, and entertain winding-up and receivership applications involving digital assets.

Notable actions include:

JPEX warnings: In September 2023, the SFC warned that no JPEX entity held or had applied for a VATP license in Hong Kong. The case was referred to police on suspicion of fraud.

Binance: In July 2021, the SFC warned that Binance was offering unauthorized stock token trading services, and that no Binance entity was licensed in Hong Kong.

Use of digital assets as collateral

The Uniform Commercial Code (UCC) 2022 Amendment clarifies the use of crypto-assets as collateral in secured transactions, introducing “controllable electronic records” (which include certain digital assets) and addressing perfection and priority rules.

As of February 2026, 33 states in the US have adopted the UCC 2022 Amendment.

On December 8, 2025, the CFTC announced a digital asset pilot program to allow the use of certain tokenized collateral, including BTC, ETH and payment stablecoin, as margin collateral by futures commission merchants (FCMs) in their derivatives positions.

Digital assets are recognized as property under Hong Kong law and may be subject to proprietary injunctions and held on trust. They may be used as collateral subject to contract, property, insolvency and regulatory requirements. Lenders typically take security by equitable charge or assignment over VAs, coupled with control arrangements (e.g., segregated wallets or regulated custodians). Perfection is achieved via notice and control mechanisms rather than registration.

Sandbox/innovation initiatives

SEC Project Crypto: For implementation of the recommendations from the President’s Working Group on Digital Asset Markets report

CFTC Crypto Sprint: In parallel to the SEC’s Project Crypto

CFTC-Listed Spot Crypto Trading Initiative: Allows for trading of spot crypto-asset contracts, including leveraged spot contracts, on CFTC-registered designated contract markets

Digital Asset Pilot Program: Allows the use of certain tokenized collateral, including BTC, ETH and payment stablecoin, as margin collateral by FCMs

24/7 trading: Enables 24/7 trading on CFTC-regulated designated contract markets

Perpetual futures: Allows for trading of perpetual futures on CFTC-registered designated contract markets

SFC Sandbox: For VATPs and fintech firms to test new products under regulatory supervision

HKMA Fintech Supervisory Sandbox: For banks and tech firms to pilot fintech/blockchain solutions

Stablecoin Issuer Sandbox: For operational testing of stablecoin issuance

Project Ensemble Sandbox: For tokenization market pilots in asset management

IA Insurtech Sandbox: For insurance-related blockchain pilots

Recent/upcoming regulatory developments

With the GENIUS Act enacted, US regulatory focus shifts to market structure legislation – in particular, harmonizing the various proposed bills and discussion drafts to establish a tailored crypto-asset framework, clarify SEC/CFTC responsibilities and streamline registration pathways for digital asset offerings.

Other possible developments include guidance on stablecoin securities versus payment stablecoin under the GENIUS Act framework, potential clarity on token launches and airdrops, and custody and disclosure frameworks that could better accommodate blockchain-native features rather than requiring full adaptation to traditional securities infrastructure.

The Financial Services and the Treasury Bureau (FSTB) and SFC have issued consultation conclusions proposing new AMLO licensing regimes for VA dealing and custody service providers, with a hard commencement date and no deeming arrangements.

A further consultation proposes separate AMLO regimes for VA advisory (modeled on SFO Type 4) and VA management (modeled on SFO Type 9) service providers. Together, these initiatives complete a unified, risk-aligned framework spanning trading, custody, advisory and management, with requirements benchmarked to SFO Type 1/4/9 standards.

Client VA custody is expected to be provided by SFC‑regulated custodians (with narrow self‑custody allowances for new tokens). The SFC is tightening active marketing guardrails and advancing its
“A-S-P-I-Re” program, including shared order books among licensed platforms and phased connectivity to offshore liquidity under investor‑protection controls.

Conclusion

As the US and Hong Kong continue to refine their digital asset frameworks, one constant remains: The regulatory environment is evolving at extraordinary speed. Both jurisdictions are iterating policy in real time, whether through congressional negotiations over market‑structure legislation in the US or Hong Kong’s rapid expansion of activity‑specific licensing regimes and integration of virtual assets into mainstream financial infrastructure. Market participants will need to remain agile, monitor developments closely and be prepared to recalibrate as regulatory expectations continue to shift. In this era of accelerated innovation and equally dynamic oversight, adaptability is not merely a competitive advantage but also a prerequisite for operating with confidence in the global digital asset ecosystem.

Download this article in Chinese (PDF).

Beyond the Online Safety Act: UK Proposes Sweeping Social Media Ban and Feature Restrictions

Tue, 03 Mar 2026 21:12:41 Z

On 2 March 2026, the UK government published a consultation on proposals that would add to existing requirements under the UK Online Safety Act (OSA).

The consultation is significant because of the breadth of measures being considered by the UK government – including a social media ban – and the government’s indication that it intends to move quickly to complete the consultation and pass new measures into law.

What the consultation covers

The UK government’s consultation covers a broad range of topics, including:

Social media ban: Should the UK impose a minimum age to use social media and, if so, what age?
Restrictions on specific features: Should the UK restrict child access to certain “risky” functionalities and design features that encourage excessive use?
Raising age of consent: Should the UK raise the digital age of consent from 13?
Age assurance: How should age verification and age assurance technologies support effective implementation of any ban/restrictions?
Mobile phones in schools: Should existing guidance on the use of mobile phones in schools be put on statutory footing?
Parental controls: How could new laws support parents in managing online experiences (e.g. clearer guidance, simpler parental controls)?

What is interesting

There are a few specific aspects of the consultation worth noting:

Big unanswered questions – While the government’s ambitions are broad, it acknowledges the risk of unintended consequences (e.g. driving children toward riskier, less-regulated platforms). It also leaves the precise regulatory perimeter undefined. For example, despite asking various questions about whether respondents support age restricting access to artificial intelligence (AI) chatbots, the consultation does not articulate a clear definition of what types of services constitute “AI chatbots”. The consultation also floats potential exemptions to any social media ban for educational or low-risk services and questions whether the rules should capture gaming sites and messaging apps. These scoping issues will ultimately be crucial to the success of any future policy intervention.
Imitation game – The consultation makes clear that the UK government is closely evaluating international precedents, specifically highlighting Australia’s recent social media ban, which requires platforms to take reasonable steps to prevent users under 16 from holding accounts. The consultation specifically asks whether the UK should align with the Australian definition of social media – an interesting question given that the Australia social media ban has been subject to various criticisms linked to its rushed development. Certain of the specific feature restrictions being contemplated also reflect measures dealt with under the European Union Digital Services Act’s Article 28 Protection of Minors Guidelines and the proposed Kids’ Online Safety Bill in the United States.
VPN circumvention – To mitigate the risk of children circumventing age restrictions, the government is also considering whether users should face mandatory age checks to access virtual private networks (VPNs). This would have significant privacy and operational implications for adult users and enterprises.
Silence on key questions – There are many interesting questions that the consultation has not asked; one of them is whether age restrictions on specific features (e.g. connecting or talking to strangers) might mitigate the perceived imperative to introduce a broader social media ban. This is a curious omission in circumstances where much of the perceived risk of social media services is expressed as stemming from such features.

Timeline

The consultation closes on 26 May 2026.
The government’s response is expected in summer 2026.
Reforms to bring “chatbots” in scope of existing UK OSA requirements are expected to be added to the already pending Crime and Policing Bill imminently.
A bill providing for new requirements may be tabled as early as autumn 2026.

Next steps

Providers wishing to provide feedback on the consultation must act quickly to prepare and submit a robust response ahead of the 26 May 2026 deadline. Informing the regulatory landscape at this early stage is critical to mitigating future compliance burdens.

For platforms taking a wait-and-see approach, we will be closely tracking the government’s response expected in summer 2026, which will provide a strong directional signal of the final requirements.

The Cooley team has extensive, market-leading experience advising global technology companies on UK OSA compliance and engaging with the UK Office of Communications (Ofcom). Please reach out to discuss how these sweeping proposals could impact your platform and to begin formulating your regulatory strategy.

UPDATED: US Congress Eliminates Foreign Private Issuer Exemption for Insider Reporting Obligations Under Holding Foreign Insiders Accountable Act

Tue, 03 Mar 2026 17:25:09 Z

On February 27, 2026, the US Securities and Exchange Commission (SEC) adopted final amendments to its rules and forms to reflect the disclosure requirements of the Holding Foreign Insiders Accountable Act, which was signed into law on December 18, 2025. Importantly, the SEC’s amendments do not go beyond the reporting obligations originally enacted by the act. Accordingly, this client alert has been updated to reflect the SEC’s recent actions.

The act subjects directors and officers of foreign private issuers (FPIs) to the insider reporting requirements under Section 16(a) of the US Securities Exchange Act of 1934, as amended (Exchange Act). Existing directors and certain officers (Section 16 officers and, together with directors, “insiders”) of FPIs will have to begin reporting under Section 16(a) effective March 18, 2026. Such insiders must timely report to the SEC their ownership of, and changes in their ownership of, the issuer’s securities.

To assist FPIs in preparing for this significant change in insider reporting obligations, we have summarized the below frequently asked questions and responses under the new law.

What amendments did the SEC adopt?

The SEC amended Rule 3a12-3(b) to be consistent with the act by removing the current exemption from Section 16 in its entirety and replacing it with exemptions from the Section 16(b) short-swing profit rules and Section 16(c) short-selling prohibition only. The SEC also amended Rule 16a-2 to exclude 10% holders of FPIs’ equity securities from the new Section 16(a) reporting requirements. The amendments also include changes to Section 16 reports, consisting of Forms 3, 4 and 5, to reflect the changes made by the act and technical amendments to the forms to accommodate a foreign trading symbol, if applicable, foreign addresses and SEC contact information.

Who will be subject to Section 16(a) reporting obligations?

Directors

All directors of the issuer are subject to Section 16(a) reporting obligations. Note that if an institutional investor has the right to “deputize” a director (director by deputization) to serve on the issuer’s board in furtherance of the institution’s interests, the institutional investor may also be subject to Section 16(a) reporting obligations.

Section 16 officers

Under SEC rules, the definition of “officers” for Section 16(a) purposes is the same as the definition used for the FPI’s clawback policy. Officers include:

The president (or CEO).
The principal financial officer.
The principal accounting officer.
Any vice president of the issuer in charge of a principal business unit, division or function.
Any other person who performs a (significant) policy-making function, regardless of title.

In practice, the individuals disclosed as officers in an FPI’s annual report on Form 20-F should generally correspond to the officers subject to Section 16(a) reporting obligations (assuming your Form 20-F names your principal accounting officer, or your chief financial officer also performs the principal accounting officer role).

The act specifically refers only to “officers and directors” of FPIs. Although Section 16(a) of the Exchange Act also applies to 10% owners, the final amendments adopted by the SEC expressly amended Rule 16a-2 to exclude 10% holders of FPIs’ equity securities from the new Section 16(a) reporting requirements. Accordingly, 10% owners of FPIs will continue to be exempt from Section 16(a) reporting obligations.

Which forms are required to be filed, and what events trigger these filings?

Form 3 (initial beneficial ownership statement)

Form 3 must be filed after becoming an insider. Form 3 must disclose all of the insider’s beneficial ownership of equity securities of the issuer (including derivatives such as options, convertible bonds and warrants). Even if the insider does not beneficially own any securities of the issuer, a Form 3 must be filed indicating “no securities beneficially owned.”

Form 4 (statement of changes in beneficial ownership)

Form 4 must be filed when an insider engages in any nonexempt transaction in equity securities (including derivatives) that results in a change in the insider’s beneficial ownership. This typically includes purchases and sales of securities, equity compensation grants, option exercises and dispositions or withholdings of securities to pay taxes or an exercise price, among others.

Form 5 (annual statement)

Form 5 is used to report transactions in the prior fiscal year that were not required to be reported on Form 4, or transactions that should have been reported on Form 3 or Form 4 but were not reported (i.e., late filings), as well as total beneficial ownership as of the end of the issuer’s fiscal year. In practice, Form 5 is commonly used to report small acquisitions, gifts, inheritances or changes in holdings resulting from dividend distributions or dividend reinvestment plans. As a best practice, transactions that are eligible for deferred reporting on Form 5 are often voluntarily reported on Form 4 in advance.

What are the filing deadlines?

Form 3

Insiders of an existing FPI will be required to report their equity holdings on a Form 3 for the first time on March 18, 2026. Thereafter, for newly appointed insiders, Form 3 must be filed within 10 calendar days after the person becomes an insider. In an initial public offering (IPO) context, Form 3 filings must be filed by the effective date of the registration statement (typically the IPO pricing date).

Form 4

Form 4 must be filed by the end of the second business day following the reportable transaction.

Form 5

Form 5 must be filed within 45 calendar days after the issuer’s fiscal year-end.

The timing of the above filings will align with the rules currently applicable to insiders of US domestic issuers. Filings will be required in all cases, by 10:00 PM ET on the due date. If a filing deadline falls on a weekend or a US federal holiday, the deadline is extended to the next business day.

What are the direct impacts on an FPI’s existing disclosure framework?

Public disclosure of equity compensation information

Currently, equity compensation for insiders of FPIs is often disclosed only on an aggregate basis unless individual disclosure is required in the issuer’s home country. After the Section 16(a) amendments become effective, insiders of FPIs must publicly report their beneficial ownership of, and changes in their beneficial ownership of, the issuer’s securities, resulting in the disclosure of information that may not previously have been publicly disclosed, such as individual award-by-award grants and changes in holdings caused by grants.

Public disclosure of beneficial ownership information

Form 20-F permits individual securities ownership of any director or senior manager to be omitted if such person owns less than 1% of the outstanding securities of the issuer, and the person’s individual securities ownership has not otherwise been disclosed to shareholders or otherwise been made public. Because the Section 16(a) amendments will require insiders of FPIs to file public reports with their individual beneficial ownership, such information will have been made public, and therefore the exemption from individualized disclosure will no longer be available. As a result, individualized securities ownership disclosure requirements for directors and officers in Form 20-F may increase.

FPIs should promptly begin compliance preparations.

Given the short runway to the March 18, 2026, effectiveness date for the enhanced reporting requirements, FPIs should kick off their compliance readiness and establish a Section 16(a) reporting compliance program, including the following key steps:

Confirm the scope of Section 16 officers. FPIs should revisit who is designated as “Section 16 officer” in their disclosure and in connection with the adoption of their clawback policies, as those same officers will now be subject to the above Section 16 reporting requirements.
Review insider trading policies. FPIs should review insider trading policies to determine whether transfers of the FPI’s stock by insiders are subject to pre-clearance in order to facilitate timely reporting of transactions.
Enroll in EDGAR Next. FPIs should ensure all insiders have obtained EDGAR filing codes (SEC electronic filing credentials).
Prepare initial Form 3 filings. Prepare initial ownership filings on Form 3 for insiders in order to be ready to file with the SEC on March 18, 2026.
Conduct internal compliance training. Conduct internal training sessions with insiders to ensure compliance with the new filing requirements and types of transactions in the FPI’s stock that are required to be reported under Section 16(a).

7.What are the consequences of late filing or not filing?

Failure to timely file Section 16(a) reports constitutes a violation of US securities laws by the insider and may also subject the issuer to regulatory scrutiny. The act also authorizes the SEC to issue additional regulations as necessary to implement the intent of the act, and it is possible that the SEC may, by reference to the disclosure approach applicable to domestic issuers, require FPIs to disclose in their annual reports the names of delinquent filers and information about untimely filings (including the number of late reports and related transactions).

If the issuer agrees to make Section 16 filings for its insiders, the issuer must determine whether it has sufficient controls and procedures in place to ensure the timely filing of Section 16 reports.

Will insiders be subject to Section 16(b) short-swing profit recovery or Section 16(c) short-selling prohibition?

No. While the act only made changes to the reporting requirements in Section 16(a) of the Exchange Act and did not address the requirements of Section 16(b)’s “short-swing” liability or Section 16(c)’s short-selling prohibition, the SEC’s final rule amendments expressly exempt insiders of FPIs from Section 16(b) and 16(c).

The SEC has authority to grant exemptions for FPIs listed in jurisdictions with substantially similar requirements.

The act grants the SEC authority to exempt insiders of FPIs that are subject to “substantially similar requirements” in a foreign jurisdiction from Section 16(a) reporting requirements. At the time of publishing the amendments, the SEC has indicated that it is still evaluating whether it will grant such exemptive relief in a separate rulemaking or order.

For further questions on US capital markets and securities regulation matters, please feel free to contact us.

Better Late Than Never? FDA Receives Long-Awaited Statutory Fix for Orphan Drug Exclusivity in Recent Appropriations Act

Mon, 02 Mar 2026 15:18:12 Z

The Consolidated Appropriations Act, signed into law on February 3, 2026, avoided another government shutdown. But notably for the US Food and Drug Administration (FDA) and drug developers, it also codified FDA’s long-standing approach toward the scope of orphan drug exclusivity that had become a subject of litigation in recent years.

The Orphan Drug Act of 1983 was intended to incentivize the development of drugs for rare diseases. Among these incentives, perhaps the most sought after is the seven-year period of exclusivity.¹ This exclusivity precludes FDA from approving another drug with the same active ingredient for the orphan disease during the exclusivity period. While the text of the Orphan Drug Act previously precluded FDA from approving another application for the same drug for the “same disease or condition,” FDA has historically narrowed the scope of orphan drug exclusivity to the use or indication for which it was approved.

Though courts have reached a different conclusion based on the plain meaning of the statute, FDA has justified this interpretation as consistent with the purpose of the Orphan Drug Act, because it incentivized sponsors to develop drugs for all persons affected by a rare disease or condition, even after approval of a drug for an indication that only affected certain subsets within a rare disease patient population.² The agency’s long-standing approach toward orphan drug exclusivity meant that FDA could approve a later-in-time application for the “same drug” if it approved the later-in-time drug for a specific indication that differed from that of the approved orphan drug despite the approved drug’s seven-year orphan drug exclusivity.

Catalyst and Neurelis decisions

In recent years, FDA faced two challenges to its approach toward orphan drug exclusivity. In both cases, the courts have held that this approach is a violation of the “clear command” of the Orphan Drug Act that ties the scope of exclusivity to the disease or condition for which the drug received orphan drug designation.³

In Catalyst Pharms., Inc. v. Becerra,⁴ the manufacturers of the amifampridine drug Firdapse challenged FDA’s award of orphan drug exclusivity to Ruzurgi. Firdapse was approved and awarded orphan drug exclusivity for Lambert-Eaton myasthenic syndrome (LEMS) in adults. During the seven-year exclusivity period for Firdapse, FDA granted approval and a separate period of orphan drug exclusivity to Jacobus’ Ruzurgi, which also contained the active ingredient amifampridine, for treatment of LEMS in patients ages 6 to 17.

Catalyst, Firdapse’s sponsor, sued FDA in the US District Court for the Southern District of Florida for its approval decision given the orphan drug exclusivity attached to Firdapse. The district court, applying the Chevron doctrine, determined that the language “same disease or condition” was ambiguous, and that Catalyst presented no authority that called into question FDA’s interpretation of the phrase.⁵ But the US Court of Appeals for the 11th Circuit rejected FDA’s interpretation of the Orphan Drug Act, noting that Congress could have written the law to tie the scope of exclusivity to the specific use or indication for which the drug was approved but chose not to use those terms.⁶ Following the 11th Circuit’s decision, FDA published an announcement explaining that while the agency complied with the court’s order in Catalyst to set aside Ruzurgi’s approval, it intended to continue to apply its regulations and tie the scope of orphan drug exclusivity to the use or indication of the approved drug for decisions beyond the scope of Catalyst.⁷

It was not long before FDA again found its interpretation of orphan drug exclusivity challenged. In August 2022, FDA approved Libervant, a buccal film formulation of diazepam, for treatment of acute repetitive seizures in patients ages 2 to 5. The following year, Neurelis, whose diazepam nasal spray Valtoco had previously been approved and received orphan drug exclusivity for treatment of acute repetitive seizures in adults, submitted a supplemental New Drug Application (NDA) seeking approval for this indication in patients ages 2 to 5.

FDA granted tentative approval for this indication due to Libervant’s exclusivity in this patient population. In the subsequent litigation, Neurelis Inc. v. Califf, the US District Court for the District of Columbia determined that FDA’s orphan drug exclusivity approval of Libervant violated the Orphan Drug Act, adopting the 11th Circuit’s opinion in Catalyst, finding that the text of the Orphan Drug Act ties the scope of exclusivity to the orphan drug designation, and that the Orphan Drug Act is “clear” and decisive” in this regard.⁸

The court also rejected novel arguments made by Libervant manufacturer Aquestive and FDA in support of FDA’s interpretation of the scope of orphan drug exclusivity. The court found Aquestive’s reliance on the word “application” in 21 USC §360cc as evidence of congressional intent to tie exclusivity to the scope of approval to be misplaced. The court also rejected arguments that Congress’ lack of action to update the scope of orphan drug exclusivity constituted acquiescence to FDA’s interpretation, finding that there was simply not enough evidence of such acquiescence.

Congress adopts FDA’s interpretation of orphan drug exclusivity

On February 3, 2026, FDA received the congressional fix it had been waiting for. Section 6605 of the Consolidated Appropriations Act of 2026 amends 21 USC 360cc, which addresses the exclusivity award that attaches upon approval of a drug designated for a rare disease or condition. Significantly, the new legislation replaces the phrase “same disease or condition” with “same approved use or indication within such rare disease or indication.” It also adds a definition for “approved use or indication” to mean the use or indication FDA approves in a submitted NDA or Biologics License Application for an orphan-designated drug. Congress also added an additional subsection to the statute to clarify that these amendments to the statute apply to any orphan-designated drug, regardless of the date on which it was designated or the date of approval.

This is not the first time Congress has instituted a legislative fix to seemingly endorse FDA’s interpretation of the Orphan Drug Act. Following the decisions in Depomed, Inc. v. HHS⁹ and Eagle Pharm., Inc. v. Azar,¹⁰ where the courts rejected FDA’s “clinical superiority” requirement for granting exclusivity to a subsequent drug that is the “same drug” for the “same disease or condition,” Congress amended the Orphan Drug Act in 2017. These amendments updated §360cc(a), replacing “such drug” with “same drug” and codifying the clinical superiority requirement, which requires a sponsor of a drug otherwise the same as a previously approved drug for the same disease or condition to demonstrate clinical superiority to the approved drug in order to obtain a period of orphan drug exclusivity. While these changes have not completely warded off legal challenges to FDA’s clinical superiority determinations, courts have upheld the clinical superiority requirement, finding that the 2017 amendments constituted congressional endorsement of this requirement.¹¹

What does this change mean for sponsors?

While Congress amended 21 USC 360cc, it left 21 USC 360bb, which addresses orphan drug designation, as is. Orphan drug designation still applies to the entire disease or condition. Critically, this avoids any tension with existing FDA regulations regarding orphan drug designation requests, which require a sponsor seeking orphan drug designation for a drug that is the same drug as an already approved drug for the same rare disease or indication to present a plausible hypothesis that its drug is clinically superior to the first. Thus, while these statutory changes could lead to more orphan drug exclusivity awards following approvals within the same orphan disease –particularly in cases where multiple sponsors currently hold orphan designation for the same drug – they may not necessarily lead to a flood of new orphan drug designation requests, particularly for previously approved drugs.

That said, current sponsors should reconsider their regulatory strategy in light of these amendments. For example, sponsors that previously planned their submission strategy based on orphan drug exclusivity that extended to the whole rare disease population will want to consider how these amendments may narrow any existing or planned exclusivity. Alternatively, this statutory change may present an opportunity for approval where another previously approved drug has orphan drug exclusivity even without comparative data demonstrating clinical superiority.

We are also interested to see how this statutory change may impact label negotiations, now that FDA is on surer footing for its statutory interpretation. We would anticipate that FDA will favor more specific labels during the approval process, which would pave the way for the agency to approve more drugs to treat rare diseases based on these amendments, particularly given their retroactive applicability.

Cooley lawyers are available to discuss how this latest update to the orphan drug provisions of the Federal Food, Drug, and Cosmetic Act may impact your regulatory strategy. Feel free to reach out to any of the attorneys listed below.

Notes

This exclusivity is different from patents, which grant the inventor exclusive rights to their invention during a 20-year patent term. Exclusivity granted by FDA provides for delays and prohibitions on the approval of competitor drugs that attach upon FDA approval of the drug. Some exclusivity periods, such as seven-year orphan drug exclusivity, run parallel to patent protections, while six-month pediatric exclusivity, attaches to the end of existing patents and exclusivities, but only extends FDA protections against competitor approvals.
76 Fed. Reg. 202, 64871 (October 19, 2011).
Neurelis Inc. v. Califf, No. 24-1576 (D.D.C., Feb. 14, 2025).
14 F.4th 1299, (11th Cir. 2021).
Catalyst at 1306.
Id. at 1309.
US Food and Drug Administration, FDA’s Overview of Catalyst Pharms., Inc. v. Becerra, (last updated Jan. 23, 2023).
Neurelis Inc., No. 24-1576 at 16.
66 F.Supp.3d 217 (D. D.C. 2014).
952 F.3d 323 (D.C. Cir. 2020).
Jazz Pharmaceuticals, Inc. v. Kennedy, No. 24-5262 (D.C. Cir. 2025).

Federal Circuit Sheds Light on Patent Eligibility for Gene Therapy Patents in Precedential REGENXBIO Decision

Mon, 02 Mar 2026 08:00:00 Z

On February 20, 2026, the US Court of Appeals for the Federal Circuit issued a precedential decision in REGENXBIO Inc. v. Sarepta Therapeutics, Inc., holding that claims directed at an “undisputedly human made” host cell containing recombinant nucleic acid molecules are patent eligible under §101 (2026 WL 479224 (Fed. Cir. Feb. 20, 2026)). The Federal Circuit reversed the US District Court for the District of Delaware’s summary judgment decision holding that the claims were patent ineligible because they were directed at naturally occurring subject matter and remanded the case back to the district court.

The Federal Circuit’s analysis in the REGENXBIO decision provides the latest guidance on patent eligibility for claims related to life sciences inventions, such as recombinantly engineered cells.

Background

Mutations or deletions in sequences of nucleotides in DNA can cause genetic disorders. Such disorders can be treated by using gene therapy that can deliver a new therapeutic gene to replace the defective or missing gene by using modified virus “vectors,” or “host cells.” REGENXBIO’s patent at issue, US Patent No. 10,526,617, is directed to genetically engineered host cells that contain a recombinant nucleic acid molecule, which was created by “chemically splicing together nucleic acid sequences from two different organisms” (REGENXBIO, 2026 WL 479224, at *1-2).

In the district court, both parties moved for summary judgment of patent eligibility under §101. Under §101, only a “new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof” is patent eligible (35 USC §101). Patent claims cannot be granted for “[l]aws of nature, natural phenomena, and abstract ideas” (Mayo Collaborative Servs. v. Prometheus Lab’ys, Inc., 566 US 66, 70 (2012) (citations omitted)).

The district court held that the REGENXBIO patent claimed subject matter that was not eligible for patenting because it covered a combination of genetic elements, each naturally occurring, that were combined in a host cell, without any other alteration. The district court reasoned that, “taking two sequences from two different organisms and put[ting] them together is no different than taking two strains of bacteria and mixing them together,” analogizing the claims to those found invalid under §101 in Funk Brothers Seed Co. v. Kalo Inoculant Co., 333 US 127 (1948) (REGENXBIO Inc. v. Sarepta Therapeutics, Inc., No. CV 20-1226-RGA, 2024 WL 68278, at *5 (D. Del. Jan. 5, 2024) (cleaned up)).

The district court further found that the invention did not claim any inventive concept under step two of the Alice/Mayo test. Under the Alice/Mayo framework, a court must first determine whether the invention claims “[l]aws of nature, natural phenomena, and abstract ideas,” which are not patentable (Mayo Collaborative Servs. 566 US at 70). If the invention is found to be unpatentable in step one, the court must then determine whether the invention contains “an inventive concept sufficient to transform the claimed abstract idea into a patent-eligible application” (Alice Corp. Pty. v. CLS Bank Int’l, 573 US 208, 221 (2014) (cleaned up) (citing Mayo, 566 US 66, 82)). Applying that framework, the district court determined that, “the claimed invention is made using well-understood, routine, and conventional steps” (REGENXBIO, 2024 WL 68278, at *6).

REGENXBIO appealed, arguing that the asserted claims are patent eligible for having “markedly different” characteristics from any natural product (REGENXBIO Inc. v. Sarepta Therapeutics, Inc., No. 2024-1408, Dkt. 15, at 19-20 (Fed. Cir. May 8, 2024)). The Parker Institute for Cancer Immunotherapy, the J. David Gladstone Institutes and the Dana-Farber Cancer Institute also filed an amicus brief in support of REGENXBIO. As nonprofit cancer research organizations, the amici stated their interest in ensuring that engineered biologic inventions remain eligible for patent protection, due to their potential to revolutionize medical research, and asserted that the district court’s decision injected “significant uncertainty” that could “seriously hinder critical advances in biotechnology” (REGENXBIO Inc. v. Sarepta Therapeutics, Inc., No. 2024-1408, Dkt. 27, at 4-5 (Fed. Cir. May 15, 2024)).

Federal Circuit review against the backdrop of §101 case law

In reversing the district court’s summary judgment finding, the Federal Circuit analyzed a line of key §101 cases involving life sciences subject matter: Diamond v. Chakrabarty, 447 US 303 (1980); Funk Brothers Seed Co. v. Kalo Inoculant Co., 333 US 127 (1948); Ass’n for Molecular Pathology v. Myriad Genetics, Inc., 569 US 576 (2013); and ChromaDex, Inc. v. Elysium Health, Inc., 59 F.4th 1280 (Fed. Cir. 2023). In distinguishing the claims at issue from claims that had been found ineligible, the Federal Circuit provided some guidance on how to apply the “markedly different” test from Chakrabarty.

In Chakrabarty, the court held patent-eligible claims directed to a “genetically engineered bacterium that possessed the advantage of being ‘capable of breaking down multiple components of crude oil’” (REGENXBIO, 2026 WL 479224, at *3). The Chakrabarty decision reasoned that, “[n]o naturally occurring bacteria possessed the same property for breaking down crude oil” (Id. at *4). Thus, the patentee was found to have “produced a new bacterium with markedly different characteristics from any found in nature and one having the potential for significant utility” (Diamond v. Chakrabarty, 447 US 303, 310 (1980)).

By contrast, in Funk Brothers, the claims at issue were found to be patent ineligible. The claims were directed to “a mixed culture capable of inoculating the seeds of leguminous plants,” based on the discovery that “there existed in nature certain species of root-nodule bacteria which did not exert a mutually inhibitive effect on each other” (REGENXBIO, 2026 WL 479224, at *4). The Funk Brothers decision explained that, “[t]he combination of species produces no new bacteria, no change in the [] species of bacteria, and no enlargement of the range of their utility. Each species has the same effect it always had … They serve the ends nature originally provided and act quite independently of any effort of the patentee” (Funk Brothers Seed Co. v. Kalo Inoculant Co., 333 US 127, 131 (1948)). The court in Chakrabarty distinguished Funk Brothers by emphasizing that, in Chakrabarty, “the patentee’s discovery is not nature’s handiwork, but his own” (REGENXBIO, 2026 WL 479224, at *4 (cleaned up) (quoting Chakrabarty, 447 US at 310)).

Myriad was a mixed opinion, finding one set of claims patent ineligible and another set patent eligible. The first set of claims, directed to isolating an individual’s BRCA1 and BRCA2 genes, was found to be patent ineligible. The court found that it was “undisputed that Myriad did not create or alter any of the genetic information encoded in the BRCA1 and BRCA2 genes. The location and order of the nucleotides existed in nature before Myriad found them. Nor did Myriad create or alter the genetic structure of DNA” (Ass’n for Molecular Pathology v. Myriad Genetics, Inc., 569 US 576, 590 (2013)). The court distinguished the invention from Chakrabarty’s invention, because unlike in Chakrabarty, “Myriad did not create anything” (Id.). Instead, it was analogous to Funk Brothers, because the claimed invention was discovery of the location of the BRCA1 and BRCA2, and that discovery itself did not render the invention a “new composition of matter” (Id. at 591 (cleaned up)).

On the other hand, the court found that the second set of claims directed to isolating the BRCA1 and BRCA2 genes were patent eligible because they included “creation of a cDNA sequence from mRNA [which] results in an exons-only molecule that is not naturally occurring,” observing that, “the lab technician unquestionably creates something new when cDNA is made. cDNA retains the naturally occurring exons of DNA, but it is distinct from the DNA from which it was derived” (Id. at 594-95).

Finally, in ChromaDex, the court found patent ineligible claims directed to isolating a vitamin found in milk and combining it with other elements found in milk. Although the claims at issue also claimed an increase in NAD+ biosynthesis, this did not provide characteristics “markedly different” from milk. Because natural milk has NAD+ biosynthesis, “the asserted claims do not require any minimum quantity of the isolated NR vitamin, and the claims do not attribute the claimed increase in NAD+ biosynthesis to the isolated vitamin NR” (REGENXBIO, 2026 WL 479224, at *5).

The Federal Circuit reverses district court’s summary judgment finding

Following the guidance of Chakrabarty, the Federal Circuit addressed the question of “whether the claimed host cells have ‘markedly different characteristics’ and have ‘the potential for significant utility’ from that which is naturally occurring” (REGENXBIO, 2026 WL 479224, at *6). The court concluded that the claimed host cells are “markedly different” from anything naturally occurring because, like in Chakrabarty, the claimed nucleic acid molecules were “not nature’s handiwork,” and, like in Myriad, “the lab technician unquestionably creates something new” by splicing together the nucleic acid sequences from different organisms (Id. at *6). Here, the court found that:

Genetically engineering two nucleic acid sequences from separate species into a single molecule and then transforming a host cell in order to incorporate that new molecule into it—thus fundamentally creating a cell containing a molecule that could not form in nature on its own—is materially different from growing more than one naturally occurring bacteria strain in a culture where none of the bacteria undergo any change from their natural state. (Id. at *7)

The Federal Circuit criticized the district court for apparently applying the “markedly different” test to the individual components of each nucleic acid sequence and the host cell, rather than looking at whether the claimed composition, as a whole, was naturally occurring (Id.). The fact that the host cells – rather than these individual components –claimed by the REGENXBIO patents do not and could not occur in nature was critical in concluding that the claimed host cell was not directed to ineligible naturally occurring subject matter (Id. at *9).

Lastly, while not a part of the “markedly different” test, the Federal Circuit also noted that “the potential for significant utility” may be considered. The court here found that the claimed composition “clearly” had the potential for significant utility, because “unlike [the individual, isolated] sequences on their own, various embodiments of the claimed compositions ‘are beneficial for gene delivery to selected host cells and gene therapy patients’” (REGENXBIO, 2026 WL 479224, at *7 (quoting the asserted patent)).

Conclusion

The REGENXBIO decision provides clarity on the patent eligibility of life sciences inventions, reinforcing that human-made constructs and cell lines that do not occur in nature and that display characteristics that are not naturally occurring may satisfy §101.

FTC Issues COPPA Enforcement Discretion Policy to Incentivize Use of Age Verification Technologies

Mon, 02 Mar 2026 08:00:00 Z

On February 25, 2026, the Federal Trade Commission (FTC) issued a policy statement announcing it will exercise discretion with respect to enforcement of the Children’s Online Privacy Protection Act (COPPA) to enable broader adoption of age verification technologies. As discussed in our February 4 alert regarding a recent FTC workshop, FTC leadership has acknowledged a perceived tension between implementing age assurance technologies and complying with COPPA’s prohibition against collecting personal information of children under 13 without verifiable parental consent (VPC). This new policy statement is the agency’s first step toward resolving that tension.

Background: COPPA enforcement and age verification tension

Under the COPPA Rule, operators of commercial websites and online services that are directed to children under 13 – or that have actual knowledge that they are collecting personal information from such children – must provide clear notice of information practices and obtain VPC before collecting, using or disclosing the child’s personal information, subject to narrow exceptions.

At the FTC’s January 28 workshop on age assurance technologies, agency leadership acknowledged that this leads to a “chicken-versus-egg” dilemma: COPPA’s parental consent requirement can impede deployment of technologies that are designed precisely to avoid unlawful data collection from children under 13 by learning a user’s age upfront.

The FTC’s new policy statement: What it says and what it means

The FTC states that it will not bring an enforcement action under the COPPA Rule against general or mixed audience operators that collect, use or disclose personal information solely for age verification purposes – even without first obtaining VPC – so long as the operator follows specified safeguards, including:

Limited purpose and use: Information collected for age verification must be used only to determine a user’s age and not for other purposes, such as marketing or profiling.
Data minimization and retention: Operators must retain only what is necessary to achieve age verification and promptly delete the information when no longer needed.
Third-party safeguards: Where age verification is performed with third parties, operators must take reasonable steps to ensure the third party can protect the confidentiality, integrity and security of the information.
Clear notice: Operators must provide clear notice to users – including parents and children – about the information collected for age verification.
Security: Operators must use reasonable security safeguards.
Accuracy considerations: Operators must take reasonable steps to ensure that the products, services, methods or third parties used for age verification are likely to produce reasonably accurate age determinations.

Importantly, the FTC will not “exercise its enforcement discretion [] unless the Relevant Operator is complying with the COPPA Rule’s requirements in every other respect with regard to personal information collected from children.”

Practical impact: The policy statement offers limited safe harbor protection from the risk of enforcement by the FTC and encourages deployment of age assessment tools. Operators with mixed audiences – where the risk of unknowingly collecting a child’s data is high – can adopt age verification technologies (consistent with the FTC requirements) with less concern that they may be the targets of enforcement by the FTC. For example, age verification based on the collection of images, videos or biometrics from users, without obtaining VPC in advance, now presents less risk as a result of the policy statement.

What the FTC’s new policy does not do

It does not amend COPPA or the COPPA Rule.

The policy statement is not a rulemaking and does not change statutory or regulatory text. It is a declaration of enforcement posture under the current FTC commissioners. Future commissioners may amend or withdraw the policy statement. However, when announcing the policy statement, the FTC indicated that it intends to initiate a review of the COPPA Rule to address age verification mechanisms – which companies should watch for, and Cooley will monitor.

It does not apply to state enforcement of COPPA.

Under COPPA, states – as parens patriae – may bring civil actions on behalf of the residents of the state. The policy statement does not claim to apply to actions brought by a state. Unless and until the COPPA Rule is amended consistent with the policy statement, states may continue to bring actions even under circumstances where the FTC has chosen not to enforce as a matter of discretion.

It does not help ‘primarily child-directed’ services.

Operators that are primarily directed to children remain expected to treat all users as children for COPPA purposes and provide COPPA protections across the service.

It does not waive COPPA for everything else.

The enforcement discretion is narrowly framed: It applies only to collection/use/disclosure for age verification purposes and only if the operator is otherwise in compliance with COPPA, where applicable. Once age is determined, the operator’s obligations may change materially, particularly if the operator gains “actual knowledge” that a user is under 13. Notably, the policy statement does not green light the use of personal information collected from children for age assurance purposes other than the immediate age verification of individual users. For example, it does not contemplate the collection or use of children’s information to build datasets used to train age estimation algorithms, nor does it provide new safe harbor protection for the retention of age verification information to help operators prevent future attempts to circumvent their age policies. For these types of broader age assurance purposes, operators will need to continue navigating carefully within the parameters of the existing COPPA Rule.

Practical implications for product, legal and vendor strategy

Greater comfort when using cutting-edge age verification technologies.

The policy statement is intended to encourage novel and more highly effective age verification technologies than simple age gates based on user-declared birthdates. The policy statement should give companies that felt hamstrung by COPPA increased comfort when taking advantage of technologies that leverage the collection of images, videos or biometrics from users for age verification, which are increasingly being used – and required – in foreign markets.

Age verification can create ‘actual knowledge.’

Age verification can convert uncertainty into certainty. If an age check indicates a user is under 13, the operator may gain actual knowledge, triggering COPPA obligations. Depending on the service and the circumstances, an operator that has obtained actual knowledge may be forced to obtain VPC or delete all personal information pertaining to the user in question.

Alignment with the broader ‘age assurance maze.’

As our February 4 alert noted, COPPA is only one part of the age assurance landscape; state laws and global regimes are pushing age gating and age estimation in parallel. The FTC statement helps reduce COPPA-specific friction for the age-check step, but it does not resolve the wider patchwork around when age checks are required, how they must be performed and what content or features must be gated.

Other laws may still apply.

Other laws, including comprehensive state privacy laws, may apply to the collection of personal information for age verification purposes. The policy statement does not impact the applicability of those laws. For example, if a company chooses to take advantage of the policy statement by employing biometrics-based age verification, it should remain cognizant of laws that regulate the collection and use of biometric data, including the Illinois Biometric Information Privacy Act (BIPA), which requires certain disclosures and consent, notwithstanding the policy statement.

Monitor litigation developments involving age assurance laws.

The constitutionality of age assurance and age verification laws is being actively litigated in both state and federal courts across the country. Businesses should monitor developments in these cases to inform their assessments of risk and regulator expectations.

US Congress Eliminates Foreign Private Issuer Exemption for Insider Reporting Obligations Under Holding Foreign Insiders Accountable Act

Wed, 25 Feb 2026 12:59:23 Z

On December 18, 2025, the Holding Foreign Insiders Accountable Act was signed into law, subjecting directors and officers of foreign private issuers (FPIs) to the insider reporting requirements under Section 16(a) of the US Securities Exchange Act of 1934, as amended (Exchange Act). Existing directors and certain officers (Section 16 officers and, together with directors, “insiders”) of FPIs will have 90 calendar days from the date the act is enacted to begin reporting under Section 16(a). As a result, effective March 18, 2026, such Insiders must timely report to the US Securities and Exchange Commission (SEC) their ownership of, and changes in their ownership of, the issuer’s securities. While rulemaking by the SEC will be required to carry out the amendments made by the act, on its face, the act makes changes to Section 16(a) self-executing such that they will become effective without further SEC rulemaking.

To assist FPIs in preparing for this significant change in insider reporting obligations, we have summarized the below frequently asked questions and responses under the new law.

1. Who will be subject to Section 16(a) reporting obligations?

Directors

Section 16 officers

Under SEC rules, the definition of “officers” for Section 16(a) purposes is the same as the definition used for the FPI’s clawback policy. Officers include:

The president (or CEO).
The principal financial officer.
The principal accounting officer.
Any vice president of the issuer in charge of a principal business unit, division or function.
Any other person who performs a (significant) policy-making function, regardless of title.

The act specifically refers only to “officers and directors” of FPIs. Although Section 16(a) of the Exchange Act also applies to 10% owners, the act does not expressly remove the existing FPI exemption for them. Accordingly, 10% owners of FPIs may continue to rely on the current exemption.

2. Which forms are required to be filed, and what events trigger these filings?

Form 3 (initial beneficial ownership statement)

Form 4 (statement of changes in beneficial ownership)

Form 5 (annual statement)

3. What are the filing deadlines?

Form 3

Form 4

Form 4 must be filed by the end of the second business day following the reportable transaction.

Form 5

Form 5 must be filed within 45 calendar days after the issuer’s fiscal year-end.

4. What are the direct impacts on an FPI’s existing disclosure framework?

Public disclosure of equity compensation information

Public disclosure of beneficial ownership information

5. FPIs should promptly begin compliance preparations.

Confirm the scope of Section 16 officers. FPIs should revisit who is designated as “Section 16 officer” in their disclosure and in connection with the adoption of their clawback policies, as those same officers will now be subject to the above Section 16 reporting requirements.
Review insider trading policies. FPIs should review insider trading policies to determine whether transfers of the FPI’s stock by insiders are subject to pre-clearance in order to facilitate timely reporting of transactions.
Enroll in EDGAR Next. FPIs should ensure all insiders have obtained EDGAR filing codes (SEC electronic filing credentials).
Prepare initial Form 3 filings. Prepare initial ownership filings on Form 3 for insiders in order to be ready to file with the SEC on March 18, 2026.
Conduct internal compliance training. Conduct internal training sessions with insiders to ensure compliance with the new filing requirements and types of transactions in the FPI’s stock that are required to be reported under Section 16(a).

6.What are the consequences of late filing or not filing?

7. Will insiders be subject to Section 16(b) short-swing profit recovery or Section 16(c) short-selling prohibitions?

The act only makes changes to the reporting requirements in Section 16(a) of the Exchange Act and does not address the requirements of Section 16(b)’s “short-swing” liability, which require insiders of US domestic issuers to repay companies for profits on matching trades made under a six-month period, or Section 16(c), which prohibits insiders from short selling issuer securities. Historically, insiders of FPIs have been exempt from all three subsections of Section 16. While the act does not specifically address Section 16(b) or 16(c), it does specify that the language inserted into Section 16(a)(1) should state that the inclusion of FPI insiders is “solely for the purposes of this subsection.” It is currently expected that the SEC will retain the exemption from Sections 16(b) and 16(c) for FPIs.

8. The SEC has authority to grant exemptions for FPIs listed in jurisdictions with substantially similar requirements.

The act grants the SEC authority to exempt insiders of FPIs that are subject to “substantially similar requirements” in a foreign jurisdiction from Section 16(a) reporting requirements. At this stage, however, it remains unclear whether – or how – the SEC will exercise this exemptive authority.

For further questions on US capital markets and securities regulation matters, please feel free to contact us.

Make America Artificial Color Free (Again?): New FDA Enforcement Discretion Policy Allows for Broader Use of ‘No Artificial’ Claims for Foods

Tue, 24 Feb 2026 23:37:25 Z

The US Food and Drug Administration (FDA) continues to advance the Make America Healthy Again (MAHA) strategy by limiting or prohibiting the use of petroleum-based food dyes – Federal Food, Drug, and Cosmetic Act (FD&C Act) certified colors –particularly in foods consumed by children. In September 2025, the MAHA Commission signaled that while it intended to limit certain food dyes, it wanted to enable labeling claims that convey where foods no longer contained such dyes, such as by taking a more flexible view of the claim “no artificial color.” To deliver on this commitment and encourage companies to move away from petroleum-based dyes, FDA announced on February 5, 2026, a new enforcement discretion policy for color additive labeling claims.

Under current federal law, claims such as “no artificial colors,” apply only to products with no added color whatsoever, regardless of the source of that added color. Under FDA’s new enforcement discretion policy, however, FDA will not take enforcement action against a company using the following claims, as long as the foods tied to these claims do not contain any FD&C Act certified colors listed in 21 CFR part 74:

Made without artificial food colors/colorings
No artificial color/colors/coloring
No added artificial color/colors/coloring

This policy marks a notable step by FDA to help companies transition away from petroleum‑based dyes and communicate those changes directly to consumers – without fear of enforcement consequences from FDA. Even before this announcement, this was not an area of focus for FDA warning letters; however, FDA had indicated its intent to stop foods bearing such claims at the border. For instance, FDA’s Import Alert 99‑39 previously subjected some foods labeled “no artificial colors” to detention without physical examination. Thus, this new policy is likely to have the greatest and most immediate impact in the import context.

Even with a reduced risk of drawing a federal enforcement action from FDA, as companies are all too aware, federal enforcement is just one area of risk. Food companies need to continue to be aware of risks associated with state laws and class action-related litigation, which may be premised on these claims despite FDA’s new enforcement discretion policy. For example, some states have statutory safe harbor provisions for conduct authorized by federal regulatory bodies, although some courts have been hesitant to hold some agency actions, such as FDA guidance, as authorizing conduct.¹ This trend may increase post-Loper Bright, because courts can now exercise independent judgment in their interpretation of the law and no longer give deference to agency interpretation.² And while evidence of enforcement discretion by FDA may bolster a company’s defense in state class action litigation, the weight of this defense will be dependent on the exact state law at issue and the weight it gives to FDA’s policy choices.³

Practically speaking, FDA’s enforcement discretion policy reduces federal‑level risk for food companies. It may also strengthen a company’s defenses in state class action litigation, though it does not eliminate risk altogether. Companies should continue to take a measured, strategic approach to their labeling claims.

Cooley’s life sciences and healthcare regulatory and wellness teams closely monitor FDA enforcement discretion in this space and actively work with clients on their regulatory strategy and implementation.

Notes

See Vanzant v. Hill's Pet Nutrition, Inc., 934 F.3d 730 (7th Cir. 2019), where the court held that an FDA guidance document was not considered authorizing conduct protected under the safe harbor.
See Loper Bright Enters. v. Raimondo, 603 U.S. 369, 369 (2024).
See Eli Lilly & Co. v. Revive Rx, LLC, No. CV H-23-3521, 2025 WL 3640703, at *27 (S.D. Tex. Dec. 15, 2025).

Your Brain, Their Rules: The Growing Patchwork of Neural Data Regulation

Tue, 24 Feb 2026 08:00:00 Z

According to one study, investment in the global neurotechnology market is projected to increase to more than $50 billion by 2034. While this technology promises to revolutionize human existence in a number of ways, legislators are taking note of its rapid advancement. In the first six weeks of 2026, nine bills that would regulate neural data to varying degrees have been introduced across six US states, including Alabama, California, Illinois, New York, Vermont and Virginia (2026 neural data bills). One of these bills applies exclusively to government entities. This is in addition to several other bills addressing neural data that were introduced in 2025 and are still working their way through the legislative process.

In this survey, we provide an overview of the key themes of the 2026 neural data bills to highlight issues that businesses innovating in neurotechnology should be thinking about as the regulatory landscape in this area evolves. We also provide a detailed breakdown of each proposed bill, including key definitions, applicability, obligations and enforcement.

Key themes of the 2026 neural data bills

As neurotechnology shifts from research to commercial reality, companies will need to consider a host of new requirements regulating neural data. Neural data is arguably one of the most sensitive types of personal information, offering direct and unfiltered insight into an individual’s cognitive and emotional state. While some scholars describe neural data as the final frontier of privacy, for many companies, neural data represents the next frontier in data regulation. Below we outline key issues that organizations will need to think about and that feature as common themes across the 2026 neural data bills.

Developing taxonomies of neural data

In contrast to other laws regulating personal information where many forms of data share standard definitions, legislators have not yet converged on a uniform definition of neural data. While definitions of neural data in the 2026 neural data bills generally center on information that is generated by measuring the activity of an individual’s central or peripheral nervous system, a closer read of the definitions highlights important nuances. For example, Illinois SB 2994 and New York AB 10008 and SB 9008 carve out nonneural information from their definitions. The Illinois bill provides additional color as to what constitutes nonneural information (i.e., pupil dilation, motor activity, breathing rate and other information about the downstream physical effects of neural activity), while the New York bills are silent as to what nonneural information is. Virginia HB 654 builds the definition of neural data into the existing definition of biometric data under the Virginia Consumer Data Protection Act (VCDPA). Vermont HB 814 introduces ancillary neurotechnology terms, such as “brain-computer interface,” “conscious decision making” and “conscious bypass.” Companies will need to carefully examine neural data laws to understand the finer details of the definitions and how they may apply to their neurotechnology.

Consent is key

Unsurprisingly, given the sensitive nature of neural data, the 2026 neural data bills generally require companies to obtain consent from individuals before processing neural data. The type of processing that requires consent with respect to neural data differs among the bills, but it is clear that legislators intend for individuals to be firmly in control of the collection, storage and disclosure of their neural data. Companies should implement procedures for obtaining consent from individuals that interact with their neurotechnologies and have protocols in place to respond if a consumer withdraws that consent. Certain of the proposed laws, such as Illinois HB 5179 and Vermont HB 814, require deletion of neural data within specified time frames upon revocation of consent.

Transparency ensures accountability

Many of the 2026 neural data bills require companies to provide transparency around how they will process neural data. The disclosure obligations vary widely among the proposed laws. For example, Illinois SB 2994 requires covered entities to provide clear and complete information regarding a covered entity’s policies and procedures for the collection, use and disclosure of neural data, while Alabama HB 263 requires a covered entity that transfers, discloses or uses a consumer’s neural data for certain purposes to notify the consumer before engaging in these activities and provide the consumer the opportunity to limit or prevent the processing of their neural data. Illinois HB 5179 requires companies to disclose certain information about neural devices, including health and safety risks associated with the use of a neural device and whether the neural device collects data in addition to whatever data collection is necessary to perform the advertised or described function of the neural device, among other items.

Broad regulation and sector-specific rules

Companies will need to account for the broad reach of neural data laws, some of which amend existing privacy laws and apply to many data activities, while navigating sector- and entity-specific laws. For instance, Virginia HB 654 amends the VCDPA to expand the definition of “biometric data” to include “neural data,” which in turn extends broader restrictions on the processing of “sensitive data” to “neural data.” Illinois SB 2994 amends existing obligations under the Illinois Genetic Information Privacy Act (GIPA), but these requirements are specific to insurers and employers with respect to their use of neural data for certain activities. At the same time, SB 2994 introduces additional obligations on organizations that offer neurotechnology products or collect, use and analyze neural data. NY AB 10008 and SB 9008 apply to data brokers that may process neural data. Companies innovating in neurotechnology will, therefore, need to carefully examine the reach of neural laws applicable to them and consider the industry they operate in as part of a sound compliance strategy.

Enforcement regimes vary

The 2026 neural data bills take differing approaches to enforcement, with state attorneys general serving as the primary enforcement body for the majority of the bills with the ability to bring actions in court. Some of the proposed laws, such as Illinois SB 2994 and HB 5179 and Vermont HB 814, provide individuals with a private right of action. Similar to state biometric privacy laws, companies will need to assess the risk of collecting and processing neural data from specific states where enforcement regimes are more stringent.

We provide below a detailed breakdown of the requirements discussed above. Importantly, these 2026 neural data bills are not the first laws on the books to regulate neural data. Colorado, California, Montana and Connecticut have enacted statues regulating neural data as a distinct category of personal information. For more information, see Cooley’s July 2025 article, “Comparing New Neural Data Privacy Laws in Four States.” As mentioned above, there are several other bills addressing neural data that were introduced in 2025 and are still going through the legislative process. For more information, see this “Neurotech Laws and Legislation Update.”

2026 neural data bills in detail

Alabama HB 263

Summary: Alabama HB 263 prohibits a covered entity from disclosing, transferring or taking certain other actions with regard to a consumer’s biological data or neural data without the consumer’s express consent.

Key definitions: HB 263 defines “biological data” as “data generated by (i) the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, physiological or neural properties, compositions, or activities; or (ii) an individual’s body or bodily functions, which are used or intended to be used for identification purposes.” “Neural data” is defined as “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous system and that can be processed by or with the assistance of a device.” A “consumer” is any individual who is an Alabama resident.

Application: HB 263 applies to any individual or entity that maintains, owns or licenses biological data or neural data in the course of the individual’s or entity’s business, vocation or occupation.

Obligations: HB 263 provides that a covered entity may not:

Transfer a consumer’s biological or neural data to a third party.
Disclose a consumer’s biological or neural data to a third party for a reason other than fulfillment of the entity’s products or services.
Use a consumer’s biological or neural data for a purpose other than what is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests the goods or services.
Market to a consumer based on their biological or neural data.

HB 263 further provides that if a covered entity transfers, discloses or uses a consumer’s biological or neural data for purposes other than those described above, it must, before the transfer, disclosure or use, notify the consumer and provide the consumer the opportunity to limit or prevent the transfer, disclosure or use.

Enforcement: Consumers can report any violation of HB 263 to the Consumer Interest Division in the Alabama Attorney General’s Office, and the attorney general may bring an action in court to enjoin conduct or practices that violate the act and seek a civil penalty of up to $3,000 for each violation.

Effective date: If passed and ultimately signed into law, HB 263 would become effective on October 1, 2026.

California AB 1883

Summary: California AB 1883 amends the California Labor Code and introduces restrictions on employers’ use of workplace surveillance tools, including collection of neural data through such tools.

Key definitions: AB 1883 defines “neural data” as “information that is generated by measuring the activity of a worker’s central or peripheral nervous system, and that is not inferred from nonneural information.” AB 1883 defines a “workplace surveillance tool” to mean “any system, application, instrument, or device that collects or facilitates the collection of worker data, activities, communications, actions, biometrics, or behaviors, or those of the public that are also capable of passively surveilling workers, by means other than direct observation by a person, including, but not limited to, video or audio surveillance, continuous incremental time-tracking tools, geolocation, electromagnetic tracking, photoelectronic tracking, or that utilizes a photo-optical system or other means.”

Application: AB 1883 applies to “employers,” which are defined as “a person or governmental entity that directly or indirectly, or through an agent or any other person, employs or exercises control over the wages, benefits, other compensation, hours, working conditions, access to work or job opportunities, or other terms or conditions of employment, of any worker, including all branches of state government, or the several counties, cities and counties, and municipalities thereof, or any other political subdivision of the state, or a school district, or any special district, or any authority, commission, or board or any other agency or instrumentality thereof.”

Obligations: AB 1883 prohibits employers from using a workplace surveillance tool that:

Prevents compliance with labor, occupational health and safety, employment and civil rights laws or regulations.
Identifies, profiles or infers information about workers engaging in activity protected by law.
Incorporates certain technologies, including emotion, facial or gait recognition technology or neural data collection.

Enforcement: AB 1883 is enforced by the Division of Labor Standards Enforcement through the labor commissioner. Public prosecutors may also bring civil actions to enforce the law, and workers have a private right of action. An employer who violates the law may be subject to a penalty of up to $500 per employee for each violation. For the same violation, recovery can constitute a statutory penalty paid to the employee or a civil penalty, but not both.

Effective date: AB 1883 is silent as to its effective date.

Illinois SB 2994

Summary: Illinois SB 2994 amends the IL GIPA to extend its protection to neural data, characterized in the bill as “neurotechnology data.” GIPA was originally enacted in 1998 to govern confidentiality and use of genetic testing and genetic information by employers and insurers. SB 2994 introduces new restrictions to:

Prohibit insurers from using neurotechnology data for nontherapeutic purposes or underwriting, subject to limited exceptions.
Prohibit employers, employment agencies, labor organizations and licensing agencies (collectively, “employers”) from requesting, requiring or using neurotechnology data in employment decisions, subject to certain exceptions.
Impose requirements on a separate category of covered entities to maintain the confidentiality of neurotechnology data.

Key definitions: SB 2994 defines “neurotechnology” as “devices capable of recording, interpreting, or altering the response of an individual’s central or peripheral nervous system to its internal or external environment.” Neurotechnology includes mental augmentation or improving human cognition and behavior through direct recording or manipulation of neural activity by neurotechnology. SB 2994 defines “neurotechnology data” as “information that is captured by neurotechnologies, that is generated by measuring the activity of an individual’s central or peripheral nervous system, or that is data associated with neural activity, the activity neurons or glial cells in the central or peripheral nervous system.” It does not include nonneural information, such as pupil dilation, motor activity, breathing rate or other information about the downstream physical effects of neural activity.

Application: SB 2994 applies to insurers, employers and covered entities. A covered “entity” means a partnership, corporation, association, or public or private organization of any character that offers consumer neurotechnology products or services directly to a consumer, or collects, uses or analyzes neurotechnology data.

Obligations: With respect to insurers, SB 2994 generally prohibits insurers from collecting, using, sharing or relying on neurotechnology data when making decisions about accident and health insurance, including for underwriting purposes. For instance, insurers can’t ask individuals to provide such data, and if insurers receive such data, they can’t use it for nontreatment purposes. If an individual voluntarily provides neurotechnology data, and the data is favorable to the individual, the insurer may consider it. Moreover, companies providing direct-to-consumer neurotechnology are prohibited from sharing any neurotechnology data about a consumer with any health or life insurance company without written consent from the consumer.

With respect to employers, SB 2994 restricts the use of neurotechnology data to make certain decisions. In particular, employers are prohibited from:

Soliciting, requesting, requiring or purchasing neurotechnology data of an individual or their family member.
Requiring an individual to use neurotechnology as a condition of employment, compensation or benefit.
Making decisions about the terms, conditions or privileges of employment or a preemployment application by relying on neurotechnology data.
Providing differential treatment to employees on the basis of their neurotechnology data.

With respect to covered entities, SB 2994 imposes a broad range of obligations. For instance, entities must disclose their policies and procedures for the collection, use and disclosure of neurotechnology data. They also must obtain consent for such processing of neurotechnology data, including separate express consent for the transfer of neurotechnology data to third parties other than the covered entity’s processors, and for the use of such data beyond the primary purpose of the entity’s neurotechnology product or service and inherent contextual uses. Express consent is required for marketing to a consumer based on their neurotechnology data, selling the consumer’s neurotechnology data, or marketing by a third party to a consumer based on the consumer having ordered or purchased a neurotechnology product or service. SB 2994 also requires covered entities to develop, implement and maintain a comprehensive security program to protect a consumer’s neurotechnology data against unauthorized access, use or disclosure, and must further provide a process for consumers to access their neurotechnology data, request and obtain destruction of such data, and revoke their consent, among other requirements.

Enforcement: GIPA provides individuals with a private right of action with damages of $2,500 or actual damages (whichever is greater) for negligent violations and damages of $15,000 or actual damages (whichever is greater) for intentional or reckless violations.

Effective date: If passed and ultimately signed into law, SB 2994 would enter into effect on January 1, 2027.

Illinois HB 5179

Summary: Illinois HB 5179, or the “Protection of Neural Data Act,” imposes disclosure and consent requirements on an entity’s use of a neural device to monitor, record, analyze or manipulate the neural data of an individual.

Key definitions: HB 5179 defines “neural data” to mean “information that (1) concerns the activity of an individual’s central nervous system or peripheral nervous systems, including the brain and spinal cord, and (2) can be monitored, recorded, analyzed or manipulated by a neural device.” A “neural device” means a “device that (1) employs an electronic, optical, magnetic, nanophysical, acoustical, or mechanical system and (2) is capable of replacing, restoring, complementing, improving, or otherwise modifying the response of the individual’s central nervous system to its internal or external environment.”

Application: HB 5179 applies to covered entities. A “covered entity” is defined as “a person that uses or facilitates the use of a neural device to monitor, record, analyze or manipulate the neural data of an individual. Individuals licensed in Illinois to provide healthcare services and that use such a neural device for a medical purpose and licensed healthcare facilities are not considered covered entities subject to the law.

Obligations: HB 5179 imposes disclosure and consent requirements on covered entities. Specifically, before using or facilitating the use of a neural device to monitor, record, analyze or manipulate the neural data of an individual, a covered entity must:

Plainly disclose on its website, if any, all user agreements, privacy agreements and other terms that the covered entity requires an individual to consent to in order to use the covered entity’s neural device.
Plainly disclose:
1. All health and safety risks associated with use of the neural device.
2. Whether the neural device collects data in addition to whatever data collection is necessary to perform the advertised or described function of the device.
3. That the covered entity may not store the individual’s neural data after the individual’s use of the neural device unless it has obtained the individual’s consent.
4. That the covered entity may not transfer possession of the individual’s neural data to any third party unless the covered entity acquires the individual’s consent.
5. How the covered entity safeguards the privacy of individuals’ neural data.

With respect to consent requirements, a covered entity may not store, retain or transfer an individual’s neural data unless it obtains the individual’s consent. Consent can be withdrawn at any time by the individual, and the covered entity must then promptly block any potential future transfer of the individuals’ neural data to any third party, and within 30 days after the individual withdraws consent, must delete all neural data of the individual and contact each third party to which the covered entity transferred the individual’s neural data and instruct the third party to delete the neural data. The third party that receives this instruction must promptly comply with it.

Enforcement: HB 5179 is enforceable by the Illinois attorney general and states attorneys. Violations of HB 5179 constitute a class 1 misdemeanor, and if a court identifies a pattern of noncompliance, it may impose a fine of up to $50,000 on the covered entity. HB 5179 also provides individuals with a private right of action. If a covered entity unlawfully transfers an individual’s neural data to a third party in violation of the act, the individual is presumed to have suffered at least $10,000 in damage. The attorney general may also adopt rules necessary to implement HB 5179.

Effective date: HB 5179 is silent as to its effective date.

New York AB 10008 and SB 9008

Summary: New York AB 10008 and SB 9008 are companion bills in the New York Legislature for the 2025 – 2026 session to enact a comprehensive state budget package and introduce legal reforms across a number of areas. Regulation of neural data falls under the proposed amendment to the New York General Business Law, introducing the Data Broker Accountability Act (DBAA), which is identical across the companion bills. The DBAA includes a wide range of definitions, many of them similar to those found in the California Consumer Privacy Act (CCPA) and other comprehensive state privacy laws, but its substantive requirements only apply to data brokers. Neural data is a subset of sensitive personal information. The obligations applicable to data brokers with respect to personal information (which subsumes sensitive personal information), by extension, encompass neural data.

Key definitions: The DBAA defines a “data broker” as a “business that knowingly collects and sells to third parties the personal information of a consumer with whom such business either (i) does not have a direct relationship and/or (ii) does not have a direct relationship with such consumer as to personal information it sells about such consumer that it collected outside of a consumer-facing business with which the consumer intends and expects to interact.” “Sensitive personal information” means personal information that reveals, among other items, a consumer’s neural data, meaning “information that is generated by measuring the activity of such consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.”

Application: While the DBAA includes a definition of a “business” that largely tracks the CCPA’s definition, in its current form, the obligations only apply to data brokers.

Obligations: The DBAA requires data brokers to register with the New York Department of Financial Services (NYDFS), respond to consumer deletion requests and disclose the number of deletion requests, among other items. The DBAA also requires NYDFS to establish an accessible deletion request mechanism, and data brokers must access the mechanism at least every 45 days and process requests and delete personal information related to consumers that submitted requests. While the DBAA does not include unique requirements specific to neural data, neural data is a subset of “sensitive personal information,” which forms part of the definition of “personal information,” and the obligations outlined above apply to “personal information.”

Enforcement: The DBAA provides the superintendent of NYDFS with broad investigatory powers, and if a company violates the law, the superintendent can impose fines, including $200 per day for failing to register as a data broker, $200 per day per deletion request if the company fails to delete data when required, and $200 per day for failing to meet website disclosure requirements.

Effective date: If passed and ultimately signed into law, the DBAA takes effect 180 days after NYDFS issues implementing regulations.

Vermont HB 814

Summary: Vermont HB 814 provides neurological rights to individuals by creating privacy standards for neural data and by prohibiting electronic devices from bypassing the conscious decision-making of individuals who have not provided consent. Separately, HB 814 regulates certain aspects of artificial intelligence (AI) in health and human services, including mental health chatbots, use of generative AI in patient communications and use of AI in utilization review.

Key definitions: HB 814 defines “neural data” to mean “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous system and that can be processed by or with the assistance of a device.” In contrast to the other bills, HB 814 provides some additional definitions specific to the neurotechnology context. HB 814 defines “brain-computer interface” (BCI) as a “device that enables its users to interact with a computer by means of brain activity only.” “Conscious decision making” means “an individual making a deliberate decision with awareness and intention,” and “conscious bypass” means “the use of neurotechnology to manipulate brain activity by applying electrical or optical stimuli without the conscious awareness of the individual whose brain activity is being manipulated.”

Application: HB 814 applies to any “person,” which is defined under the Vermont state statutes and includes a corporation.

Obligations: HB 814 prevents a person from collecting or recording an individual’s neural data gathered from a BCI unless the person provides the individual with notice explaining how it will use the individual’s neural data and subsequently receives written informed consent from the individual to collect or record their neural data. It also prevents a person from sharing with a third party an individual’s neural data unless the person provides the individual with a written request for the individual’s neural data to be shared with a third party and for what purposes, including the name and address of the third party, and subsequently receives written informed consent from the individual to share the individual’s neural data. Individuals can revoke their consent at any time.

HB 814 also prevents a person from allowing a BCI it manufactures to be used to bypass the conscious decision-making of an individual unless the person has received specific, written informed consent from the individual. “Specific” in this context means written consent for each and every category of action performed by the BCI. A person receiving written informed consent from an individual shall keep a record of the individual’s consent. HB 814 makes clear that consent obtained by using a conscious bypass is not informed consent.

Enforcement: If a person violates HB 814, it would be considered an unfair or deceptive act under Vermont’s Consumer Protection Act. Each violation can result in a civil penalty up to $10,000. The Vermont attorney general has the authority to enforce the law and can bring a civil action. Consumers also have a private right of action pursuant to the Vermont Consumer Protection Act.

Effective date: If passed and ultimately signed into law, HB 814 would become effective on July 1, 2026.

Virginia HB 654

Summary: Virginia HB 654 amends the VCDPA by expanding the definition of “biometric data” to include neural data.

Key definitions: HB 654 updates the definition of “biometric data” to mean “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, facial feature pattern characteristics, neural data, physiological activities, or other unique biological patterns or characteristics that are used to identify a specific individual.” HB 654 further specifies that biometric data includes data generated from a physical or digital photograph or a video or audio recording and data stored for healthcare treatment, payment or operations under the Health Insurance Portability and Accountability Act (HIPAA). HB 654 defines “neural data” as “data generated by measurements of the activity of an individual’s central or peripheral nervous system that can be processed by or with the assistance of technology.”

Application: HB 654 amends the VCDPA, which applies to persons that conduct business in Virginia or produce products or services targeted to residents of Virginia, and that during a calendar year, control or process data of at least 100,000 consumers (i.e., Virginia residents acting in an individual or household context), or control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.

Obligations: HB 654 prohibits consumers, controllers, processors or affiliates, as those terms are defined in the VCDPA, from processing biometric data, including neural data, concerning an individual without obtaining the individual’s consent, or in the case of the processing of biometric data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act (COPPA).

Enforcement: The Virginia attorney general has exclusive authority to enforce the VCDPA and may seek an injunction to restrain violations of the act, as well as civil penalties of up to $7,500 per violation (following notice of an actual or potential violation by the attorney general to the data controller or data processor and a 30-day cure period).

Effective date: HB 654 is silent as to its effective date.

On February 4, 2026, the Technology and Innovation Subcommittee of the Virginia House of Delegates voted to lay on the table HB 654, effectively halting the bill’s advancement for the legislative session.

Vermont HB 791

The Vermont Legislature introduced HB 791, known as the “Vermont Government Data Practices Act” in January 2026. HB 791 only applies to government entities. Given the focus of this survey on neural data regulations’ applicability to commercial businesses, we will not analyze this law in detail.

USPTO Issues Revised Inventorship Guidance for AI-Assisted Inventions – Key Implications for AI-Driven Antibody Discovery

Fri, 20 Feb 2026 08:00:00 Z

The US Patent and Trademark Office (USPTO) has issued revised guidance on inventorship for artificial intelligence‑assisted inventions, completely replacing the February 2024 framework and clarifying how human contributions must be evaluated when AI tools play a role in the inventive process. In particular, the heightened inventorship standard for AI-assisted inventions outlined in the February 2024 framework has been rescinded. The current guidance reaffirms a core principle: Only natural persons can be inventors, and applicants must be prepared to demonstrate the specific human contributions that constitute conception.

For companies using AI tools to discover therapeutic antibodies, the updated guidance has immediate implications for patent drafting, prosecution and litigation risk. AI‑assisted antibody discovery is accelerating, but so is scrutiny from challengers who may argue that patents relying heavily on AI lack proper inventorship, written description or enablement.

This alert summarizes the USPTO’s key updates and provides practical strategies for strengthening the inventorship position of patents covering AI‑assisted antibody inventions.

Key takeaways from the USPTO’s revised inventorship guidance

AI cannot be an inventor.

Inventorship is limited to natural persons. AI is always a tool, and tools cannot be named as inventors or joint inventors. Applicants must identify the human(s) who conceived the claimed invention.

Human conception remains the ‘touchstone of inventorship.’

A human inventor must have formed a definite and permanent idea of the claimed invention. In the AI‑assisted context, this requires more than operating an AI tool or accepting its output. The human must contribute intellectually to at least one claim element.

When only one natural person is involved in developing an AI-assisted invention, this is a return to the traditional inventorship standard based on conception, and is in contrast to the February 2024 framework that required a heightened inventorship standard for AI-assisted inventions based on the Pannu factors.¹ However, when multiple natural persons are involved in creating an invention with the assistance of AI, the traditional joint inventorship principles apply, which includes the use of the Pannu factors to determine whether each person qualifies as a joint inventor.

Priority claims may be jeopardized if foreign filings list AI inventors.

A US application can only claim priority if the earlier filing lists at least one human inventor in common. Foreign filings that list only an AI inventor cannot support US priority. US filings must list only human inventors.

In Europe, priority is tied to ownership, not inventorship. Priority can be preserved by ensuring the priority filing includes at least one human inventor and/or human applicant, even if an AI tool is also listed. For subsequent Patent Cooperation Treaty and US filings, naming only the human inventors and/or applicants satisfies both US inventorship rules and European Patent Convention applicant identity requirements.

How litigants may attack patents covering AI‑assisted antibody inventions

Inventorship challenges are a growing vulnerability for AI-assisted antibody inventions. Opponents may argue that the AI tool, rather than the listed inventors, conceived the claimed sequences and/or functional properties, or that the listed inventors merely selected or validated AI outputs without contributing to conception. Incorrect inventorship can render a patent invalid and/or unenforceable.

Antibody patents also face written description and enablement risks, particularly when only a few sequences are disclosed, or when broad genus claims lack supporting representative species or structure-function correlations. With an AI-assisted antibody patent, such written description and enablement risks are particularly true when the patent relies on undisclosed details of an AI tool, such as training data, architecture or reproducible workflows. Potential challenges to obviousness include asserting that applying known AI tools to known antigens is routine.

Practical strategies to strengthen inventorship in AI‑assisted antibody inventions

A strong inventorship record is one of the most effective defenses against validity challenges. Applicants should document that humans defined the scientific problem, set the design constraints and directed the discovery campaign. The availability of such documentation reinforces that the AI tool was only used as a tool, within a human‑defined inventive framework.

Human decision‑making must also be evident in how AI outputs were handled. Selecting the best sequences, rejecting unsuitable ones, modifying sequences, such as complementarity determining regions (CDRs) or framework regions, and prioritizing candidates for testing are all acts of conception. Similarly, humans must design and interpret the experiments that gave rise to the claimed invention, including choosing appropriate assays to determine relevant functional properties and interpreting various data.

The patent should reflect this narrative by describing a human‑driven rationale, and the constraints and decision‑making involved, while avoiding language suggesting that the AI tool “designed” or “conceived” the invention.

Good hygiene must be practiced when keeping records. Lab notebooks, emails, internal presentations and notes explaining why certain AI outputs were accepted or rejected can make all the difference if a patent’s inventorship position is ever challenged.

Conclusion

While simplified, the USPTO’s revised inventorship guidance continues to underscore that AI‑assisted inventions, particularly in antibody discovery, require careful consideration regarding the human contribution and patent drafting strategy. AI tools can accelerate discovery, but they also create new avenues for challengers to attack patents. Regarding inventorship, applicants that proactively document human conception and practice good record-keeping hygiene will be best positioned to defend their patents in litigation.

Pannu v. Iolab Corp., 155 F.3d 1344, 1351 (Fed. Cir. 1998) setting forth the three-part test (Pannu factors) for determining inventorship: (1) The individual must contribute in some significant manner to the conception or reduction to practice of the invention; (2) the contribution must not be insignificant in quality when measured against the full invention; and (3) the individual must do more than merely explain well-known concepts or the current state of the art.

2026 Antitrust Outlook: Learnings From the First Year of ‘America First’ Enforcement

Thu, 19 Feb 2026 21:54:55 Z

Following the transition to the second Trump administration, the Department of Justice (DOJ) and Federal Trade Commission (FTC) pivoted toward a more “business-friendly” posture in many respects, while pursuing other aggressive theories of harm, reminiscent of the Biden-era antitrust enforcers.

The strategic shift toward an “America First Antitrust” policy in 2025 prioritized the “pocketbook” interests of Americans. In this review, we first explore the principles underlying the policy and analyze how these positions have a surgical approach to labor market competition and have fueled investigations into “tech censorship.” Second, we assess the state of a more deal-friendly merger environment, highlighting the return of structural remedies and early termination of certain review periods, though the agencies remain ready to litigate where remedies may not resolve the competitive concerns. Finally, we address the rising influence of state-level oversight, examining how state attorneys general and legislatures are filling perceived federal gaps through independent litigation, along with the enactment of “mini-HSR” (Hart-Scott-Rodino Act) and anti-algorithmic collusion laws.

‘America First Antitrust’: Policy shifts in 2025

With the introduction of the “America First Antitrust” policy, the second Trump administration emphasized an enforcement regime rooted in values designed to center the interests of average American workers and consumers by focusing on “pocketbook” or “kitchen-table” industries – sectors like housing, healthcare, groceries and transportation that directly impact daily life.

The origin of the term, “America First Antitrust” policy, is an early speech from now former DOJ Antitrust Assistant General Gail Slater, and so it is less clear how relevant the principles will be going forward. Even so, we can look to White House policy and enforcement actions at both the DOJ and FTC as useful bellwethers for what to expect going forward. For example, the White House directed the DOJ to investigate major meatpacking companies for potential price fixing, while the DOJ and US Department of Agriculture formalized a partnership to increase competition in agricultural inputs, like seeds and fertilizer. The FTC and DOJ have also continued their Big Tech cases. Indeed, FTC Commissioner Mark Meador shared his view that Big Tech has become as much of a kitchen-table issue as groceries or housing. Other priorities at the FTC and DOJ include protecting labor competition for workers and consumers against censorship.

Labor markets: Case-by-case enforcement over rulemaking

Labor competition remains squarely on the antitrust agencies’ radar as they pivot their strategy from rulemaking to targeted enforcement. Skeptical of what FTC Chairman Andrew Ferguson perceived to be the regulatory nature of the Biden-era’s noncompete rulemaking, the FTC under the new Trump administration withdrew its appeal of a district court decision blocking the agency’s enforcement of the noncompete rule. The FTC since announced a new Joint Labor Task Force, which aims to “root out” anticompetitive labor practices like noncompete, no-poach and no-hire agreements.

Censorship of speech as competitive harm

Under Ferguson, the FTC launched a probe into alleged collusion and coordinated boycotts among media and advertising firms. The investigation focuses on whether these entities have conspired to “ban,” “shadow ban” or “demonetize” (e.g., by withholding advertising funds) certain publishers based on political or ideological content.

These concerns are featured in the FTC’s enforcement action in Omnicom/IPG. In that matter, the FTC alleged that Omnicom’s $13.5 billion acquisition of IPG reduced the “impediments to coordinating the placement of advertisements, monitoring [other media buying services], and punishing one another for taking actions that harm them collectively.” The FTC’s complaint cited a “history of coordination” in the advertising industry, including agencies working through industry associations to potentially boycott media publishers. The final consent order prohibited the combined company from coordinating with other agencies to direct ad spending based on political viewpoints, refuse client requests based on publisher’s political content, or create or use “exclusion lists” based on political criteria.

According to court filings, the FTC is actively investigating other parts of the media advertising industry as well. The investigation came to light in a dispute between the FTC and Media Matters for America (MMfA). In June 2025, MMfA filed for an injunction barring the FTC from enforcing a civil investigative demand (CID) issued to MMfA, alleging that the CID is unconstitutional. In August 2025, a district court granted a preliminary injunction, halting the FTC’s investigation, which was affirmed by an appellate court in October 2025. In the briefing, the FTC claimed that the MMfA CID is “one of seventeen [at the time] outstanding CIDs” issued as part of the FTC’s investigation into whether “entities have conspired to withhold, degrade, increase the cost of, or otherwise diminish the quantity of advertising placed on news outlets, media platforms, or other publishers in violation of [the antitrust laws] under the guise of promoting ‘brand suitability’ and ‘brand safety’ against ‘misinformation.’”

Deal-friendlier merger enforcement in Trump 2.0

Moving away from the more aggressive posture of the Biden administration, the current administration has ushered in a more deal-friendly era. Key differences include a commitment to regulatory speed for nonproblematic deals and a renewed willingness to consider structural remedies to resolve competitive concerns.

‘Getting out of the way’ of nonproblematic deals

Ferguson summarized his view on merger enforcement: “If we think [a] merger is going to hurt Americans economically, I’m taking you to court. But if we don’t, we’ll get the hell out of the way.” Echoing this sentiment, the DOJ has also prioritized expediting reviews and redirected agency resources to identify those deals quickly and clear them without unnecessary delay.

A significant procedural update, which had been set in motion by the Biden administration, was the return to the practice of granting “early terminations” of statutory waiting periods under the HSR Act. Historically, early termination had been granted in about 80% of transactions where it was requested. There is not yet sufficient data available to assess if the cadence is similar.

Revival of structural remedies

A welcome development for dealmakers in 2025 was the return of merger remedies, often involving divestiture. Unlike the previous administration, which viewed remedies with skepticism and increasingly preferred litigation (though it did enter into some consents despite the rhetoric), current regulators are more open to addressing concerns with structural remedies in settlements.

In 2025, the DOJ and FTC brought 12 enforcement actions challenging mergers, nine of which resulted in consent orders. The agencies have tended to prefer divestitures, as reflected in the consents in Boeing/Spirit, ACT/Giant Eagle and Synopsys/Ansys, while a few other settlements involved behavioral remedies, as in Omnicom/IPG.

But the agencies are willing to litigate

While the environment is undoubtedly more hospitable to M&A, the agencies have not abandoned their enforcement mandate. In cases where they believe a proposed transaction is insufficient, including any proposed remedies, they remain willing to go to trial. In 2025, the FTC litigated two large life sciences deals with mixed success.

In GTCR/Surmodics, the FTC attempted to block a $627 million medical device merger, alleging that Biocoat, a majority stake of which is owned by GTCR, and Surmodics are the two largest players and frequent head-to-head competitors in the highly concentrated hydrophilic coating market, and that the acquisition would result in a combined market share of more than 50%. The agency rejected the merging parties’ proposed divestiture of key Biocoat assets to a medical device manufacturer, Integer, as “falling significantly short of protecting competition.”

A federal court denied the FTC’s request for a preliminary injunction, rejecting the FTC’s argument that a divestiture must “negate the anti-competitive effects […] entirely” or fully restore the market to its pre-merger state. Instead, the court ruled that the merging parties are only required to show that a divestiture “sufficiently mitigates” a merger’s anticompetitive effects. The court further rejected the idea that a remedy is inadequate simply because it is a partial divestiture rather than the sale of a complete, stand-alone business. Here, the court found that the specific Biocoat assets proposed to be divested were sufficient when combined with Integer’s existing capabilities. The court further noted that such divested assets would fill an “important capability gap” for Integer, making it an “exceptionally well-qualified” buyer. It concluded that adding these Biocoat assets would allow Integer to serve as a “one-stop shop” for the manufacturing and application of medical coatings, making it a viable competitor.

In Edwards/JenaValve, the FTC filed suit to block Edwards’ proposed $945 million acquisition of JenaValve, alleging that JC Medical, a company acquired by Edwards days before the announcement of the Edwards-JenaValve deal, and JenaValve are the only two companies with ongoing clinical trials for transcatheter aortic valve replacement (TAVR-AR) devices used to treat aortic regurgitation, and that this deal would “eliminate the vigorous head-to-head competition” between them. In January 2026, the court ruled in favor of the FTC, despite neither product yet being on market, finding that the merger would create a monopoly in the market for research, development and commercialization of transfemoral TAVR-AR devices. The court notably identified the loss of innovation competition in the development of these devices as a cognizable Section 7 harm, relying on the US Court of Appeals for the Fifth Circuit’s 2023 decision in Illumina that similarly identified competitive harm in a research and development market, in the context of a vertical merger. Edwards and JenaValve have since abandoned the deal. The decision is notable in that it marks the first successful antitrust agency action in recent history to block a merger of two pre-commercial products, as compared to most litigated merger challenges that involve marketed products.

State attorneys general aim to supplement federal enforcement

In 2025, state attorneys general and legislatures made moves to expand their role in antitrust oversight to fill the perceived gaps at the federal level. State legislatures also passed additional laws to expand the role of state laws in antitrust enforcement.

Rise of ‘mini-HSR’ laws

States have moved to enact their own premerger notification laws. Washington and Colorado led this wave, becoming the first states to implement state laws modeled after the Uniform Antitrust Pre-Merger Notification Act, requiring contemporaneous state-level notices for any deal triggering federal HSR thresholds that also meet state-specific thresholds. Several other states are considering doing the same.

Targeting ‘new frontier’ anticompetitive conduct in algorithmic pricing

States are also focusing on conduct enforcement, including in algorithmic pricing. In January 2025, the DOJ, joined by 10 states, filed an amended complaint against RealPage, alleging that RealPage’s algorithmic software enabled landlords to coordinate rental prices and artificially inflate rents for millions of tenants. In November 2025, the DOJ and RealPage reached a settlement that imposes restrictions on RealPage’s use of competitors’ nonpublic, competitively sensitive information (e.g., active lease data) to generate real-time rental price recommendations. However, the state enforcers that had joined the DOJ’s complaint refused to sign onto the federal settlement and reserved the right to continue their own legal challenges, signaling that the states did not find the relief to be sufficient. Certain states that had not originally joined the DOJ-led suit – including Arizona, Maryland and New Jersey – are also pursuing independent lawsuits against RealPage, alleging that its algorithmic pricing tools facilitated illegal rent-fixing schemes.

California also enacted the Preventing Algorithmic Collusion Act (AB 325), which went into effect on January 1, 2026. AB 325 amends the Cartwright Act, California’s primary antitrust statute, to establish two primary causes of action in relation to the use of pricing technology:

Use or distribution of artificial intelligence pricing technology that uses competitor data to set or influence prices (“common pricing algorithm”) as part of a contract, combination or conspiracy to restrain trade.
Use or distribution of a common pricing algorithm if the user coerces another party into setting or adopting a recommended price or commercial term for the same or similar products or services.

UK Merger Control in 2026 – What to Expect

Thu, 19 Feb 2026 16:18:02 Z

Key takeaways:

In 2025, the UK Competition and Markets Authority (CMA) signalled a significant shift in its enforcement and merger review priorities, emphasising alignment with the UK government’s pro-growth, pro-business agenda. In parallel, the CMA implemented a series of changes to its merger review processes to streamline and speed up reviews with pace, predictability, proportionality and process (its ‘4P’ framework). With further legislative reforms on the horizon, the UK merger-control risk assessment has shifted significantly for dealmakers.
This alert summarises key developments from the past year and explains what they mean for dealmaking in 2026. It also discusses how the CMA’s greater focus on encouraging growth and investment has had wide-ranging effects on how dealmakers engage with the agency, including on global deals. We also summarise recent revised guidance on merger remedies and consider the impact of further legislative reforms for dealmakers.
For dealmakers, the need to look beyond a purely technical analysis of filing thresholds will remain paramount when considering UK competition risk and informing the best engagement strategy with the regulator.

In 2025, the UK Competition and Markets Authority (CMA) signalled a significant shift in its enforcement and merger review priorities, emphasising its alignment with the UK government’s pro-growth, pro-business agenda. While speeches by CMA executives in previous years had emphasised the need to avoid under-enforcement, including in the context of digital mergers (as seen in the Bannerman Competition Lecture), the tone shifted in 2025: ‘The goal for merger control is simple – and this has always been the case: every deal that is capable of being cleared either unconditionally or with effective remedies should be’. The UK government’s strategic steer further directed the CMA to focus on markets that particularly impact UK-based consumers and businesses.

In parallel, the CMA implemented a series of changes to its merger review processes to streamline and speed up reviews, and amended several merger guidance documents to emphasise pace, predictability, proportionality and process (as part of its ‘4P’ framework). On 20 January 2026, the UK government opened a consultation on further legislative changes to the UK merger-control regime aimed at enhancing predictability for businesses in support of economic growth.

For dealmakers, the UK merger-control risk assessment has shifted significantly. We set out the key developments in more detail below and explain what they mean for dealmakers navigating the evolving regulatory landscape in the UK in 2026.

Greater focus on encouraging growth and investment

At the heart of the CMA’s shift in merger review priorities was the strategic steer from the UK government in May 2025, which signalled a clear expectation that the regulator should take a more pro-business approach. In particular, the CMA was instructed to:

Prioritise pro-growth and pro-investment interventions
Focus on markets and harms that particularly impact UK-based consumers and businesses
Support growth and competitiveness in the government’s industrial strategy (advanced manufacturing, clean energy industries, creative industries, defence, digital and technologies, life sciences, financial services, and professional and business services).

This was implemented across the CMA’s functions and reflected in its 2025 to 2026 Annual Plan, which aimed for the ‘competition and consumer protections regime [to] play a central role in supporting economic growth and long-term prosperity in the UK’.

Strong messaging asserting the CMA’s focus on supporting growth, innovation and investment also feature heavily in the agency’s recently published draft Annual Plan setting out its work priorities and approach for 2026 to 2027. We can therefore expect to see the CMA’s approach to mergers continue to evolve during 2026 to meet these goals.

As part of its efforts to support the government growth mission, the CMA has also investigated how competition policy can encourage scale-up growth in the UK and sought stakeholder feedback on the issue. For example, it has noted that a proactive focus on tackling sector-specific barriers, including public-procurement challenges and unblocking access to data, could help facilitate scale-up growth. Regarding M&A, the CMA has sought views on how mergers interact with the objective of encouraging UK scale-up growth. An update is expected in early 2026.

CMA retreats from intervening in global deals

In an effort not to be viewed as a blocker to investment into the UK, 2025 also saw the CMA increasingly pull back from intervening in predominantly global transactions and adopt a ‘wait-and-see’ approach when reviewing international mergers with limited UK-centric effects. This shift, which is expected to continue in 2026, suggests that mergers involving global markets but only peripheral UK-specific overlaps are now less likely to attract far‑reaching scrutiny.

Instead, the CMA is expected to continue concentrating its resources on transactions with a clearer nexus to UK markets, consumers or the sectors prioritised in the government’s industrial strategy. That being said, there has not been a wholesale retreat from examining global mergers, with the CMA currently conducting an in-depth Phase 2 review of Getty Images’ proposed acquisition of Shutterstock.

More briefing papers, fewer Phase 1 reviews

As the UK’s merger control regime is voluntary, dealmakers can choose how to engage with the CMA on a case-by-case basis. Subject to the CMA’s powers to call in deals on its own initiative, parties may either notify a merger for a full CMA review – giving them a binding decision on the deal – or submit a briefing paper outlining why the deal does not raise UK competition-law concerns and asking the CMA to confirm that it does not intend to call in the deal for a full review.

In recent years, Phase 1 reviews appear to have become the least popular option overall, with a larger proportion of deals now being reviewed through the more informal briefing paper route. In 2025, the CMA looked at 881 mergers, of which only 39 were investigated at Phase 1. This contrasts with earlier years, such as 2023, when the CMA investigated 56 mergers at Phase 1. More deals, especially those concerning global markets, are being cleared through the briefing-paper route, with only a small minority progressing to a full Phase 1 review. This shift fits with the CMA’s stated aim of acting ‘as much as an enabler of competition as an enforcer of it’.

A more flexible approach to remedies?

As part of its series of consultations, the end of 2025 saw the CMA’s revised guidance on merger remedies, which again sought to facilitate a more business-friendly approach to merger control in the UK. Most notably, the CMA signalled a softening of its stance on behavioural remedies. While structural remedies such as divestitures or an outright prohibition are still preferred, the updated guidance removes the presumption against behavioural remedies at Phase 1 and provides a list of circumstances where the agency is more likely to accept such remedies, namely where:

The remedy has a limited duration
There is an industry regulator with the ability to effectively monitor and enforce the remedies
Industry characteristics, such as market transparency, make it more likely that customers, suppliers and competitors will be able to identify and report instances of noncompliance
The remedy aligns with the existing commercial practices and norms of the industry
The industry is sufficiently mature and stable so the risk of significant changes to competitive conditions is low

The CMA has also provided further guidance on ‘carve-out’ remedies, which involve the divestiture of parts of a business that cannot effectively compete on a standalone basis, such as a collection of assets. While stating that these types of remedies present greater composition risks, dealmakers should be aware that such divestitures may still be possible where robust risk-mitigation measures can be implemented.

Proposed legislative reforms

As set out above, on 20 January 2026 the UK government opened a consultation on refining the UK competition regime with the aim of supporting economic growth and delivering more certainty for businesses. The proposals focus on faster and more streamlined investigations, providing greater certainty on notification thresholds and giving businesses more time to agree remedies following a Phase 1 merger investigation. In particular, the proposals would:

Abolish the independent CMA panels that currently take decisions on Phase 2 mergers and transfer decision-making authority to a subcommittee appointed by the CMA Board. While the government has explained that the rationale for this change is to ensure that the CMA’s leadership is held accountable for its decisions to the UK legislature, removing independent panels eliminates an important check, and a fresh pair of eyes, on the CMA’s executive decision-making powers in merger cases and weakens safeguards against potential ‘confirmation bias’. The consultation document also does not set out how the benefit of increased accountability to government will be balanced against the risk of government interference in merger-case decision-making.
Codify the changes announced by the CMA in 2025 as to how it applies its jurisdictional tests, specifically limiting the factors the CMA can take into account to measure ‘share of supply’ to value, cost, price, quantity, capacity, number of workers employed and providing a closed list of factors that the CMA may consider as part of a ‘material influence’ assessment. This is aimed at facilitating more predictable outcomes for merging parties.
Extend the period for parties to agree Phase 1 remedies with the CMA from 10 working days to up to 20 working days from the Phase 1 decision.

The consultation is due to close on 31 March 2026. As amendments to legislation will be required, changes to the mergers process will not take immediate effect.

Conclusion for dealmakers

In their totality, these developments confirm a continued shift in the CMA’s merger-control enforcement priorities towards a more business-friendly approach, emphasising the agency’s ‘4P’ framework.

For dealmakers, the need to look beyond a purely technical analysis of filing thresholds when considering their UK risk position and instead assess how a particular deal fits into this overall policy context remains paramount. For example, while engagement with the CMA through briefing papers will likely be an appropriate strategy in many deals concerning purely global markets, the CMA ‘taking a step back’ on global deals in practice means increased scrutiny of mergers that have a particular impact on UK markets. These measures should be carefully considered in contract and risk-allocation negotiations. It remains to be seen whether the government’s proposed reforms, as well as the broader discussion in Europe and the UK on merger control and resilience, will further shift this calculus.

Even where CMA scrutiny is expected, dealmakers should consider using the expanded tool kit made available by the CMA on remedies and engage early to resolve potential roadblocks at pace.

J.P. Morgan Healthcare Conference 2026 – Key Themes Shaping Life Sciences

Wed, 18 Feb 2026 21:28:54 Z

The 2026 J.P. Morgan Healthcare Conference reinforced several key signals for the life sciences and healthcare industry. Although the sector continues to face structural pressure, it also is entering a period of renewed momentum shaped by capital discipline, regulatory complexity and expanding global opportunity. Several themes emerged that will influence how companies operate, partner and lead in the year ahead.

Differentiation and credibility drive capital and partnership success

Investors and strategic partners are actively reengaging, but expectations are higher than before. Companies that show clear, data‑driven differentiation – through platform depth, clinical validation or unique modality advantages – are earning the strongest interest. Storytelling is also becoming more important. Credible milestone planning, honest risk framing and consistent communication are increasingly viewed as signs of leadership maturity.

Leadership quality is a true competitive advantage

Across discussions, leaders highlighted the value of decisiveness, operational rigor and authenticity, particularly during moments of transformational opportunity, such as M&A or major partnership negotiations. Biotech executives noted that sophisticated leadership involves more than guiding deals. It requires effective board management, maintaining team trust and balancing ambition with realistic execution planning.

Policy and regulatory forces have become strategic variables

Washington’s approach to life sciences is evolving in ways that affect pricing scrutiny, enforcement priorities and expectations for clinical and manufacturing operations. Executives can no longer treat the policy environment as a secondary concern. Companies that integrate policy awareness into business development strategy, investor communications and long‑term planning are better prepared to avoid surprise risks and maintain deal readiness.

Cross‑border alliances are becoming more complex

Global partnerships continue to increase, especially among the United States, Europe and China. At the same time, geopolitical dynamics are reshaping deal structures. To maintain momentum, companies must navigate differing regulatory systems, data governance requirements and negotiation styles influenced by cultural context. Successful alliances combine speed and flexibility with thoughtful governance design, clear decision‑rights mapping and proactive risk management across supply chain, data and IP.

The market is rewarding focus and efficiency

Even as sentiment improves, investors remain selective. Capital is moving toward companies with disciplined operations, high‑conviction pipelines and a realistic view of their competitive landscape. Leaders repeatedly emphasized that 2026 is a year to sharpen rather than expand priorities. Strengthening balance sheets, streamlining programs and forming the right alliances are central to driving value‑inflection milestones.

Final thoughts

Ultimately, JPM 2026 made clear that the companies poised to outperform are those that pair scientific differentiation with disciplined execution and an ability to navigate regulatory and geopolitical complexity. For teams shaping the future of life sciences, Cooley stands at the ready – combining dealmaking strength, regulatory depth and board‑level perspective to help innovators move fast and lead with confidence.

Florida Attorney General Launches ‘CHINA Prevention Unit’ Targeting Foreign Adversary Data Sharing

Fri, 13 Feb 2026 08:00:00 Z

On February 5, 2026, Florida Attorney General James Uthmeier announced the creation of a dedicated “Consumer Harm from International Nefarious Actors” (CHINA) Prevention Unit within the Florida Office of the Attorney General.

While the acronym is pointed, the CHINA Prevention Unit’s mandate is broad: to investigate and prosecute foreign corporations – specifically, those with ties to “foreign adversaries,” like China, that collect sensitive data from Floridians. This development marks a growing trend in state-level enforcement, moving beyond traditional consumer protection into the realms of national security and data sovereignty.

What the CHINA Prevention Unit is designed to do

Housed within the Florida Office of the Attorney General, the CHINA Prevention Unit is tasked with leveraging the Florida Deceptive and Unfair Trade Practices Act and state privacy laws to target companies whose data practices may expose Florida residents to foreign exploitation. The CHINA Prevention Unit is framed as both preventative and enforcement-oriented, with an emphasis on demanding “transparency from companies operating in Florida” with ownership or ties to China and other countries of concern.

The attorney general has already signaled his enforcement priorities by taking several immediate actions:

Subpoenas issued: The CHINA Prevention Unit apparently issued subpoenas to several companies that the attorney general suspects have relationships with China.
Healthcare audits: The CHINA Prevention Unit is apparently sending formal letters to several medical device manufacturers demanding audits to identify ties to China and verify whether sensitive biometric or patient data is being transmitted to foreign servers.
Technology scrutiny: The CHINA Prevention Unit’s work will build on previous investigations by the attorney general into foreign router manufacturers and security camera companies regarding backdoors and supply chain vulnerabilities.

These actions demonstrate that the CHINA Prevention Unit is leveraging a cacophony of state laws (e.g., consumer protection, privacy, sectoral rules and public contracting) to further its transparency and remediation goals. They also clearly signal aggressive enforcement into the data collection, processing and disclosure practices of companies with ties to China and other foreign adversaries to the state of Florida.

Key takeaways for businesses operating in Florida

Healthcare and biometrics are ground zero. The attorney general has explicitly stated that healthcare is the “primary industry” of concern, “with personal health data, the most sensitive of human data, being shared with an enemy that wants to do us harm.” If your organization manufactures, distributes or utilizes internet-connected medical devices, diagnostic equipment or health-tech platforms with any component of Chinese ownership or manufacturing, you may be in the attorney general’s crosshairs.
Enforcement over legislation. Historically, protection of national security has been the remit of the US federal government. Florida’s attorney general is clearly not waiting for new federal laws. By “repurposing” existing resources, the attorney general is using broad consumer protection statutes to conduct what are essentially national security audits. Thus, many businesses may find themselves receiving “investigative subpoenas” even in the absence of a specific data breach or security incident, as the CHINA Prevention Unit’s focus is on prevention.
Transparency is now a legal risk. The CHINA Prevention Unit is focusing on deceptive trade practices. If a company’s privacy policy or marketing materials fail to clearly disclose that data may be accessible by foreign entities or stored on foreign servers, the attorney general may view this as a deceptive or fraudulent omission. Admittedly, Florida would not be the first government agency to take this position, but businesses operating in Florida may want to consider being more transparent about any data storage outside of the US, as well as the extent of any relationships between the business and “foreign adversaries.”

Considerations for businesses operating in Florida

Audit supply chain and international data flows. Map the data journey of your products. Do your devices or software platforms communicate with servers in “countries of concern”? Of particular note, you may want to identify any Chinese-manufactured components in your IT or medical infrastructure.
Review privacy disclosures. Consider whether your privacy notices and other public disclosures should be explicit about international data transfers. Boilerplate language may no longer be sufficient to ward off state-level scrutiny in Florida.
Assess Medicaid/public funding risks. There are calls encouraging legislative momentum to condition state funding and Medicaid reimbursements on the use of “non-China-linked” equipment. Entities relying on state contracts should begin evaluating alternative domestic or “friendly-nation” technology providers.
Federal government enforcement. The Florida attorney general’s focus on China and foreign adversaries aligns with recent federal government activity. For example, this week, the US Federal Trade Commission announced it had sent letters to 13 data brokers warning them against selling, releasing, disclosing or providing access to personally identifiable sensitive data about Americans to any foreign adversary. Earlier this year, the US Department of Justice promulgated the Data Security Program, a similar federal regulatory framework that restricts or prohibits certain categories of transactions between US persons and “countries of concern” that include bulk sensitive US personal data, such as geolocation data and biometric data.

Conclusion

Florida’s move represents a “new front” in the regulatory enforcement landscape. What was once a matter of federal trade policy has now become a local enforcement priority.

If you have questions about how these new enforcement priorities affect your compliance posture, or if you have received an inquiry or investigative demand from the Florida attorney general’s office, please contact our cyber/data/privacy team.

2026 Outlook: Limited Partners Looking to Shape Fund Structures and Liquidity Strategies

Tue, 10 Feb 2026 16:14:45 Z

The private funds landscape is entering a new phase in 2026, with limited partners (LPs) exerting greater influence on fund design and prioritizing liquidity solutions. These shifts have significant implications for managers and investors aiming to stay competitive and aligned with evolving market expectations. Our latest analysis highlights key trends shaping capital deployment and structuring strategies across global jurisdictions.

1. Geographic diversification of target funds

Since 2020, we have advised on 300+ LP commitments across 15 LP jurisdictions and 12 general partner (GP) jurisdictions. Delaware continues to dominate the choice of fund domicile, accounting for approximately 57% of target funds we worked on, followed by the Cayman Islands at 24%. The remainder spans Luxembourg, Singapore, the UK, Australia, Hong Kong and other markets. This reflects LPs’ increasing comfort with cross-border capital deployment and global manager sourcing, with jurisdictional considerations becoming less of a gating factor despite geopolitical uncertainties.

2. Growing influence of LPs on fund structure

Large sovereign investors and strategic LPs are increasingly shaping fund structures rather than simply accepting pre-designed vehicles. This trend is evident in the rise of separately managed accounts (“fund of one”), customized vehicles and permanent capital structures tailored to specific investor mandates. In Asia, for example, LPs increasingly request bespoke fund solutions aligned with their internal policy mandates, governance requirements, economic terms and liquidity preferences.

3. Heightened focus on liquidity

Liquidity considerations have become more prominent compared to prior cycles. In 2025, allocations expanded into secondary opportunities and private credit funds, alongside increased interest in structured products blending venture capital and private equity and hedge strategies. While closed-end funds remain central, they now compete with credit, secondaries and hybrid products for allocation.

4. Increased use of liquidity management tools

Continuation vehicles, NAV facilities and structured secondary products have moved to the forefront of investor discussions. Notably, LPs are raising these topics at the outset of fund negotiations rather than later in the fund’s life cycle. Investors seek clarity on when such tools may be deployed, how conflicts will be managed and what protections are embedded in fund documentation.

These insights are based on our recent market observations. Please contact us if you would like to discuss these trends further or explore their implications for your fundraising or investment strategy.

Q4 2025 Venture Financing Report: Up and Flat Rounds Increased; Recapitalization, Pay to Play and Redemption Decreased

Mon, 09 Feb 2026 21:10:48 Z

Cooley handled 221 reported venture capital financings in Q4 2025, representing $8.9 billion of invested capital. In Q4, deal volume decreased slightly across Series Seed, B, D and higher rounds, while Series C deal volume doubled since Q3. Overall, invested capital decreased significantly since Q3, driven in part by a single large late-stage tech deal that closed last quarter. Invested capital increased in Q4 for Series Seed, B and C deals, with Series C showing the largest increase – from $466.5 million in Q3 to $1.4 billion in Q4.

Median pre-money valuations increased across Series A, B and C rounds, but decreased for Series Seed, D and higher rounds. Series C showed the greatest increase, with the median pre-money valuation rising from $175 million in Q3 to $367 million in Q4. Series D and higher rounds showed the most significant decrease, with the median pre-money valuation dropping from $1.3 billion in Q3 to $800 million in Q4. The percentage of deals with pre-money valuations above $100 million (across all stages) remained high and increased from 36% in Q3 to 39% in Q4.

The percentage of deals representing up and flat rounds increased, while the percentage of deals representing down rounds decreased. Up rounds represented 79.7% of deals, flat rounds represented 7.4% of deals and down rounds represented 12.8% of deals for Q4. This is compared to 77.3%, 3.3% and 19.3% for up, flat and down rounds, respectively, in Q3.

The percentage of deals involving a recapitalization decreased from 3% of deals in Q3 to 0.9% of deals in Q4. The percentage of deals with pay-to-play provisions decreased from 9.9% of deals in Q3 to 6.3% of deals in Q4.

Liquidation preference structures continued to remain favorable to companies, with 98% of deals having a “1x” liquidation preference, and 96% of deals having nonparticipating preferred stock. The percentage of deals with redemption provisions decreased from 4.3% in Q3 to 1.8% in Q4. Deals with accruing dividends increased from 3% in Q3 to 3.6% in Q4.

In PitchBook’s Q3 2025 Global League Tables, Cooley was named the #1 law firm in the US and globally for representing companies raising venture capital, a ranking the firm has held for more than five years consecutively. PitchBook also ranked Cooley #1 in the US for representing clients in venture capital financings, initial public offerings, M&A and private equity transactions. In addition, Cooley received #1 rankings for overall representation in venture capital financings across several industries and geographic regions, securing top spots in pharmaceuticals and biotech, healthcare services and systems, commercial products and services, and media. The firm received high rankings from PitchBook based on activity across all deal types, earning the #1 position for late-stage deals.

Additionally, LSEG’s Global Venture Capital Review for the first nine months of 2025 named Cooley the #1 law firm for representing companies raising venture capital based on deal count. LSEG also named Cooley the #1 law firm for representing companies in private equity transactions based on deal count.

Spotlight on technology

The deal volume for tech company venture financings saw a decrease, down to 108 in Q4 from 125 in Q3. The amount of invested capital also decreased, from $21.1 billion in invested capital for Q3 to $5.5 billion in invested capital for Q4. Similarly, the average reported deal size of venture financings for tech companies decreased, from $169 million in Q3 to $50.6 million in Q4.

Spotlight on life sciences

In Q4, both deal volume and invested capital increased for life sciences companies, from 50 reported deals representing $2.2 billion in invested capital in Q3 to 55 reported deals representing $2.4 billion in invested capital in Q4. Reported average deal sizes for venture financings of life sciences companies decreased slightly in Q4 to an average of $43.1 million, compared to $43.5 million in Q3. The percentage of life sciences company venture financings structured in tranches decreased from 26% of reported deals in Q3 to 23.6% of reported deals in Q4.

Preparing for an Equity Plan Proposal at the 2026 Annual Meeting

Mon, 09 Feb 2026 08:00:00 Z

As proxy season kicks off in earnest, we’ve reached the time of year when public companies should evaluate whether additional equity plan shares will be needed during the next 12 to 16 months – i.e., to meet any immediate share demand needs and any share demand needs arising before the 2027 annual meeting of stockholders. If more shares will be needed next year, it likely makes sense to request them from stockholders at the upcoming 2026 annual meeting. Otherwise, grants made as part of the 2027 award cycle may need to be postponed until after the 2027 stockholder meeting, or alternatively be disclosed to stockholders in next year’s proxy and be made subject to a subsequent favorable stockholder vote at the 2027 meeting.

Modeling share requirements can be a time-consuming process, involve external partners (for instance, legal counsel and compensation consultants) and require internal socialization in advance of board of directors involvement. As a result, the time to act is now.

Companies that hope to receive a favorable recommendation from Institutional Shareholder Services (ISS) and Glass Lewis will need to take their positions into account. An important ISS consideration in that regard is the expected score under its Employee Plan Scorecard (EPSC), the terms of which are reflected in FAQs updated by ISS each December.

The EPSC generally takes three different plan aspects (“pillars”) into account:

The projected cost of the plan in dollar terms (sometimes called the shareholder value transfer).
Various plan design features (“Plan Features” within the EPSC vernacular).
A company’s historical grant practices, including its average annual burn rate relative to market and industry peers

Whether ISS will recommend stockholder approval of an equity plan (including any amendments subject to stockholder approval) is a function of whether the sum of the numerical score achieved under each of the three pillars of the EPSC exceeds the specified threshold level, subject to certain negative overriding factors (such as an evergreen share reserve or permitting option repricings without stockholder approval) that will result in an adverse recommendation even with a passing score. FAQ 37 lists the overriding factors.

It is important to note that, in December 2025, ISS added an additional negative overriding factor, where a plan has an “insufficient” score under the Plan Features pillar (i.e., if the plan “lacks sufficient positive features,” as ISS puts it). As a result, ISS may recommend a vote against an equity plan proposal where the EPSC evaluation results in a Plan Features pillar score of less than seven points. Because ISS does not specify how many points are available under each of the various design aspects evaluated under the Plan Features pillar, it is not immediately clear what combination of features will avoid a potential negative override, but legal practitioners and consultants familiar with the EPSC model should be able to offer helpful guidance in that regard.

* * *

Early preparation is essential to a smooth and successful equity plan proposal at your upcoming annual meeting. Cooley’s compensation and benefits group is ready to help you navigate the process.

Statement on Tokenized Securities

Wed, 04 Feb 2026 22:33:49 Z

On January 28, 2026, the staff of the Division of Corporation Finance, the Division of Investment Management, and the Division of Trading and Markets of the US Securities and Exchange Commission (collectively, the SEC staff) issued a joint statement addressing the application of the federal securities laws to “tokenized securities” (the statement). The statement reflects the views of SEC Staff across the principal divisions responsible for securities disclosure, investment products, and market structure, but does not represent an action of the Securities and Exchange Commission (SEC) itself.

The statement is intended to provide clarity to issuers, intermediaries and market participants considering the use of blockchains to represent, record or transfer securities. The statement characterizes tokenization as a technological method of recordkeeping and transfer, rather than a legal innovation that alters the status or regulatory treatment of securities under the federal securities laws.

Key takeaways

Tokenized securities remain “securities.” The SEC staff emphasize that the determination of whether an instrument is a “security” under the Securities Act of 1933 (as amended, the Securities Act) and the Securities Exchange Act of 1934 (as amended, the Exchange Act) depends on the economic substance and legal rights associated with the instrument, not the technology used to represent ownership. A security does not cease to be a security solely because it is tokenized or recorded on a blockchain. This directly tracks Commissioner Hester Peirce’s July 2025 statement that tokenized securities are still securities.
Existing registration and regulatory requirements apply. Offers and sales of tokenized securities must be registered under the Securities Act unless an exemption is available. Market participants involved in the trading, custody, clearance or settlement of tokenized securities remain subject to applicable broker-dealer, exchange, clearing agency, transfer agent and antifraud requirements under the federal securities laws.
No new safe harbor or alternative regime. The statement does not establish any new exemptions, safe harbors or modified compliance frameworks for tokenized securities and does not alter existing statutory or regulatory obligations. Although SEC Chair Paul Atkins has hinted at a possible forthcoming “innovation exemption,” the statement does not provide such relief.

Tokenization models identified by SEC staff

The statement identifies two principal categories of tokenized securities structures:

Issuer-sponsored tokenized securities

In this model, the issuer of a security (or its transfer agent) incorporates distributed ledger technology (DLT) into its official securities ownership records, either directly or indirectly.
Transfers of the token correspond directly to changes in ownership on the issuer’s books and records.
The blockchain may function as part of the issuer’s master securityholder file, typically supplemented by off-chain information necessary to satisfy identity, compliance and recordkeeping requirements.

Third-party-sponsored tokenized securities

In this model, a third party unaffiliated with the issuer creates a crypto-asset that references an existing security.
The statement identifies two common variations:

Custodial tokenized securities, in which the token represents a security entitlement or custodial interest in an underlying security held by an intermediary.
Synthetic tokenized securities, which may take the form of linked securities or security-based swaps issued by third parties. A linked security provides synthetic economic exposure to a referenced security or related events, but is not an obligation of, and confers no rights against, the issuer of the referenced security. A security-based swap is a derivative instrument that provides similar exposure through contractual payment obligations tied to a single security, a narrow-based security index or specified issuer-related events.

Regulatory and risk considerations

Substance governs classification and treatment

Whether a tokenized security constitutes the same class of securities as its traditional counterpart depends on whether the rights, preferences and characteristics are substantially similar. Tokenization alone does not create a new class of securities.

Additional risks in third-party models

The SEC staff caution that third-party models may expose investors to additional counterparty, operational and insolvency risks. In such structures, token holders may have rights only against the intermediary, rather than against the underlying issuer.

Potential derivatives implications

Depending on their structure, certain tokenized instruments may meet the definition of a “security-based swap” or other regulated derivative under the Exchange Act, triggering additional regulatory requirements.

Why it matters

The statement provides meaningful guidance to market participants by confirming that tokenized securities are embedded within existing securities law frameworks. For issuers and intermediaries, this clarity reduces some uncertainty regarding regulatory classification while underscoring that tokenization does not provide a mechanism to avoid registration, disclosure, custody or market-structure obligations. The distinction between issuer-sponsored models and third-party models is particularly significant for assessing investor rights, regulatory exposure and risk allocation.

The big picture

The statement is consistent with the SEC’s broader approach to digital assets and financial innovation: technological modernization is permissible, but it must operate within existing statutory and regulatory boundaries. The SEC staff treats tokenization as an evolution of securities infrastructure rather than a transformation of securities law. For market participants, the message is clear that on-chain securities markets must be designed to comply with established investor protection, disclosure and market-structure principles, rather than circumvent them.

Law clerk Greg Marcus also contributed to this alert.

Protecting Grand Jury Materials From FOIA: Lessons From the Ninth Circuit’s Kalbers Decision

Wed, 04 Feb 2026 20:46:40 Z

The US Court of Appeals for the Ninth Circuit’s recent decision in Kalbers v. DOJ confirms that documents produced solely in response to a grand jury subpoena are protected from disclosure under the Freedom of Information Act (FOIA). The ruling underscores how companies and counsel can preserve the confidentiality of documents by adopting consistent, deliberate document-production practices from the outset of an investigation.

Background

In Kalbers, a professor sought nearly six million documents Volkswagen produced to the US Department of Justice (DOJ) during the so-called Dieselgate criminal investigation. Volkswagen had provided the materials in response to a federal grand jury subpoena, and almost all were stamped: “FOIA Confidential – Produced Pursuant to Rule 6(e).” Rule 6(e) of the Federal Rules of Criminal Procedure bars disclosure of “matter[s] occurring before the grand jury,” and in turn, FOIA exempts disclosure of any information protected by federal law, including Rule 6(e)’s grand jury secrecy mandate. The district court nonetheless ordered disclosure, reasoning that DOJ had not shown which documents were actually presented to the grand jury or that releasing them would necessarily reveal grand jury matters.

The Ninth Circuit reversed, holding that Rule 6(e) protects documents from FOIA disclosure when the government obtained them solely through a grand jury subpoena. The court reasoned that disclosing such documents would reveal the scope and focus of the grand jury’s investigation. It further explained that grand jury protection can be overcome only if the requester can show that the government obtained the documents from a source independent of the grand jury subpoena, the requester seeks the documents for a purpose unrelated to the grand jury investigation, and disclosure would not compromise the grand jury process. If the requestor fails to satisfy any of these factors, Rule 6(e) bars disclosure.

The court remanded for further proceedings on four documents that lacked the Rule 6(e) label.

Key takeaways

Label documents clearly and consistently

Almost all of the six million documents Volkswagen produced were stamped “FOIA Confidential – Produced Pursuant to Rule 6(e),” and the Ninth Circuit relied heavily on that labeling to conclude they were grand jury materials. The labels created a clear record tying the documents to the subpoena, and the court emphasized that DOJ could not redact them because doing so would itself disclose the connection to the grand jury investigation. Without this labeling, the government would have faced a more difficult task of demonstrating the materials’ protected status. The court remanded only as to the four unlabeled documents.

The ‘independent source’ limitation

The central inquiry is whether the government possesses the documents only because of the grand jury subpoena. Here, DOJ had no independent source for the Volkswagen materials, so disclosure was barred. The court contrasted this with cases like United States v. Dynavac, where the government possessed the same materials through a separate administrative process; in such circumstances, disclosing them does not necessarily reveal anything about the grand jury’s work. If an independent source exists, Rule 6(e) protection may not apply.

Internal investigations don’t create an escape hatch

The requester argued that Volkswagen’s internal investigation materials should fall outside Rule 6(e) because they were created for purposes independent of the grand jury proceeding. The Ninth Circuit rejected that argument. The court noted that Volkswagen had commissioned the internal investigation because of DOJ’s criminal investigation, and the materials were funneled to the government solely through the grand jury subpoena process. When internal investigation documents flow to DOJ through a subpoena, that collection is treated as grand jury material regardless of the documents’ origins.

Bottom line

The Kalbers decision makes clear that Rule 6(e) provides robust protection when documents are in the government’s possession only through a grand jury subpoena and not from an independent source. Proper labeling creates a clear record that strengthens this protection and makes it easier for the government to demonstrate protected status. Ensuring that protection requires thoughtful document handling from the onset of dealing with the government in a criminal matter.

FCC Requires Disclosure of Foreign Adversaries’ Interests in Entities With FCC Licenses or Authorizations

Wed, 04 Feb 2026 16:04:00 Z

On January 29, 2026, the Federal Communications Commission (FCC) adopted a decision on control of FCC-regulated businesses by “foreign adversaries.” Under these rules, nearly every entity that is subject to FCC regulation would be subject to new ownership reporting requirements, including entities that do not regularly report ownership today, such as cable and satellite companies, entities holding FCC equipment authorizations, and entities with private radio licenses like those used for communication in factories or office buildings or by fleet managers. Penalties for failing to comply with the reporting requirements could include fines and revocation of licenses or other authorizations.

The new rules require the disclosure of foreign adversary interests by entities with direct ties to foreign adversaries, such as those with a principal place of business in a foreign adversary nation, and those that have 10% or greater direct or indirect voting or equity interests held by foreign adversaries, entities under the control of foreign adversaries, or citizens of foreign adversaries. Under the rules, any of these interests presumptively constitutes “control” by the foreign adversary, even if an entity formally is not under formal control of the adversary. Foreign adversaries are those designated by the Department of Commerce. The current foreign adversaries are Cuba, Iran, North Korea, the People’s Republic of China, Russia and Nicholas Maduro, the deposed president of Venezuela. Entities that have interests described in the rules will be given an opportunity to rebut the presumption that they are under foreign adversary control.

The rules will divide regulated entities into three categories, each with different reporting requirements.

“Schedule A” entities will be required to report whether or not foreign adversaries have disclosable interests under the FCC’s standards. Schedule A includes all of the most significant industries regulated by the FCC – wireless providers, telecommunications companies, undersea cable operators, broadcasters, satellite companies and manufacturers of devices that require FCC approval before they can be sold in the US – as well as some other areas, such as IP-based telecommunications relay services and entities that operate licensed or registered earth stations (including receive-only earth stations).
“Schedule B” entities will be required to file reports only if they actually have disclosable interests under the FCC’s standard. Schedule B covers very small broadcasters (with fewer than six employees), as well as a variety of nonbroadband wireless services, including many private radio licensees.
“Schedule C” entities will not be required to file reports. Schedule C includes devices that are authorized under the FCC’s Supplier’s Declaration of Conformity program (which do not have to obtain approval), amateur radio, ship and airplane radio operator licenses, and the General Mobile Radio Service.

All entities subject to the filing requirement will be required to make an initial filing on a date that will be set by the FCC. Additional filings may be required if the Department of Commerce designates new foreign adversaries, if an entity enters a new line of business that is covered by the rules, if the FCC decides to change the schedules to move a type of authorization into a new category, or if there is a change in ownership of an entity that affects its status as having disclosable interests by a foreign adversary.

If an entity reports that it has a disclosable interest, it will be required to provide detailed information on its ownership. This information would be available to the public. Based on that information, the FCC could take additional action, including requiring additional reporting, referring the entity to a national security review by other federal agencies or revoking its authorizations. Companies that fail to make required filings are subject to enforcement, including revocation of their authorizations

Navigating the Age Assurance Maze: FTC Signals Potential Guidance on Harmonizing COPPA With Robust Age Assurance Technologies

Wed, 04 Feb 2026 08:00:00 Z

On January 28, the Federal Trade Commission (FTC) hosted a workshop on age assurance, where FTC leadership signaled new guidance may be forthcoming to clarify potential conflicts between age assurance efforts and federal law. At the workshop, titled, “Protecting American Children: A Workshop to Explore Age Verification Technologies,” FTC leadership acknowledged a tension between implementing age assurance technologies, which may be required to comply with state laws, and complying with the Children’s Online Privacy Protection Act (COPPA). FTC leadership indicated they are exploring solutions to resolve this tension, while also balancing competing interests of privacy, online safety, free speech and user experience. The workshop panels, which included participants from industry, state governments, the UK data protection regulator’s office and other stakeholders, highlighted how companies with an online presence face varying regulatory, privacy and security concerns as they seek to deploy age assurance methods proportional to their business’ customer profile and age-related risks.

The FTC perspective: Compatibility of compliance and innovation

In his opening remarks, FTC Chairman Andrew N. Ferguson stated that COPPA remains a top enforcement priority for the agency. He framed the workshop as a critical fact-finding exercise to explore how the FTC can apply COPPA to emerging age verification solutions. Ferguson cited recent COPPA enforcement activity to demonstrate the agency’s commitment to online child safety. He argued that innovation and compliance need not be in tension.

Ferguson’s view was echoed by FTC Commissioner Mark R. Meador, who argued that age verification is not novel. Instead, he framed age verification as a familiar, protective principle, citing parallels to age gates used for regulated physical goods, such as cigarettes and alcohol. He argued that technological solutions are necessary to support parents and protect youth online. Specifically, Meador commended the development of tools that allow for a one-time, centralized age verification process, which, once complete, can be portable and used across different platforms, thereby avoiding the need to provide raw personal data to every app and website requiring verification. He referred to these emerging technologies as “efficient,” “secure” and “the future.”

FTC Director of the Bureau of Consumer Protection Christopher Mufarrige reaffirmed the agency’s focus on COPPA enforcement, while recognizing that some age verification technologies require the collection of personal information before parental consent can be obtained – a direct source of friction with COPPA. Similarly, COPPA may serve as an impediment for companies that wish to create automated methods, including artificial intelligence-based models, to automatically identify and disallow children under 13. COPPA poses challenges for the building of such models, and companies have long hoped the FTC would provide guidance clarifying that the use of personal information of children under 13 for these purposes will not result in liability. Mufarrige clarified that COPPA should not be an impediment to age verification and stated that the agency is exploring solutions to reconcile the chicken-versus-egg dilemma between age verification and privacy.

Age assurance technology and the privacy spectrum

During the daylong workshop, technology experts and members from industry emphasized that age assurance includes a spectrum of technologies. Industry participants largely agreed on the use of a risk-based approach, applying these technologies proportionally to the privacy and safety risks posed by a particular platform. The age assurance technologies fall into three main categories, each with distinct privacy and security implications:

Self-declaration

Self-declaration of age may involve asking a user to either confirm they are above a certain age or provide their date of birth. Where a child misstates their age, this may allow them to potentially avoid triggering additional safeguards. This risk prompted at least one panelist to argue that self-declaration should not be treated as age assurance at all.

Inference/estimation

This includes approaches that infer or estimate age using behavioral signals, AI models, facial age estimation or metadata. These methods offer lower user friction but can raise concerns about accuracy and the collection of potentially linkable identifiers.

Verification

This involves stronger methods that verify age using authoritative data checks, government ID and selfie matching, or reusable digital IDs/tokens. While possibly providing greater assurance, these methods may carry the most substantial privacy risk (at least when deployed by a throng of individual platforms) and could result in significant user drop-off.

For any of these technologies, participants stressed the use of privacy by design. Solutions should aim to prove age without revealing identity or transmitting unnecessary personal details, leveraging techniques like double-blind designs, selective disclosure and zero-knowledge signaling application programming interfaces (APIs) to prevent secondary use, limit data retention and mitigate risk of identity theft.

The fragmented, global regulatory landscape

The need for clear FTC guidance is magnified by the rapidly changing – and increasingly disjointed – regulatory landscape in the United States and around the world.

Many US states have age-gating laws that require platforms to restrict minors’ access to and/or require parental consent for certain online content. States have turned to age assurance to tackle different problems, further complicating the regulatory landscape and inviting constitutional challenges.

Some states have passed laws specifically requiring age gates for websites where a certain portion of content (often one-third) is “harmful to minors,” while other states have targeted social media platforms. Some states – California, Louisiana, Texas and Utah – also passed laws placing the burden on app stores to verify a user’s age and implement certain age safeguards. A federal court preliminarily enjoined the Texas law (SB 2420) in December 2025, and the case is now on appeal before the US Court of Appeals for the Fifth Circuit.

At the federal level, the FTC’s recent amendments to the COPPA Rule are enforceable starting April 22, 2026. As amended, parents will need to opt in via a verifiable parental consent mechanism for companies to disclose children’s personal data to third parties for targeted advertising purposes. Companies must only retain children’s personal data for the purpose it was collected, with indefinite retention prohibited, and approved safe harbor organizations will need to disclose membership lists and report additional information to the FTC for increased accountability and transparency. Additionally, the definition of “covered data” will expand to expressly include government-issued identifiers and biometric identifiers.

In Europe, the Audio-Visual Media Services Directive, the EU Digital Services Act and the UK Online Safety Act impose age assurance requirements on certain online services. Most European Union member states are also actively debating social media bans – with a French bill banning social media for users under 15 likely to become law. Additionally, the EU Digital Identity Regulation requires each EU member state to implement an interoperable digital wallet that will allow individuals in the EU to prove their age (or age range) without revealing additional personal information. This regulation also requires providers of certain large services to accept the wallet for user authentication, where authentication is already required. An interoperable token-based wallet was one of the age assurance methods heavily discussed during the FTC workshop as a reliable age assurance method that is also privacy-protective and efficient.

As of December 2025, Australia’s ban on major social media platforms for Australians under the age of 16 came into effect – with providers required to take “reasonable steps” to enforce the ban. The Australian government published a detailed report in August 2025 with technical findings about various age assurance technologies. US legislators have proposed similar legislation and debated social media age restrictions as recently as January 2026.

Issues we are tracking

In preparation for potential guidance from the FTC, there are several key issues companies may consider as they assess whether age assurance is appropriate for their platform and what age assurance methods best address their risks:

A heightened standard to trigger age assurance obligations: US state and foreign laws increasingly use standards other than COPPA’s “actual knowledge” standard. Even if COPPA does not apply, companies should consider whether their online content could trigger age assurance obligations under other standards (such as the “one-third” standard used by some US states).
Risk-based approach: Different platforms have different purposes and risk profiles. An age assurance framework that is appropriate to implement in one context may not be appropriate in another. When determining how to balance safety and privacy trade-offs, it is important to calibrate the approach to the specific platform and its risk profile.
Privacy by design: Privacy is critically intertwined with age assurance. Data minimization and other privacy-preserving efforts are important foundations for deploying age checks – collecting only what is necessary, using privacy preserving techniques to process data, and deleting data quickly after use to avoid legal exposure and security risks.
Post-verification protections: Government and industry participants suggested that age assurance should be a continual process, rather than a one-time event, to address risks of circumvention later in time. Meador referred to behavioral age assurance – based on how a user interacts with a platform over time – as “one of the best uses for artificial intelligence” and an opportunity for US companies to lead the world in inferred age assurance efforts.
Scalable solutions: Interoperable solutions, such as standardized “age keys,” reusable credentials or API signaling, may provide useful means for scaling age assurance across the online ecosystem. However, these efforts may also raise privacy and security risks that require contractual and technical safeguards.

New York Enacts ‘Synthetic Performer’ Disclosure Law for Advertisements, Including Those Using Generative AI

Thu, 29 Jan 2026 21:20:02 Z

On December 11, 2025, New York Gov. Kathy Hochul signed S.8420-A/A.8887-B, a first-in-the-nation “synthetic performer” state law requiring advertisers to make a conspicuous disclosure in advertisements that include certain digitally created human images, including those generated using artificial intelligence (AI).

The law amends New York General Business Law (GBL) § 396-b and is set to take effect on June 9, 2026. Failure to comply with the disclosure requirement may result in civil penalties of $1,000 for a first violation and $5,000 per subsequent violation.

New York’s synthetic performer law builds upon the efforts of lawmakers across the US seeking to regulate emerging AI-powered technologies and follows the enactment of numerous US state laws governing AI chatbots during 2025.

Key definitions: ‘AI’ and ‘synthetic performer’

New York’s law defines “artificial intelligence” broadly to include machine-based systems that generate outputs, such as predictions or decisions using techniques including machine learning, large language models, natural language processing, computer vision and generative AI.

Critically, the disclosure obligation is not triggered by “AI use” generally, but by inclusion of a “synthetic performer.” A “synthetic performer” is a “digitally created asset” created, reproduced or modified by computer, using generative AI or a software algorithm that is “intended to create the impression that [it] is engaging in an audiovisual and/or visual performance of a human performer who is not recognizable as any identifiable natural performer.” (emphasis added)

This framing suggests the law is aimed at ads that present what appears to be a real human performance, but where the “performer” is fully synthetic and not a replica of a human celebrity or other identifiable person who would benefit from the protections of state right-of-publicity statutes and other existing laws.

Notably, under the definition of “synthetic performer,” if a digital asset that mimics a human performer is created using any “software algorithm,” with or without the use of AI, it is a “synthetic performer.” Therefore, the use of traditional non-AI-based visual effects software to create the digital human can still result in the creation of a “synthetic performer” covered by the law.

Core requirement: Conspicuous disclosure (with an ‘actual knowledge’ qualifier)

GBL § 396-b(3) provides that any person engaged in the business of “dealing in any property or service” who, for any commercial purpose, “produces or creates” an advertisement in any medium for such property or service, must “conspicuously disclose” in the advertisement that a “synthetic performer is in such advertisement” –where the person has actual knowledge. The statute does not define “conspicuous,” leaving room for enforcement and market practices to shape approaches to the content, placement and formatting of required disclosures across different advertising media. The law also does not define the terms “performer” or “performance,” but they may be construed expansively to cover not only the substitution of simulated humans for spokespeople and main actor talent appearing in ads but also the use of digital “extras.”

Notable exceptions and limitations

The law includes several important carve outs and liability limitations:

Expressive works exception: Advertisements or promotional materials for expressive works (e.g., films, TV, streaming content, documentaries and video games) are exempt if the synthetic performer’s use in the ad “is consistent with its use in the underlying work.” For example, the law likely would not require a disclosure for the appearance of an AI-generated character in an advertisement for a video game or movie if the same character also appears in the advertised creative work.
Media format/use exceptions: The law does not apply to audio advertisements or where AI is used solely for language translation of a human performer.
Publisher/platform protection: The statute states it does not apply to the media publishers that disseminate the ad (including the owners of newspapers, magazines, TV networks and stations, streaming services, cable systems, billboards and transit ad companies). Importantly, New York’s law expressly disclaims any intent “to limit, or to enlarge,” the protections afforded by Section 230 of the Communications Decency Act for content provided by another information content provider.

Practical takeaways for businesses

Companies that advertise in New York should begin preparing now, including by:

Inventorying campaigns that use “digital humans,” avatars, or simulated spokesperson or extra content.
Updating creative review checklists to flag synthetic performer uses and ensure that a conspicuous disclosure is included where required.
Tightening contracts with agencies, production studios and AI vendors to require upfront identification of synthetic performers, allocate responsibility for disclosures, and address the “actual knowledge” standard through clear internal escalation and documentation practices.

Following President Donald Trump’s December 11, 2025, executive order seeking to minimize burdensome AI regulations, the law may face federal opposition as well as private litigation challenges on First Amendment grounds. We will continue to monitor related developments.

South Korea’s AI Basic Act: Overview and Key Takeaways

Tue, 27 Jan 2026 20:12:40 Z

South Korea’s Act on the Development of Artificial Intelligence and Establishment of Trust (AI Basic Act) took effect on January 22, 2026, joining the European Union AI Act as a comprehensive AI regulatory regime. The AI Basic Act provides high-level requirements for transparency and addressing high-risk AI systems, and confirms its extraterritorial application. It also creates the framework for the development and promulgation of specific requirements via existing and new government organizations. The Ministry of Science and Information and Communication Technology (MSIT) is charged with finalizing the specific enforcement decrees that will provide the technical details for compliance.

Overview

Scope

The AI Basic Act applies to both businesses that develop and provide AI (“AI development business operators”) and businesses that provide products or services that incorporate AI (“AI utilization business operators”). These definitions do not correlate to the EU AI Act’s “provider” or “deployer,” and either could be a development or utilization business operator. The AI Basic Act also defines artificial intelligence broadly as an electronic implementation of human intellectual abilities, such as learning, reasoning, perception, decision-making and language comprehension.

Requirements

The AI Basic Act sets forth specific requirements for operators of generative AI, defined as AI that mimics the input data’s structure and features to produce outputs (such as text, images, sound and video), and high-impact AI, defined as AI that significantly affects human life, safety or fundamental rights. In addition, all operators of “high-performance” AI – those systems that exceed a certain compute threshold (see more below) – are subject to additional safety obligations.

1. Transparency

AI operators that provide AI-generated sound, image or video that is difficult to distinguish from human-created content must provide clear notice that the content is an output of AI. Additionally, operators of both generative AI and high-impact AI are required to notify users in advance if their product or service is developed using AI. Operators of generative AI must also include a label that informs whether content has been produced by generative AI.

2. High-impact AI

The AI Basic Act defines high-impact AI to include AI applications in critical sectors, such as healthcare, energy, transportation, hiring and biometric analysis. Operators of high-impact AI are subject to the following additional requirements:

Confirm high-impact AI: Must assess whether their AI qualifies as “high-impact AI” before deployment. If necessary, the operator may request an assessment by MSIT.
Explainability: Must provide a “meaningful explanation” of the high-impact AI’s outcomes, key criteria and principles used for such outcome, and a summary of the AI’s training data.
User protection plan: Requires creation and deployment of a user protection plan.
Human oversight: Requires a mechanism for human intervention and supervision.
Documentation: Requires documentation of actions taken to secure trust and safety.

High-impact AI operators must also make efforts to assess their AI’s impact on fundamental rights (“impact assessments”) before incorporating the AI in products or services.

3. High-performance AI

In a legislative notice for the Enforcement Decree accompanying the AI Basic Act, MSIT clarified that AI systems trained with a cumulative compute of at least 10²⁶ floating-point operations (FLOPs) are designated as high-performance AI with associated safety obligations. According to the AI Basic Act, operators of such systems may be required to implement a risk management plan and user protection measures spanning the system’s life cycle and report implementation outcomes to MSIT.

More details on the requirements for high-performance AI are expected in forthcoming implementing regulations and guidelines.

Extraterritorial application and local representative

The law applies even to AI systems outside of South Korea, as long as the systems affect users or markets within the country.¹ Any foreign AI business without a physical office in Korea that meets any of the following thresholds must designate a local agent:

Total revenue exceeding one trillion KRW in the previous year.²
Revenue from AI services exceeding 10 billion KRW in the previous year.
Average daily users in Korea exceeding one million users during the three months preceding the end of the previous year.

This agent will be legally responsible for responding to government inquiries and safety reports.

Enforcement and penalties

Corrective orders: MSIT can order the suspension of a service if it poses a threat to safety.
Administrative fines: Fines of up to 30 million KRW (about US$21,000) for:
- Failing to notify users about the use of AI.
- Failing to appoint a domestic representative.
- Violating corrective orders or refusing government inspections.
Grace period: MSIT has indicated that it will grant subject businesses a grace period of one year before administrative fines are imposed to support effective implementation of the AI Basic Act and preparation by companies.

Governance and promotion

In addition, the AI Basic Act includes provisions that are geared toward promoting and supporting this comprehensive regulatory framework. Some examples include:

Establishment of several organizations:
- National AI Committee – a control tower chaired by the president to oversee national policy.
- AI Policy Center – responsible for the strategic and intellectual development of South Korea’s AI industry, as well as fostering international cooperation.
- AI Safety Research Institute – tasked with evaluating AI risk and developing standards.
Industrial support: The law mandates government support for research and development, data centers, small/medium businesses and entrepreneurship.

Next steps

In light of this new global regulation, companies doing business in South Korea should review use of AI in their products and services to ensure alignment with the AI Basic Act. As AI regulation continues to evolve around the globe, companies will face increasing challenges with compliance. The Cooley team is ready to assist compliance teams with operationalizing a risk-based framework that accounts for these new global requirements.

Notes

The law carves out an exception for AI systems for purposes of national security or those designated by presidential decree.
As of this writing, this would roughly convert to more than US$681 million, an annual revenue figure that would implicate only the largest technology firms.

California’s SB 253 and SB 261: Developments and Litigation

Mon, 26 Jan 2026 21:57:37 Z

As discussed in our November 2025 alert, on November 18, 2025, the US Court of Appeals for the Ninth Circuit issued a temporary injunction blocking enforcement of SB 261 (climate-related financial risk reporting) pending appeal, but not affecting SB 253 (greenhouse gas emissions reporting). Oral arguments before the Ninth Circuit took place on January 9, 2026, but as of now the stay remains in effect.

Despite the ongoing litigation, the California Air Resources Board (CARB) has moved from issuing guidance to a formal initial rulemaking package focused on fees and key applicability definitions, proposing a first-year deadline of August 10, 2026, for SB 253 Scopes 1 and 2 reporting. Although SB 261 timing is uncertain given the injunction, the litigation and rulemaking posture suggests covered companies should be prepared to publish SB 261 reports following any lifting of the stay.

As SB 253 currently is unaffected by the litigation, companies should continue preparing for disclosure, taking into account CARB’s previously announced first-year reporting guidance for companies that had not previously measured emissions – including CARB’s stated expectation that entities not currently collecting/planning to collect Scopes 1 and 2 emissions data as of CARB’s December 5, 2024, enforcement notice may submit, in lieu of emissions data for the 2026 submission, a statement on company letterhead attesting to that fact.

Litigation developments

The Ninth Circuit is currently considering an appeal challenging California’s SB 253 and SB 261. The underlying case was filed by business groups asserting constitutional and procedural deficiencies, including claims that SB 261’s disclosure requirements constitute compelled speech in violation of the First Amendment. In response to the litigation, the Ninth Circuit granted preliminary injunctive relief, temporarily halting enforcement of SB 261 while the case proceeds.

SB 253, in contrast, remains in effect. The appeal is currently pending, and the Ninth Circuit recently heard oral argument and will determine whether the injunction should remain in place and whether any of the statutory requirements are enforceable, leaving the ultimate regulatory landscape in flux. At oral argument, the Ninth Circuit focused on how SB 253 and SB 261 should be analyzed under the First Amendment, including whether California is defending the statutes as incidental regulation of conduct (given California’s existing emissions regime) and whether the required disclosures are sufficiently tied to “commercial transactions” to fit within a commercial-speech framework. Judge Jacqueline Nguyen questioned the breadth of SB 261’s disclosure mandate and asked California to distinguish SB 261 from risk disclosures already required under federal securities laws. California acknowledged overlap, describing the information as similar in some respects while arguing SB 261 requires more specific disclosures than currently mandated by federal securities laws. Plaintiffs emphasized that SB 253, particularly through Scope 3 reporting, would require companies to report emissions associated with other entities in their value chain. Judge Nguyen also raised the possibility of a remand focused on SB 253’s Scope 3 requirements (slated to go into effect in 2027), which California stated it would not oppose. The court did not indicate when it would issue a decision, and the stay of SB 261 enforcement remains in place pending appeal.

On December 1, 2025, CARB issued an enforcement advisory stating that, because of the Ninth Circuit’s injunction, CARB will not enforce SB 261 against covered entities that do not meet the statutory January 1, 2026, deadline while the injunction remains in place, and that CARB will provide an alternate reporting date after the appeal is resolved.

Regulatory implementation

Following several rounds of presentations and informal guidance, CARB has initiated formal rulemaking that is primarily designed to establish annual implementation fees for SB 253 and SB 261 and adopt definitions needed to determine which entities are within scope of each rule (including “revenue” and “doing business in California”). CARB materials describe this package as a first step intended to address fee administration and certain applicability mechanics, with additional program details expected to be addressed through subsequent rulemaking. The proposed rulemaking text is mostly a codification of the guidance given by CARB at the November 18, 2025, workshop covering who is in scope, how fees will be administered, and the one-time, first-year SB 253 Scopes 1 and 2 reporting deadline.

Notably, not all company-friendly guidance previously issued by CARB is formalized in these regulations, such as allowing companies not currently collecting or planning to collect emissions data to submit a statement on company letterhead to CARB stating that they did not submit a report and indicating that in accordance with the December enforcement notice, the company was not collecting data or planning to collect data at the time the notice was issued. Further, the rulemaking package does not codify CARB’s guidance that no limited assurance will be required for SB 253 reporting in 2026, or guidance on the content of SB 261 reports. There is no indication that previously issued guidance on topics not covered by the proposed regulations are superseded, and many items, including first-year exemptions for companies not previously collecting data, are covered in additional CARB guidance issued alongside the proposed regulations..

Key rulemaking dates

Public comment period opened: December 26, 2025
Written comments due: February 9, 2026
CARB Board hearing: February 26, 2026 (may continue on February 27)

Who is covered? (‘covered/reporting entities’)

CARB’s proposal includes changes to definitions relevant to threshold determinations for purposes of establishing whether an entity is within scope of SB 253 or SB 261. Both laws require an entity (“corporation, limited liability company, or other business entity”) with total annual revenues in excess of $500 million (SB 261) or $1 billion (SB 253) that do business in California to submit the applicable disclosures.

Revenue definition

CARB proposes defining “revenue” by reference to California tax law concepts, tying the threshold analysis to “gross receipts” as used in the California Revenue and Taxation Code (RTC). Under the proposed package, the definition of “revenue” would be tied to the meaning of “gross receipts” under RTC § 25120(f)(2).

Revenue measurement

CARB’s proposed framework would allow companies to determine whether they are in scope by looking at the “lesser of the last two fiscal years.” The framework would assess whether an entity qualifies as a “reporting entity” under SB 253 (greater than $1 billion) or a “covered entity” under SB 261 (greater than $500 million) using the lesser of the entity’s two previous fiscal years of revenue. Under the RTC § 25120(f)(2) “gross receipts” definition, the relevant “gross revenue” concept generally means the total amounts realized from business transactions – cash plus the fair market value of property or services received. This could result in significant numbers of high-growth companies falling out of scope of climate reporting obligations for 2026.

‘Doing business in California’

CARB proposes defining “doing business”/“doing business in California” by reference to the definition in RTC § 23101(b)(1) and (2), but omitting Section 23101(b)(3-4) relating to property holdings and payroll, excluding certain subcomponents (including certain property and payroll-related factors) and clarifying the exclusions of certain categories of transactions for purposes of the “doing business in California” test. These changes also have the potential to slightly narrow the list of companies covered by SB 261 and SB 253 in 2026.

Proposed exclusions

CARB’s rulemaking package proposes five categories of entities that would be excluded as “covered entities” even if revenue thresholds are otherwise met, including:

Nonprofit or charitable organizations that are tax-exempt under the Internal Revenue Code.
A business entity that is subject to regulation by the Department of Insurance in California, or that is in the business of insurance in any other state.
Federal, state and local government entities, and companies that are majority-owned by government entities (greater than 50%).
A business entity whose only activity within California consists of wholesale electricity transactions.
A business entity whose only business in California is employee compensation or payroll expenses, including teleworking employees.

SB 261 reporting docket

The SB 261 reporting docket is CARB’s public portal for climate-related financial risk reports. It functions primarily as a submission point for companies to provide the public URL to an SB 261 report hosted on the company’s own website (including voluntary submissions while enforcement is stayed). CARB opened the docket on December 1, 2025, and plans to close it on July 1, 2026. As of January 24, 2026, approximately 100 entities have voluntarily submitted reports, many of which link to or adapt existing Task Force on Climate-related Financial Disclosures-aligned annexes from their sustainability reports. Reports should:

Specify (if applicable) the list of subsidiaries included.
Use the file naming convention “CompanyName_Statement_date.”
Include a URL to the publicly available report hosted on the company’s website.

SB 253’s timing

First-year reporting deadline (Scopes 1 and 2): CARB’s proposal provides a specific “on or before” date of August 10, 2026, for first-year Scopes 1 and 2 reporting.
First-year data posture (“best-available data”): CARB staff materials describe an initial transition period and contemplate that first-year reporting may rely on “best-available data.”
Fiscal-year approach (February 1 cutoff): CARB’s proposal includes mechanics using a February 1 cutoff to determine which fiscal year’s data will be treated as “applicable” for first-year reporting, with flexibility to use more recent data where available.
- Entities with fiscal years ending on or before February 1, 2026, should report on the fiscal year ending in calendar year 2026 (e.g., January 31, 2026).
- Entities with fiscal years ending after February 1, 2026 (February 2 – December 31) may report on the fiscal year that ended in calendar year 2025.
  - However, if an entity’s most recent completed fiscal year ends in 2026 before the August 10, 2026, filing date (e.g., March 31 or June 30), you may choose to report on FY 2026 instead.

Companies should note that CARB materials continue to emphasize that the initial package does not finalize the full reporting architecture, which will be phased in at later dates, including:

Detailed reporting formats and content requirements
Assurance requirements and schedules
Enforcement provisions beyond fee administration

Practical impacts

SB 253: Treat implementation as ‘on track’

Confirm scoping now using CARB’s proposed definitions. Entity mapping (including subsidiaries), threshold testing and “doing business” analysis should be validated now.
Stand up first-year Scopes 1 and 2 reporting capability. Determine a data collections process now and pressure-test whether you can produce a defensible first-year report on the proposed timetable. Companies should also evaluate whether they are able to rely on CARB’s exemption for companies that previously had not been collecting data.
Do not defer Scope 3 planning. Even though later-year obligations are currently being litigated, supplier engagement and data strategy typically require long lead times and are hard to accelerate late.

SB 261: ‘Stayed’ does not equal ‘stop’

Maintain a publish-ready report. The highest risk posture is waiting for a ruling and then attempting to compress governance, risk identification and disclosure approvals into a short window.
Coordinate messaging across disclosure channels. Align SB 261 work with existing risk factor disclosures and sustainability reporting (e.g., Task Force on Climate-related Financial Disclosures, International Financial Reporting Standards S2) and governance narratives to reduce disclosure inconsistency and review friction.
Decide intentionally on voluntary posting. Some companies may choose to post during the stay, while others may prefer to hold pending litigation clarity. The decision should be deliberate and documented.