Articles + Publications - Troutman Pepper Locke

This article was originally published on North American Clean Energy and is republished here with permission as it originally appeared on November 15, 2025.

2025 has been a year marked by caution and concern for much of the renewable energy industry in the U.S. as stakeholders waited for the passage of the ‘One Big Beautiful Bill Act’ (OBBBA). However, if it is possible to identify a winner from the renewables sector in the wake of the OBBBA’s passing, energy storage might be it.

It is true that the OBBBA has raised valid doubts in the industry over the future of the energy storage supply chain after introducing foreign entity of concern (FEOC) rules, and in conjunction with fluctuating trade tariffs. Nonetheless, energy storage was spared the same fate as wind and solar which were impacted by a much earlier phaseout of tax credits.

Overall, the result appears less severe than feared; to this extent, it is a modest victory for a sector that has proven itself to be critical to the future of U.S. energy.

Bipartisan support for energy storage

Why is it that the energy storage industry remains quietly confident after a year of project risk profiles growing in complexity? A major source of optimism is the clear signal of recognition from both major parties in the U.S. that energy storage will play a strategic role in bolstering the nation’s overall energy security.

The OBBBA leaves energy storage tax credits largely intact, along with a medium-term runway for the wind and solar industries to continue build-out with the benefit of tax credits and potentially outgrow them. At the same time, the aim to ramp up onshored battery manufacturing is gathering momentum. While the regulatory landscape puts more pressure on the sector to deliver, the space it leaves for continued development and the eventual growth of domestic supply underlines the value placed on energy storage services.

In addition, the versatility of use cases for energy storage has untethered it to a meaningful degree from the fate of wind and solar. The impetus on improving grid resilience, enabling grid flexibility, and bringing stability to power prices favors BESS projects even as decarbonization goals are deprioritized. Currently, the U.S. power market sets its price based on legacy generators that are only needed during ramp times; batteries have the advantage of facilitating this quickly, cheaply, and reliably.

Energy storage is also a beneficiary of the restructuring of U.S. energy to align with broader goals to stimulate economic development and reinforce national security. Power demand is expected to explode as the data center industry undergoes rapid expansion, bringing online more high-energy consumers with exacting power requirements. Batteries are well-positioned to play a key role in managing the challenges this poses to ensure that existing infrastructure can cope with changing needs.

Escalating supply risks

While recognition of the importance of energy storage in the U.S. energy mix brings reassurance, the industry must now adapt to more difficult development conditions, particularly when it comes to navigating the supply chain.

Historically, the booming development of energy storage in the U.S. has been heavily reliant on imports from China. Now, with new restrictions preventing entities connected to adversarial nations from accessing U.S. energy tax incentives, supply lines must be restructured. The threat of exorbitant reciprocal trade tariffs compounds the necessity of sourcing alternative supply lines in the long term.

The task of modifying a supply chain that has been so dependent on one stream of supply is difficult, and there is an urgency to achieve this before FEOC rules come into effect in 2026. These rules can be a heavy burden on the industry in view of the lack of time in which to recalibrate a supply chain as complex as battery cells.

Onshoring U.S. manufacturing has been a goal for a number of years and does not come as a big surprise to the industry — in time, it could make the industry more resilient. However, a question that remains unanswered is whether it is realistic to onshore the supply chain capacity required for a rapidly scaling sector like energy storage. The enforcement of FEOC rules as soon as next year will add pressure to supply services that are already in high demand.

Even with a pathway left open for energy storage to continue its progress, supply risks now leave the industry with a considerable hurdle to overcome before moving their projects forward.

What next?

Energy storage players that have sought to tackle the supply problem proactively by conducting extensive research into alternative suppliers over the last twelve months have had success in combining manufacturing from different parts of the world and securing an early advantage in these working relationships.

The lessons learned from solar supply struggles over recent years should prove helpful to storage developers as they revise their strategies. With manufacturing moving out of China at a remarkable pace and domestic production also advancing at a good rate to support development, the supply chains have strengthened in both reliability and agility.

One of the biggest obstacles for developers attempting to shift their plans in response to turbulence in the U.S. energy sector this year has simply been uncertainty. Prior to the passage of the OBBBA, forecasting the outlook of multiyear development projects was difficult due to the lack of clarity over what level of support projects could expect to receive. The arrival of more legislative certainty — even when it is not overwhelmingly positive for the industry — enables developers to lay solid foundations for their projects, and establish cost transparency to attract investors.

Armed now with more certainty and the bipartisan recognition that it is an essential part of the U.S.’ energy infrastructure moving forward, energy storage has emerged from a year of turbulence in the renewables sector as a relative ‘winner’. Though bruising, the OBBBA has left developers in a position to tackle increased risks with cautious optimism and tax credit support through to 2033.

FUNDamentals is a periodic digest of news and information specifically for investment funds and investment advisors. In this issue, we highlight some industry trends, 401(k) access to alternative assets, fund liquidity trends (LPs acting as lenders, secondaries, and continuation funds), developments with “reverse CFIUS,” crypto, digital assets and tokenization, and the delay or withdrawal of new AML and other rules affecting private funds.

Click here to read this issue.

We offer full-service counsel to private equity, venture, real estate, hedge, and registered investment funds; investment companies; small business investment companies (SBICs); and investment managers and their respective sponsors, managers, advisors, and investors on transactional and legal regulatory issues in the United States and internationally. Our team advises clients in major jurisdictions throughout the United States, Canada, Europe, and Asia.

In a recent U.S. Court of Appeals for the Third Circuit decision, In re Eileen T. Adams, the appellate court blocked just such an effort following an analysis of the Rooker-Feldman doctrine and the ultimate application of preclusion principles. This decision supports the general proposition that a bankruptcy proceeding cannot be used to revive foreclosure-related disputes that have been previously and conclusively resolved by a state court.

Click here to read the full article in The Legal Intelligencer.

On November 10, 2025, the IRS issued Rev. Proc. 2025-31 (the Rev Proc.), which provides a safe harbor for investment trusts and grantor trusts to stake certain digital assets without jeopardizing their status as trusts for U.S. federal income tax purposes. The Rev. Proc. comes in response to the White House’s request made in July 2025 for published guidance on this topic.[1]

Staking Generally

Decentralized cryptocurrency blockchains rely on systems (referred to as “consensus mechanisms”) that allow the users in a network to agree on which blockchain transactions are legitimate. The two major consensus mechanisms used by most blockchains today include “proof-of-work” and “proof-of-stake.”

“Staking” refers to the process of “locking up” a digital asset native to a blockchain in order to assist in the validation of transactions, as well as the underlying network security and integrity. Staking is used in blockchain technology that relies on proof-of-stake architecture (e.g., Ethereum 2.0). In exchange for restricting their access to the digital asset for a period of time, the staking party typically is rewarded by receiving more of the staked cryptocurrency. In this sense, staking a digital asset could be viewed as the equivalent of lending fiat currency (e.g., U.S. dollars) and earning interest on the loaned money.

Tax Classification as a Trust

The term “trust” refers to an arrangement created by a will or an inter vivos declaration, in which trustees hold title to property to protect or conserve it for the beneficiaries.[2] In general, trusts are treated as flow-through entities for U.S. tax purposes (i.e., the grantor (not the trust) reports all items of income, gain, loss, deduction, and credit attributable to its portion of the trust and is liable for paying the associated tax).[3] However, a legal arrangement referred to as a “trust” may nevertheless fail to be classified as a trust for U.S. tax purposes if the arrangement is created to engage in activities for a profit. Notably, if there is a power under the trust agreement to vary the investment,[4] an investment trust will not be classified as a trust for U.S. tax purposes and will not receive flow-through treatment.

The Safe Harbor

To qualify for the safe harbor, the Rev. Proc. requires that the trust satisfy 14 requirements, including most notably:

The interests in the trust must be traded on a national securities exchange and comply with SEC regulations;
The trust must own only cash and units of a single type of digital asset carried out on a permissionless network that uses a proof-of-stake mechanism to validate transactions;
The trust’s digital assets must be held by a custodian, acting on behalf of the trust, at digital asset addresses controlled by the custodian;
The trust’s staking of its digital assets must protect and conserve trust property by mitigating the risk that a third party could control a majority of the total staked assets and engage in transactions that reduce the value of the trust’s digital assets; and
All digital assets must be made available to the staking provider at all times (with certain exceptions permitted).

The Rev. Proc. is effective for tax years ending on or after November 10, 2025. A trust may amend its trust agreement to authorize staking at any time during the nine-month period beginning on November 10, 2025, and the amendment will not prevent the trust from qualifying as an investment trust or as a grantor trust if the 14 requirements noted in the Rev. Proc. are satisfied.

Why It Matters

U.S. investment funds that qualify as exchange traded products (ETPs) holding digital assets are often organized as trusts, and usually take the position that, for U.S. federal income tax purposes, the ETPs are investment trusts classified as grantor trusts.[5] Treatment as a trust is generally favored by both investors and ETPs, given the flow-through treatment of the ETP’s income and the relatively simple tax reporting regime of IRS Forms 1099. If, however, the ETP retains the power to vary its investment, it would no longer be considered a trust for federal income tax purposes, but rather a business trust (i.e., a legal arrangement referred to as a trust but not classified as a trust for U.S. tax purposes). A business trust with more than one owner typically defaults to a classification of partnership for federal income tax purposes. As a partnership, the ETP would be required to file an IRS Form 1065 and an investor would receive a Schedule K-1, and also be subject to the complex partnership tax regime promulgated under Subchapter K of the Internal Revenue Code. A partnership whose interests are considered publicly traded would be treated for federal income tax purposes as publicly traded partnership and subject to the applicable rules.

The Rev. Proc. grants crypto ETPs comfort and certainty regarding the U.S. tax classification of ETPs organized as investment trusts in certain circumstances when staking digital assets and sharing the staking rewards with retail investors. While the Rev. Proc. is welcome news, additional guidance is still needed on how staking should be treated with respect to unrelated business taxable income, effectively connected income, and a whole host of other issues. We welcome further progress on these matters.

[1] See https://www.whitehouse.gov/wp-content/uploads/2025/07/Digital-Assets-Report-EO14178.pdf, p. 131; for additional insight on the White House’s July 2025 report, see Trump Administration’s Landmark Report on Digital Assets – Troutman Pepper Locke.

[2] Treas. Reg. Section 301.7701-4(a).

[3] Section 671. For further insight on the tax classification of grantor trusts, see Thomas Gray and Joel Post, “Grantor Trusts – Disregarded or Not?” Tax Notes Federal, September 2024.

[4] Treasury Regulation Section 301.7701-4(c)(1). For additional insight on the meaning of the power to vary an investment, see Thomas Gray, “Investments Trusts, the Power to Vary, and Holding Partnership Interests,” Journal of Taxation, May 2016.

[5] See STRENGTHENING AMERICAN LEADERSHIP IN DIGITAL FINANCIAL TECHNOLOGY p. 127.

State attorneys general increasingly impact businesses in all industries. Our nationally recognized state AG team has been trusted by clients for more than 20 years to navigate their most complicated state AG investigations and enforcement actions.

State Attorneys General Monitor analyzes regulatory actions by state AGs and other state administrative agencies throughout the nation. Contributors to this newsletter and related blog include attorneys experienced in regulatory enforcement, litigation, and compliance. Also visit our State Attorneys General Monitor microsite.

Contact our State AG Team at StateAG@troutman.com.

Troutman Pepper Locke Spotlight

2025 State AG Election Day Update
By Troutman Pepper Locke State Attorneys General Team

Of the 43 elected state attorneys general (AG), Virginia was the only state to hold an AG election in 2025. Democratic candidate Jay Jones was elected to his first term, defeating incumbent Republican Jason Miyares by a 6.6% margin.

The Garden State’s AG Blueprint: Data, Partnership, Accountability
By Stephen C. Piepgrass and Chris Carlson

In this episode of Regulatory Oversight, Stephen Piepgrass is joined by RISE partner Chris Carlson and New Jersey First Assistant Attorney General (AG) Lyndsay Ruotolo for a deep dive into the unique structure, scope, and impact of the New Jersey Office of the Attorney General (OAG).

Matt Berns Joins Troutman Pepper Locke’s RISE Practice and State AG Team
By Troutman Pepper Locke State Attorneys General Team

Matt Berns, former chief counsel to the New Jersey attorney general (AG) and deputy chief counsel to the New Jersey governor, and previously a trial attorney with the U.S. Department of Justice, has joined Troutman Pepper Locke’s Regulatory Investigations, Strategy + Enforcement (RISE) practice and nationally recognized State AG team.

Multistate State AG News

State AGs Urge SEC to Preserve State Authority in Crypto Regulation
By Troutman Pepper Locke State Attorneys General Team

On October 20, a coalition of 21 state attorneys general (AG), led by Iowa AG Brenna Bird, submitted a letter to Securities and Exchange Commission (SEC) Commissioner Hester M. Peirce in response to her February statement titled “There Must Be Some Way Out of Here.”

State AGs Seek Federal Ban on Intoxicating Hemp-Derived THC Products
By Troutman Pepper Locke State Attorneys General Team, Agustin Rodriguez, and Nick Ramos

The Agriculture Improvement Act of 2018 (the 2018 Farm Bill) legalized industrial hemp for commercial use to support American farmers and create a regulated industrial hemp market. The 2018 Farm Bill defined “hemp” as “the plant Cannabis sativa L. and any part of that plant, including the seeds thereof and all derivatives, extracts, cannabinoids, isomers, acids, salts, and salts of isomers, whether growing or not, with a delta-9 tetrahydrocannabinol [THC] concentration of not more than 0.3 percent on a dry weight basis.” The 2018 Farm Bill also removed hemp from the definition of “marihuana” under the Controlled Substances Act. Since 2018, many in the hemp industry have relied on language in the 2018 Farm Bill’s definition of “hemp” (sometimes referred to as the 2018 Farm Bill loophole) to take the position that it authorizes the production and sale of intoxicating, hemp-derived THC products (e.g., beverages, gummies, candies, etc.) that are derived from cannabis plants containing less than 0.3% delta-9 THC on a dry-weight basis. On October 24, the National Association of Attorneys General (NAAG) sent a letter to congressional committee chairs, signed by 39 state and U.S. territory attorneys general (AGs), urging immediate legislative action to close the loophole.

Robinhood Shareholders Gleeful Over Firm’s ‘Prediction Market’ Push, But State AGs Say It’s Illegal Gambling
By Troutman Pepper Locke State Attorneys General Team

Troutman Pepper Locke’s State Attorneys General Practice Group, was mentioned in the November 4, 2025 Law.com article, “Robinhood Shareholders Gleeful Over Firm’s ‘Prediction Market’ Push, But State AGs Say It’s Illegal Gambling.”

Single State AG News

Washington AG Proposes New Model Public Records Act Rules
By Troutman Pepper Locke State Attorneys General Team

Washington Attorney General (AG) Nick Brown proposed updates to Washington State’s Public Records Act (PRA) model rules — the advisory playbook many state and local agencies rely on when handling records requests. The proposal aims to reduce backlogs and improve response times, with a public hearing set for November 6, and written comments invited through November 17.

Vermont AG Settles Alleged Deceptive Marketing Practices With Angi
By Troutman Pepper Locke State Attorneys General Team and Sydney Goldberg

On October 13, Vermont Attorney General (AG) Charity R. Clark announced a settlement with Angi, Inc., (Angi), resolving allegations related to misleading marketing practices.

AG of the Week

Jeff Jackson, North Carolina

Jeff Jackson is the 51st attorney general (AG) of North Carolina, leading the North Carolina Department of Justice. In this role, he oversees efforts to protect taxpayers, seniors, consumers, and military families from scams and fraud, and works to ensure public safety and well-being across the state. The department also provides law enforcement training, legal opinions, civil rights enforcement, and consumer protection services.

Jackson began his career in public service by enlisting in the Army after the September 11 attacks and served in Afghanistan. He continues to serve as a major in the Army National Guard, with more than two decades of military service.

After returning from Afghanistan, Jackson attended law school at the University of North Carolina with support from the G.I. Bill. He worked as a criminal prosecutor in Gaston County, handling serious cases including first-degree murder and sex offenses.

Jackson represented Mecklenburg County in the North Carolina Senate for eight years and was the first person to represent North Carolina’s 14th Congressional District in the U.S. House of Representatives. He holds bachelor’s and master’s degrees from Emory University and a JD from the University of North Carolina School of Law.

North Carolina AG in the News:

Jackson, joined by 10 other state AGs and Kentucky’s governor, sued the Federal Emergency Management Agency and the U.S. Department of Homeland Security, alleging the agencies unlawfully withheld funds and shortened the spending period for congressionally allocated emergency management and homeland security grants. The complaint says the actions jeopardize North Carolina’s disaster response and public safety, including efforts tied to Hurricane Helene.
Jackson urged parents to check Halloween candy packaging for unregulated hemp-derived THC products that mimic treats and can seriously harm children, while supporting state and federal measures to restrict sales and clarify the definition of “hemp.”

Upcoming AG Events

November: AGA | Tribal Summit | Scottsdale, AZ
November: AGA | Cannabis Convention & CWAG Meeting | Scottsdale, AZ
November: DAGA | Scottsdale Policy Conference | Scottsdale, AZ

For more on upcoming AG Events, click here.

Troutman Pepper Locke’s State Attorneys General team combines legal acumen and government experience to develop comprehensive, thoughtful strategies for clients. Our attorneys handle individual and multistate AG investigations, proactive counseling and litigation, and manage ancillary regulatory issues. Our successful approach has been recognized by Chambers USA, which ranked our practice as a leader in the industry.

For many guitarists, finding the right tone is a lifelong pursuit. It’s the quest for the perfect sound—a sound controlled not only by the guitar or the amplifier but also by the complex chain of electronics connecting them. Central to this are the effects pedals, and few pedals have the same mythical status as the Klon Centaur.

This legendary pedal, built by guitarist and designer Bill Finnegan in the 1990s, was the subject of a recent trademark lawsuit that drew a line between a respectful “klone” (often spelled with a “K”) and an infringing counterfeit.

While many Klon klones have existed in the market, what made this certain pedal the subject of a lawsuit? We’ll dissect the intricacies of trademark law, exploring where homage ends and counterfeit begins.

Click here to read the full article on IP Watchdog.

Following his acquittal on the most serious charges and conviction on lesser charges, the highly anticipated sentencing of Sean “Diddy” Combs is among the first high-profile tests of the US Sentencing Commission’s amendment to the US Sentencing Guidelines limiting the use of acquitted conduct to increase an individual’s federal sentence.

Read the full article on Bloomberg Law.

Effective January 1, 2026, New York’s LLC Transparency Act imposing beneficial ownership reporting on New York LLCs and foreign LLCs authorized to do business in New York goes into effect.

Despite the interim final rule (IFR) issued by the Financial Crimes Enforcement Network (FinCEN) in March 2025 revising the definition of “reporting company” for purposes of the federal Corporate Transparency Act (CTA) exempting entities formed under the laws of a U.S. state or tribal authority from reporting under the CTA, the New York Limited Liability Company Transparency Act (NYLLCTA) survives and will go into effect on January 1, 2026. The NYLLCTA applies to both limited liability companies (LLC) formed in the state of New York or LLCs formed in any other state (foreign LLCs) that are registered to do business in the state of New York. As a result, LLCs formed under New York law or registered to do business in New York (each a “reporting company”) must file either the required beneficial ownership information (BOI) disclosure report or an attestation of exemption with the New York Department of State (DOS) on a form to be adopted by the DOS.

LLCs existing or registered to do business in New York before January 1, 2026, have until January 1, 2027, to file the required signed attestation claiming an exemption or provide the required BOI. LLCs formed or registered to do business in New York on or after January 1, 2026, will have 30 days from the date of formation or registration as a foreign LLC to file a signed attestation of exemption or file a BOI information report with the DOS. Unfortunately, the DOS has not, as of this date, issued any required forms or detailed filing guidance, nor has the required database been established.

For nonexempt reporting companies, the BOI disclosure must identify each of its applicants and “beneficial owners” and report such individuals’ full legal name, date of birth, current home or business street address, and a unique identifying number from a valid government-issued identification document. Unfortunately, under the NYLLCTA, FinCEN identifier numbers may not be used to replace BOI for applicants or beneficial owners for DOS filings.

The NYLLCTA originally incorporated the definitions of “reporting company,” “exempt company,” and “beneficial owner” as well as the exemptions under the federal CTA. Unfortunately, with FinCEN’s adoption of the IFR in March 2025 changing the definitions of “domestic reporting company” and “reporting company” to exclude entities created in the U.S. from BOI reporting requirements under the CTA, it remains unclear how the changed CTA definitions and the IFR provisions affecting beneficial owners will affect filings and claims of exemption under the NYLLCTA.

While both houses of the New York Legislature have passed an amendment to the NYLLCTA (SB S8432) to make these terms no longer dependent on the CTA’s definitions, or FinCEN’s rules, regulations, or guidance, it is important to note that even if SB S8432 is signed into law, filings will still be required with the DOS. Although both houses of the New York Legislature have passed SB S8432 to decouple the NYLLCTA’s definitions from the CTA and FinCEN guidance, enactment of SB S8432 would not eliminate filing obligations; filings with the New York Department of State would still be required. This includes annual filings with the DOS by each reporting company required to file BOI reports, and by each exempt company under the NYLLCTA attesting to the applicable exemption, if any, that it asserts applies to it, as well as prompt filings whenever changes in status or changes in beneficial ownership occur. When signed by the governor, SB S8432 will add its own definitions and exemptions for NYLLCTA purposes. Hopefully, the DOS’ forms, database, regulations, and guidance (when issued) will clarify some inconsistencies in the NYLLCTA even after SB S8432 goes into effect and will provide guidance to filers.

LLCs that fail to file either the initial BOI report with the DOS or the annual updates or attestations within 30 days from the applicable deadline will be marked as “past due” on the DOS’s records. Failures that are not cured within two years from the applicable filing deadline will result in the LLC being marked on the DOS’s records as “delinquent.” In addition to initial penalties of $250 for failures to file or late filings, there may also be fines of $500 for each day the LLC is past due or delinquent in its filings. Further, it is unclear if LLCs that are past due or delinquent in their filings will be deemed as “not being in good standing” by banks, lenders, opinion givers, opinion recipients and their counsel, licensing boards, and not being eligible for a good standing certificate from the DOS, NY Education Department, or other agencies (or if any issued certificate will indicate “past due” or “delinquent) or if the LLC may be deemed barred from bidding for or performing New York state or local government contracts whether or not a standing certificate is issued. The New York attorney general may also bring an action to suspend, cancel, or dissolve a domestic or foreign LLC for prolonged failures to file. The DOS may take similar action under the NYLLCTA with respect to delinquent reporting companies or exempt companies.

Troutman Pepper Locke continues to monitor updates affecting the CTA and the NYLLCTA and advises clients on compliance matters. Companies should review the exemptions and, if not exempt, determine their reporting obligations, establish internal compliance processes, and stay updated on any additional guidance provided by FinCEN or the DOS. If you have questions or concerns regarding how the NYLLCTA may impact your reporting practices or obligations, please reach out to the authors or your primary Troutman Pepper Locke contact.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

This article was originally published on IAPP and is republished here with permission as it originally appeared on November 10, 2025.

Although 2025 may end as the first year since 2020 in which no new state comprehensive privacy law is enacted, this year was anything but quiet. We saw hundreds of consumer privacy bills introduced, newly enacted amendments to existing laws, multiple states engaging in rulemaking, including potentially game-changing rulemaking in California, new sectoral laws addressing health and youth privacy and online safety, and an uptick in state enforcement activity.

No new comprehensive laws: A turning tide?

For the first time since 2020, we may not see any new state comprehensive privacy laws enacted this year. This lack of activity is conspicuous and enigmatic. This could be a natural consequence of diminishing marginal returns if the states that were most likely to enact privacy legislation have already done so. It could be simple bad luck, given how unpredictable the legislative process can be.

Bills in Alabama (HB 283), Oklahoma (SB 546) and Georgia (SB 111) all stumbled at the final steps. Given other events happening at the local, state, federal and global levels, state lawmakers could have had more pressing legislative priorities than privacy this year. Or the content of the bills themselves could have diminished the likelihood of passage, as multiple states considered diverging models from the status quo. Legislators in Maine (LD 1822) and Vermont (H208) once again considered bolder, more-restrictive frameworks, but neither state got as close this year as they did in 2024.

It remains possible that 2025 could see a new comprehensive privacy law sneak in just before the turn of the year. Massachusetts is making a late push — S2619 passed the Senate by a vote of 40 to 0 on 25 Sept. — but they are working against the clock. That is a Maryland-style bill characterized by the inclusion of strict, substantive data minimization requirements. Pennsylvania is another late mover — HB 78 passed the House 1 Oct. A similar bill passed the Pennsylvania House last year but stalled in the Senate. Michigan (SB 359) and Wisconsin (AB 172) both have active legislative sessions at the time of writing, but neither have progressed a bill out of committee.

The amendment era: 9 states tweaked existing privacy laws in 2025

There might have been a slowdown in new laws this year, but 2025 was very active for amendments to existing laws as nine states amended their existing comprehensive privacy laws. This year’s crop of amendments include a mix of states incorporating existing aspects of other states’ laws and states experimenting with novel provisions.

One of the more significant amendments this year was Sen. James Maroney’s, D-Conn., SB 1295, which overhauled Connecticut’s comprehensive privacy law yet again. The themes of the amendment were expanded coverage, expanded consumer rights, tightened restrictions with respect to minors and integrating AI-related provisions. The amendment adjusted the law’s applicability thresholds, expanding coverage to include entities who control or process the personal data of at least 35,000 consumers, control or process consumers’ sensitive data, excluding personal data controlled or processed solely for completing a payment transaction, or offer consumers’ personal data for sale.

The amendment also replaced the law’s entity-level Gramm-Leach-Bliley Act exemption with a data-level exemption, although that change was counterbalanced by new entity exemptions for certain insurers, banks and investment agents. The definition of “sensitive data” was also expanded, and now includes financial data and neural data. The consumer right to access one’s personal data was expanded to include inferences derived from one’s personal data and whether personal data is being profiled to make decisions with legal or similarly significant effects. SB 1295 added new rights as well — a right to know the third-party recipients of one’s personal data and a right to contest certain adverse profiling decisions. The amendment also tightens the protections for minors added by SB 3 in 2023. Among the changes is a complete prohibition on targeted advertising to minors under age 18.

The bill also creates a new approach to profiling and impact assessments. It expands the right to opt-out to apply to all automated decisions, not just “solely” automated decisions. Consumers also have a new right to question profiling results under some circumstances. Further, controllers that engage in profiling for the purpose of making a decision that produces any legal or similarly significant effect concerning consumers must conduct an impact assessment. Ultimately, given the law’s entity- and data-level exemptions, it remains unclear whether these changes will have a significant impact on businesses. Finally, in a first for a state privacy law, Connecticut also now requires controllers to provide a statement disclosing whether the controller collects, uses or sells personal data for the purpose of training large language models. The amendments go into effect 1 July 2026.

Another significant change came in Montana. Two years on from the Montana Consumer Data Privacy Act’s first enactment, Montana Sen. Daniel Zolnikov, R-Mont., returned with a significant update to his law. Among the changes made by SB 297 are increased applicability, now applying to persons that either control or process the personal data of at least 25,000 consumers, or control or process the personal data of at least 15,000 consumers if the controller derives at least 25% of gross revenue from the sale of personal data), a duty of care with respect to minors — similar to amendments in Connecticut and Colorado in 2023 and 2024 — and broadened enforcement power for the attorney general, including removing the right to cure.

The other states made less significant changes to their laws. The Oregon Consumer Privacy Act was amended three times: HB 2008 bans the sale of precise geolocation data and personal data of consumers under age 16; HB 3875 expands the law’s applicability to include motor vehicle manufacturers and affiliates who control or process any personal data obtained from a consumer’s use of a motor vehicle or a component of a motor vehicle; and SB 1121 modifies the right to cure. In Colorado, SB 25-276 added “precise geolocation data” (1,850 feet) as a category of sensitive data, bringing Colorado into alignment with most state comprehensive privacy laws. SB 25-276 also clarified that selling sensitive data requires opt-in consent.

The Kentucky Consumer Data Protection Act was also amended by HB 473 before it even went into effect. That bill made minor conforming changes to the law, such as new health care data-level exemptions and a clarification that a data protection assessment should be conducted for the processing of personal data for the purposes of profiling where the profiling presents a reasonably foreseeable risk of “unlawful, disparate impact on consumers,” not just disparate impact on consumers.

The Texas Responsible Artificial Intelligence Governance Act, although largely focused on government use of AI, made minor changes to existing privacy laws. This act added new language regarding contracts between controllers and processors under the Texas Data Privacy and Security Act, requiring processors to assist controllers in complying with requirements relating to the personal data collected, stored and processed by an AI system.

It also amends the Texas Capture or Use of Biometric Identifier Act by adding an exemption for developing or deploying AI systems that are not used to uniquely identify specific individuals; adding an exemption for developing or deploying AI systems used for certain security purposes; and clarifying that individuals do not consent to the capture or storage of biometric identifiers due to the presence of publicly available media online unless that image or media was made publicly available by the individual.

New social media restrictions were added to the Virginia Consumer Data Protection Act by SB 854, now requiring operators of social media platforms to use “commercially reasonable methods” to determine whether users are minors and to limit minors’ use of the platform to one hour per day (or more or less with parental consent). Finally, the Utah Consumer Privacy Act was brought further into alignment with other states when HB 418 added a right for consumers to correct their personal data.

Last but not least, California passed the Opt Me Out Act. This bill amends the California Consumer Privacy Act to require any business that develops or maintains a browser to include a setting that is easy to locate and use which enables a consumer to activate an opt-out preference signal. A browser is defined as an interactive software application used by consumers to locate, access and navigate internet websites. Readers may remember that Gov. Gavin Newsom, D-Calif., vetoed a similar bill last year, citing concerns over how that bill would have applied to mobile operating systems. This year’s bill was narrowed to focus exclusively on browsers.

Activity shifts from legislation to regulations

Perhaps the biggest story coming out of 2025 is California’s new CCPA rulemaking. The California Privacy Protection Agency’s rulemaking covers automated decision-making technology, risk assessments, cybersecurity audits, insurance requirements and updates to the existing CCPA regulations. The regulations go into effect 1 Jan. 2026, although the ADMT, risk assessment and cybersecurity audit regulations have staggered implementation deadlines. Notably, the risk assessment and cybersecurity audit regulations will, starting in 2028, require businesses to submit certifications to the CPPA attesting, under penalty of perjury, that the regulations’ requirements have been met. That novel approach — at least in the realm of state consumer data privacy laws — will no doubt drive significant compliance activities.

The final redline of the regulations is 127 pages long, covering a long list of topics and nuances that are beyond the scope of this article. However, one area that warrants some mention is the ADMT regulations, which were the subject of extensive — and often passionate — comments and revisions during the drafting process. The ADMT regulations also were promulgated during a global shift in approach on artificial intelligence regulation towards a more innovation-friendly environment.

The CPPA Board and staff significantly revised ADMT regulations during the rulemaking process. Ultimately, businesses that use ADMT for certain types of significant decisions such as lending, housing, education or employment, in a manner that replaces or “substantially replaces” human decision-making, a defined term, will need to provide notices, allow for an opt-out, or right to appeal, provide a right to access ADMT, and conduct risk assessments.

Meanwhile, over 1,000 miles east, the Colorado attorney general’s office amended the Colorado Privacy Act rules in three ways. First, the office operationalized the children’s privacy law amendments passed in Sen. Robert Rodriguez’s, D-Colo., SB 41 by providing direction for what it means for a controller to “willfully disregard” that a consumer is a minor — under age 18. Second, the amendments fleshed out what it means for a system design feature to significantly increase, sustain or extend a minor’s use of an online service, product or feature. Finally, the amendments changed the rule’s existing definition of “revealing” to address the addition of precise geolocation data as an element of sensitive data in the law’s 2025 amendment discussed above.

Finally, moving east another 1,700 miles, New Jersey entered the rulemaking fray. When the New Jersey Data Privacy Act was enacted last year, much ado was made about it being only the third law to include general rulemaking authority. In June, the Division of Consumer Affairs released long anticipated draft regulations. Although the draft largely copied Colorado’s existing regulations, there were a few novel aspects that drew intense scrutiny. For example, the draft departed from existing legal frameworks by proposing a definition of publicly available information that excluded scraped data, although no definition of scraping was provided.

The draft also took a novel approach to the law’s internal research exception, providing that the exception did not apply to using personal data to train AI systems without consumers’ consent. “Artificial intelligence” was yet another key undefined term. Public feedback concluded in August, and we await to see what changes the Division will make in response.

Enforcement: The gathering storm

2025 also witnessed an uptick in state enforcement activities. In California, the CPPA entered into a USD632,500 settlement with an automaker, a USD345,178 settlement with a clothing retailer, and a USD1,350,000 settlement with a rural lifestyle retailer. The CPPA also fined various data brokers for failing to register under the state’s data broker registration law. Meanwhile, the California attorney general’s office entered into a USD1,550,000 settlement with a health website publisher. In addition, Connecticut’s attorney general’s office fined an online ticketing marketplace USD85,000.

The nature of the enforcement actions primarily center around improper consumer disclosures, e.g., deficient privacy notices and deficient consumer request processes — predominantly the right to opt-out of selling/sharing and recognition of the Global Privacy Control signal. Other issues include failure to enter into data processing agreements, violation of the CCPA’s purpose limitation provision and malfunctioning consent management platforms.

Although much of the focus on the enforcement actions has been on the size of the fines or types of violations, businesses would be wise to also focus on the injunctive relief provisions. For example, the most recent CPPA enforcement action required the company to conduct scans of its digital properties (at least quarterly) for the purposes of maintaining a full and current inventory of tracking technologies, identifying which tracking technologies constitute sells or shares and properly effectuating opt outs. The CPPA also has required regular audits and contract management processes. These injunctive relief provisions provide a potential roadmap for businesses to develop privacy program policies to demonstrate good faith compliance efforts in case of an enforcement action.

Of course, no discussion of state enforcement activity can be complete without talking about Texas. In contrast to the other states, Texas has taken a litigation-first approach to enforcement. This year, Texas entered into an over USD1 billion settlement with a tech company in a lawsuit that predates its consumer data privacy law. The Texas attorney general also filed a lawsuit against an insurance company and its subsidiary over allegations they violated Texas’ consumer data privacy law, data broker law and insurance code.

Florida similarly joined the party of first-time enforcers this year. Whether the Florida Digital Bill of Rights is “comprehensive” remains controversial among privacy professionals, given the law’s narrow applicability thresholds. Nevertheless, the attorney general’s office recently announced a lawsuit against a content platform for connected televisions. The allegations largely concern the selling of sensitive data (including precise geolocation data and the personal data of known children) for targeted advertising without consent. The complaint faulted the company for not implementing “industry-standard user profiles to identify which of its users are children.” Under the FDBR regulations, a controller “willfully disregards” a consumer’s age, and hence has actual knowledge, if it “should reasonably have been aroused to question whether a consumer was a child and thereafter failed to perform reasonable age verification.” The complaint points to a number of age signals that could have prompted an inference that children were using the service, including content designated as “Made for Kids.” Another notable aspect of the lawsuit is the high civil penalties — up to USD150,000 per violation.

As more laws come into effect and right-to-cure periods expire, businesses should expect a new era of enforcement activity and they will soon likely be shifting their compliance activities from integrating new laws to integrating enforcement priorities. Indeed, the CPPA’s head of enforcement, Michael Macko, recently caused quite a stir when he announced the CPPA had hundreds of open investigations. States also have shown a willingness to act together with California, Connecticut and Colorado announcing a joint investigative sweep and 10 states forming a Consortium of Privacy Regulators.

The chaos of kids’ online data privacy laws

At least since California passed its Age-Appropriate Design Code Act in 2022, state lawmakers from both parties and across the country have been trying to find a way to regulate teen and children’s data privacy and online safety. Last year, we discussed new laws enacted in Colorado, Maryland and New York. This year, we saw news laws passed in Arkansas, California, Louisiana, Montana, Nebraska, Texas, Utahand Vermont. As discussed above, there also were kids’ privacy-related changes to Connecticut and Oregon’s data privacy laws as well as rulemaking in Colorado. The CPPA’s new regulations also revised the regulation’s definition of sensitive personal information to include “[p]ersonal information of consumers that the business has actual knowledge are less than 16 years of age.”

Arkansas’ law stands alone for both its unique approach and its perplexity. Effective 1 July 2026, the law contains contradictory and ambiguous provisions. Meanwhile, Nebraska and Vermont passed age-appropriate design code acts; however, the laws are vastly different rendering the “AADC” moniker essentially meaningless. On the other hand, Montana amended its law to add children’s privacy provisions similar to those enacted in Colorado and Connecticut. While this interoperability may have been a welcome sight for companies, Connecticut then amended its law to significantly revise these provisions. To add to the complexity, Louisiana, Texas, and Utah passed app store accountability acts, which (if they survive constitutional challenge) will require app stores to collect age information and send age bracket signals to app developers in addition to creating parental oversight of teen and child accounts. California passed a somewhat similar law that requires operating systems to collect age information and send signals to apps.

New laws and no enforcement contribute to continued uncertainty for health privacy

Consumer health has been one of the more volatile privacy legislative areas in recent years and 2025 continued that trend. January got off to a dramatic start as New York passed S929, the New York Health Information Privacy Act. The bill is currently stuck in legislative limbo, as it has not yet been transmitted to the governor for signature or veto. NYHIPA is similar in scope and substance to Washington’s My Health My Data Act but introduces several novel requirements. For example, the bill includes a 24-hour waiting period before a regulated entity can request consent for a processing activity that is not strictly necessary for one of the law’s permitted purposes, e.g., providing a requested product or service or complying with legal obligations. The bill notably lacks some common features of privacy bills, such as any provisions concerning the verification of consumer rights requests.

In one of the surprises of the year, Gov. Glenn Youngkin, R-Va., signed SB 754, a new health privacy requirement that prohibits obtaining, disclosing, selling or disseminating any personally identifiable reproductive or sexual health information without a consumer’s consent. That bill amends the Virginia Consumer Protection Act rather than the Virginia Consumer Data Privacy Act, so it is subject to a private right of action. The bill quickly went into effect 1 July and has already raised compliance questions.

In California, two health privacy bills were enacted this year. Like many health privacy bills passed since the Dobbs decision, AB 45 introduces new restrictions on geofencing facilities that provide in-person health care services for certain purposes and collecting, using or disclosing the personal information of persons at family planning centers. That bill makes it unlawful to geofence such a facility, within a radius of 1,850 feet, for certain purposes, such as to identify or track a person seeking health care services or to send such a person advertisements related to their personal information or health care services.

The bill further prohibits persons from selling or sharing personal information to a third party for a use that violates any of those geofencing prohibitions. The bill includes an exception for geofencing your own health care facility to provide necessary health care services. A narrower bill, SB 81, amends the California Confidentiality of Medical Information Act to extend protections to certain immigration-related data. Both bills include restrictions on disclosing certain data to law enforcement agencies.

Finally, we continue to wait for enforcement of two landmark health privacy laws — Washington’s MHMDA and Nevada’s consumer health data law (Nev. Rev. Stat. § 603A.400 et seq.). Both laws went into effect more than a year ago on 31 March 2024, but we have yet to see any public enforcement. 2025 did see the first class-action lawsuit claiming a violation of MHMDA, concerning the use of third party SDKs, but that case was consolidated in April with other SDK litigation and dismissed without prejudice in May.

Data brokers remain in regulatory focus

Data brokers continue to attract legislative scrutiny, particularly in California. Late last year, the CPPA finalized regulations concerning data broker registration pursuant to the Delete Act and kicked off a series of enforcement actions for failure to register as a data broker. The CPPA has engaged in several rounds of rulemaking under the law and is currently in the process of finalizing new regulations operationalizing the Delete Request and Opt-out Platform, a mechanism that will allow consumers to submit a single mass deletion request to registered data brokers. California also passed SB 361, amending the Delete Act, this year. That bill adds new categories of information that a data broker must provide when registering with the CPPA. These new disclosures mostly concern whether the data broker collects certain categories of consumers’ personal information, e.g., Social Security numbers, sexual orientation status, precise geolocation or whether the data broker has, in the past year, shared or sold consumers’ data to certain actors, such as, foreign actors, a state government, the federal government.

Texas also amended its data broker law — twice. One of the bills, SB 1343, marginally increases notice obligations, requiring data brokers to include information as to how consumers can exercise any rights they have under the TDSPA in their website’s privacy notice and to include a relevant link in their registration. The other amendment, SB 2121, expands the law’s coverage. “Data broker” is now defined as “a business entity that collects, processes, or transfers personal data that the business entity did not collect directly from the individual linked or linkable to the data.” Previously, to qualify as a data broker an entity’s principal source of revenue had to be derived from its collection, processing or transferring of personal data. The bill retains additional eligibility criteria based upon revenue or the number of affected consumers.

Conclusion

The state privacy landscape grows more complex every year, as do the underlying issues around societal welfare, economic competitiveness, data-driven harms, surveillance’ and mass data collection. As we all continue to await a unifying federal privacy approach, state policymakers are likely to continue to push legislative and regulatory responses to these thorny problems.

Jordan Francis, CIPP/E, CIPP/US, CIPM is senior policy counsel for the U.S. Legislation team at the Future of Privacy Forum.

David Stauss, CIPP/E, CIPP/US, CIPT, FIP, is a partner at Troutman Pepper Locke.

On November 4, President Trump issued two executive orders that: (1) continued the 10% baseline reciprocal tariff rate on certain Chinese-origin imports into the U.S. until November 10, 2026; and (2) reduced from 20% to 10% the additional fentanyl-related tariff on Chinese products established under Executive Order 14195 and modified by Executive Order 14228 (China IEEPA Fentanyl Tariff). All of these duties were issued pursuant to the International Emergency Economic Powers Act (IEEPA). These actions implement the terms of a recent U.S.-China trade and economic deal (the U.S.-China Trade Deal) and explicitly preserve the administration’s authority to re-impose or increase duties if China fails to meet its commitments.

Meanwhile, on November 5, the Supreme Court of the United States (SCOTUS) heard oral argument in the consolidated IEEPA tariff challenge we discussed in our prior alert. Justices questioned whether IEEPA authorizes tariffs of this breadth, questioned the government’s delegation theory, and focused on whether the measures amount to a tax or major policy decision requiring clear congressional authorization. SCOTUS’ eventual ruling will determine the legality of these tariffs and future executive reliance on IEEPA for the imposition of tariffs.

U.S.-China Trade Deal

The White House announced the U.S.-China Trade Deal that, if implemented, would ease near-term frictions and expand market access while addressing supply chain concerns. China committed to “halt the flow” of fentanyl precursors to the United States, “effectively eliminate” China’s “current and proposed” export controls on rare earths and other critical minerals by issuing general licenses “for the benefit of U.S. end users and their suppliers around the world,” “end” retaliation against U.S. semiconductor firms “and other major U.S. companies,” and restore critical legacy chip trade. China also agreed to suspend wide‑ranging retaliatory tariffs and non‑tariff measures (including unreliable entity listings), extend its market‑based tariff exclusion process for U.S. imports through December 31, 2026, terminate investigations targeting U.S. semiconductor supply‑chain companies, and make substantial purchases of U.S. agricultural products.

In parallel, the United States agreed to lower the China IEEPA Fentanyl Tariff rate, maintain the suspension of heightened reciprocal tariffs through November 10, 2026, and suspend for one year the U.S. Trade Representative’s responsive actions following an investigation under Section 301 of the U.S. Trade Act of 1974 (Section 301) into China’s maritime, logistics, and shipbuilding sectors starting November 10. Furthermore, the U.S. has agreed to pause for one year the interim final rule titled “Expansion of End-User Controls to Cover Affiliates of Certain Listed Entities” and extend certain Section 301 tariff exclusions, originally set to expire November 29, 2025, through November 10, 2026.

Reciprocal Tariff on Chinese Imports

Under the November 4 executive order, “Modifying Reciprocal Tariff Rates Consistent With the Economic and Trade Arrangement Between the United States and the People’s Republic of China” (the Reciprocal Tariff Order), President Trump again extended the suspension of the heightened 34% reciprocal tariff on certain Chinese‑origin imports — originally imposed under Executive Order 14257 and amended by Executive Orders 14259, 14266, 14298, and 14334 — through 12:01 a.m. EST on November 10, 2026. As a result, the current 10% reciprocal tariff on those Chinese‑origin goods will remain in effect until at least the deadline, unless modified earlier. The Reciprocal Tariff Order continues the suspension of heading 9903.01.63 and the listed Harmonized Tariff Schedule of the United States (HTSUS) note subdivisions through the deadline and instructs federal agencies to monitor China’s implementation of its commitments under the U.S.-China Trade Deal.

China IEEPA Fentanyl Tariff

As a result of China’s commitment to take “significant measures” to end the flow of fentanyl to the United States, President Trump issued the November 4 executive order, “Modifying Duties Addressing the Synthetic Opioid Supply Chain in the People’s Republic of China” (the China IEEPA Fentanyl Tariff Order), which lowers the China IEEPA Fentanyl Tariff effective rate to 10% (from 20%) for goods entered for consumption (or withdrawn from warehouse for consumption) on or after 12:01 a.m. EST on November 10, 2025. If China fails to meet its commitments under the U.S.-China Trade Deal, the administration may reinstitute the China IEEPA Fentanyl Tariff rates. The China IEEPA Fentanyl Tariff Order does not expand the product scope; it only reduces the rate for the set of articles already designated under Executive Order 14195 and modified by Executive Order 14228.

IEEPA Supreme Court Case

On November 5, the SCOTUS heard consolidated challenges to the administration’s authority to issue tariffs under IEEPA, which include both the broad reciprocal tariffs and the migration- and fentanyl-related tariffs (the IEEPA Tariffs). As we discussed in previous client alerts, the courts below (including the Court of International Trade and the U.S. Court of Appeals for the Federal Circuit) struck down these tariffs and limited the president’s authority to issue tariffs under IEEPA. The Trump administration appealed the decision to the SCOTUS.

Several justices of the SCOTUS noted that IEEPA does not contain explicit statutory language authorizing the president to impose tariffs, and many questioned whether Congress had delegated such sweeping taxing authority to the Executive. Framing the dispute as a major-questions issue, the Court pressed whether exercises of vast economic and political significance require clear congressional authorization, and probed the separation-of-powers issue — specifically, the allocation of Article I taxing and commerce powers versus Article II foreign affairs and emergency authorities.

Chief Justice Roberts asked: “Who pays the tariffs?” — testing whether the measures function as revenue-raising instruments that would require congressional authorization. The U.S. solicitor general responded that the tariffs are regulatory tools aimed at altering behavior and addressing national emergencies, acknowledging incidental revenue effects but disputing that American consumers invariably bear the full economic burden.

Justice Sotomayor highlighted Congress’ use of explicit “tariff” or tax language in other statutes and questioned why IEEPA’s “regulate” language should be read to include taxation; the government urged a broad reading of “regulate” grounded in longstanding national-security practice, while Sotomayor emphasized the drafting distinction between regulation and taxation.

Justice Gorsuch warned about the risk of unchecked executive authority if broad tariff power is read into IEEPA, given Congress’ practical difficulty in “taking back” delegated powers; the government pointed to political checks such as joint resolutions and repeal, though the prospect of veto remained a friction point.

Justice Kavanaugh pushed for doctrinal consistency, probing textual and precedential differences — including Nixon-era Trading with the Enemy Act of 1917 cases — while petitioners argued the scale and duration of the recent executive actions far exceed the limited historical practice.

Justice Barrett questioned whether the government could rely on alternative foreign-affairs tools (licensing, export controls, embargoes) rather than tariffs; petitioners maintained that any sweeping taxing authority must come from Congress, and the government countered that IEEPA was the chosen vehicle to address these declared emergencies and that other tools were inadequate.

The government has urged the tariffs as regulatory emergency measures grounded in national-security needs rather than traditional taxes, while petitioners emphasized textual limits on delegation and the primacy of Article I’s taxing power. SCOTUS appears focused on whether IEEPA’s “regulate” language can encompass tariffs and whether measures of such broad economic scope require clear congressional authorization.

If SCOTUS rules against the administration, a decision invalidating the IEEPA Tariffs could open the door to refunds of duties already collected; however, refunds may not be automatic and may require the importer of record to affirmatively request relief through CBP processes, which would create substantial administrative complexity for CBP and the U.S. Department of the Treasury and constrain the administration’s ability to use IEEPA to impose similar tariff measures in the future. Conversely, a ruling against the petitioners would validate the administration’s approach.

Importers with significant duty exposure should prepare for continued tariff enforcement — whether under IEEPA if SCOTUS upholds the administration’s position, or under a different statutory authority if SCOTUS rules against the administration — and for a potential post‑decision refund and liquidation process.

Energy

Financial Services

Health Care + Life Sciences

Insurance + Reinsurance

Private Equity

Real Estate

Innovation

plus

Pro Bono

Alumni Network

Emerge

The Pepper Center

Learn + Connect

BLOG, Microsite + Podcast HUB

ACHIEVEMENTS