CFIUS’ Final Rules: Broader Reach, Narrow Exceptions and Foretelling Future Change

Skadden, Arps, Slate, Meagher & Flom LLP

On January 13, 2020, the U.S. Department of the Treasury (Treasury), on behalf of the Committee on Foreign Investment in the United States (CFIUS or the Committee), issued two sets of final regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) — one for certain covered real estate transactions and one for all other covered transactions. These final regulations follow proposed regulations that the Treasury published on September 17, 2019, which were open to public comment until October 17, 2019. Although the Committee made a few noteworthy changes in response to public comments, the final regulations are substantially similar to the draft ones.

Consistent with our analysis of the draft regulations, the Treasury’s FIRRMA regulations — now in their final form — largely adopted many pre-FIRRMA CFIUS trends, standards and practices while adding some new features, such as expanded jurisdiction over non-controlling investments and real estate transactions, as well as mandatory filings for certain deals. The regulations, like the FIRRMA itself, are a response to three concerns: (i) that foreign acquisitions of early-stage U.S. technology companies jeopardize the United States’ technological advantage, particularly in emerging and foundational technologies whose importance to national security may not yet be apparent; (ii) that foreign actors, particularly China, can use acquisitions of U.S. companies possessing significant amounts of sensitive personal data as an easy, legal form of bulk intelligence collection on U.S. citizens; and (iii) that the ability to acquire real estate, which on its own was not a covered transaction pre-FIRRMA, provides foreign actors an opportunity to gain physical proximity to sensitive U.S. government facilities.

The final regulations, which become effective on February 13, 2020, implement almost all of the FIRRMA, and provide clarity on the Treasury’s interpretation of covered minority investments, covered real estate transactions, excepted investors and mandatory filings for foreign government-related investments. However, some issues remain open. Future planned rulemaking is required to address, for example, changes to mandatory filings for critical technologies, the definition of “principal place of business” and the CFIUS filing fees.

Even with the added clarity that the FIRRMA regulations provide in many contexts, dealmakers must still approach CFIUS decision-making on a case-by-case basis depending on the risks raised by the particular buyers and the sensitivities raised by particular assets, weighing considerations such as deal certainty, risk and timing. Below we highlight key provisions of the FIRRMA regulations that will impact clients as they consider future transactions.

Mandatory Filings Are a Permanent Feature of the FIRRMA Regime

In a change to CFIUS’s long-standing history as a purely voluntary process, the FIRRMA regulations require parties to submit a declaration, i.e., a shortened version of the standard CFIUS notice, in two types of transactions: certain foreign government-related transactions and certain “critical technology” investments. The regulations provide the required contents for a declaration, which represent a somewhat shorter list of the requirements for a notice, and specify that the review period for a declaration is 30 calendar days (compared to the potential 90 calendar days for a traditional notice review and investigation). Although the declaration ostensibly offers a more streamlined process, parties in mandatory filing cases should consider whether to file a traditional notice in lieu of a declaration (this calculus may differ in voluntary declaration scenarios, discussed further below).

First, parties must file a declaration for any covered transaction that results in a foreign government having a “substantial interest” in a Technology, Infrastructure, or Data (TID) U.S. Business. A substantial interest arises when a foreign person obtains a 25 percent or greater voting interest, directly or indirectly, in a U.S. business if a foreign government in turn holds a 49 percent or greater voting interest, directly or indirectly, in the foreign person. Importantly, although the draft regulations stated that a fund where 49 percent or more of the voting interest of the limited partners is held by a foreign government would meet the second prong of the substantial interest test, the final rules now instead provide that the foreign government’s 49 percent interest must be in the general partner in order to trigger a mandatory filing.

Second, parties must file a declaration for certain noncontrolling or controlling investments in U.S. businesses that produce, design, test, manufacture, fabricate or develop critical technology in 27 enumerated industries. This matches the CFIUS “pilot program” initiated by the Committee in October 2018 and discussed in our previous alert. The U.S. Department of Commerce (Commerce) has yet to specifically identify the emerging or foundational technologies that will form a significant part of critical technologies pursuant to its ECRA mandate, but is taking affirmative steps toward doing so, as detailed in our recent publication “Commerce Department Will Move Forward With More Stringent Export Controls for Certain Emerging Technologies.”

By its nature, the pilot program was experimental and the Treasury, in its September 2019 draft regulations implementing FIRRMA, indicated that it would address the status of the pilot program. The Treasury did so in its final rules, but essentially delayed substantive changes to the program until a later date. As a consequence, the pilot program in its current form remains in effect through February 12, 2020. Beginning February 13, 2020, the pilot program will continue to remain in effect but operate within Part 800, rather than Part 801, of the CFIUS regulations. According to the final rule, the Treasury anticipates issuing a separate notice of proposed rulemaking that would effectively eliminate the association between “critical technologies” and the 27 industries previously identified as sensitive. Instead the mandatory filing requirement would be triggered by export licensing requirements alone.

The shift away from North American Industry Classification System (NAICS) codes presumably reflects the Treasury’s concerns with the inherent ambiguities in basing the jurisdictional scope of a mandatory filing requirement on self-designated industry classifications. From a purely national-security standpoint, although the 27 industries identified in the pilot program represent a wide swath of those that would likely raise national security concerns, the justification for treating two companies making the same critical technology differently based on self-assigned NAICS code differences was always suspect. However, how replacing NAICS Codes with an export licensing prong will impact the scope of transactions for which mandatory filings would be required remains to be seen. For example, if the issue becomes whether an export license is required for a certain technology to be exported to the home country of the investor, for certain technologies certain countries may be favored over others and the pilot program may not capture a substantial number of new transactions. On the other hand, because many critical technologies would require licenses for export to most countries, opening the program to all industries could materially expand the scope of mandatory filing.

Nonetheless, we expect the Treasury will continue to scrutinize and prioritize transactions involving businesses that operate in sensitive sectors despite possible changes to the mandatory filing criteria. For most foreign investors considering transactions in these spaces, a voluntary filing will remain the norm.

In a welcome development, the final regulations do provide some exceptions1 to mandatory filing requirements, notably including:

  • Investments by foreign entities operating under a valid facility security clearance and subject to mitigation agreements with the Defense Security and Counterintelligence Agency (DCSA)2 to address foreign ownership, control or influence (FOCI);
  • Investments by funds controlled and managed exclusively by U.S. nationals;
  • Investments where the U.S. business is a TID U.S. business solely because it produces, designs, tests, manufactures, fabricates or develops one or more critical technologies that is eligible for export, reexport or transfer (in country) pursuant to License Exception ENC (for encryption commodities, software, and technology) of the Export Administration Regulations; and
  • Investments by “excepted investors,” a new category of investors described further below.

The very specific exception for investments involving License Exception ENC — which covers those involving most commercial and dual-use encryption items — will be especially welcome relief to many early-stage technology companies and investors. Nascent companies engaging in software development and Software-as-a-Service providers will now have clarity that the encryption controls used in their products and services will not, on their own, create a mandatory filing requirement.

Although transactions falling into one of these categories are not subject to mandatory filing, other than for non-controlling transactions by excepted investors, these transactions remain subject to the CFIUS’s jurisdiction. In other words foreign investors must still consider whether a voluntary filing of the transaction is warranted.

Despite the relatively limited scope of these exceptions with regard to the CFIUS’s formal jurisdiction, they may also be a useful signal regarding the Committee’s general view of risk presented by certain entities. For example, by providing that a company subject to a FOCI agreement with DCSA is not subject to mandatory filing for a critical technology investment, the Committee may be signaling more broadly that it views such an entity as low-risk. This means that, at least for transactions involving less sensitive assets, the FOCI-mitigated company may expect a lighter touch from the CFIUS. Parties still may consider using the CFIUS process and statutory time frame as a lever to move the DCSA process forward expeditiously.

Limited Application of Excepted Investor Status

In what many saw as a significant compromise to the FIRRMA’s expanded jurisdiction over non-controlling investments and certain real estate transactions, and in response to various calls for country-based approaches to the CFIUS regulations, FIRRMA requires the Committee to specify criteria for limiting the application of its expanded jurisdiction to certain categories of foreign persons. The FIRRMA regulations implement this limitation through the creation of “excepted investors,” i.e., investors having sufficiently strong ties to certain “excepted foreign states.” The final rules have borne out our assessment, expressed with regard to the original “excepted investor” scope proposed in the draft regulations, that the exception is unlikely to have a significant effect, or any effect at all, for the vast majority of foreign investors.

Only three countries that share extremely close intelligence and foreign-investment-review relationships with the United States — Australia, Canada, and the United Kingdom — are excepted foreign states under the FIRRMA regulations. The regulations provide a mechanism for other countries to be added to the list, but we do not expect significant or rapid expansion of the excepted countries list. Although the final rules lower the bar somewhat to meet “excepted investor” status, the threshold remains high, potentially excluding a number of investors originating in the excepted countries.3 Accordingly, relatively few entities will qualify as excepted investors.

Moreover, the payoff for qualifying as an excepted investor is relatively small. For excepted investors, the FIRRMA regulations restore the pre-FIRRMA jurisdictional status quo. Excepted investors are not subject to the CFIUS’s expanded jurisdiction for non-controlling investments or covered real estate transactions, or to mandatory filing requirements, but they remain subject to the CFIUS’s “traditional” jurisdiction for transactions that would result in their control of a U.S. business. As noted in the review above of mandatory filings, although the jurisdictional application of this exception is somewhat limited, it also undoubtedly signals that CFIUS generally views investors from these countries as presenting a low threat to U.S. national security. Excepted investors will still want to carefully consider whether to voluntarily file controlling transactions (including through the new process for voluntary declarations), particularly when acquiring potentially sensitive assets.

Potential Efficiencies From the Voluntary Declaration Process

A potential benefit of the FIRRMA regulations that applies more broadly than its jurisdictional exceptions is the option to file a declaration, i.e., a short-form notice, for any covered transaction or covered real estate transaction. At least for acquirers likely to be viewed as a relatively low threat that are acquiring assets with limited or no national security implications, the declaration provides an opportunity to obtain a CFIUS safe harbor through a more streamlined and quicker process. The declaration evaluation phase lasts only 30 days compared to the 45-day notice review period, which can extend a further 45 days if the Committee moves the case to investigation. We expect that for many low-risk or repeat filers, the declaration process will not only provide a shorter government evaluation period, but also allow for expedited preparation of the declaration itself, shaving weeks off of the overall timeline.

For acquirers that may present a higher risk to national security or that have not previously been through the CFIUS approval process, or for any acquirer investing in or acquiring a sensitive asset, however, we expect that filing a full CFIUS notice instead of a declaration will remain advisable. Given the depth and breadth of national security concerns, the Committee must consider in such cases that a 30-day declaration evaluation period will likely not allow it enough time to fully analyze potential risk and provide clearance. We expect that, in time, the voluntary declaration process will become a tool for the Committee to triage matters and focus its attention on truly sensitive transactions, while allowing trusted parties or straightforward transactions to have regulatory certainty in a shortened timeframe. However, the shortened review period and limited information provided in declarations also make reaching a determination on a case more difficult for the Committee, meaning that parties with more complex transactions will want to consider foregoing a declaration and filing a notice.

Real Estate Regulations Do Not Preclude Other CFIUS Jurisdiction

Pre-FIRRMA, the CFIUS held jurisdiction over transactions involving a “U.S. business,” i.e., an entity engaged in interstate commerce in the United States. The FIRRMA expanded the CFIUS’s jurisdiction to review purchases, leases and concessions of real estate by foreign persons, including Real Estate Investment Trusts (REITs) irrespective of whether such transaction involves a U.S. business. With little modification from the draft regulations, the final regulations focus on vulnerabilities exposed by real estate proximities to airports and maritime ports as well as to military installations or other sensitive U.S. government facilities or properties.

The Committee anticipates providing a web-based tool for the public to better understand the geographic coverage of the final regulations. Investors should remain cognizant, however, that the Committee’s expanded jurisdiction over real estate transactions does not subsume the Committee’s preexisting jurisdiction over transactions that could result in foreign control or certain non-controlling investments by a foreign person in an entity engaged in interstate commerce that also owns or leases real estate. The Committee’s comments to the FIRRMA regulations make clear that proximity to sensitive facilities (including some not listed in the regulations) will continue to play an important role in the Committee’s national security risk analysis for covered control transactions and covered non-controlling investments. Thus, the real estate regulations do not provide relief for real estate-related investments previously covered by the CFIUS’s jurisdiction but instead expand its jurisdiction to new types of real estate transactions that do not constitute a U.S. business.

Data Remains a Central National Security Concern

Unsurprisingly, CFIUS maintained its stance on the national security importance of personal data. A U.S. business collecting or maintaining sensitive data — or having the strategic intent to collect or maintain such data — on one million or more persons will still qualify as a TID U.S. Business.

The final regulations provide limited narrowing of this relatively low threshold from what was originally proposed in the September 2019 draft. For example, the final regulations provide that a U.S. business that has collected sensitive data on over one million persons in the past year may demonstrate that it does not and will not have the capability to maintain or collect sensitive information on over one million persons as of the closing of a transaction in question. The final regulations also provide that data used for analyzing or determining financial distress or hardship is now limited to "financial" data. The scope of genetic information has also narrowed from the original proposal to only include the results of an individual's genetic tests with the added exception of data derived from databases maintained by the U.S. government and routinely provided to private parties for research purposes.

Despite these narrowing efforts, the scope of sensitive data remains quite broad. Possessing data on one million or more persons is no longer a sizable figure for many businesses. Furthermore, the FIRRMA regulations note several scenarios where a U.S. business may qualify as a TID U.S. Business without possessing sensitive data on one million or more persons, including cases where the total sum of different types of data adds up to more than one million persons. Also of interest to early-stage investors, the regulations make clear that a strategic intent to collect or maintain information on over one million persons (coupled with concrete steps taken to achieve this goal) is sufficient to trigger jurisdiction. Ultimately, given this low threshold to prompt a CFIUS review, parties should generally focus their decision-making regarding whether to file more on the nature of a U.S. business’s data than how much of that data the company possesses or is likely to possess in the future.

Providing Greater Clarity Through Examples

The Treasury’s addition to the final guidance of examples outlining the Committee’s interpretation of its own rules provide further helpful instruction. The examples often come directly from specific transactions that the Committee has reviewed over the past few years, largely codifying its evolving practices. Notable examples include providing clarity on several key terms:

  • “Material Nonpublic Technical Information” — The Committee added color to its interpretation of “material nonpublic technical information,” a source of considerable consternation for parties since the implementation of the pilot program in October 2018. In its example, the CFIUS states notifications of certain developmental milestones achieved (without accompanying technical details) do not constitute material nonpublic technical information necessary to design, fabricate, develop, test, produce or manufacture a critical technology.
  • “U.S. Business” — The final regulations provide an example in which a foreign business remotely servicing customers in the United States did not meet the definition of a “U.S. business” subject to the CFIUS’s jurisdiction. Although helpful insight, investors should remain aware that the Committee reviews each transaction on its specific set of facts and circumstances and another transaction, although similar in structure, may fall within the Committee’s purview.
  • “Incremental Investments” — The final regulations provide further clarity on the treatment of incremental investments, confirming that investments made by the same foreign person in the same U.S. business after the Committee has previously cleared a transaction by that foreign person as a controlling investment will not be considered new covered transactions subject to review. However, if a subsequent investment would result in the foreign person obtaining control of the target (i.e., the Committee previously cleared the transaction as a covered investment, rather than a covered controlling transaction), that would be a new covered transaction, as would a subsequent investment by an affiliated entity (i.e., an entity that shares the same parent as the foreign person).

Clarifications for Private Equity & Venture Capital

In the one element of the January 13th publication that is not a final rule, the Committee proposed a definition of “principal place of business,” a previously undefined term that is a key factor in deciding whether an entity is a foreign entity. The proposed definition essentially follows the “nerve center” test used by federal courts in evaluating federal diversity jurisdiction. Under the definition, an entity’s principal place of business is “the primary location where an entity’s management directs, controls, or coordinates an entity’s activities, or, in the case of an investment fund, where the fund’s activities and investments are primarily directed, controlled, or coordinated by or on behalf of the general partner, managing member, or equivalent.” This definition is particularly useful for clarifying that the Committee will look past decisions to domicile an entity in a particular jurisdiction for tax or other legal reasons where that domicile is not the “nerve center” of the entity.

In further fine-tuning of the definitions, the final regulations add “the general partner, managing member, or equivalent” to the definition of “parent.” The Committee received a number of public comments regarding the application of certain provisions of the regulations to funds and other entities with multiple layers of ownership and governance. For the Committee, this ensures that entities with the ultimate decision-making power in a fund are appropriately evaluated as entities exercising such control, for example, when considering whether or not a foreign person meets the definition of an “excepted investor.”

Lastly, since the pilot program's implementation many have questioned the applicability of the mandatory filing requirement to a fund and its limited partners. As described above, the final regulations provide an exemption for investment funds managed by general partners who are controlled and managed by U.S. nationals. The regulations clarify, however, that a limited partner in a fund could have a filing obligation separate and apart from that of the general partner if the limited partner is afforded certain rights. If a limited partner, for example, is granted board membership or observer rights, involvement in substantive decision-making, or access to material nonpublic technical information of a critical technology U.S. business, the limited partner may be subject to its own mandatory filing even if the fund itself is not. Dealmakers will need to remain vigilant when negotiating rights granted to limited partners in sensitive technology transactions to avoid potentially hefty fines for a failure to file in a mandatory scenario.

Key Takeaways

  • Mandatory filings are here to stay — and the final regulations fully implement the CFIUS’s authority on this front, now capturing certain foreign-government-related transactions.
  • Parties must now consider voluntary filings for a certain non-controlling transactions in a broad range of TID U.S. Businesses.
  • The public still awaits Commerce’s definitions of critical and foundational technologies, which will provide further clarity in understanding potential CFIUS concerns that may need to be addressed at the outset of a transaction.
  • The bar to qualify as an “excepted investor” remains high and the benefits are limited.
  • The final real estate regulations do not limit the Committee’s existing jurisdiction to review controlling transactions that involve real estate — and instead will capture a larger segment of transactions in the real estate space.
  • Fund Managers should ensure that their fund documents do not provide limited partners with significant governance rights over the fund’s operations and appropriately limit access to material nonpublic information — which does not include milestone information.

CFIUS Final Rules


1 Certain exceptions apply to only one category of mandatory filings (either critical technology mandatory filings or substantial government interest mandatory filings).

2 Formerly the Defense Security Service (DSS).

3 Investors from these jurisdictions will not be required to file mandatory declarations for investments in critical technology or substantial interest transactions if they meet certain criteria, including a minimum excepted ownership threshold (all investors above 10% are of U.S. or excepted nationality) and no more than 25% board membership by foreign nationals of foreign states that are not excepted foreign states that are not excepted foreign states. Importantly, the Committee clarifies that an excepted investor must meet the criterion at each level of the ownership chain; ultimate parent compliance is not sufficient. This interpretation is consistent with similar regulatory policies, including those implemented by the Department of State’s Directorate of Defense Trade Controls.

Download PDF

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Skadden, Arps, Slate, Meagher & Flom LLP | Attorney Advertising

Written by:

Skadden, Arps, Slate, Meagher & Flom LLP

Skadden, Arps, Slate, Meagher & Flom LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.