Tag: FTC

FTC/FDA Send Letters to THC Edibles Companies Warning of Risks to Children

Earlier this week, the Federal Trade Commission (FTC) and Food and Drug Administration (FDA) sent cease-and-desist letters to several companies warning them that their products, which were marketed to mimic popular children’s snacks, ran the risk of unintended consumption of the Delta-8 THC by children. In addition to the FDA’s concerns regarding marketing an unsafe food additive, the agencies warned that imitating non-THC-containing food products often consumed by children through the use of advertising or labeling is misleading under Section 5 of the FTC Act. The FTC noted that “preventing practices that present unwarranted health and safety risks, particularly to children, is one of the Commission’s highest priorities.”

The FTC’s focus on these particular companies and products shouldn’t come as a surprise. One such company advertises edible products labelled as “Stoney Ranchers Hard Candy,” mimicking the common Jolly Ranchers candy, and “Trips Ahoy” closely resembling the well-known “Chips Ahoy.” Another company advertises a product closely resembling a Nerds Rope candy, with similar background coloring, and copy-cats of the Nerds logo and mascot. This is not the first time the FTC has warned companies about the dangers of advertising products containing THC in a way that could mislead consumers, particularly minors. In July of 2023, the FTC sent cease-and-desist letters to six organizations for the same violations alleged this week – there companies copied popular snack brands such as Doritos and Cheetos, mimicking the brands’ color, mascot, font, bag style, and more.

This batch of warning letters orders the companies to stop marketing the edibles immediately, to review their products for compliance, and to inform the FTC within 15 days of the specific actions taken to address the FTC’s concerns. The companies also are required to report to the FDA on corrective actions taken.

Copyright © 2024, Hunton Andrews Kurth LLP. All Rights Reserved.
For more on Cannabis, visit the NLR Biotech Food Drug section

Be Careful What You Write: What a Heavily Redacted Antitrust Complaint Teaches Us About Creating Problematic Documents in Transactions

The Federal Trade Commission (FTC) recently filed a complaint in the U.S. District Court for the Southern District of Texas to stop Tempur Sealy’s proposed acquisition of Mattress Firm. See Federal Trade Comm’n v. Tempur Sealy Int’l, Inc. and Mattress Firm Group Inc., Case No. 4:24-cv-02508 (S.D. Tex. Jul. 2, 2024). On the same day, the FTC also commenced an administrative proceeding in its own court to block the transaction. See In re Tempur Sealy Int’l, Inc. and Mattress Firm Group Inc., Docket No. 9433 (FTC Jul. 2, 2024). According to the complaints, Tempur Sealy is the world’s largest mattress supplier and Mattress Firm is the largest mattress retailer in the United States. Vertical mergers between manufacturers and retailers can often produce procompetitive benefits, but this transaction struck the FTC as anticompetitive. The FTC’s principal concern appears to be that Tempur Sealy would shut off its rivals’ access to Mattress Firm.

Supporting the FTC’s decision to sue, Federal Trade Commissioner Melissa Holyoak said, “Despite the increased likelihood of procompetitive effects from vertical mergers, they may still result in harm in some circumstances. Consistent with these well-established economic principles, I vote in favor of filing this complaint based upon the substantial evidence generated by staff’s thorough investigation, especially the parties’ own ordinary-course documents. I have reason to believe that the effect of Tempur Sealy’s acquisition of Mattress Firm ‘may be to substantially lessen competition.’” (Emphasis added).

What exactly was in these ordinary course documents that caused Holyoak to believe this merger violates Section 7 of the Clayton Act and Section 5 of the FTC Act? The short answer is we don’t know. The complaints, which extensively quote some documents, are heavily redacted and the documents themselves, even in redacted form, are not attached to the complaints. Nor would we expect the documents to be attached, as they likely contain competitively sensitive information that ordinarily would not be on the public record. Rather than speculate about the documents themselves, let’s use the allegations in the FTC’s complaints as a tool to remind ourselves how documents are used in antitrust investigations and how lawyers and clients can work together to reduce the likelihood that potentially problematic documents are created.

  1. What’s an “ordinary course” document? As the name suggests, an ordinary course document is one that is created by the parties in the course of their ordinary business activities. It may be a routinely issued report, an email or text exchange by two employees, Slack messages, a slide deck, board minutes or any other form of written communication. Antitrust regulators routinely use these documents to gain insight into how the parties see themselves in relation to the competition, the rationale for a transaction, and how the parties view the likely competitive effects of a transaction. Often regulators will place more emphasis on communications from senior leadership in a corporation as those individuals may have greater knowledge of the transaction and have more authority to “speak” for an entity than lower-level employees. Regulators will use these documents not only to support their own theories and claims, but also to contradict the parties’ advocacy about the procompetitive aspects of a deal.
  2. How does the government obtain these ordinary course documents? In the case of the Tempur Sealy/Mattress Firm transaction and other high dollar value transactions, the parties were required to file Hart-Scott-Rodino (HSR) premerger notification forms. When an HSR filing is required, the parties must produce documents that discuss the transaction in relation to certain specific topics, such as competition, competitors, markets, and market shares. These documents are usually not ordinary course documents as they were created specifically for the deal but are nevertheless critical in the regulators’ review of potential competitive issues. Documents routinely produced in the HSR process, such as Confidential Information Memoranda (CIM) and Management Presentations, may contain statements that could create potential antitrust concerns. Clients should recognize that even the smallest of things in a CIM or Management Presentation have the potential to create big problems, as government regulators will read every page of what is submitted to them. For example, assume that an HSR filing contains a 100-page deck intended to serve as a Management Presentation, and one page of that deck contains a sentence that says: “We [seller] are the dominant player in our industry and we face minimal competition.” The rest of the deck might be completely innocuous, but depending on the circumstances, that one sentence has the potential to ignite regulators’ interest.Some transactions, such as Tempur Sealy/Mattress Firm, undergo a Second Request process after HSR is filed. A Second Request is an extensive subpoena requesting documents and data from the parties that goes far beyond the HSR process. The Second Request process is what likely turned up the “ordinary course” documents mentioned in Holyoak’s statement. This included text messages. See, e.g., Paragraph 108 of the federal complaint and Paragraph 99 of the administrative complaint. Judging from the amount of redacted material referenced in the complaints, the FTC appears to believe there are many documents that portray this transaction in an anticompetitive light.

    Clients should also be aware that the government’s authority to review and investigate transactions is not limited to only those transactions that require HSR filings; the government’s authority extends to any transaction that impacts competition in the United States. In addition to HSR filings, the government learns about deals through a variety of sources, such as press reports and third party complaints from customers or competitors. Accordingly, our views about document creation extend to all transactions, not just those requiring HSR premerger notification.

  3. Document creation in transactions is a team sport. That means lawyers and clients should work together as a team to minimize the creation of potentially harmful documents. The team should also include investment bankers and other advisors who are generating documents that analyze the transaction. In ideal circumstances, clients will involve experienced antitrust lawyers early on to understand: 1) whether the transaction potentially raises substantive antitrust concerns, such as when two direct competitors combine; 2) if the transaction will require HSR notification; and 3) whether or not HSR is required, what are the guardrails or best practices the client should observe. Recognizing that we don’t always operate in ideal circumstances and lawyers may only become involved after certain documents are created, lawyers should nevertheless remain vigilant about documents from the time they become involved in a deal. Coaching clients and their advisors about document creation best practices is always critically important.
  4. What are some best practices? Lawyers should proactively educate their clients on what to say (or not say) about the transaction and which words or phrases may be particularly susceptible to raising potential antitrust concerns. For example, words like “dominate” and “control” in relation to competition and competitors may create problems, as could market share statistics that overstate a seller’s prominence in a particular industry. Lawyers should also review drafts of documents such as CIMs, Management Presentations, and teasers to ensure that they are free of harmful verbiage.
  5. Expect statements to be misunderstood or taken out of context: Reading the Tempur Sealy/Mattress Firm complaints, two things are clear: 1) the government relied on portions of documents to support its allegations; and 2) the context of many of the quoted statements is unknown. It may be the case that some of the statements the FTC found important become less important when the entire document is reviewed and the context of the statement is made clear. Relatedly, there may be other documents not referenced in the complaints that indicate the transaction has procompetitive benefits. Allegations in a complaint are just that – allegations – and the evidence that emerges as the case progresses may or may not support those allegations. That being said, parties are wise to follow the best practices above. Similarly, they are also wise to avoid making exaggerated statements or statements intended to be humorous. These statements may be misunderstood by government regulators who do not know the specific industry or its players as well as clients do.
  6. Follow the general principle of “less is more” when it comes to document creation. Many transactions seem to move at lightning speed, but a moment of self-reflection can be very valuable. Ask yourself: do I need to write this, and if I do, what’s the best way to say it? Some organizations are more document-intensive than others, and there may be other reasons, unrelated to antitrust considerations, that require certain documentation. But in general, more documents are probably created than are truly necessary and more documents create the potential for more problems. Regardless, the key is to remember emails, texts, Slack messages, and slide decks may be read not only by their intended recipients but also by government antitrust regulators.
Copyright ©2024 Nelson Mullins Riley & Scarborough LLP
For more news on Antitrust Complaints, visit the NLR Antitrust Trade & Regulation section.

Mid-Year Recap: Think Beyond US State Laws!

Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type of individual from whom information is being collected (children, students, employees, etc.). There have been developments this year in each of these areas.

On the industry law, there has been activity focused on data brokers, those in the health space, and for those that sell motor vehicles. The FTC has focused on the activities of data brokers this year, beginning the year with a settlement with lead-generation company Response Tree. It also settled with X-Mode Social over the company’s collection and use of sensitive information. There have also been ongoing regulation and scrutiny of companies in the health space, including HHS’s new AI transparency rule. Finally, in this area is a new law in Utah, with a Motor Vehicle Data Protection Act applicable to data systems used by car dealers to house consumer information.

On the activity side, there has been less news, although in this area the “activity” of protecting information (or failing to do so) has continued to receive regulatory focus. This includes the SEC’s new cybersecurity reporting obligations for public companies, as well as minor modifications to Utah’s data breach notification law.

Finally, there have been new laws directed to particular individuals. In particular, laws intended to protect children. These include social media laws in Florida and Utah, effective January 1, 2025 and October 1, 2024 respectively. These are similar to attempts to regulate social media’s collection of information from children in Arkansas, California, Ohio and Texas, but the drafters hope sufficiently different to survive challenges currently being faced by those laws. The FTC is also exploring updates to its decades’ old Children’s Online Privacy Protection Act.

Putting It Into Practice: As we approach the mid-point of the year, now is a good time to look back at privacy developments over the past six months. There have been many developments in the privacy patchwork, and companies may want to take the time now to ensure that their privacy programs have incorporated and addressed those laws’ obligations.

Listen to this post

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.
For more on Privacy, visit the NLR Consumer Protection section.

NIST Releases Risk ‘Profile’ for Generative AI

A year ago, we highlighted the National Institute of Standards and Technology’s (“NIST”) release of a framework designed to address AI risks (the “AI RMF”). We noted how it is abstract, like its central subject, and is expected to evolve and change substantially over time, and how NIST frameworks have a relatively short but significant history that shapes industry standards.

As support for the AI RMF, last month NIST released in draft form the Generative Artificial Intelligence Profile (the “Profile”).The Profile identifies twelve risks posed by Generative AI (“GAI”) including several that are novel or expected to be exacerbated by GAI. Some of the risks are exotic and new, such as confabulation, toxicity, and homogenization.

The Profile also identifies risks that are familiar, such as those for data privacy and cybersecurity. For the latter, the Profile details two types of cybersecurity risks: (1) those with the potential to discover or enable the lowering of barriers for offensive capabilities, and (2) those that can expand the overall attack surface by exploiting vulnerabilities as novel attacks.

For offensive capabilities and novel attack risks, the Profile includes these examples:

  • Large language models (a subset of GAI) that discover vulnerabilities in data and write code to exploit them.
  • GAI-powered co-pilots that proactively inform threat actors on how to evade detection.
  • Prompt-injections that steal data and run code remotely on a machine.
  • Compromised datasets that have been ‘poisoned’ to undermine the integrity of outputs.

In the past, the Federal Trade Commission (“FTC”) has referred to NIST when investigating companies’ data breaches. In settlement agreements, the FTC has required organizations to implement security measures through the NIST Cybersecurity Framework. It is reasonable to assume then, that NIST guidance on GAI will also be recommended or eventually required.

But it’s not all bad news – despite the risks when in the wrong hands, GAI will also improve cybersecurity defenses. As recently noted by Microsoft’s recent report on the GDPR & GAI, GAI can already: (1) support cybersecurity teams and protect organizations from threats, (2) train models to review applications and code for weaknesses, and (3) review and deploy new code more quickly by automating vulnerability detection.

Before ‘using AI to fight AI’ becomes legally required, just as multi-factor authentication, encryption, and training have become legally required for cybersecurity, the Profile should be considered to mitigate GAI risks. From pages 11-52, the Profile examines four hundred ways to use the Profile for GAI risks. Grouping them together, some of the recommendations include:

  • Refine existing incident response plans and risk assessments if acquiring, embedding, incorporating, or using open-source or proprietary GAI systems.
  • Implement regular adversary testing of the GAI, along with regular tabletop exercises with stakeholders and the incident response team to better inform improvements.
  • Carefully review and revise contracts and service level agreements to identify who is liable for a breach and responsible for handling an incident in case one is identified.
  • Document everything throughout the GAI lifecycle, including changes to any third parties’ GAI systems, and where audited data is stored.

“Cybersecurity is the mother of all problems. If you don’t solve it, all the other technology stuff just doesn’t happen” said Charlie Bell, Microsoft’s Chief of Security, in 2022. To that end, the AM RMF and now the Profile provide useful and early guidance on how to manage GAI Risks. The Profile is open for public comment until June 2, 2024.

© Polsinelli PC, Polsinelli LLP in California
For more on Generative AI, visit the NLR Communications, Media & Internet section.

Update on FTC Noncompete Ban: Court Challenges Begin

On April ­­23 we reported on the Federal Trade Commission’s vote to ban almost all non-competition agreements in the United States. Within hours of that vote, Ryan LLC, a global tax consulting firm headquartered in Dallas, filed a lawsuit in the U.S. District Court for the Northern District of Texas challenging the FTC’s authority to issue such a rule.

The U.S. Chamber of Commerce has been allowed to intervene in that case and will join in the challenge to the FTC ban.

Ryan’s claims are that:

  1. The FTC lacks the legal authority to promulgate such a rule.
  2. Even if Congress had granted that authority by statute, such a grant would be an unconstitutional delegation of legislative authority to the executive branch, in violation of Article 1 of the U.S. Constitution.
  3. The FTC Act is unconstitutional because it limits the president’s authority to remove subordinates (in this case, FTC Commissioners).
  4. The FTC promulgated the rule in violation of the Administrative Procedure Act because it failed to establish a factual basis for the rule.
  5. The rule is retroactive in purporting to invalidate all existing non-competition agreements, but the FTC has no authority to issue retroactive rules.

Based on our review of the pleadings filed thus far in the case, we think that the U.S. Chamber and its allies agree that these are the correct arguments and that they will file a brief supporting them.

Ryan is asking the court for two things: a stay of the effective date of the rule, and preliminary and permanent injunctions barring the FTC from enforcing it. The case is on an expedited schedule, with briefing to be completed by June 12 and a ruling expected on the pending motion by July 3.

Given that the rule’s effective date is September 4, if the court can meet that schedule, employers should have sufficient time to take the necessary steps to comply, if the court allows the rule to go into effect.

However, we would advise employers to start identifying all employees who are subject to an existing non-competition agreement, so they can move quickly to meet the notice requirements over the summer, should that become necessary.

©2024 Pierce Atwood LLP. All rights reserved.
For more on the FTC Noncompete Ban, visit the NLR Labor & Employment section.

FTC: Three Enforcement Actions and a Ruling

In today’s digital landscape, the exchange of personal information has become ubiquitous, often without consumers fully comprehending the extent of its implications.

The recent actions undertaken by the Federal Trade Commission (FTC) shine a light on the intricate web of data extraction and mishandling that pervades our online interactions. From the seemingly innocuous permission requests of game apps to the purported protection promises of security software, consumers find themselves at the mercy of data practices that blur the lines between consent and exploitation.

The FTC’s proposed settlements with companies like X-Mode Social (“X Mode”) and InMarket, two data aggregators, and Avast, a security software company, underscores the need for businesses to appropriately secure and limit the use of consumer data, including previously considered innocuous information such as browsing and location data. In a world where personal information serves as currency, ensuring consumer privacy compliance has never been more critical – or posed such a commercial risk for failing to get it right.

X-Mode and InMarket Settlements: The proposed settlements with X-Mode and InMarket concern numerous allegations based on the mishandling of consumers’ location data. Both companies supposedly collected precise location data through their own mobile apps and those of third parties (through software development kits).  X-Mode is alleged to have sold precise location data (advertised as being 70% accurate within 20 meters or less) linked to timestamps and unique persistent identifiers (i.e., names, email addresses, etc.) of its consumers to private government contractors without obtaining proper consent. Plotting this data on a map makes it easy to reveal each person’s movements over time.

InMarket purportedly utilized location data to cross-reference such data with points of interest to sort consumers into particularized audience segments for targeted advertising purposes without adequately informing consumers – examples of audience segments include parents of preschoolers, Christian church attendees, and “wealthy and not healthy,” among other groupings.

Avast Settlement: Avast, a security software company, allegedly sold granular and re-identifiable browsing information of its consumers despite assuring consumers it would protect their privacy. Avast allegedly collected extensive browsing data of its consumers through its antivirus software and browser extensions while ensuring its consumers that their browsing data would only be used in aggregated and anonymous form. The data collected by Avast revealed visits to various websites that could be attributed to particular people and allowed for inferences to be drawn about such individuals – examples include academic papers on symptoms of breast cancer, education courses on tax exemptions, government jobs in Fort Meade, Maryland with a salary over $100,000, links to FAFSA applications and directions from one location to another, among others.

Sensitivity of Browsing and Location Data

It is important to note that none of the underlying datasets in question contained traditional types of personally identifiable information (e.g., name, identification numbers, physical descriptions, etc.) (“PII”). Even still, the three proposed settlements by the FTC underscore the sensitive nature of browsing and location data due to the insights such data reveals, such as religious beliefs, health conditions, and financial status, and the ease with which the insights can be linked to certain individuals.

In the digital age, the amount of data available about individuals online and collected by various companies makes the re-identification of individuals easier every day. Even when traditional PII is not included in a data set, by linking sufficient data points, a profile or understanding of an individual can be created. When such profile is then linked to an identifier (such as username, phone number, or email address provided when downloading an app or setting up an account on an app) and cross-referenced with various publicly available data, such as name, email, phone number or content on social media sites, it can allow for deep insights into an individual. Despite the absence of traditional types of PII, such data poses significant privacy risks due to the potential for re-identification and the intimate details about individuals’ lives that it can divulge.

The FTC emphasizes the imperative for companies to recognize and treat browsing and location data as sensitive information and implement appropriate robust safeguards to protect consumer privacy. This is especially true when the data set includes information with the precision of those cited by the FTC in its proposed settlements.

Accountability and Consent

With browsing and location data, there is also a concern that the consumer may not be fully aware of how their data is used. For instance, Avast claimed to protect consumers’ browsing data and then sold that very same browsing information, often without notice to consumers. When Avast did inform customers of their practices, the FTC claims it deceptively stated any sharing would be “anonymous and aggregated.” Similarly, X-Mode claimed it would use location data for ad-personalization and location-based analytics. Consumers were unaware such location data was also sold to government contractors.

The FTC has recognized that a company may need to process an individual’s information to provide them with services or products requested by the individual. The FTC also holds that such processing does not mean the company is then free to collect, access, use, or transfer that information for other purposes (e.g., marketing, profiling, background screening, etc.). Essentially, purpose matters. As the FTC explains, a flashlight app provider cannot collect, use, store, or share a user’s precise geolocation data, or a tax preparation service cannot use a customer’s information to market other products or services.

If companies want to use consumer personal information for purposes other than providing the requested product or services, the FTC states that companies should inform consumers of such uses and obtain consent to do so.

The FTC aims to hold companies accountable for their data-handling practices and ensure that consumers are provided with meaningful consent mechanisms. Companies should handle consumer data only for the purposes for which data was collected and honor their privacy promises to consumers. The proposed settlements emphasize the importance of transparency, accountability, meaningful consent, and the prioritization of consumer privacy in companies’ data handling practices.

Implementing and Maintaining Safeguards

Data, especially specific data that provide insights and inferences about individuals, is extremely valuable to companies, but it is that same data that exposes such individuals’ privacy. Companies that sell or share information sometimes include limitations for the use of the data, but not all contracts have such restrictions or sufficient restrictions to safeguard individuals’ privacy.

For instance, the FTC alleges that some of Avast’s underlying contracts did not prohibit the re-identification of Avast’s users. Where Avast’s underlying contracts prohibited re-identification, the FTC alleges that purchasers of the data were still able to match Avast users’ browsing data with information from other sources if the information was not “personally identifiable.” Avast also failed to audit or confirm that purchasers of data complied with its prohibitions.

The proposed complaint against X-Mode recognized that at least twice, X-Mode sold location data to purchasers who violated restrictions in X-Mode’s contracts by reselling the data they bought from X-Mode to companies further downstream. The X-Mode example shows that even when restrictions are included in contracts, they may not prevent misuse by subsequent downstream parties.

Ongoing Commitment to Privacy Protection:

The FTC stresses the importance of obtaining informed consent before collecting or disclosing consumers’ sensitive data, as such data can violate consumer privacy and expose them to various harms, including stigma and discrimination. While privacy notices, consent, and contractual restrictions are important, the FTC emphasizes they need to be backed up by action. Accordingly, the FTC’s proposed orders require companies to design, implement, maintain, and document safeguards to protect the personal information they handle, especially when it is sensitive in nature.

What Does a Company Need To Do?

Given the recent enforcement actions by the FTC, companies should:

  1. Consider the data it collects and whether such data is needed to provide the services and products requested by the consumer and/or a legitimate business need in support of providing such services and products (e.g., billing, ongoing technical support, shipping);
  2. Consider browsing and location data as sensitive personal information;
  3. Accurately inform consumers of the types of personal information collected by the company, its uses, and parties to whom it discloses the personal information;
  4. Collect, store, use, or share consumers’ sensitive personal information (including browser and location data) only with such consumers’ informed consent;
  5. Limit the use of consumers’ personal information solely to the purposes for which it was collected and not market, sell, or monetize consumers’ personal information beyond such purpose;
  6. Design, Implement, maintain, document, and adhere to safeguards that actually maintain consumers’ privacy; and
  7. Audit and inspect service providers and third-party companies downstream with whom consumers’ data is shared to confirm they are (a) adhering to and complying with contractual restrictions and (b) implementing appropriate safeguards to protect such consumer data.
© 2024 Ward and Smith, P.A.. All Rights Reserved.
For more on the FTC, visit the NLR Communications, Media & Internet section.

A Closer Look at the FTC’s Final Non-Compete Rule

On April 23, 2024, the Federal Trade Commission (FTC) issued its Final Non-Compete Agreement Rule (Final Rule), banning non-compete agreements between employers and their workers. The Final Rule will go into effect 120 days after being published in the Federal Register. This Final Rule will impact most US businesses, specifically those that utilize non-compete agreements to protect their trade secrets, confidential business information, goodwill, and other important intangible assets.

The Final Rule prohibits employers from entering or attempting to enter into a non-compete agreement with “workers” (employees and independent contractors). Employers are also prohibited from even representing that a worker is subject to such a clause. The Final Rule provides that it is an unfair method of competition for employers to enter into non-compete agreements with workers and is therefore a violation of Section 5 of the FTC Act.

There are few exceptions under the Final Rule. For senior executives, existing non-compete agreements can remain in force. However, employers are barred from entering or attempting to enter into a non-compete agreement with a senior executive after the effective date of the Final Rule. The Final Rule defines “senior executive” as a worker who is both (1) earning more than $151,164 annually and (2) in a “policy-making position” for the business. For workers who are not senior executives, existing non-competes are not enforceable after the effective date. If not invalidated all together, the Final Rule will likely have extensive litigation related to “policy-making position.” According to the current commentary on the Final Rule, the FTC will likely take the position that “senior executive” is a very limited definition.

Further, the Final Rule does not apply to non-competes entered into pursuant to a “bona fide sale of a business entity, of the person’s ownership interest in [a] business entity, or of all or substantially all of a business entity’s operating assets.” As a result, parties entering into transactions can continue to use non-compete agreements in the sale of a business. But transactional lawyers should note that any non-compete in a subsequent employment agreement with a seller will likely be subject to the Final Rule. The Final Rule also does not prohibit employers from enforcing non-compete clauses where the cause of action related to the non-compete clause occurred prior to the effective date of the Final Rule.

The Final Rule also states that agreements that “penalize” or “function to prevent” an employee from working for a competitor are banned and unlawful. For example, a non-disclosure agreement may be viewed as a non-compete when it is so broad that it functions to prevent workers from seeking or accepting other work or starting a business after they leave their job. Similarly, non-solicitation agreements may also be banned under the new rule “where they function to prevent a worker from seeking or accepting other work or starting a business after their employment ends.” The commentary makes clear that the enforceability and legality of these types of agreements will need to be analyzed on a case-by-case basis.

Under the Final Rule, employers are required to provide clear and conspicuous notice to workers who are subject to a prohibited non-compete. This notice must be sent in an individualized communication (text message, hand delivery, mailed to last known address, etc.) and indicate that the worker’s non-compete clause will not be enforced.

The Final Rule has already been challenged in at least two lawsuits, both filed in the state of Texas. The US Chamber of Commerce filed suit in the US District Court for the Eastern District of Texas seeking a declaratory judgment and an injunction to prevent the enactment of the Final Rule. A second suit, filed by Ryan, LLC, a tax services firm, was filed in the US District Court for the Northern District of Texas. Both suits raise similar arguments: (1) the FTC lacks authority to enact the rule due to the major questions doctrine; (2) the Final Rule is inconsistent with the FTC Act; (3) the retroactive nature of the Final Rule exceeds the FTC’s authority and raises Fifth Amendment concerns; and (4) the Final Rule is arbitrary and capricious. The US Chamber of Commerce has also filed a motion to stay the effective date of the Final Rule pending resolution of the lawsuit.

The very nature of how business entities protect their intangible assets is at risk, and the Final Rule will change the contractual dynamic of the employer-employee relationship.

© 2024 Jones Walker LLP
For more on the FTC Non-Compete Rule, visit the NLR Labor & Employment section.

FTC Moves to Strike Most Noncompetes: Considerations for Cannabis Companies

As Bradley previously reported, the Federal Trade Commission at the beginning of last year issued a notice of proposed rulemaking to effectively ban employee noncompete provisions as an unfair method of competition in violation of Section 5 of the FTC Act. Following a 16-month administrative process that drew more than 26,000 public comments, the FTC on April 23, 2024, issued its final rule that will, according to the FTC, “promote competition by banning noncompetes nationwide, protecting the fundamental freedom of workers to change jobs, increasing innovation, and fostering new business formation.”

Key Features of the Final Rule

Key features of the final rule include:

  • Defining “noncompete clauses” as a term or condition of employment that either “prohibits” a worker from, “penalizes” a worker for, or “functions to prevent” a worker from (a) seeking or accepting work in the United States with a different person where such work would begin after the conclusion of the employment that includes the term or condition; or (b) operating a business in the United States after the conclusion of the employment that includes the term or condition.
  • Treating existing noncompetes differently depending on the category of worker.
    • For “senior executives,” existing noncompetes may remain in force. The term “senior executive” refers to workers earning more than $151,164 who are in a “policy-making position.” As so defined, the FTC estimates that senior executives represent less than 0.75% of all workers.
    • For all other categories of workers, existing noncompetes will be unenforceable following the effective date (i.e., 120 days following its publication on the Federal Register).
  • Banning new noncompetes for all workers following the effective date.
  • Requiring employers to provide “clear and conspicuous notice” to workers who are not senior executives and are subject to existing noncompetes that such provisions are no longer enforceable. The FTC included model language in the final rule that satisfies the notice requirements.
  • Excluding banks but not bank affiliates. Because the FTC does not have regulatory authority over banks, it does not apply to banks. The rule does apply to bank affiliates however as those entities are within FTC jurisdiction.
  • Excluding nonprofit entities. The final rule does not apply to nonprofit entities, such as nonprofit hospitals, as they fall outside of the jurisdiction of the FTC Act. The FTC notes, however, that not all entities that claim tax-exempt status in their tax filings are automatically outside of the scope of the final rule. Rather, the FTC applies a two-part test to determine whether the purported nonprofit is within the scope of the FTC Act, focusing on the source of the entity’s income and the destination of the income.
  • Excluding noncompetes in the sale of business context. The final rule generally does not apply to business owners upon the “bona fide” sale of a business. The final rule expanded the sale of business exception found in the proposed rule.
  • The final rule does not apply where a cause of action related to a noncompete accrued prior to the effective date of the final rule.

What Does the New Rule Mean for the Cannabis Industry in Particular?

The FTC contends that the final rule will benefit the U.S. economy by, among other things, increasing worker earnings, reducing healthcare costs, spurring new business formation, and enhancing innovation. But what will it mean for the U.S. cannabis industry specifically?

As we’ve written about before, there’s a significant amount of proprietary information that may give players in the cannabis space a competitive edge – e.g., customer lists, grow processes, or unique cannabinoid extracts, plants, and products. Because marijuana is still a Schedule I substance under the Controlled Substance Act, however, there are open questions about whether an entity engaged in marijuana-related commercial activity can avail itself of federal law protections, such as U.S. patent and trademark laws. If an entity cannot avail itself of those federal law protections, the ability to turn to state contract law becomes even more important to protect its investments. That’s where noncompetes could come in — going a long way to protect an individual from taking and utilizing a company’s or individual’s investments. The FTC final rule largely would put an end to the ability to use noncompete protections, save for the exceptions outlined above. That may be an even bigger blow to the cannabis industry as compared to other industries who can readily utilize federal law protections. On the other hand, the cannabis industry is largely transient and collaborative, and many cannabis companies and individuals in the industry may be willing to take the good with the bad when it comes to the absence of noncompete rules.

What’s Next?

First, the final rule is not yet in effect. It will go into effect 120 days after its publication in the Federal Register.

Second, we expect there will be significant legal challenges and efforts to halt the implementation of the rule.

The final rule was issued following a 3-2 vote by the commissioners, with the two newly appointed Republican commissioners – Melissa Holyoak and Andrew Ferguson – voting against the rule. In their prepared remarks, the dissenting commissioners questioned the FTC’s legal authority to take such sweeping action.

The final rule has already prompted a legal challenge. Shortly after the FTC’s public meeting approving the final rule, the U.S. Chamber of Commerce released a statement indicating its intent to “sue the FTC to block this unnecessary and unlawful rule and put other agencies on notice that such overreach will not go unchecked.” True to its word, the Chamber filed yesterday a Complaint for Declaratory Judgment and Injunctive Relief in U.S. District Court for the Eastern District of Texas (Chamber of Commerce of the United States of America v. Federal Trade Commission, Case No. 6:24-cv-00148 (E.D.Tex. filed April 24, 2024)). The lawsuit mounts a number of legal challenges to the final rule.

© 2024 Bradley Arant Boult Cummings LLP
For more on FTC Noncompete Ban, visit the NLR Labor & Employment section.

What the FTC’s Rule Banning Non-Competes Means for Healthcare

The FTC unveiled its long-awaited final rule banning most non-compete agreements during a live broadcast of a Commission meeting on April 23, 2024. The proposed rule, which was first announced in January 2023, underwent an extensive public comment process in which approximately 26,000 comments were received. According to the FTC, approximately 25,000 of these comments supported a total ban on non-competes. While there was some expectation that the final rule would be less aggressive than the proposed rule, that turned out not to be the case. By late summer 2024, most employers, except for non-profit organizations, will not be able to enforce or obtain non-competes in the U.S. except in extremely narrow circumstances. The new rule will take effect 120 days after it is published in the Federal Register. Assuming the rule is published this week, we can expect it to take effect by late August. That is, of course, if a court does not enjoin the rule first. Shortly after the rule was announced on April 23, the U.S. Chamber of Commerce stated its intention to sue the FTC. U.S. Chamber to Sue FTC Over Unlawful Power Grab on Noncompete Agreements Ban | U.S. Chamber of Commerce (uschamber.com) The first lawsuit challenging the new rule was filed on April 23, Ryan, LLC v. Federal Trade Commission, Case No. 3:24cv986 (N.D. Tex. Apr. 23, 2024). Among other relief, the Ryan suit seeks to have the rule vacated and set aside. There are significant legal questions concerning whether the FTC has the authority to take this action by rulemaking or whether this is best left to the legislative process. While some U.S. states have banned non-competes, many U.S. states have not banned them.

As written, the rule will have profound effects on virtually every industry, especially health care, where non-competes are common in physician and mid-level practitioner employment agreements. As several Commissioners indicated during the April 23 meeting, they are particularly concerned about non-competes in health care and believe this rule will save approximately $74-194 billion in reduced spending on physician services over the next decade.

Following is Nelson Mullins’ quick take on what health care employers need to know:

  1. The rule does not apply to non-profits. The basis for the rule making is Section 5 of the FTC Act, which doesn’t apply to non-profits. So, a non-profit health system that has non-competes with physicians or other workers is not impacted by the rule. Be aware, though, that the FTC may be looking to test whether some non-profit health systems are really operating as true non-profits. Tax exempt status alone will not be enough. We believe, however, that given significant and quantifiable charitable benefits that most non-profit systems provide, the FTC may be hard pressed to find a good test case within the non-profit health care industry.
  2. For all others, the rule bans all non-compete agreements for any worker, regardless of title, job function, or compensation, after the effective date. Thus, a for-profit health system or for-profit physician practice that uses non-competes will be significantly limited. The only non-competes that will be allowed to remain in force are non-competes for “Senior Executives” that were entered into before the rule becomes effective.
  3. The rule will take effect 120 days after it is published in the Federal Register. This will likely occur this week, so we expect the effective date to be approximately August 20, 2024.
  4. The rule rescinds existing non-competes for all workers who are not “Senior Executives.”
  5. “Senior Executive” is a narrowly-defined term meaning:
    1. a person in a policy making position; and
    2. who was paid at least $151,164 in the prior year.
  6. Existing non-competes for Senior Executives are not rescinded. New non-competes with Senior Executives entered into prior to the effective date are still allowed. However, no new non-competes with Senior Executives may be entered into after the effective date.
  7. “Policy-making position” means: President, CEO, or equivalent, or other person who has policy making authority, i.e., decisions that control a significant aspect of a business entity. Most clinicians will not meet the definition of “Senior Executive.”
  8. Non-senior executives who are now under a non-compete must be given notice by the effective date that their non-compete will not be, and cannot legally be, enforced. Model language for the notice is in the rule.
Copyright ©2024 Nelson Mullins Riley & Scarborough LLP
by: Denise M. GunterCarrie A. HangerCandace S. Friel of Nelson Mullins
For more news on the Implications of the FTC Noncompete Ban on Healthcare, visit the NLR Health Law & Managed Care section.

FTC Approves Non-Compete Ban

On Tuesday afternoon, April 23, the Federal Trade Commission (FTC) voted 3-2 along party lines to approve its new rule on non-competes. The new rule, which will take effect in 120 days, essentially bans non-competes for all workers, finding them “an unfair method of competition – and therefore a violation of Section 5 of the FTC Act.”

Notably, a non-complete clause is broadly defined as a “contractual term or workplace policy that prohibits a worker from, penalizes a worker for, or functions to prevent a worker from seeking or accepting work in the United States with a different person where such work would begin after the conclusion of the employment or operating a business in the United States after the conclusion of the employment.”

The new rule applies retroactively to prior agreements, other than those for senior executives earning more than $151,164 a year in a “policy-making position.” Employers must provide notice to other workers subject to non-compete agreements that they are no longer enforceable.

Not limited to employees, the non-compete ban extends to independent contractors, externs, interns, volunteers, apprentices, and sole proprietors who provide a service to a person. It does not include non-competes entered into pursuant to a bona fide sale of a business entity or in a franchisor-franchisee relationship.

While the rule is final, expect legal challenges to follow. For example, the U.S. Chamber of Commerce, the nation’s largest business lobby, told reporters it plans to sue over the rule, claiming the FTC is not authorized to make this rule, that non-competes are not categorically unfair, and the rule is arbitrary. The Chamber’s thoughts were echoed by the opposing Republican FTC voters, who cited concerns about the FTC’s authority (as compared to the merits of such a rule).

While employers’ protectable interests are often a concern, it is important to note that this rule does not ban non-disclosure and confidentiality agreements.

“…it is an unfair method of competition – and therefore a violation of Section 5 of the FTC Act – for employers to enter into noncompetes with workers after the effective date.”
© 2024 BARNES & THORNBURG LLP
by: Christopher Rubey of Barnes & Thornburg LLP
For more news on FTC’s noncompete ban, visit the NLR Labor & Employment section.