New CFIUS Regulations Finally Take Effect

Holland & Knight LLP

Holland & Knight LLP


  • Regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) took effect on Feb. 13, 2020.
  • The new rules build on FIRRMA and are intended to strengthen the oversight and expand the jurisdictional reach of the Committee on Foreign Investment in the U.S. (CFIUS).
  • Additional rules on fees, penalties and other procedural matters, as well as rolling back some of the requirements of the CFIUS Pilot Program on critical technologies, are expected in the near future.

After a few years of debating and making into law, the Committee on Foreign Investment in the U.S. (CFIUS) regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) took effect on Feb. 13, 2020. The new rules are intended to strengthen the oversight and expand the jurisdictional reach of CFIUS.

CFIUS released on Jan. 13, 2020, two final sets of regulations to implement some of the more significant jurisdictional changes that FIRRMA mandated. Additional rules on fees, penalties, and other procedural matters, as well as rolling back some of the requirements of the CFIUS Pilot Program on critical technologies, are expected in the near future.

CFIUS is an interagency committee chaired by the Secretary of the Treasury that is authorized to review certain foreign investment transactions in the United States that pose a threat to national security. Since its inception in 1975, CFIUS has confronted both shifting concepts of national security and a changing global economic order, marked by the rise of new emerging markets and state-led firms that are playing a more active role in the global economy.

Established by President Gerald Ford to respond to fears that OPEC investments in the U.S. economy were threatening national security, CFIUS has subsequently tackled evolving concerns sparked by various global developments. These include Japanese investments in the 1980s that resulted in congressional passage of the Exon-Florio law, granting the president the power to block proposed or pending foreign mergers, acquisitions, or takeovers that threatened to impair national security; Arab investments in the wake of 9/11 that culminated in the political firestorm caused by Dubai Ports World's proposed takeover of the U.S. maritime terminal operations of P&O Ports resulting in the Foreign Investment and National Security Act of 2007 (FINSA), which specifically called transactions involving critical infrastructure as subject to CFIUS jurisdiction and codified CFIUS practices; and recently Chinese investments on the background of geopolitical and technological ambitions – particularly in the areas of semiconductors and 5G technology – have resulted in FIRRMA and the new CFIUS regulations.

With some changes to accommodate industry comments from more than 60 organizations, the new CFIUS regulations build on the Nov. 10, 2018, Pilot Program concerning critical technologies and the proposed rules of Sept. 17, 2019. The new rules include an interim rule on the new definition for "principal place of business," on which CFIUS is seeking public comments by Feb. 18, 2020.1

CFIUS also plans to issue additional rules to scale back some of the requirements introduced by the Pilot Program (reportedly moving away from North American Industry Classification System (NAICS) codes to export controlled categories), and introducing filing fees.

Major Changes Under the New Regulations

Before FIRRMA, CFIUS reviews were only triggered when an acquisition resulted in foreign "control" of a U.S. business that might pose a threat to U.S. national security. CFIUS termed these acquisitions "covered transactions." The concept of "national security" was purposefully not defined and interpreted broadly by CFIUS to allow maximum flexibility in determining the outcome of a transaction.

FIRRMA expanded CFIUS jurisdiction in two key ways. First, FIRRMA permits CFIUS to review certain "other" investments – namely, non-controlling foreign investments in U.S. businesses involved in certain critical technologies, critical infrastructure, or the personal data of U.S. nationals (referred to as TID businesses for technology, infrastructure, and data). Covered non-controlling investments afford the foreign investor access to material nonpublic technical information or substantive involvement in the U.S. business's decision-making with respect to the technology, infrastructure, or data.

Second, FIRRMA allows CFIUS to review certain real estate transactions, which would not otherwise fall under the jurisdiction of CFIUS, including undeveloped land, which were previously exempt from review as "greenfield" investments. Broadly, the proposed regulations define covered real estate as real estate that is: a) located within or functioning as part of a "covered port" (either airport or maritime port), b) located within close proximity of military installations and other government facilities, c) located within an extended range of certain military installations or d) any part of certain military installations located within the territorial sea of the United States. (See Holland & Knight's previous alert, "Foreign Ownership of Real Estate: New Rules from CFIUS," Oct. 16, 2019.)

This alert focuses on some of the most significant changes to CFIUS review of investment in a U.S. business, whether controlling or non-controlling investments (Part 800 of the CFIUS regulations). It also analyzes CFIUS' response to industry concerns with the proposed regulations, and how the rule was modified in the final regulations.

1. Non-Controlling Investments in a TID Business

Under the new regulations, in addition to controlling investments, foreign non-controlling investments (or covered investments) are subject to CFIUS jurisdiction if 1) the acquired U.S. business qualifies as a TID business and 2) the minority foreign investment is allowed a) access to material nonpublic technical information, b) membership or observer rights on the board of directors or equivalent governing body or c) substantive involvement in the U.S. business' decision-making with respect to the technology, infrastructure, or data.2,3

  • Technologies: Critical technologies are defined as (i) items on the United States Munitions List, (ii) items on the Commerce Control List, (iii) nuclear equipment controlled under 10 C.F.R. Part 110; (iv) select agents and toxins covered under 7 C.F.R. Part 331, 9 C.F.R. Part 121, or 42 C.F.R. Part 73; or (v) "emerging and foundational technologies" controlled under the Export Control Reform Act of 2018 (ECRA).4
  • Infrastructure: Covered investment critical infrastructure is a new term introduced by CFIUS in drafting the new regulations. This is a subset of critical infrastructure5 specifically listed in Appendix A to new Part 800 that a U.S. business owns, operates, manufactures, supplies or services. Non-controlling investments in this category are now also subject to CFIUS jurisdiction. Examples include certain internet protocol networks, telecommunication services, internet exchange points, submarine cable systems and landing facilities, financial market utilities, rail lines that service U.S. Department of Defense (DOD) installations, etc.
  • Data: Businesses that engage with "sensitive personal data" are those that maintain or collect, directly or indirectly, the sensitive personal data of U.S. citizens,6 if identifiable, as opposed to aggregate, which (i) targets or tailors its products to sensitive U.S. government personnel or contractors; (ii) maintains or collects data on more than 1 million individuals; or (iii) has a demonstrated business interest in collecting data on more than 1 million individuals and that data is a part of the U.S. business's primary products or services. Sensitive data is defined to include 10 categories of data maintained or collected by U.S. businesses. These include data used to analyze or determine an individual's financial distress or hardship; the set of data in a consumer report; the set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance; data relating to the physical, mental, or psychological health condition of an individual; nonpublic electronic communication; geolocation data; biometric enrollment data; data stored and processed for generating a state or federal ID card; data concerning U.S. government personnel security clearance status; and the set of data in an application for a U.S. government personnel security clearance or an application for employment in a position of public trust. Genetic information is also included in the definition regardless of whether it meets (i), (ii), or (iii).7

Genetic Data and Biotechnology. The definition of sensitive personal data was left in FIRRMA to be developed by CFIUS. Under the final regulations, and in response to comments from industry participants, the final regulations recalibrate the provision on genetic testing in two ways: 1) by focusing the definition on genetic tests and 2) by limiting the coverage of the rule to identifiable data.8 CFIUS will be closely observing biotechnology and life sciences companies that operate in these sectors and identifying instances in which a foreign investment raises a national security concern. CFIUS will have expanded jurisdiction over U.S. businesses that collect or maintain records relating to a U.S. citizen's genetic information, such as a genetic test or individual or family history. This is the type of information that biotechnology or life sciences companies might collect and could lead to review.

2. Mandatory Filings

Another significant change in the review regime is the introduction of mandatory filings for certain transactions. Historically, all filings made to CFIUS were submitted on a voluntary basis. However, FIRRMA introduces, and the new regulations implement, the concept of mandatory filings. Despite this, the process remain mostly based on voluntary filings, with a relatively small number of transactions requiring a mandatory filing, namely, (i) a substantial foreign government investment in a TID U.S. business, or (ii) controlling or non-controlling investments in critical technologies within the scope of the CFIUS Pilot Program on critical technologies.

  • A substantial foreign government investment in a TID business. Under the new regulations, there is a substantial interest if a foreign person obtains 25 percent or more voting interest in the TID business, and a foreign government owns 49 percent or more of the foreign person.9,10
  • CFIUS Pilot Program on critical technologies of Nov. 10, 2018. Controlling or non-controlling investments in U.S. businesses that produce, design, test, manufacture, fabricate or develop one or more critical technologies in one of 27 identified industries – including aviation, defense, semiconductors, telecommunications and biotechnology – are subject to a mandatory filing with CFIUS. The final regulations, for now, will continue to use the same NAICS codes. However, CFIUS announced that it will issue a notice of proposed rulemaking, perhaps moving away from an industry-based approach for these filing requirements in favor of "export control licensing requirements." In the meantime, mandatory declarations must be filed 45 days before the close of a transaction.

For either mandatory or voluntary filings, FIRRMA has developed an abbreviated filing process through a declaration, allowing parties to submit basic information to CFIUS.11 These provisions are expanded in the new, final regulations.12 The declarations should generally not exceed five pages in length, and it is likely that a form will be ultimately designed to increase the ease and usefulness of the process. Although declarations are intended to streamline the process by moving less complex transactions through the CFIUS review process with less administrative burden on the filing companies, filing a declaration may actually increase the processing time: CFIUS has 30 days to render a decision on a mandatory declaration, but may at that time require a full notice, adding a full review cycle to reach a decision, thereby delaying the overall timing of a mergers and acquisition (M&A) transaction. This may act as a deterrent to the use of this mechanism.

3. Excepted Foreign States and Excepted Investors

FIRRMA issued a high-level directive13 to limit the application of CFIUS to particular groups of investors, thereby reining in the expanded jurisdiction but leaving CFIUS to develop these limitations. CFIUS published the list of the initial excepted states at the time it published the final regulations on Jan. 13, 2020. It includes Australia, Canada, and the UK. However, the new rules introduce a number of requirements before an investor from an excepted sate would qualify as an "excepted investor."14 To qualify, a foreign person must have a substantial connection to an excepted foreign state and additionally not have violated certain U.S. laws, including not having submitted material misstatement to CFIUS, violated material provision of a mitigation agreement, been subject to a presidential action under section 721, violated export control laws, or been convicted of a felony in U.S.

The rule proposes that the excepted foreign state15 definition operate as a two-factor conjunctive test. First, the state must be included in a defined group of eligible foreign states, which is separately published, effectively establishing a "white list." The countries on this initial list will have two years to ensure that their national security-based foreign investment review process and bilateral cooperation with the U.S. on such a process meet the requirements of the new regulations.16 This requires the establishment of a robust process to assess foreign investments for national security risk and to facilitate coordination with the United States. Beginning Feb. 13, 2022, CFIUS may add other countries to the initial list published on Jan. 13, 2020.17

In addition, the foreign investor must ensure that the "minimum excepted ownership"18– at least 50 percent of a publicly traded company or at least 80 percent of a privately held fund or entity – is held by U.S. persons or citizens of the excepted foreign state who are not also citizens of other countries. In addition, the investor must satisfy several specific tests – including having all of its directors, observers, and 10 percent or greater owners be from an excepted foreign state19 – before it can qualify for excepted status.

We expect considerable lobbying activity both by industry groups and states regarding the white list of excepted foreign states, vying for excepted foreign state privileges.

4. Private Equity Funds

Certain exceptions apply to investment by private equity funds in a TID business. Under FIRRMA, U.S. private equity funds with foreign limited partners will not be considered foreign – and thus within the reach of CFIUS – if four conditions are met.20 First, a fund with a foreign limited partner must be managed exclusively by a general partner (or equivalent) who is not a foreign person. Second, the firm's advisory board on which the foreign person sits may not have the ability to control in any way the investment decisions of the firm. Third, the foreign person may not have the ability to control the fund, including through investment decisions, ability to approve or disapprove decisions made by the managing partner, or unilaterally determine the compensation of the general partner. Finally, the foreign person may not have access to material, nonpublic technical information.

As a corollary to this exception, if a decision by a board requires a unanimous vote by the limited partners, CFIUS may find that the foreign limited partner control the investing fund or general partner. Similarly, if the foreign limited partner has been granted negative rights, CFIUS may find sufficient control by the foreign person to justify a review, regardless of whether the rights are exercised.

This treatment of private equity funds is in line with CFIUS' well-established practices and prior regulations.

5. Penalties

FIRRMA directs CFIUS to impose certain fees on parties who violate the CFIUS review process. Any person who submits a material misstatement or omission in a declaration or notice, or who makes certain other false statements, may be liable for a civil penalty of up to $250,000 per violation.21 Any person who fails to comply with the mandatory filing procedures may be liable for a civil penalty of up to $250,000 or the value of the transaction, whichever is greater.22 Furthermore, any person who, after Dec. 22, 2018, intentionally or through gross negligence violates a material provision of a mitigation agreement entered into before Oct. 11, 2018, will also be liable for a civil penalty of up to $250,000 or the value of the transaction.23 Further guidance on penalties is expected in new rules by CFIUS.

6. Procedural Changes and Filing Fees

FIRRMA imposes a number of procedural changes to the CFIUS process. FIRRMA maintains core components of the current CFIUS three-step process for evaluating proposed or pending investments in U.S. firms, but increases the allowable time for reviews and investigations: 1) a 30-day declaration filing; 2) a 45-day national security review (from 30 days), including an expanded time limit for analysis by the Director of National Intelligence (from 20 to 30 days)24; 3) a 45-day national security investigation, with an option for a 15-day extension in extraordinary circumstances25; and 4) a 15-day presidential determination (unchanged).26 Beyond new timing requirements and decision timelines, FIRRMA introduces a filing fee of 1 percent of the transaction, not to exceed $300,000.27 Thus, the funding for CFIUS will be sourced from a $20 million annual appropriation, the filing fees, and through penalties. This funding will be critical as CFIUS estimates that under the new regime they will receive approximately 1,000 filings per year for review. New CFIUS regulations on filing fees are expected soon.

Comments from Interested Parties

As already noted, more than 60 companies and organizations submitted comments with regard to the proposed CFIUS regulations that took effect on Feb. 13, 2020. In summary, below are some of the more significant concerns of industry:

a) Definition of U.S. Business

No fewer than 10 organizations commented on the proposed definition of a U.S. business. In the original language, a U.S. business was defined as: "any entity, irrespective of the nationality of the persons that control it, engaged in interstate commerce in the United States, but only to the extent of its activities in interstate commerce." Under FIRRMA, the final clause is eliminated. It was commenters' position that the traditional jurisdiction should be maintained, as it would be counterproductive to remove that language from the definition. Businesses with no assets in the United States should not be considered U.S. businesses. Commenters also requested clarification with regard to whether an ownership interest in a U.S. business that invests in another U.S. business results in a covered transaction. CFIUS suggested "any entity, irrespective of nationality of the persons that control it, engaged in interstate commerce in the United States." Parties have until Feb. 18, 2020, to comment on this proposed definition.

b) Narrow the Scope of Sensitive Personal Data

Many organizations also commented on the scope of sensitive personal data. Biotechnology companies noted that they have access to genetic information and suggested that they be removed from the list of industries covered by the mandatory declaration requirement. Other companies requested that sensitive personal data be tailored to actual national security risks, positing that the current formulation is overbroad. In the final regulations, CFIUS declined to raise the threshold from 1 million individuals, but narrowed the definition of "genetic tests" and limited the coverage of the rule to identifiable data.

c) Foreign Excepted States

It was the position of a number of companies that "foreign excepted states" should be broadly designated, and that the definition should be clarified. Canada, the UK, Singapore, Australia, Japan, and Switzerland all requested excepted state status. Others commented that foreign excepted states should be tied to existing government lists (including all U.S. economic and military allies). There have been calls to clarify the "minimum excepted ownership" process, and suggestions that the rate be lowered from 90 percent to 75 percent. In the final regulations, CFIUS did lower the rate of minimum excepted ownership to 75 percent. Additionally, it named Australia, Canada, and the UK to an initial list of foreign excepted states.

Commenters were outraged that directors, observers, and 5 percent or greater owners of a company must be from an excepted foreign state before it can qualify for excepted status. They termed 5 percent "arbitrarily" and "unnecessarily low." They suggested either eliminating the requirement entirely, or raising the cap to at least 20 percent. In response, CFIUS revised the board member nationality criterion to allow up to 25 percent representation by foreign nationals of foreign states that are not excepted foreign states. In addition, it revised the percentage ownership limit for an individual investor in an excepted state from 5 percent to 10 percent.

d) Excepted Foreign Investor

Several companies submitted comments regarding excepted foreign investors, many indicating that the definition was too limited. Some requested clarification regarding which crimes would strip an entity of excepted foreign investor status, and whether an excepted foreign investor could be a dual-citizen. Some noted that the test for serving as an excepted investor is extremely difficult to satisfy even for well-respected investors from U.S. allied countries. Others promoted expanding the benefits awarded to excepted foreign investors, and implementing a more inclusive definition that should be based on certain criteria and not just on an excepted state. Finally, some proposed that CFIUS allow "excepted trusted investors" who are not from excepted foreign states be afforded the same excepted status. CFIUS made no changes to this rule in this regard.

e) Veto Rights v. Voting Rights

A number of companies sought to reaffirm the distinction between veto rights and voting rights, and sought a clarification of "voting interests" and the scope of "limited partner voting interest." They posited that voting interest should not include consent, veto, or other special rights, and should only include voting rights with regard to operations of the business. CFIUS made no change to this rule in response to comments.

f) Mandatory v. Voluntary Filing

Many organizations submitted comments regarding mandatory versus voluntary declarations. Most noted that the roles of the declarations should be narrowed and clarified, emphasizing that parties should be incentivized to file voluntary declarations, and that those declarations should be fast-tracked. They requested a carve-out from any mandatory filing requirements investments in early-stage research and development biotechnology companies. They expressed concern regarding the fact that CFIUS can still request a full notice after the 30-day review period and that this would inadvertently increase filing time. They further requested that the scope of the mandatory filing requirements for critical technology businesses be narrowed. Finally, they requested a clarification of the "substantial interest" requirement.

CFIUS noted in its guidance to the final published regulations that the rule integrates the mandatory declaration requirement from the Pilot Program. However, CFIUS anticipates issuing a separate notice of proposed rulemaking that would replace this requirement with a mandatory declaration requirement based upon export control licensing requirements. Additionally, in response to public comments, the rule exempts certain transactions from the critical technology mandatory declaration requirement. These exemptions relate to excepted investors, among others. According to the guidance, CFIUS anticipates that these exemptions will continue to apply even if the scope of the mandatory declaration requirement is modified.

g) Other Comments

  • Waivers: Certain organizations commented that there should be a waiver system in place from mandatory filing requirements. They suggested CFIUS create a waiver process through which a foreign person may petition to be exempted from mandatory filing requirements for a specified period, such as five years. They point out that FIRRMA creates a mechanism for this, but it does not appear in the regulations. The rule makes no change in response to these comments.
  • "Material nonpublic information": Several commenters wrote that "access" to material nonpublic information should be limited to actual access, not potential access. The rule makes no change in response to these comments.


FIRRMA and the much-awaited final regulations make a variety of sweeping changes to the CFIUS process that promise to bring more transactions under the scope of CFIUS review. These changes were implemented in response to increased national security concerns that were broadly shared by members of Congress. Although CFIUS will now be subjecting certain non-controlling investments to more scrutiny, the rules were carefully tailored so as not to stymie welcome foreign direct investment in the United States.


1 Interested persons may submit comments electronically through the federal government's eRulemaking portal or by mailing comments to: U.S. Department of the Treasury, Attention: Laura Black, Director of Investment Security Policy and International Relations, 1500 Pennsylvania Ave. NW, Washington, DC 20220.

2 New 31 C.F.R. §800.211.

3 FIRRMA §1703(a)(4)(D)(i)(I)-(III); 31 CFR §800.211(b).

4 FIRRMA §1703(a)(4)(B)(iii); new 31 C.F.R. §800.215.

5 Critical infrastructure is generally defined as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security. FIRRMA §1703(a)(5); 31 CFR §800.214. This definition closely tracks the definition of "critical infrastructure" under FINSA and prior CFIUS regulations.

6 FIRRMA §1703(a)(4)(B)(iii)(III); 31 CFR §800.248(c).

7 31 CFR §800.241.

8 31 C.F.R. 241(a).

9 FIRRMA §1705(v)(IV)(bb)(AA).

10 31 CFR §800.244.

11 FIRRMA §1706(v)(1).

12 31 CFR §800.401.

13 FIRRMA §1703(a)(4)(E).

14 31 CFR §800.219.

15 31 CFR §800.218.

16 31 C.F.R. 800.218; 31 C.F.R. 802.1001

17 See Frequently Asked Questions on Final CFIUS Regulations Implementing FIRRMA, Jan. 13, 2020

18 31 CFR §800.233,

19 19 C.F.R. 800.219(a)(3)(iv).

20 FIRRMA §1703(a)(4)(D)(iv)(I).

21 31 C.F.R. 800.901(a).

22 31 C.F.R. 800.901(b).

23 31 C.F.R. 800.901(c).

24 31 C.F.R. 800.503(b).

25 31 C.F.R. 800.508(e).

26 FIRRMA §1714.

27 FIRRMA §1723(3)

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Knight LLP | Attorney Advertising

Written by:

Holland & Knight LLP

Holland & Knight LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.