The changing U.S. regulatory landscape: takeaways for business

Competition and antitrust

Following through on a campaign promise, the Biden Administration has taken an active approach to address concerns that not enough has been done of late to protect robust competition. Against the backdrop of low employment and tight labor markets, special attention has been directed to non-competition and no-poach agreements, particularly in the technology and health care sectors. With soaring inflation, especially at the gas pump, the Administration has more recently pivoted to take on petroleum and gasoline markets. And, of interest to many of our clients, private equity firms have become a high-profile target of U.S. antitrust enforcers.

The appointment of key officials understood to be progressives who are intent to take on “big business” has laid the groundwork for these developments. At the Federal Trade Commission (the FTC), Chair Lina Khan hit the ground running with numerous initiatives intended to shake up the FTC and its role in promoting competition and enforcing antitrust laws. Over at the Antitrust Division of the U.S. Department of Justice (the DOJ), private practitioner Jonathan Kanter, who challenged Google and other Big Tech companies, was installed in November 2021.

Under Khan’s leadership, the FTC has implemented several significant policy changes intended to enhance its ability to challenge—and deter—anticompetitive M&A activity and monopolistic behavior. Among the most notable has been the reinstatement of a long-dormant policy to include in the FTC’s consent orders’ so-called “prior approval” requirements. The key provision will require settling parties to obtain, for a minimum of ten years, prior approval from the FTC before closing any future transaction affecting relevant markets. The FTC has even threatened to obtain a prior approval order after parties abandon a challenged transaction if they do not do so early enough¹.

Focus on private equity and review of merger guidelines

The FTC’s new approach was in play in its recent challenge of a private equity-backed acquisition of a specialty and emergency veterinary practice. Not only did the FTC impose a prior approval condition on JAB Consumer Partners (JAB), but also will require JAB to provide 30-day advance written notice before JAB or a portfolio company attempts to acquire a business proximate to a location JAB owns now or in the future anywhere in the United States. Acknowledging this as a first-of-its-kind notice requirement in an FTC order, the agency underscored its intention to receive advance notice of any unreported acquisitions that would “ordinarily escape our review”. Moreover, Ms. Khan issued a statement critical of private equity:

Antitrust enforcers must be attentive to how private equity firms’ business models may in some instances distort incentives in ways that strip productive capacity, degrade the quality of goods and services, and hinder competition … Meanwhile, serial acquisitions or “buy-and-[build]” tactics can be used by private equity firms and other corporations to roll up sectors, enabling them to accrue market power and reduce incentives to compete, potentially leading to increased prices and degraded quality.

While these recent actions grab headlines, the FTC and DOJ are also retooling behind the scenes. The agencies have announced that they will undertake a review of their jointly-issued merger guidelines observing that “[w]e must ensure that the merger guidelines reflect current economic realities and empirical learning and that they guide enforcers to review mergers with the skepticism the law demands. The current guidelines deserve a hard look to determine whether they are overly permissive”. The agencies’ reassessment could have a meaningful and lasting impact on antitrust enforcement and, assuming revised guidelines reflect a cynical view of M&A, one can only assume that investigations and challenges of U.S. business combinations will increase.

Takeaway: These developments inject greater uncertainty into dealmaking and, therefore, oblige businesses and their advisers to give antitrust considerations earlier and more thoughtful analysis when assessing deals and drafting transaction documents.

Sanctions

Economic sanctions have been thrust to the forefront given their prominent role in the response to the Russian invasion of Ukraine. The sanctions have in turn prompted investors to navigate a tangled web of prohibitions and exceptions against countries, business sectors and individual companies and persons across numerous jurisdictions globally.

That task has become increasingly difficult as U.S. sanctions come in a variety of permutations enforced by a widening set of authorities. Sanctions have traditionally taken one of two forms managed and enforced by the Treasury Department’s Office of Foreign Assets Control (OFAC): 1) an embargo of a country prohibiting U.S. persons from virtually all transactions with persons or property associated with that country, or 2) identification of individuals or entities on the Specially Designated Nationals and Blocked Persons (SDN) List, which freezes the listed person’s assets and prohibits a U.S. person from nearly all dealings with, or transactions in the property of, the listed person.

Today, that’s just the tip of the iceberg. OFAC alone now maintains six separate lists, while the Department of State maintains a list of foreign terrorist organizations and the Department of Commerce implements U.S. sanctions policy through the use of export controls.

The truly complicating factor is that U.S. sanctions no longer simply bar all dealings with a country or person (which OFAC classifies as “full blocking sanctions”). The sanctions introduced in connection with the Ukraine war include:

• an embargo on the Donetsk People’s Republic and Luhansk People’s Republic regions of Ukraine;
• full blocking sanctions on numerous Russian persons and businesses, including its most prominent banks and financial institutions, which indirectly prohibit even more transactions by cutting off the financial means to conduct them;
• a ban on “new investment” in all Russian enterprises;
• barring importation from Russia of products like vodka and caviar; and
• forbidding exportation to Russia of luxury goods and services such as accounting and management consulting.

Although compliance with U.S. sanctions primarily falls on U.S. persons—U.S. citizens and permanent residents, entities organized under U.S. law, and any person located in the U.S.—the recent sanctions include a provision that reaches non-U.S. persons, commonly referred to as a “secondary sanction.” OFAC warns that the U.S. may sanction non-U.S. persons if they materially assist or provide financial, material, or technological support for, or goods or services to, SDN-listed persons. Indeed, while the U.S. has enforced “secondary sanctions” most frequently in connection with Iran, the material assistance language found in the Russian sanctions has gradually been inserted into the sanctions of other jurisdictions as well, notably Hong Kong and Venezuela.

Takeaway: All of this is to say that nearly anyone contemplating a transaction, whether M&A, lending, capital markets, supply chain or otherwise, outside North America and Western Europe must be cognizant of economic sanctions and their potential impact.

Privacy and data protection

In many parts of the world, including the European Union, Canada and even China, the ever-growing volume of personal data being provided, collected and used by consumers and businesses in the global digital economy has led to the adoption of laws and regulations for comprehensive privacy and data protection frameworks. In the U.S., individual states, rather than the federal government, are the primary drivers of such efforts, giving rise to a patchwork of privacy and data protection regimes that apply to businesses on a state-by-state basis.

The latest state to enact a comprehensive privacy and data protection law is Connecticut², which joins four other states with similar laws, as we identified in our article in the last issue of the Torys Quarterly—California, Virginia, Colorado and Utah³. Any business with an online presence directed at the United States that collects personal information is potentially subject to one or more of these state privacy and data protection laws, because they apply to businesses that collect data from the respective state’s residents.

At a high level, each of the laws enacted by the various states impose generally similar obligations on businesses, such as requiring notification to customers in connection with a sale of such person’s data, and mandating that the business provide opportunities to access, delete, correct or move a person’s data, among other requirements.

However, a number of key differences across state laws may complicate compliance efforts. For example, these states impose different deadlines for “curing” a data breach, and have varying requirements on whether businesses are required to offer an opt-in vs. opt-out mechanism with respect to their collection and use of personal data. In California, even private individuals, not just state attorneys general, can enforce provisions of the privacy and data protection laws relating to certain types of breaches of personal data, by suing for damages individually or as part of a class action, with recovery generally not requiring a showing that the claimant suffered actual harm.

Moving toward a federal framework

While we observed just a few months ago that “a single U.S. federal privacy statute remains a far-off ideal”⁴, a draft bill entitled the American Data Privacy and Protection Act (the ADPPA) has recently been introduced. The ADPPA represents a significant legislative step towards a nationwide privacy and data protection framework in the United States, and if enacted, would bring the U.S. more into line with other nations’ approach to data privacy.

Although the lead sponsors of the ADPPA hail from both Democratic and Republican parties, enactment in its currently proposed form is by no means certain, as it faces opposition on both sides of the political spectrum, seeking to steer the legislation in favor of stronger consumer protections (e.g., civil liberties and privacy advocacy organizations such as the ACLU) or less restrictions on businesses (e.g., business groups such as the Chamber of Commerce). Many thorny issues, such as allowing private individuals to enforce the ADPPA, the extent to which the ADPPA will preempt (i.e., override) state laws, and the extent to which the FTC may become involved in overseeing data collection and use practices (including FTC submission requirements when businesses use algorithms to collect, process or transfer data), will need to be resolved before the ADPPA can become law.

Takeaway: Unless and until the ADPPA becomes the law of the land—an event which may never come to pass—businesses that collect, store and use personal data from U.S. residents should continue to monitor existing and new state data privacy laws, and stand ready to adjust their practices to ensure compliance.