The Mendes Hershman Student Writing Contest is a highly regarded legal writing competition that encourages and rewards law students for their outstanding writing on business law topics. Papers are judged on research and analysis, choice of topic, writing style, originality, and contribution to the literature available on the topic. The distinguished former Business Law Section Chair Mendes Hershman (1974–1975) lends his name to this legacy. Read the abstract of this year’s second-place winner, Samuel H. Hirsch of University of Miami School of Law, Class of 2025, below.

Over sixty years ago, the Supreme Court of Delaware suggested that absent suspicion of wrongdoing, directors of a Delaware corporation have no duty to set up procedures for gathering and responding to information about compliance with regulations. But over time, Delaware courts clarified that directors cannot simply turn a blind eye—they must keep themselves informed through systems designed to oversee regulated business activities. Recently, in the two-part decision In re McDonald’s Corp. Stockholder Derivative Litigation,^[1] the Delaware Chancery Court expanded the duty of oversight to officers but reinforced that these suits are difficult to win a judgment on. The expansion of oversight duties to officers will result in better corporate management as the risk of personal liability to directors and officers increases. Also, the decision clarified that the mission-critical standard for Caremark claims established in Marchand v. Barnhill^[2] is no longer the baseline; if directors and/or officers receive notice of any red flag, regardless of its mission-critical status, they are obligated to respond. Finally, a high hurdle to succeed on a Caremark claim will ensure corporate assets are not wasted.

1. In re McDonald’s Corp. S’holder Deriv. Litig. (McDonald’s I), 289 A.3d 343 (Del. Ch. 2023); In re McDonald’s Corp. S’holder Deriv. Litig. (McDonald’s II), 291 A.3d 652 (Del. Ch. 2023). ↑

2. Marchand v. Barnhill, 212 A.3d 805, 824 (Del. 2019). ↑

While the recent proliferation of comprehensive privacy laws enacted by at least eighteen states has dominated the news in the US, another development threatens to further impact companies operating websites accessed by California consumers—the recent wave of lawsuits and arbitration demands under the California Invasion of Privacy Act (CIPA).

Both large and small companies that operate websites California consumers visit have been receiving letters threatening litigation or arbitration. In many instances, these threats have materialized into actual lawsuits (including putative class actions) and arbitration proceedings. The CIPA allows for statutory damages of $5,000 per violation, which could pose significant financial risk to companies where claims of alleged violations are asserted on behalf of a class.

Why Are These Claims Being Filed Now?

The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), pioneered broad privacy rights for consumers in the United States. Following California’s lead, more than a dozen states have enacted similar comprehensive privacy laws. However, most of these state laws, including California’s, do not provide a private right of action for violations except for data breaches under the CCPA. Critics argue that without a private right of action, these laws lack the necessary enforcement mechanisms to ensure compliance. In response, plaintiffs’ attorneys in California have sought alternative legal strategies.

One such strategy involves invoking the CIPA, a decades-old criminal statute enacted in 1967 to prevent eavesdropping on telephone calls. This approach represents a novel attempt to bypass the limitations of the CCPA by leveraging a law designed for different circumstances, thus giving it a modern application in the digital age. A significant issue underlying these lawsuits is whether the use of cookies and other website tracking technologies by companies constitutes a violation of individuals’ privacy rights.

What Is the Basis for These Claims?

The new CIPA cases focus on the alleged unlawful use of website tracking technologies, such as cookies, pixels, tags, and beacons, to collect and use personal information of people who visit these websites. Many of the lawsuits and arbitration demands center around a few key arguments.

Website tracking technologies are alleged to be unlawful “pen registers.” Plaintiffs allege that tracking technologies are used to “record” a user’s interactions with websites, which amounts to the use of a “pen register” or “trap and trace” device (although the bulk of the claims and related court decisions have focused on the definition of pen register rather than trap and trace). These technologies capture information, such as IP addresses, when users visit or leave a website, thereby recording “dialing, routing, addressing, or signaling information” transmitted from a device but not the content of the communication.^[1] Such activities, plaintiffs argue, amount to illegal pen registers under the CIPA.

Using tracking technologies without consent allegedly violates users’ right to privacy. Under California law, it is prohibited to use a pen register or trap and trace device without either a court order or explicit consent from the person being tracked.^[2] Plaintiffs allege that when websites deploy tracking technologies without obtaining consent beforehand, it constitutes a violation of the CIPA.

A frequently cited case in these lawsuits is Greenley v. Kochava.^[3] In this case, the court denied the defendant’s motion to dismiss and rejected the argument that a privacy company’s surreptitiously embedded software did not constitute a “pen register.”^[4] The court sided with the plaintiff, asserting that when software identifies consumers, gathers data, and correlates that data through unique “fingerprinting,” it constitutes a “process” through which a pen register can be deployed.^[5]

Despite many plaintiffs’ heavy reliance on Greenley, it is important to note that this case is still pending and has not yet set a definitive precedent on these legal points. Moreover, the specifics of Greenley distinguish it from many other claims. Defendant Kochava, a data broker, provided software development kits (SDKs) to its customers, meaning the data in question was not collected directly through Kochava’s own website but through software deployed on customers’ websites. Consequently, users who visited these websites were arguably unaware of the Kochava SDK’s presence, differentiating these circumstances from those involving direct website tracking.

This distinction is critical: it suggests that recent claims against website operators may not be directly analogous to Greenley. The indirect nature of data collection in Greenley, compared to direct website tracking claims, underscores how much each CIPA case may turn on its specific facts.

Recent Case Developments

Some companies have opted to settle these CIPA claims rather than litigate them. However, it is crucial to understand that settling early with one claimant does not shield a company from subsequent similar claims and could have the unintended consequence of inviting future lawsuits by plaintiffs’ counsel. For those who have chosen to fight, preliminary rulings have been mixed, and no claim has yet been fully litigated to final judgment.

Two significant cases in this area are Licea v. Hickory Farms^[6] and Levings v. Choice Hotels,^[7] both in the Los Angeles County Superior Court and involving nearly identical claims regarding defendants’ use of website tracking technologies. These cases, filed by the same law firm, have seen divergent outcomes in their initial rulings.

In Licea, the court sustained Hickory Farms’ demurrer, concluding that the plaintiff failed to demonstrate the use of a “pen register.”^[8] The court distinguished this case from Greenley partly by disagreeing that tracking IP addresses was analogous to the unique digital “fingerprinting” involved in Greenley.

Conversely, in Levings, the court overruled Choice Hotels’ demurrer, finding that the defendant had “‘deployed a software device and process’ which first recorded the information transmitted by Plaintiff’s device, and then used that information to install tracking code on Plaintiff’s device.” ^[9] The court found this sufficient to describe the use of a pen register as defined under California law.^[10]

A key difference between these cases is their treatment of consent and the argument that voluntarily visiting a website implies consent to the use of website tracking technologies, even if such technologies are considered pen registers.

In Licea, the court indicated that even if the tool used to capture user information qualified as a pen register, the argument that users implied consent by visiting the website—where an IP address may be voluntarily disclosed—was persuasive. The court referenced prior cases such as Heeger v. Facebook, Inc.^[11] and U.S. v. Forrester^[12] to support this view.^[13]

In contrast, the court in Levings rejected the notion that simply visiting a website constitutes implied consent to collection of information. The court stated that accepting this argument “would allow the exception to swallow the rule whole.”^[14]

Given that neither case has progressed to a final judgment, defendants in other suits face potentially contradictory rulings on two critical issues:

• whether internet tracking tools qualify as pen registers
• whether visiting a website constitutes consent for the collection of user information

In Licea, the court expressed concern about the broader implications of interpreting web tracking technologies as pen registers, which could render nearly every online entity a potential criminal violator. The court noted that “public policy strongly disputes Plaintiff’s potential interpretation of privacy laws as one rendering every single entity voluntarily visited by a potential plaintiff, thereby providing an IP address for purposes of connecting the website, as a violator. Such broad-based interpretation would potentially disrupt a large swath of internet commerce without further refinement as [to] the precise basis of liability.”^[15] This point is potentially a harbinger of the debate that will escalate as more restrictions on website data gathering are considered by the courts and legislatures.

The preliminary rulings in Licea and Levings highlight the complex and evolving nature of privacy litigation in California. Companies must stay informed and be proactive in managing their compliance with privacy laws to mitigate risks associated with these legal challenges.

What Can Companies Do Now, Even If They Haven’t Yet Received a Complaint or Arbitration Demand?

As courts continue to grapple with whether website tracking technologies qualify as pen registers and whether visiting a website implies consent for data collection, companies must proactively review their technology and compliance practices.

Many US state laws, starting with California, include specific rules regarding the notices companies must provide on their websites, how they can use consumers’ information, and how such information can lawfully be shared with third parties. Companies should begin by ensuring that their websites and notices (e.g., website privacy policies) comply with the various states’ data protection laws.

Beyond legal compliance, companies should assess whether they are truly transparent about their website tracking technologies. For instance, does the company’s privacy notice include comprehensive information about cookies and tracking technologies, including which ones are used and how users can block them or opt out?

If possible, companies should consider deploying an opt-in mechanism for tracking technologies for California users. One of the key considerations in the cited cases is whether visiting a website constitutes consent for data collection. By asking for explicit consent (i.e., an opt-in for tracking technologies like cookies), companies could potentially provide an affirmative defense against allegations that an unlawful pen register was deployed, as consent is an exception to the prohibition on the use of pen registers.

Regardless, companies should remain vigilant for threatening letters, demands for arbitration, and service of claims related to the CIPA. Plaintiffs’ firms do not appear to discriminate based on company size or industry. If a company operates a website in the US and California consumers visit it, it is a potential target.

1. Ca. Pen. Code § 638.50. ↑

2. Ca. Pen. Code § 638.51. ↑

3. 684 F. Supp. 3d 1024 (S.D. Cal. 2023). ↑

4. Id. at 1050. ↑

5. Id. ↑

6. No. 23STCV26148, 2024 WL 1698147 (Cal. Super. L.A. Cnty. Mar. 13, 2024). ↑

7. No. 23STCV28359, 2024 WL 1481189 (Cal. Super. Ct. L.A. Cnty. Apr. 3, 2024). ↑

8. Licea, 2024 WL 1698147, at *4. ↑

9. Levings, 2024 WL 1481189, at *2. ↑

10. Id. ↑

11. 509 F. Supp. 3d 1182, 1190 (N.D. Cal. 2020). ↑

12. 512 F.3d 500, 510 (9th Cir. 2008). ↑

13. Licea, 2024 WL 1698147, at *4. ↑

14. Levings, 2024 WL 1481189, at *2. ↑

15. Licea, 2024 WL 1698147, at *4. ↑

Historically, blue-collar businesses, ranging from heating and cooling companies to porta-potty rentals, have been owned by workers who already knew their industries well. However, amid a looming recession and an abundance of layoffs in the tech and finance industries, there are new players purchasing (and running) these businesses: MBA-educated, former Wall Street, and former private equity professionals. This new trend, referred to as “Entrepreneurship Through Acquisition” (ETA), allows these graduates from top business school programs to become their own bosses with lower risk, gaining back valuable time and autonomy.

Many M&A attorneys are accustomed to large corporate clients or private equity firms purchasing businesses, so working with this new “independent searcher” buyer demographic can come with its own set of challenges. As this demographic continues to grow, here’s what M&A attorneys should know.

What’s Driving the Shift in the Small Business M&A Market?

Given the volatile nature of the job market, many white-collar professionals are ditching the traditional track of climbing the corporate ladder in favor of becoming small business owners instead. Customers may cut back on tech services during a recession, after all, but a burst water pipe will always require a plumber regardless of economic conditions.

While many of these workers are attracted to seemingly more stable career opportunities and the allure of becoming their own bosses, they also see significant opportunity in the upcoming “Great Wealth Transfer” from baby boomers to subsequent generations. As Walker Deibel highlights in Buy Then Build: How Acquisition Entrepreneurs Outsmart the Startup Game, $7 billion worth of small and medium businesses currently held by baby boomers will be available for purchase by 2030—meaning that there’s huge market potential.

How Firms Can Best Attract and Serve ETA Buyers

Billing Considerations

A significant part of attracting and serving ETA buyers comes down to understanding their financial situation, including budgetary constraints. That’s why, when it comes to catering to the unique needs of ETA buyers, offering alternative billing and fee arrangements can be essential. Unlike the traditional buyer, ETA buyers are often “self-funded searchers.” That means they’re actively looking for a business to purchase without the help of an investor, while simultaneously covering the costs of their own living expenses. As a result, they may be strapped for cash.

To better accommodate ETA buyers with tight budgets, creative billing structures like fixed-fee or delayed-fee billing can help by giving buyers a better sense of how to budget their legal expenses—without worrying about unexpected bills piling up.

Rules and Regulations

Attorneys should also be aware of common rules and regulations that pertain specifically to ETA buyers. Many ETA buyers, for example, choose to pursue Small Business Administration (SBA) loans, leveraging a combination of debt and equity for business acquisitions. A 2023 study found 58 percent of all self-funded searchers received funding through the SBA’s 7(a) loan. These loans often come with strict regulations and requirements.

One of the most critical regulations attorneys should consider pertains to personal guarantees. Individuals with 20 percent or more ownership in a business must sign an unconditional personal guarantee, which allows the lender to recover a loan’s full outstanding balance from the borrower. Self-funded searchers also must provide minimum equity injections to both mitigate risk and demonstrate dedication to the project. These minimum equity injections are often up to 10 percent of the total project cost.

In addition to regulations specific to self-funded searchers, the SBA’s standard eligibility requirements are applicable. There may be restrictions on business size, the nature of the business, and more. Attorneys can help advise ETA buyers on funding eligibility, proactively discussing any requirements that may impact risks or costs incurred by the borrower.

Due Diligence

With much less industry and business ownership experience, it’s essential that attorneys provide thorough third-party due diligence for ETA clients. This may involve a more rigorous review of financial statements, as well as important documents that M&A lawyers may not be accustomed to with their larger clients.

Due diligence is particularly important because ETA buyers are funding their own search. Without a robust financial safety net, unforeseen risks and liabilities could be detrimental. That’s where a great attorney comes in!

Common Pitfalls Attorneys Should Consider

There are risks involved when working with ETA buyers that attorneys can both monitor for and warn their clients about.

Loss of Key Relationships

The first common pitfall is the potential loss of clients or suppliers following a business purchase. Supplier or client loss is particularly common in small businesses that are deeply involved in their local communities, where personal relationships carry significant weight. Working closely with the seller to transition client and supplier relationships may help prevent this, especially when facilitated with proactive communication, early introductions, and joint meetings.

Seller Competition

Some sellers will aid in creating a smooth transition, but ETA buyers and their attorneys should also consider the risk of seller competition. The seller has already built one thriving business worth purchasing, and they’re walking away with extensive industry knowledge, experience, and contracts. They could take their post-sale cash reserves and start a new competing business. To prevent this, attorneys should advise their clients to put a noncompete agreement in the sale contract.

***

Working with ETA buyers can come with a learning curve, especially for attorneys accustomed to working with large corporate buyers or search funds. Attorneys looking to cater to this new business buyer demographic should be aware of their unique needs and adapt their practice accordingly. While this may seem like more effort is involved, I’ve found that it’s well worth it: helping business buyers break out of the corporate cycle to become their own bosses can be incredibly rewarding work.

It takes a village to prepare and file a customs entry. Importers rely on information they receive from vendors and their attorneys, licensed customs brokers, and consultants to ensure that reasonable care is exercised and their goods are properly entered. This multifaceted approach to compliance is a reflection of the very nature of the international transaction. The customs broker combines information from the transportation documents, commercial invoice, packing list, origin declarations, product specifications, etc., into its automated systems to transmit the entry information to U.S. Customs and Border Protection (CBP). This village is now electronic, with parties along the supply chain submitting electronic records that are ultimately processed by the customs broker’s systems to prepare and file an entry. This village is also regulated: no person or entity may conduct “customs business” on behalf of another without a valid customs broker’s license.^[1] CBP’s current interpretation of “customs business,” however, throws into confusion whether the preparation and transmission of the information associated with ordinary international trade activities could be considered unlawful.

As the U.S. Court of International Trade observed in a 2008 case, the “definition of ‘Customs business’ is very broad.”^[2] First, customs business includes “transactions with the Customs Service” as well as “activities involving transactions with the Customs Service.”^[3] Second, customs business includes preparing documents intended to be filed with the Customs Service, as well as any activities related to preparing documents to be filed with the Customs Service.

In interpreting the term “customs business,” however, CBP has applied a logic that, if taken to its logical conclusion, would threaten the legality of the collaboration many importers use to assure compliance and to create efficiencies in the international supply chain. This does not seem to serve the interests of the companies involved in international trade, the customs brokers who facilitate these activities, or CBP. The compliance-oriented interpretation of “customs business” that CBP developed for large corporations in its rules on “corporate compliance activities,” however, presents an alternative that could be applied to the activities of smaller businesses.

***

CBP has seemingly departed from the statutory requirement that the definition of customs business is focused on the preparation of the information or documentation that is to be filed with CBP. For example, in preparing a customs entry, the imported goods must be classified under the correct provision of the Harmonized Tariff Schedule of the United States (HTSUS), an exercise that requires some training and skill. Generally, it is the manufacturer of the goods that has the knowledge of the detailed information required to arrive at the correct tariff classification. CBP has determined, however, that the provision of an HTSUS classification is “customs business” if a “possibility exists that the . . . classification information . . . will end up on the entry.”^[4] CBP relied on this concept in a 2022 customs ruling to determine that it would be unlawful for a supplier—the party arguably in the best position to determine the classification of an item under the HTSUS—to provide its customers with the classification for its merchandise.^[5] In the ruling, CBP appears to suggest that providing a tariff classification is tantamount to preparing documents intended to be filed with CBP on the basis that the provision of a tariff classification is “giving advice about how to classify a good,” which is a “necessary part” of preparing documents that will be filed with CBP.^[6] This determination subjects the supplier to penalty for engaging in those activities.

This raises the question as to whether to merely print the tariff classification on the invoice—a common practice in international trade—would be the unlawful practice of customs business. Similarly, since “activities involving . . . valuation” are included in the definition of customs business,^[7] and since the price paid or payable for the merchandise when sold for export to the United States is generally the value stated on the invoice, would placing a value on an invoice also be customs business?^[8] In fact, since the commercial invoice is prepared with intent that it be filed with CBP, then CBP’s recent interpretation of “customs business” would seem to suggest that the generation of a commercial invoice for a customer may be considered customs business. Since customs entries include information about the transportation that was involved in bringing the goods to the United States, would the preparation of these documents also be customs business?

CBP has already determined that the gathering of some of this information by an unlicensed person is “customs business.” In a December 2023 customs ruling, CBP determined that using foreign persons to enter information from the various commercial invoices, packing lists, shipping documents, and other documents used in international transactions into an Automated Broker Interface (ABI) system constituted unlicensed customs business activities.^[9] While this decision is reasonably supported by the fact that using an ABI system—a system that is specifically designed for the preparation and filing of customs entries—is directly related to preparing “documents” and the related information for transmission to CBP, this interpretation raises questions that may need to be resolved in separate rulings. For example, as mentioned above, preparing new entry documents involves accumulating information from different sources. CBP could determine that using EDI (electronic data interchange) to transmit the invoice or bill of lading information to a customs broker for use in the preparation of the customs entry is customs business, as it is known that the information will later be transmitted to CBP. What if an unlicensed service provider receives those transmissions and consolidates the information for transmission to the customs broker?

For large corporations, CBP has developed a regulatory framework that resolves many of these problems. Importers are obligated to exercise “reasonable care” in the preparation of a customs entry. The responsibility of “reasonable care” includes seeking the advice of parties with specific, or expert, knowledge, including consultation with unlicensed persons.^[10] The types of “unlicensed persons” an entity can consult with to ensure it has undertaken “reasonable care” in describing and/or classifying merchandise are “experts,” such as attorneys, licensed customs brokers, or customs consultants. In 2002 and 2003, large corporations approached CBP about centralizing their compliance activities. After several rulings that found it to be the unlicensed practice of customs business when one corporation performed compliance activities for other corporations within the corporate group, CBP crafted a rule that removed “corporate compliance activities” from the definition of “customs business,” drawing on the “reasonable care” concept.^[11] “Corporate compliance activity” is defined as:

[an] activity performed by a business entity to ensure that documents for a related business entity or entities are prepared and filed with CBP using “reasonable care”, but such activity does not extend to the actual preparation or filing of the documents or their electronic equivalents.^[12]

In other words, “corporate compliance activity” allows one company in a corporate group to conduct some customs business for other businesses within the group, even if the company providing those service is not licensed. In the words of CBP, the company providing these “corporate compliance activities” may “conduct any activities mentioned in the definition of ‘customs business,’ other than the actual preparation and filing of documents, so long as those activities fall within the definition of ‘corporate compliance activity.’”^[13]

This description of “corporate compliance activity” allows these companies to do nearly anything that is considered to be “customs business” when performed by an unrelated party. Only those activities that involve the actual preparation and filing of documents with CBP are excluded from corporate compliance activities. The final rule on “corporate compliance activity” states the following:

The proposed definition of “corporate compliance activity,” which precludes the “actual preparation or filing of the documents or their electronic equivalents,” . . . is intended to emphasize that the documents in question are those that will be filed with CBP. Therefore, any work performed in anticipation of document preparation, including the gathering and organizing of information and its recordation on background paperwork, will be allowed under this provision.^[14]

There is no statutory reason to adopt these requirements when the importing entity is part of a corporate group but not when the importer is an independent business. Yet CBP’s rulings draw this distinction, placing independent importers at a disadvantage as compared to competing importers that are part of a group of companies and may use unlicensed persons from one company to provide advice to the importing entity.

CBP has made significant investments in technology to gain visibility in the movement of goods through supply chains and their importation into the U.S. The international trade community is attempting to adjust to this reality by developing mechanisms to electronically bring together information from the various parties involved in the supply chain. CBP’s interpretation of “customs business” threatens to stifle these innovations in a manner that is not in the interest of CBP or the international trade community, nor does this interpretation serve the purpose of the customs broker statute. Expanding the concept of “corporate compliance activities” to include all such activities, regardless of the relationships between the parties, could go a long way toward recognizing modern business practices and encouraging compliance, while also serving the purpose of the customs broker statute.

1. “Customs business” is defined as “those activities involving transactions with U.S. Customs and Border Protection concerning . . . classification and valuation. . . . It also includes the preparation of documents or forms in any format and the electronic transmission of documents, invoices, bills, or parts thereof, intended to be filed with U.S. Customs and Border Protection . . . [of merchandise] or activities relating to such preparation, but does not include the mere electronic transmission of data received for transmission to Customs. No person may conduct customs business on behalf of another unless they hold a valid customs broker’s license.” 19 U.S.C. § 1641(a)(2) (emphasis added). ↑

2. Delgado v. United States, 581 F. Supp. 2d 1326 (Ct. Int’l Trade 2008) (examining, in dicta, the definition of “customs business” in the context of a proceeding to revoke a broker’s license). ↑

3. Id. ↑

4. HQ 115248 (Aug. 28, 2001). ↑

5. HQ H290535 (Sept. 29, 2022). ↑

6. Id. citing HQ 115278. ↑

7. 19 U.S.C. § 1641(a)(2). ↑

8. Id. ↑

9. HQ H326926 (Dec. 19, 2023). ↑

10. CBP, What Every Member of the Trade Community Should Know: Reasonable Care—An Informed Compliance Publication (Sept. 2017), last visited Jul. 29, 2024. ↑

11. 68 Fed. Reg. 47455 (Aug. 11, 2003). ↑

12. 19 C.F.R. §111.1 (emphasis added). ↑

13. 68 Fed. Reg. at 47456. ↑

14. Id. at 47457. ↑

A Texas federal court dismissed the lawsuit of the Federal Trade Commission (FTC) against private equity (PE) firm Welsh, Carson, Anderson & Stowe (Welsh Carson), while allowing to proceed the agency’s challenge against U.S. Anesthesia Partners (USAP), in a case challenging a series of acquisitions of anesthesia providers.^[1]

Background

Rather than directly employ anesthesiologists, many hospitals contract with outside anesthesiologists or anesthesia groups to ensure around-the-clock access to anesthesia services. In 2012, Welsh Carson created USAP, which began to buy other anesthesia practices in Texas, eventually owning at least fifteen practices. According to the FTC’s complaint, USAP would add each acquired practice to its existing insurance contracts and thereby raise the rates of the newly acquired practices’ services to match its own higher reimbursement rates.^[2] Today, USAP “handles nearly half of all hospital-only anesthesia cases in Texas, and earns almost 60% of all hospital anesthesia revenue paid by Texas insurers, employers, and patients.”^[3]

When Welsh Carson formed USAP, it owned 50.2 percent of the company and chose company leadership. In 2017, the firm sold half of its stake in USAP.^[4] Since then, one of the firm’s funds has owned 23 percent of USAP and had the right to appoint two of USAP’s fourteen board members.^[5]

In September 2023, the FTC sued Welsh Carson and USAP, claiming that they engaged in anticompetitive practices to monopolize Texas’ anesthesiology.^[6] Allegedly, “Welsh Carson masterminded the plan for USAP to roll up markets across Texas and inflate prices,” with the FTC pointing to internal communications at Welsh Carson where the firm allegedly bragged about being USAP’s “primary architect.”^[7] From the FTC’s perspective, Welsh Carson’s minority ownership in USAP was no shield from liability because there is nothing to “prevent Welsh Carson from re-upping its investment in USAP, retaking formal control of the company, and directing yet more anticompetitive acquisitions.”^[8] The FTC also pointed to Welsh Carson’s duplication of its anesthesiology consolidation strategy in the radiology market as evidence the firm would continue its anticompetitive practices.

The FTC claimed that it was entitled to an injunction under Section 13(b) of the FTC Act. Section 13(b) provides that when the FTC has reason to believe “that any person, partnership, or corporation is violating, or is about to violate, any provision of law enforced by the [FTC],” it may sue in federal district court to enjoin those practices.^[9] Welsh Carson and USAP each moved to dismiss the claims against them.

The Court’s Decision

First, in granting the motion to dismiss for Welsh Carson, the court ruled that the FTC did not adequately allege that Welsh Carson is currently violating antitrust laws. The court acknowledged that an acquisition of assets in a company may subject one to liability for monopolization or an unlawful transaction that may substantially lessen competition.^[10] Welsh Carson, however, owns only 23 percent of USAP, and the FTC did not “cite[] a case in which a minority, noncontrolling investor—[regardless of how] hands-on—is liable under Section 13(b) because the company it partially owned made anticompetitive acquisitions.”^[11] In contrast, in denying the motion to dismiss for USAP, the court stated that USAP’s alleged continued acquisitions and dominance in the state’s anesthesiology market “constitute ongoing activity and plausibly contribute to the monopoly power and unfair competition that the FTC’s complaint alleges.”^[12]

Second, the court ruled that the FTC did not adequately allege that Welsh Carson is about to violate antitrust laws. As stated, the FTC argued that nothing prevents Welsh Carson from again becoming a controlling investor in USAP and directing anticompetitive acquisitions. The court disposed of this by pointing out that “the mere capacity to do something does not meet the requirement that the thing is likely to recur.”^[13] And the fact that USAP is continuing its alleged anticompetitive practices “goes to USAP’s violations, not Welsh Carson’s.”^[14] The court also acknowledged that Welsh Carson seeks to replicate its strategy in other health care markets, but “comments from Welsh Carson executives indicating a desire to consolidate other healthcare markets do not show that Welsh Carson is about to violate antitrust laws.”^[15]

Takeaways

Governance separation matters. Welsh Carson was a minority, noncontrolling investor. It controlled only two of USAP’s fourteen board seats. This gave the firm the meaningful separation from USAP it needed. Firms should be mindful that courts will examine the extent of board control no matter how “hands-on” or “hands-off” the investor is regarding operations.

The FTC is concerned about serial acquisitions. The agency’s December 2023 merger guidelines provide that the agency will “examin[e] both the firm’s history and current or future strategic incentives” by evaluating “documents and testimony reflecting [the firm’s] plans and strategic incentives both for the individual acquisitions and for its position in the industry broadly.”^[16] In the FTC’s press release after filing the lawsuit, FTC Chair Lina M. Khan remarked that the “FTC will continue to scrutinize and challenge serial acquisitions, roll-ups, and other stealth consolidation schemes.”^[17] Firms should ensure that procompetitive effects from or reasons for strategies are spelled out in their business development and strategy documents. Firms should assume that that their informal and formal comments will be interpreted skeptically by antitrust authorities. Accordingly, documents discussing the acquisition pipeline or strategy, for example, should be factual and not overstate the plan as one to roll-up, control, or own an entire market or geography.

Consult an expert. Commercial arrangements with competitors that, in any way, implicate rates, prices, production levels, or information regarding same should be carefully reviewed with antitrust counsel.

Acquisitions in health care put agencies on heightened alert. The FTC’s complaint is replete with references to Welsh Carson’s involvement in health care. This concern extends to the states as well. For instance, in February 2024, USAP reached an agreement with Colorado Attorney General Phil Weiser that required it to divest and pay monetary relief.^[18] Weiser remarked that “[w]hen private equity gets involved in health care with a focus on raising prices to make a quick buck, bad things happen for consumers.”^[19] Firms investing in markets related to health care should be aware that federal and state agencies are looking out for serial acquisitions in the sector.

1. No. 4:23-cv-03560, 2024 WL 2137649 (S.D. Tex. May 13, 2024). ↑

2. Id. at *1. ↑

3. Id. at *2. ↑

4. Id. at *3. ↑

5. Id. ↑

6. See Complaint, FTC v. U.S. Anesthesia Partners, Inc., No. 4:23-cv-03560 (S.D. Tex. Sept. 21, 2023). ↑

7. Id. at *93. ↑

8. Id. at *94. ↑

9. 15 U.S.C. § 53(b). ↑

10. FTC v. U.S. Anesthesia Partners, No. 4:23-CV-03560, 2024 WL 2137649, at *4 (S.D. Tex. May 13, 2024). ↑

11. Id. at *5. ↑

12. Id. at *8. ↑

13. Id. at *6. ↑

14. Id. at *5. ↑

15. Id. at *6. ↑

16. U.S. Dep’t of Just., 2023 Merger Guidelines 23 (2023). ↑

17. Press Release, Fed. Trade Comm’n, FTC Challenges Private Equity Firm’s Scheme to Suppress Competition in Anesthesiology Practices Across Texas (Sept. 21, 2023). ↑

18. Press Release, Colo. Off. of the Att’y Gen., Private Equity-Run U.S. Anesthesia Partners to End Colorado Health Care Monopoly under Agreement with Attorney General Phil Weiser (Feb. 27, 2024). ↑

19. Id. ↑

On May 17, 2024, Colorado enacted SB 205, broadly regulating the use of high-risk artificial intelligence systems to protect consumers from unfavorable and unlawful differential treatment. The bill, which requires compliance on or after February 1, 2026, declares that both developers and users of high-risk artificial intelligence systems must comply with extensive monitoring and reporting requirements to demonstrate reasonable care has been taken to prevent algorithmic discrimination. A violation of the requirements set forth in Colorado SB 205 constitutes an unfair trade practice under Colorado’s Consumer Protection Act.

What Is an Artificial Intelligence System?

Colorado SB 205 defines “artificial intelligence system” as “any machine-based system that, for any explicit or implicit objective, infers from the inputs the system receives how to generate outputs, including content, decisions, predictions, or recommendations, that can influence physical or virtual environments.”

The artificial intelligence system becomes “high risk” when it is deployed to make, or is a substantial factor in making, a consequential decision that has a material legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of: (a) education enrollment or an education opportunity; (b) employment or an employment opportunity; (c) a financial or lending service; (d) an essential government service; (e) health-care services; (f) housing; (g) insurance; or (h) a legal service.

A high-risk artificial intelligence system does not include, among others, technology that communicates with consumers in natural language for the purpose of providing users with information, making referrals or recommendations, and answering questions and is subject to an accepted use policy that prohibits generating content that is discriminatory or harmful.

Affirmative Obligations for Developers

Colorado SB 205 requires a developer of a high-risk artificial intelligence system to make available to the deployer, or user of the artificial intelligence system:

1. A general statement describing the reasonably foreseeable uses and known harmful or inappropriate uses of the high-risk artificial intelligence system;
2. Documentation disclosing:
   1. High-level summaries of the type of data used to train the high-risk artificial intelligence system;
   2. Known or reasonably foreseeable limitations of the high-risk artificial intelligence system, including known or reasonably foreseeable risks of algorithmic discrimination arising from the intended uses of the high-risk artificial intelligence system;
   3. The purpose of the high-risk artificial intelligence system;
   4. The intended benefits and uses of the high-risk artificial intelligence system; and
   5. All other information necessary to allow the deployer to comply with the requirements of Section 6-1-1703 [Deployer Duty to Avoid Algorithmic Discrimination];
3. Documentation describing:
   1. How the high-risk artificial intelligence system was evaluated for performance and mitigation of algorithmic discrimination before the high-risk artificial intelligence system was offered, sold, leased, licensed, given, or otherwise made available to the deployer;
   2. The data governance measures used to cover the training datasets and the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation;
   3. The intended outputs of the high-risk artificial intelligence system;
   4. The measures the developer has taken to mitigate known or reasonably foreseeable risks of algorithmic discrimination that may arise from the reasonably foreseeable deployment of the high-risk artificial intelligence system; and
   5. How the high-risk artificial intelligence system should be used, not be used, and be monitored by an individual when the high-risk artificial intelligence system is used to make, or is a substantial factor in making, a consequential decision; and
4. Any additional documentation that is reasonably necessary to assist the deployer in understanding the outputs and monitor the performance of the high-risk artificial intelligence system for risks of algorithmic discrimination.

Affirmative Obligations for Deployers

Colorado SB 205 requires deployers of a high-risk artificial intelligence system to use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination. Reasonable care is demonstrated by the deployer’s implementation of a risk management policy and program governing the deployment of the high-risk artificial intelligence system, completion of an annual impact assessment, and disclosure to consumers when they are interacting with an artificial intelligence system or when the system has made a decision adverse to the consumer’s interests.

Risk Management Policy and Program

The risk management policy and program must be “an iterative process planned, implemented, and regularly and systematically reviewed and updated over the life cycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates.” It must incorporate the principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination.

The risk management policy and program must be reasonable considering:

1. (a) The guidance and standards set forth in the latest version of the “Artificial Intelligence Risk Management Framework” published by the National Institute of Standards and Technology in the United States Department of Commerce, Standard ISO/IEC 42001 of the International Organization for Standardization, or another nationally or internationally recognized risk management framework for artificial intelligence systems, if the standards are substantially equivalent to or more stringent than the requirements of [the bill]; or (b) Any risk management framework for artificial intelligence systems that the Attorney General, in the Attorney General’s discretion, may designate;
2. The size and complexity of the deployer;
3. The nature and scope of the high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and
4. The sensitivity and volume of data processed in connection with the high-risk artificial intelligence systems deployed by the deployer.

Impact Assessment

An impact assessment must be completed annually and within ninety days after any intentional and substantial modification to the high-risk artificial intelligence system is made available. The impact assessment must include, at a minimum, and to the extent reasonably known by or available to the deployer:

1. A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system;
2. An analysis of whether the deployment of the high-risk artificial intelligence system poses any known or reasonably foreseeable risks of algorithmic discrimination and, if so, the nature of the algorithmic discrimination and the steps that have been taken to mitigate the risks;
3. A description of the categories of data the high-risk artificial intelligence system processes as inputs and the outputs the high-risk artificial intelligence system produces;
4. If the deployer used data to customize the high-risk artificial intelligence system, an overview of the categories of data the deployer used to customize the high-risk artificial intelligence system;
5. Any metrics used to evaluate the performance and known limitations of the high-risk artificial intelligence system;
6. A description of any transparency measures taken concerning the high-risk artificial intelligence system, including any measures taken to disclose to a consumer that the high-risk artificial intelligence system is in use when the high-risk artificial intelligence system is in use; and
7. A description of the post-deployment monitoring and user safeguards provided concerning the high-risk artificial intelligence system, including the oversight, use, and learning process established by the deployer to address issues arising from the deployment of the high-risk artificial intelligence system.

The impact assessment must also include a statement disclosing the extent to which the high-risk artificial intelligence system was used in a manner that was consistent with or varied from the developer’s intended uses of the high-risk artificial intelligence system. A deployer must maintain the most recently completed impact assessment, all records concerning each impact assessment, and all prior impact assessments, if any, for at least three years following the final deployment of the high-risk artificial intelligence system.

Notice to Consumer

On and after February 1, 2026, and no later than the time that a deployer deploys a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision concerning a consumer, the deployer must:

1. Notify the consumer that the deployer has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a consequential decision before the decision is made;
2. Provide to the consumer a statement disclosing the purpose of the high-risk artificial intelligence system and the nature of the consequential decision; the contact information for the deployer; a description, in plain language, of the high-risk artificial intelligence system; and instructions on how to access the statement . . . ; and
3. Provide to the consumer information, if applicable, regarding the consumer’s right to opt out of the processing of personal data concerning the consumer for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. . . .

The deployer must also comply with substantial notice requirements if the high-risk artificial intelligence system makes a consequential decision that is adverse to the consumer and allow the consumer to appeal or correct any incorrect personal data that the high-risk artificial intelligence system processed in making the decision.

If a deployer deploys a high-risk artificial intelligence system and subsequently discovers that the high-risk artificial intelligence system has caused algorithmic discrimination, the deployer, without unreasonable delay, but no later than ninety days after the date of the discovery, must send to the Attorney General, in a form and manner prescribed by the Attorney General, a notice disclosing the discovery.

A deployer who uses a high-risk artificial intelligence system that is intended to interact with consumers must ensure it discloses to each consumer who interacts with the artificial intelligence system that the consumer is interacting with an artificial intelligence system. Disclosure is not required under circumstances in which it would be obvious to a reasonable person that the person is interacting with an artificial intelligence system.

Website Disclosures

A developer must make available, in a manner that is clear and readily available on the developer’s website or in a public use case inventory, a statement summarizing:

1. The types of high-risk artificial intelligence systems that the developer has developed or intentionally and substantially modified and currently makes available to a deployer or other developer; and
2. How the developer manages known or reasonably foreseeable risks of algorithmic discrimination that may arise from the development or intentional and substantial modification of the types of high-risk artificial intelligence systems described in accordance with [the above].

Similarly, a deployer must also make available on its website a statement summarizing:

1. The types of high-risk artificial intelligence systems that are currently deployed by the deployer;
2. How the deployer manages known or reasonably foreseeable risks of algorithmic discrimination that may arise from the deployment of each high-risk artificial intelligence system . . . ; and
3. In detail, the nature, source, and extent of the information collected and used by the deployer.

Exemptions

These requirements do not apply to a deployer if, at the time the deployer deploys a high-risk artificial intelligence system and at all times while the high-risk artificial intelligence system is deployed,

1. The deployer:
   1. Employs fewer than 50 full-time equivalent employees; and
   2. Does not use the deployer’s own data to train the high-risk artificial intelligence system;
2. The high-risk artificial intelligence system:
   1. Is used for the intended uses that are disclosed to the deployer as required by [the developer]; and
   2. Continues learning based on data derived from sources other than the deployer’s own data; and
3. The deployer makes available to consumers an impact assessment that:
   1. The developer of the high-risk artificial intelligence system has completed and provided to the deployer; and
   2. Includes information that is substantially similar to the information in the impact assessment required [to be submitted by the deployer pursuant to the requirements of the bill].

The European Union’s Corporate Sustainability Due Diligence Directive (the “CSDDD” or “Directive”) was published on July 5, 2024. It must be transposed into national laws by July 26, 2026, and phased in over the coming several years. The national laws adopted pursuant to the Directive will ultimately apply to all companies that have annual group-wide net turnover (i.e., sales net of rebates, value-added tax, and similar taxes) in the EU of over €450 million (and, in the case of EU companies, also at least one thousand employees); to EU companies with annual franchising fees and/or royalties of at least €22.5 million and net turnover above €80 million; and to non-EU companies with those levels of franchising/royalty revenue in the EU.

Nearly all large U.S. multinational enterprises (“MNEs”) will be subject to these laws, because their European subsidiaries exceed the revenue thresholds, and/or because their global sales in and exports to the EU exceed €450 million. The largest MNEs will become subject to the laws beginning in 2027.

Because the due diligence review mandated by the Directive extends to in-scope MNEs’ supply chains, distribution channels, and other “business partners,” the human rights, environmental, and climate change requirements of the Directive will also indirectly impact many smaller companies (including U.S. companies that are not otherwise covered). Many of those companies will, however, be in a position to respond to the due diligence requests of in-scope companies because of their own obligations under the EU’s Corporate Sustainability Reporting Directive, which will apply to a much larger number of U.S. companies.

What does the Directive do?

The Directive will in effect convert the nonbinding obligations of the U.N. Guiding Principles on Business and Human Rights and the frameworks in the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct and OECD Due Diligence Guidance for Responsible Business Conduct into legal obligations binding on companies that fall within the CSDDD’s scope (“in-scope” companies or MNEs). Many large MNEs already seek to comply with these instruments. An even larger number purport to. These companies may already be well positioned to evaluate the potential significance of the Directive.

The Directive’s significance should not, however, be understated. It will cause the rights articulated in a variety of international agreements, all of which until now have been binding only on state parties (except to the extent enacted into domestic law by state parties), to become legally binding obligations enforceable against in-scope MNEs under the laws of all twenty-seven of the member states of the EU. Those agreements include three international human rights treaties—the International Covenant on Civil and Political Rights (“ICCPR”), the International Covenant on Economic, Social and Cultural Rights (“ICESCR”), and the Convention on the Rights of the Child—eight core/fundamental conventions of the International Labour Organization (“ILO”),^[1] the core climate change mitigation objective of the Paris Agreement, and eleven environmental conventions. The U.S. has signed but not ratified the ICESCR and the Convention on the Rights of the Child; it has only signed two of the eight ILO conventions, and it has signed but not ratified three of the environmental conventions.

These international agreements articulate a lengthy list of rights and obligations and, if national authorities and courts in the EU enforce the provisions of the Directive as written, the potential impact will be significant. In-scope companies will be required (among other things):

• to ensure that their global operations and those of their supply chain comply with international standards in relation to workers’ rights, equal pay, union activities, etc., even when those standards go beyond the requirements of domestic law in the country of employment;
• to adopt and implement a transition plan to reduce their global greenhouse gas emissions in line with the Paris Agreement’s objective of limiting the temperature increase to 1.5°C above preindustrial levels and with the EU’s “net zero” targets;
• to avoid causing any measurable environmental degradation that has any one of a range of negative effects, anywhere in their global operations;
• to avoid violating others’ right to freedom of expression or interfering with persons’ privacy and correspondence; and
• to ensure that any land or other natural resources to be used by the companies is not taken from, and does not result in evictions of, persons or communities who thereby lose their ability to subsist or their means of livelihood.

Although styled as a “due diligence” directive, the name is somewhat misleading. If violations of rights are identified through the due diligence process (or by the parallel efforts of trade unions, NGOs, or other interested parties), the in-scope MNE will be required to eliminate or, if that is not possible, mitigate them.

The CSDDD raises many critically important questions, to which at present there are no clear answers. Among other aspects of the Directive, U.S. MNEs will need to focus on their own compliance, and the compliance of their supply chain and other business partners, with at least seven sets of rights and obligations set forth in the Directive.

Conditions of work

Among the rights listed in the Directive is the “right to enjoy just and favourable conditions of work,” including:

• a fair wage and an adequate living wage for employed workers,
• a decent living,
• safe and healthy working conditions, and
• reasonable limitation of working hours,

interpreted in line with Article 7 and 11 of the ICESCR, which clarify that the right to an adequate living wage and a decent living is intended to provide the worker and the worker’s family “an adequate standard of living for himself and his family, including adequate food, clothing and housing.”

Although over 170 countries have minimum wage laws,^[2] and MNEs tend to pay above the going rate in most countries, enforcement of minimum wage laws differs significantly across countries. Categories of workers (e.g., agricultural, domestic, and younger) are often excluded from minimum wage laws,^[3] and there is often a significant gap between the minimum wage and a living wage, as that term is defined by the ILO.

In-scope companies will need to conduct due diligence into these matters, both in their own global operations and in their supply chains, to determine whether their subsidiaries and their key suppliers meet the higher standard. According to data collected by the World Economic Forum, at present only 24 percent of employers currently pay a living wage globally.^[4] The CSDDD will make this obligatory for in-scope companies.

Laws in many countries set maximum working hours, but enforcement varies, and there are significant exceptions.^[5] Similarly, many countries have laws regulating the health and safety of workplaces, but in some countries there is little enforcement.

It appears that workers in non-EU countries, or an NGO or trade union acting on their behalf, will be able to lodge complaints with EU enforcement authorities or to bring suit in EU courts for a non-EU company’s alleged failure to pay a living wage or limit working hours. While in-scope companies will be required to seek contractual assurances from direct business partners that they will ensure compliance with these requirements as well, and verify compliance with those undertakings, it is not clear what an in-scope MNE is supposed to do, and what its liability may be, if the counterparty refuses to do so or if the MNE knows that the counterparty is not complying. The Directive provides some guidance on these matters, but further clarity in the transposed laws would be useful.

Equal pay and nondiscrimination

The Directive requires the transposed laws to prohibit unequal treatment in terms of employment, unless this is justified by the requirements of the employment. Unequal treatment includes, in particular:

1. the payment of unequal remuneration for work of equal value; and
2. discrimination on grounds of national extraction or social origin, race, color, sex, religion, or political opinion.

This right is to be interpreted in line with Article 7 of the ICESCR, which requires “equal remuneration for work of equal value without distinction of any kind, in particular women being guaranteed conditions of work not inferior to those enjoyed by men, with equal pay for equal work.”

Equal pay for equal work, and nondiscrimination in employment, are established legal principles in the EU,^[6] U.S.,^[7] and U.K.^[8] and in several other countries, but legal protections for women and racial and ethnic minorities in many countries are nonexistent or weak.^[9] Will the Directive result in the EU courts becoming the venue of choice for forcing MNEs to end unequal pay in all their subsidiaries? Will there be a requirement that plaintiffs first seek remedies in their own country, if an effective remedy is available there? Again, the implementing legislation may provide clarity.

Rights to form unions and to strike

The Directive also requires in-scope companies to ensure their workers are entitled to freedom of association, assembly, the right to organize, and collective bargaining. This includes the following rights:

1. workers are free to form or join trade unions;
2. the formation, joining and membership of a trade union must not be used as a reason for unjustified discrimination or retaliation;
3. trade unions are free to operate in line with their constitutions and rules, without interference from the authorities; and
4. the right to strike and the right to collective bargaining.^[10]

Many countries in the world do not—at least in practice—allow workers the freedom to form unions (except, in some cases, those established by the government), to strike, and to engage in collective bargaining. According to the International Trade Union Confederation, 87 percent of countries have violated the right to strike, and 79 percent have violated the right to collective bargaining.^[11]

In countries where there is no right to form labor unions, right to strike, and/or right to collective bargaining, but also no prohibition, the Directive may require in-scope companies (and their suppliers) to afford their workers these rights, as a matter of EU law. But what will this mean in practice? Will workers in non-EU countries be able to bring their unionization and collective bargaining disputes to EU courts, demanding the rights articulated in the relevant international conventions, even if those go beyond what they are entitled to under their own country’s laws? And what will the Directive’s requirements mean as applied to countries where independent labor unions are not permitted to exist, or where strikes are banned? Guidance on these points will be needed.

Climate change transition plans

The Directive will require in-scope companies to adopt and put into effect a “transition plan” that aims to ensure, through best efforts, that the business model and strategy of the company are compatible with the Paris Agreement’s objective of limiting global warming to 1.5°C and the EU regulation establishing the objective of achieving “climate neutrality,” including its intermediate and 2050 targets. The transition plans will be required:

• to cover the entire group’s operations, and include its suppliers and other business partners;
• to contain time-bound targets related to climate change for 2030, then in five-year incremental steps up to 2050;
• to include absolute emission reduction targets for Scope 1, Scope 2, and Scope 3 greenhouse gas emissions,^[12] as well as the key actions planned to reach those targets,
• to explain and quantify the investments and funding supporting the transition plan; and
• to be updated every twelve months, together with a report on the progress made towards achieving the plan’s targets.

The Directive contemplates that the national supervisory authorities charged with implementing its provisions shall be required “to supervise the adoption and design of the plan.”

While many MNEs have adopted action plans relating to the reduction of greenhouse gases, in most cases these initiatives have been voluntary, have not been based on governmentally mandated targets, have not extended to their supply chain and distributors, and have not been subject to governmental oversight. The Directive proposes to change all that, for in-scope MNEs and, indirectly, their business partners.

As the Paris Agreement’s objective of limiting climate change to a 1.5°C increase is, at this point, ambitious (if not, according to some, impossible), to have the desired impact, transition plans will have to be similarly ambitious. It is not clear whether there will continue to be political support within the EU for the radical reductions in greenhouse gas emissions that companies will need to implement to meet the plans’ stated objectives. But if the EU is willing to exert maximum pressure on its own companies to convert rapidly to renewable energy sources and energy-efficient modes of production and transportation, the EU may be particularly insistent on forcing non-EU MNEs to take the same bold (and, in the short run, costly) steps.

The activities of NGOs are likely to be relevant in this context. Within the EU there have been several high-profile lawsuits designed to force companies^[13] to act more aggressively to reduce greenhouse gas emissions. NGOs sense an opportunity to use the Directive to force both EU and non-EU companies into faster and bolder action. They may also use the transposed laws to seek damages and/or remediation for the adverse impacts allegedly caused by the failure to implement efficacious transition plans in line with the Directive’s requirements.

Environmental degradation

The Directive will require in-scope companies to avoid causing any measurable environmental degradation, such as harmful soil change, water or air pollution, harmful emissions, excessive water consumption, degradation of land, or other impact on natural resources (such as deforestation) that has any one of a range of adverse environmental impacts. It will also require in-scope companies to avoid or minimize adverse impacts on biological diversity.

It is not clear what this will mean in practice. One possibility is that the Directive will create a set of environmental laws applicable to all large MNEs, to be enforced by European governmental authorities and courts. If that is the intent, the EU or national EU governments will—one hopes—provide more detailed guidance on what is (and is not) considered a violation of the CSDDD’s general rules.^[14]

Freedom of expression, privacy, and correspondence

The Directive prohibits arbitrary or unlawful interference with a person’s privacy, family, home, or correspondence, interpreted in line with Article 17 of the ICCPR. Article 19 of the ICCPR, also covered by the CSDDD, includes the right to hold opinions without interference, and the right to freedom of expression, regardless of frontiers, orally, in writing or in print, or through any other media. Protecting these rights may prove challenging for telecommunications and social media companies (among others) operating in repressive countries.

Governments often request personal information from social media and telecom companies, in the course of criminal investigations or for other legitimate reasons. Repressive regimes will, however, often demand access to customer information in order to track down individuals who have criticized the government, or who support the political opposition. Those governments may use that information to detain, interrogate, and/or incarcerate dissidents and political opponents. Companies are regularly compelled by repressive regimes to block websites and shut down services to suppress political criticism or prevent reporting of human rights abuses.

When faced with a governmental demand for access to an email account or telephone line, even when it knows or guesses that the reason may lead to a violation of human rights, a telcom may often have no choice but to comply, as to refuse will be a criminal offense and may result in its subsidiary’s employees being arrested and prosecuted. To accede to the government’s demand may, however, result in the company’s customer(s) being arrested and prosecuted (or jailed without charges), in violation of their human rights. This is not a new dilemma. But under the laws contemplated by the Directive, it may evolve from being an ethical dilemma to being a conflict between diametrically opposed legal requirements.^[15]

Evictions and takings

The Directive will also require in-scope companies to respect “the right of individuals, groupings and communities to lands and resources and the right not to be deprived of means of subsistence, which entails the prohibition to unlawfully evict or take land, forests and waters when acquiring, developing or otherwise using land, forests and waters, including by deforestation, the use of which secures the livelihood of a person.”

This requirement will impose on in-scope companies an obligation to ensure, when acquiring land or water rights, etc. (e.g., for the construction of a new factory or other asset), that the land is not occupied or in use as farm or grazing land by individuals who will be adversely affected by their dispossession of the land, unless adequate arrangements have been made to compensate them and protect their interests. The Directive’s interpretive guidance^[16] makes clear that particular attention must be paid to situations in which the people being dispossessed are individuals from disadvantaged minority groups, low-caste individuals, indigenous peoples, or others who may be particularly vulnerable.

It is not uncommon, in large-scale development projects, for there to be complaints regarding the displacement of indigenous, minority, low-caste, or otherwise marginalized peoples, whose claim to the land is often undocumented. Similarly, there are often complaints regarding a project’s likely adverse impact on drinking water, fish, or other resources, and the adverse impact that will have on local people.

NGOs often champion the rights of the affected people in local courts, but particularly in cases where there is significant government backing for the project, local courts may be unsympathetic, or grant only nominal compensation. The CSDDD seems to offer alternative, potentially more sympathetic, venues for NGOs to pursue these claims.

Next steps

Particularly if not implemented with clarity, practicality, and nuance, the laws promulgated pursuant to the CSDDD will present significant challenges for in-scope MNEs, including even those that already strive to comply with the U.N. Guiding Principles and the OECD Guidelines for Multinational Enterprises. It is important that the EU, and the twenty-seven national governments that will be transposing the Directive into national law and then enforcing it, implement the Directive in a manner that is realistic and responsive to the practical realities faced by MNEs in complex business environments.

U.S. companies should assess the potential impact of the Directive on their global operations, follow closely further developments as the CSDDD is transposed into national laws, and use the time before these laws become applicable to prepare to meet the compliance challenges they present.

1. Freedom of Association and Protection of the Right to Organise Convention, 1948 (No. 87); Right to Organise and Collective Bargaining Convention, 1949 (No. 98); Forced Labour Convention, 1930 (No. 29) and its 2014 Protocol; Abolition of Forced Labour Convention, 1957 (No. 105); Minimum Age Convention, 1973 (No. 138); Worst Forms of Child Labour Convention, 1999 (No. 182); Equal Remuneration Convention, 1951 (No. 100); and Discrimination (Employment and Occupation) Convention, 1958 (No. 111). ↑

2. “Living Wage,” U.N. Global Compact, accessed July 11, 2024. ↑

3. See ITUC Global Survey on Minimum Living Wages: Key Findings, International Trade Union Confederation (“ITUC”) (Jan. 2024), at 5. ↑

4. See Victoria Masterson, “Explainer: What is a living wage and how is it different from the minimum wage?,” World Economic Forum (Apr. 9, 2024). ↑

5. See Sangheon Lee, Deirdre McCann, and Jon C. Messenger, Working Time Around the World: Trends in working hours, laws and policies in a global comparative perspective (London: Routledge, 2007). ↑

6. See Art. 157 of the Treaty on the Functioning of the European Union, and Directive 2006/54/EC on the implementation of the principle of equal opportunities and equal treatment of men and women in matters of employment and occupation (July 5, 2006). ↑

7. Equal Pay Act of 1963 (Pub. L. 88-38), as amended, and Title VII of the Civil Rights Act of 1964 (Pub. L. 88-352). ↑

8. Equality Act 2010. ↑

9. See Women, Business and the Law 2024, World Bank Group (Mar. 4, 2024); “ITUC Policy Brief: Trade union action to promote equal pay for work of equal value,” ITUC (Sept. 14, 2023). ↑

10. These rights are to be interpreted in line with Articles 21 and 22 of the ICCPR, Article 8 of the ICESCR, the ILO Freedom of Association and Protection of the Right to Organise Convention, 1948 (No. 87), and the ILO Right to Organise and Collective Bargaining Convention, 1949 (No. 98). ↑

11. Global Rights Index 2024, ITUC (2024), at 8. ↑

12. Scope 1 greenhouse gas emissions are those that are produced from sources that are owned or controlled by the corporate group. Scope 2 emissions are those that result from the production of electricity, and heating and cooling purchased by the corporate group. Scope 3 emissions are those emitted by the company’s value chain, including those produced by suppliers, distributors, and product usage, to the extent not included in Scope 2. ↑

13. See, e.g., Milieudefensie v. Royal Dutch Shell plc, Case No. C/09/571932 (May 26, 2021). Shell has appealed the decision. ↑

14. The CSDDD will also require covered companies to comply with the terms of about ten international environmental treaties. Because most of these conventions make clear what is prohibited or required, companies with operations that may be covered by their provisions will have greater clarity on what is required. ↑

15. The word “unlawful” will not resolve the legal conflict. The U.N. Human Rights Committee has clarified that the word “unlawful” means that no interference can take place except in cases envisaged by the law, and that the law must comply with the provisions, aims, and objectives of the Covenant. ICCPR General Comment No. 16 (1988). ↑

16. These rights are to be interpreted in line with Article 1 and 27 of the ICCPR and Article 1, 2, and 11 of the ICESCR. Article 27 of the ICCPR provides that where ethnic, religious, or linguistic minorities exist, persons belonging to such minorities shall not be denied the right, in community with the other members of their group, to enjoy their own culture, to profess and practice their own religion, or to use their own language. Article 2 of the ICESCR includes a requirement that rights be exercisable without discrimination of any kind as to race, color, sex, language, religion, political or other opinion, national or social origin, property, birth, or other status. ↑

On June 18, 2024, in NAIB v. Weiser, the United States District Court for the District of Colorado granted the motion for preliminary injunction filed by plaintiffs—the National Association of Industrial Bankers (NAIB), American Financial Services Association (AFSA), and American Fintech Council (AFC) (collectively, “Trade Associations”)—against the Colorado Attorney General and Administrator of the Colorado Uniform Consumer Credit Code (Colorado), which challenges Colorado’s opt-out of Section 521 of the Depository Institutions Deregulation and Monetary Control Act of 1980 (DIDMCA) and its interpretation of Colo. Rev. Stat. § 5-13-106, which was set to take effect on July 1, 2024.

Background on DIDMCA and Legal Challenge by Trade Associations

As discussed in our prior articles, Sections 521–523 of DIDMCA granted federal authority to insured, state-chartered banks and credit unions, authorizing them to contract for the interest rate permitted by the state where the bank is located and export that interest rate into other states. In June 2023, Colorado signed into law legislation exercising its right under Section 525 to opt out of DIDMCA, which it believes will require state-chartered banks and credit unions to adhere to Colorado laws regarding interest rate and fee limitations.

The preliminary injunction filed by the court follows the original complaint filed by the Trade Associations on behalf of their members on March 24, 2024, which challenged the interpretation of Colo. Rev. Stat. § 5-13-106 and the opt-out. Colorado filed a motion to dismiss on May 13, 2024.

Amicus Curiae Briefs in Support

In a unique turn of events, the Federal Deposit Insurance Corporation (FDIC) filed an amicus curiae brief in support of Colorado’s position and asserted that loan transactions between parties in different states are made in the state where the borrower enters into the transaction. The FDIC’s position in the brief contradicted its long-standing position on this topic that loans are made in the state where the contractual choice-of-law and the location where certain nonministerial lending functions are performed, such as where the credit decision is made, where the decision to grant credit is communicated from, and where the funds are disbursed.

The American Bankers Association and Consumer Bankers Association also filed an amicus curiae brief in support of the Trade Associations and noted that the position the FDIC took was the first time it had ever argued that the loan is made where the borrower is located.

Court’s Interpretation and Ruling

The preliminary injunction issued by the court in NAIB v. Weiser provides that Colorado is enjoined preliminarily from enforcing the rate and fee limitations “with respect to any loan made by the [Trade Associations’] members, to the extent the loan is not ‘made in’ Colorado and the applicable interest rate in Section 1831d(a) exceeds the rate that would otherwise be permitted.” The court found strong support in the interpretation of where a loan is “made” in the plain language of Section 521 when viewing the statutory scheme holistically and when coupled with the Federal Deposit Insurance Act and Title 12 of the United States Code, containing the National Bank Act.

Further, the court provided that “the plain and ordinary answer to the question of who ‘makes’ a loan is the bank, not the borrower. It follows, then, that the answer to the question of where a loan is ‘made’ depends on the location of the bank, and where the bank takes certain actions, but not on the location of the borrower who ‘obtains’ or ‘receives’ the loan.”

Implications and Potential Impact of the Injunction

While the court found that the requirements for a preliminary injunction were satisfied, it is certainly worth noting that if the Trade Associations were not granted the injunction, the products their members offer could no longer be offered to Colorado customers. As a result, “those customers—and their goodwill along with that of the banks’ business partners—may be gone forever.” Even if the Trade Association members were able to recover monetary damages from Colorado, the “loss of customers, loss of goodwill, and erosion of a competitive position in the marketplace are the types of intangible damages that may be incalculable, and for which a monetary award cannot be adequate compensation.”

Additionally, the court determined that the balance of the harms weighed in favor of the Trade Associations because national banks would be able to continue making consumer loans to Colorado residents irrespective of the interest rate and fee limitations under Colorado law and placing the Trade Associations’ members at a disadvantage, all for only providing marginally more protections from higher interest rates. Further, the court determined that the public interest favors enjoining enforcement of “likely invalid provisions of state law.”

Colorado has thirty days to appeal the preliminary injunction, and an appeal is very likely. However, the outcome of such an appeal is uncertain. Assuming the District Court decision is upheld on appeal, the rate and fee limitations would no longer be applicable to out-of-state, state-chartered banks that make consumer loans to Colorado residents. If the decision is overturned, these parties would need to adhere to the prescribed rate caps and fee limitations as prescribed by Colorado law.

The Takeaway

Even though this injunctive relief is limited to the Trade Association’s members, we still recommend that financial services companies operating in the fintech and nondepository space remain mindful that Colorado has previously used true lender theories to challenge loan charges assessed by out-of-state depository institutions in the context of bank partnership programs, resulting in a prior Assurance of Discontinuance (AOD) that sets forth guidelines for true lender determinations in Colorado.

As workers were leaving their offices for the Fourth of July holiday, the Northern District of Texas issued its much-anticipated order preliminarily enjoining the effective date of the controversial noncompete ban rule issued by the Federal Trade Commission (FTC). The court’s decision, however, is limited to the named plaintiffs in the case—a tax accounting firm and several business groups. Although the stay is temporary pending the court’s final decision on the merits of the case and applies only to the movants in the case, it signals that a permanent and nationwide injunction is likely.

The FTC’s noncompete rule, if it becomes effective, will apply to any written or oral employment term or policy that penalizes or prevents a worker from (a) seeking or accepting work in the U.S. with a different employer, or (b) operating a business in the U.S. after the conclusion of the employment that includes the term or condition. The rule prohibits entering into new noncompete agreements on or after the effective date with any worker. The rule also prohibits enforcing or attempting to enforce a noncompete clause that existed before the effective date for any worker except for those who qualify as senior executives. The ban does not apply to customer or employee nonsolicitation agreements.

The central issue before the Texas court was whether the FTC Act gives the FTC the authority to promulgate substantive rules in general, and the broad, sweeping noncompete ban in particular. The court rejected the FTC’s interpretation of the FTC Act and ruled that a “plain reading” of Section 6(g) of the FTC Act “does not expressly grant the Commission authority to promulgate substantive rules regarding unfair methods of competition.” Further, the court cited a 1979 Supreme Court case that referred to Section 6(g) as a “housekeeping statute,” authorizing rules related to “procedure or practice,” not “substantive rules.” Ultimately, the court found that “the text, structure, and history of the FTC Act reveal that the FTC lacks substantive rulemaking authority with respect to unfair methods of competition under Section 6(g).” The court also determined that the FTC noncompete rule is likely “arbitrary and capricious.”

Notably, the Texas court limited its preliminary ruling to the parties and declined to enter an order enjoining enforcement of the FTC noncompete rule nationwide. As a result, the court’s preliminary injunction order does not invalidate the rule for any nonparty.

The court’s ruling on the preliminary injunction is not a final judgment in the case. However, its approach to the preliminary injunction and finding that the plaintiffs demonstrated a “substantial likelihood of success on the merits” strongly suggest that it will strike down the rule on the merits. The court committed to issuing its decision on the merits by August 30. In the interim, the parties will further brief the merits issues and the narrow scope of the court’s order, including whether the injunction should be expanded to be national.

A separate case brought by ATS Tree Services LLC is proceeding in a Pennsylvania federal court; that case currently has a preliminary injunction hearing scheduled for July 10. The ATS court anticipated that it would publish its opinion by or before July 23. The ATS court is not bound by the Texas court’s reasoning or decision, but it will doubtless be taken into consideration.

What’s Next?

Because the Texas court limited its preliminary injunction ruling to only the plaintiffs and rejected a request to issue a nationwide preliminary injunction, companies should continue to plan for implementation of the rule on September 4.

A few things employers can do to be prepared include:

• Assess existing agreements imposing post-employment restrictions, including noncompetition agreements that would be banned under the FTC noncompete rule and confidentiality and nonsolicitation agreements that are not.
• Consider improvements and clarifications that could strengthen your nonsolicitation and confidentiality agreements regardless of the noncompete ban’s future. Clear and precise drafting is essential, and employers with workers in multiple states must account in their agreements for the many different and evolving state laws.
• Prepare to provide the required notice under the final rule, because it could take time to identify the workers who are subject to oral or written noncompetes or equivalent employee policies, compile the relevant worker address information, and draft the notices. If the rule becomes effective, the notification must be made by the effective date.

On June 6, the U.S. Department of the Treasury issued a request for information (“RFI”) seeking information and public input on the use of artificial intelligence in the financial services sector. The RFI asks that written comments and information be submitted on or before August 12, 2024.

Through this RFI, the Treasury Department seeks to increase its understanding of how AI is being used within the financial services sector and the opportunities and risks presented by the development and applications of AI. The Treasury Department is relying on the definition of AI utilized in President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence and the National Artificial Intelligence Initiative: “a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments. Artificial intelligence systems use machine and human-based inputs to perceive real and virtual environments; abstract such perceptions into models through analysis in an automated manner; and use model inference to formulate options for information or action.” It is worth noting that the first question asked by the Treasury Department, however, is whether this definition is appropriate for financial institutions.

The focus of the RFI is on the following uses of AI by financial institutions:

• Provision of products and services (e.g., how is AI being used to offer financial products or services? How is AI being used for financial forecasting products and pattern recognition tools?)
• Risk management (e.g., how is AI being used to manage risk and asset liability?)
• Capital markets (e.g., how is AI being used to identify investment opportunities and provide financial advisory services?)
• Internal operations (e.g., how is AI being used to manage payroll, HR functions, training, and software development?)
• Customer service (e.g., how is AI being used to help handle complaints or manage a website?)
• Regulatory compliance (e.g., how is AI being used to assist with regulatory reporting or disclosure requirements?)
• Marketing (e.g., how is AI being used to market to consumers?)

As part of the RFI, the Treasury Department has posed a series of questions geared toward a broad set of stakeholders in the financial services ecosystem (including consumer and small business advocates, nonprofits, academics, and others) to understand the benefits and risks of AI. These questions are use-case focused and seek to ferret out how AI could benefit or pose risks to stakeholders. In addition, the Treasury Department is seeking specific information on how financial institutions are protecting against “dark patterns” and predatory targeting, which could lead to bias and fair lending issues; mimicry of biometric data (e.g., a consumer’s voice), which could affect fraud detection and prevention tools such as multi-factor authentication; and unfair or deceptive acts or practices. The Treasury Department also asks about the privacy impact of AI, noting that AI can enable a firm’s ability to infer attributes and behavior about an individual that could “undermine privacy (including the privacy of others) and dilute the power of existing ‘opt-out’ privacy protections.”

The Treasury Department’s RFI is one of several requests for information on AI. Various other federal agencies are seeking or have sought information on AI, including the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corporation, the Consumer Financial Protection Bureau, and the National Credit Union Administration, which issued an interagency RFI in 2021 on financial institutions’ use of AI. This most recent RFI is a reminder that this is a hot topic for regulators, and the heat does not appear to be dissipating any time soon.