Design-Code Laws: The Future of Children’s Privacy or White Noise?

Design-Code Laws: The Future of Children's Privacy or White Noise?

In recent weeks, there has been significant buzz around the progression of legislation aimed at restricting minors’ use of social media. This trend has been ongoing for years but continues to face resistance. This is largely due to strong arguments that all-out bans on social media use not only infringe on a minor’s First Amendment rights but, in many cases, also create an environment that allows for the violation of that minor’s privacy.

Although companies subject to these laws must be wary of the potential ramifications and challenges if such legislation is enacted, these concerns should be integrated into product development rather than driving business decisions.

Design-Code Laws

A parallel trend emerging in children’s privacy is an influx in legislation aimed at mandating companies to proactively consider the best interest of minors as they design their websites (Design-Code Laws). These Design-Code Laws would require companies to implement and maintain controls to minimize harms that minors could face using their offerings.

At the federal level, although not exclusively a Design-Code Law, the Kids Online Safety Act (KOSA) included similar elements, and like those proposed bills, placed the responsibility on covered platforms to protect children from potential harms arising from their offerings. Specifically, KOSA introduced the concept of “duty of care,” wherein covered platforms would be required to act in the best interests of minors under 18 and protect them from online harms. Additionally, KOSA would require covered platforms to adhere to multiple design requirements, including enabling default safeguard settings for minors and providing parents with tools to manage and monitor their children’s online activity. Although the bill has seemed to slow as supporters try to account for prospective challenges in each subsequent draft of the law, the bill remains active and has received renewed support from members of the current administration.

At the state level, there is more activity around Design-Code Laws, with both California and Maryland enacting legislation. California’s law, which was enacted in 2022, has yet to go into effect and continues to face opposition largely centered around the law’s alleged violation of the First Amendment. Similarly, Maryland’s 2024 law is currently being challenged. Nonetheless, seven other states (Illinois, Nebraska, New Mexico, Michigan, Minnesota, South Carolina and Vermont) have introduced similar Design-Code Laws, each taking into consideration challenges that other states have faced and attempting to further tailor the language to withstand those challenges while still addressing the core issue of protecting minors online.

Why Does This Matter?

While opposition to laws banning social media use for minors has demonstrated success in the bright line rule restricting social media use, Design-Code Laws not only have stronger support, but they will also likely continue to evolve to withstand challenges over time. Although it’s unclear exactly where the Design-Code Laws will end up (which states will enact them, which will withstand challenges and what the core elements of the laws that withstand challenges will be), the following trends are clear:

  • There is a desire to regulate how companies collect data from or target their offerings to minors in order to protect this audience. The scope of the Design-Code Laws often does not stop at social media companies, rather, the law is intended to regulate those companies that provide an online offering that is likely to be accessed by children under the age of 18. Given the nature and accessibility of the web, many more companies will be within the scope of this law than the hotly contested laws banning social media use.
  • These laws bring the issue of conducting data privacy impact assessments (DPIAs) to the forefront. Already mandated by various state and international data protection laws, DPIA requirements compel companies to establish processes to proactively identify, assess and mitigate risks associated with processing personal information. Companies dealing with minor data in these jurisdictions will need to:
    • Create a DPIA process if they do not have one.
    • Build in additional time in their product development cycle to conduct a DPIA and address the findings.
    • Consider how to treat product roll-out in jurisdictions that do not have the same stringent requirements as those that have implemented Design-Code Laws.

As attention to children’s privacy continues to escalate, particularly on the state level, companies must continue to be vigilant and proactive in how they address these concerns. Although the enactment of these laws may seem far off with continued challenges, the emerging trends are clear. Proactively creating processes will mitigate the effects these laws may have on existing offerings and will also allow a company to slowly build out processes that are both effective and minimize the burden on the business.

Varnum’s Data Privacy and Cybersecurity Team is closely monitoring these legislative developments and stands ready to guide clients through the complexities of the new regulations. Should these laws be enacted, businesses will need to swiftly adapt to avoid legal risks and ensure they are effectively protecting the rights and safety of younger users.

Two Employer-Friendly ACA Changes

Two Employer-Friendly ACA Changes

Two recent developments make significant changes to Affordable Care Act (ACA) compliance, both effective immediately and offering important benefits for employers. 

Providing Forms 1095 to Employees

Since ACA was first implemented, employers have been required to report their offers of health care coverage to employees by filing Form 1095-B or 1095-C with the IRS and providing a copy of the form to employees.

Beginning with the 2024 tax year, which the reporting forms were set to be distributed in early 2025, employers are no longer required to automatically provide these forms to employees, provided two requirements are met. First, employers must notify employees that the employer will no longer automatically provide Form 1095, including a statement saying employees may request a copy and instructions on how to do so. Second, employers must provide a copy of Form 1095 to any employee who requests it, within 30 days of the request.

Note that employers must still file Form 1094 and Form 1095 with the IRS; this new rule simply relieves the responsibility to provide a copy to employees. Employers who wish to take advantage of the new rule should continue to coordinate with their service providers to ensure that Forms 1095 are prepared in time for filing to the IRS, and available to provide to employees upon request. This change may help employers save on the cost and administrative responsibility of sending the forms to each employee.

ACA Penalty Statute of Limitations 

Congress has also established a new six-year statute of limitations for employer penalty assessments under the ACA. While this may seem lengthy, especially considering the common three-year statute of limitations that applies to many tax assessments, the IRS had previously taken the position that there was no statute of limitations because Forms 1094 and 1095 were not tax returns.

This change is particularly important due to frequent delays between an employer’s alleged failure to comply with ACA requirements and the IRS’s notification of a proposed penalty assessment. This delay could be multiple years, meaning that if an employer had a systematic issue regarding its offers of coverage or reporting, penalties could be assessed for several years before the employer was notified that a change was necessary for compliance. Especially in corporate transactions, this change will help provide clarity and limit exposure for ACA compliance. 

If you have questions or want assistance with ACA compliance, contact a member of our Employee Benefits Practice Team

The Impact of AI Regulations on Insurtech

The Impact of AI Regulations on Insurtech

Insurtech is steeped in artificial intelligence (AI), leveraging the technology to improve insurance marketing, sales, underwriting, claims processing, fraud detection and more. Insurtech companies are likely only scratching the surface of what is possible in these areas. In parallel, the regulation of AI is expected to create additional legal considerations at each step of the design, deployment and operation of AI systems working in these contexts. 

Legal Considerations and AI Exposure

As with data privacy regulations, the answer to the question “Which AI laws apply?” is highly fact-specific and often dependent on the model’s exposure or data input. Applicable laws tend to trigger based on the types of data or location of the individuals whose data is leveraged in training the models rather than the location of the designer or deployer. As a result, unless a model’s use is strictly narrowed to a single jurisdiction, there is likely to be exposure to several overlapping regulations (in addition to data privacy concerns) impacting the design and deployment of an Insurtech AI model. 

Managing Regulatory Risk in AI Design

Given this complexity, the breadth of an Insurtech AI model’s exposure can be an important threshold design consideration. Companies should adequately assess the level of risk from the perspective of limiting unnecessary regulatory oversight or creating the potential for regulatory liabilities, such as penalties or fines. For instance, an Insurtech company leveraging AI should consider if the model in question is intended to be used for domestic insurance matters only and if there is value in leveraging data related to international data subjects. Taking steps to ensure that the model has no exposure to international data subjects can limit the application of extraterritorial, international laws governing AI and minimize the potential risk of leveraging an AI solution. On the other hand, if exposure to the broadest possible data is desirable from an operations standpoint, for instance, to augment training data, companies need to be aware of the legal ramifications of such decisions before making them. 

Recent State-Level AI Legislation

In 2024, several U.S. states passed AI laws governing the technology’s use, several of which can impact Insurtech developers and deployers. Notably, state-level AI bills are not uniform. These laws range from comprehensive regulatory frameworks, such as Colorado’s Artificial Intelligence Act, to narrower disclosure-based laws such as California’s AB 2013, which will require AI developers to publicly post documentation detailing their model’s training data. Several additional bills relating to AI regulation are already pending in 2025, including:

  • Massachusetts’ HD 3750: Would require health insurers to disclose the AI use including, but not limited to, in the claims review process and submit annual reports regarding training sets as well as an attestation regarding bias minimization.
  • Virginia’s HB 2094: Known as the High-Risk Artificial Intelligence Developer and Deployer Act, would require the implementation of a risk management policy and program for “high-risk artificial intelligence systems,” defined to include “any artificial intelligence system that is specifically intended to autonomously make, or be a substantial factor in making, a consequential decision (subject to certain exceptions).
  • Illinois’ HB 3506: Among other things, this bill would require developers to publish risk assessment reports every 90 days and to complete annual third-party audits.

The Growing Importance of Compliance

With the federal government’s evident step back in pursuing an overarching AI regulation, businesses can expect state authorities to take the lead in AI regulation and enforcement. Given the broad and often consequential use of AI in the Insurtech context, and the expectation that this use will only increase over time given its utility, businesses in this space are advised to keep a close watch on current and pending AI laws to ensure compliance. Non-compliance can raise exposure not only to state regulators tasked with enforcing these regulations but also potentially to direct consumer lawsuits. As noted in our prior advisory, being well-positioned for compliance is also imperative for the market from a transactional perspective. 

The Insurtech space is growing in parallel with the expanding patchwork of U.S. AI regulations. Prudent growth in the industry requires awareness of the associated legal dynamics, including emerging regulatory concepts across the nation. Varnum’s Data Privacy and Cybersecurity Practice Team continues to monitor these developments and assess their impact on the Insurtech industry to help your business stay one step ahead.  

Governor Whitmer Signs New Minimum Wage Law

Governor Whitmer Signs New Minimum Wage Law

On February 21, 2025, Governor Gretchen Whitmer signed legislation that preserves Michigan’s tip credit and scales back an increase to the state’s minimum wage. On Wednesday, February 19, 2025, just days before this legislation and the new Earned Sick Time Act (ESTA) were set to take effect, amendments to the minimum wage law received final approval from both the House and Senate. As a result, Governor Whitmer signed both pieces of legislation into law. For more information about changes to ESTA, see Varnum’s advisory here.  

Under the amendments to the minimum wage law, the new minimum hourly wage rate is:

Hourly Rate
Effective Date
$12.48
February 21, 2025
$13.73
January 1, 2026
$15.00
January 1, 2027

The new minimum hourly wage rate for tipped employees is:

Hourly Wage Rate
Effective Date
38% of the minimum hourly wage rate
February 21, 2025
40% of the minimum hourly wage rate
January 1, 2026
42% of the minimum hourly wage rate
January 1, 2027
44% of the minimum hourly wage rate
January 1, 2028
46% of the minimum hourly wage rate
January 1, 2029
48% of the minimum hourly wage rate
January 1, 2030
50% of the minimum hourly wage rate
January 1, 2031

The bill also stipulates that beginning in October 2027, the state’s minimum wage must increase based on the rate of inflation. The state treasurer will calculate the increase by multiplying the otherwise applicable minimum wage by the 12-month percentage increase, if any, in the Consumer Price Index for the Midwest region, CPI-U or a successor index as published by the Bureau of Labor Statistics.

Additionally, the bill transfers oversight from the Department of Licensing and Regulatory Affairs to the Department of Labor and Economic Opportunity. It also subjects employers to a civil fine of no more than $2,500 for failing to pay the minimum hourly wage to employees who receive gratuities in the course of their employment.

Contact your Varnum labor and employment attorney for guidance on compliance with either of these laws. 

Michigan’s Earned Sick Time Act Amended: Employer Takeaways

Michigan's Earned Sick Time Act Amended: Employer Takeaways

On February 20, 2025, Michigan lawmakers voted to amend the Earned Sick Time Act (ESTA) to provide greater clarity and flexibility to both employees and employers with respect to paid time off, taking immediate effect. This action followed earlier votes this week by the Michigan legislature on the minimum wage law. Governor Whitmer has now signed both pieces of legislation into law. For more information about changes to the minimum wage law,
see our advisory here.

Key Changes to ESTA as of February 21, 2025:

  • Employers are expressly permitted to frontload at least 72 hours of paid sick time per year, for immediate use, to satisfy ESTA’s leave requirement. Employers who frontload hours do not need to carry over unused paid sick time year to year and do not have to calculate and track the accrual of paid sick time for full-time employees. For part-time employees, frontloading in lieu of carryover is also an option, including frontloading a prorated number of hours. Employers choosing to frontload a prorated amount must follow notice, award amount, and true-up requirements. 
  • If paid sick time is not frontloaded, employees still must accrue 1 hour of paid sick leave for every 30 hours worked, but employers may cap usage at 72 hours per year. Only 72 hours of unused paid sick time is required to roll over from year to year for employers who provide leave via accrual.
  • New hires can be required to wait until 120 days of employment before they can use accrued paid sick time, which could potentially benefit seasonal employers. This waiting period appears to be permitted for frontloading and accruing employers alike, although the bill’s language with respect to frontloading employers is somewhat unclear. This may be an issue for clarification by the Department of Labor and Economic Opportunity, which under the amendment will be responsible for all enforcement of the law.
  • ESTA now provides several exemptions, including:
    • An individual who follows a policy allowing them to schedule their own hours and prohibits the employer from taking adverse personnel action if the individual does not schedule a minimum number of working hours is no longer an “employee” under ESTA.
    • Unpaid trainees or unpaid interns are now exempt from ESTA.
    • Individuals employed in accordance with the Youth Employment Standards Act, MCL 409.101-.124, are also exempt from ESTA.
  • Small businesses, defined as those with 10 or fewer employees, are only required to provide up to 40 hours of paid earned sick time. The additional 32 hours of unpaid leave, required under the original version of ESTA, is no longer required. Small businesses, like other employers, are permitted to provide leave via a frontload of this entire applicable amount or to provide the time via accrual. If small businesses use the accrual method (1 hour of paid sick time for every 30 hours worked), they may cap paid sick time usage at 40 hours per year and only permit carryover of up to 40 hours of unused paid sick time year to year. Small businesses have until October 1, 2025, to comply with several ESTA requirements, including the accrual or frontloading of paid earned sick time and the calculation and/or tracking of earned sick time.
  • Employers can now use a single paid time off (PTO) policy to satisfy ESTA. Earned sick time may be combined with other forms of PTO, as long as the amount of paid leave provided meets or exceeds what is otherwise required under ESTA. The paid leave may be used for ESTA purposes or for any other purpose.
  • The amendments clarify that an employee’s normal hourly rate for ESTA purposes does not include overtime pay, holiday pay, bonuses, commissions, supplemental pay, piece-rate pay, tips or gratuities
  • The amendments specify that the Department of Labor and Economic Opportunity is responsible for enforcement of the Act. Prior provisions that included a private right of action for employees to sue their employers for possible ESTA violations have been removed.
  • The amendments remove a “rebuttable presumption” of retaliation that was contained in the original Act.
  • ESTA now permits employers to choose between one-hour increments or the smallest increment used to track absences as the minimum increment for using earned sick time.  

The amendments allow a means for employers to require compliance with absence reporting guidelines for unforeseeable ESTA use. To do this, an employer must comply with steps outlined in the amendment including disclosure of such requirements to employees in writing.

  • The amendments specify that employers must provide written notice to employees including specified information about the Act within 30 days of the effective date. This would mean a date of March 23, 2025.
  • The amendments allow for postponement of the effective date of ESTA for employees covered by a collective bargaining agreement that “conflicts” with the Act. The effective date for such employees is the expiration date of the current collective bargaining agreement.
  • The amendments likewise allow for the postponement of ESTA’s effective date for employees who are party to existing written employment agreements that “prevent compliance” with the Act. Reliance on such provisions requires notification to the state. 

Ongoing Ambiguities and Clarifications Needed:

  • The amended law continues to contain a provision requiring the display of a poster from the Department of Labor and Economic Growth, which appears to be effective immediately upon the date the bill is signed into law. Employers are advised to update their posters accordingly.
  • The statute’s reference to “conflict” between a collective bargaining agreement and ESTA is not well defined, including how this provision will apply to a collective bargaining agreement that, perhaps intentionally through prior negotiations, includes no current provisions for sick time. 
  • Whether the amended law is intended to exclude nonprofit organizations from the scope of covered employers is unclear. The reference to nonprofits was stricken, but there is no affirmative language excluding them from the broad “employer” definition that remains in the law.
  • The availability of a 120-day waiting period for a frontloading employer is somewhat unclear, due to the provisions that frontloaded time must be “available for immediate use.”
  • The date employees may first use earned sick time, in relation to the time frame for employers to finalize and issue policies, would benefit from clarification. The amendment states that accrual begins on the effective date of the Act, and time may be used “when it is accrued.” However, employers appear to have a 30-day time frame to finalize and issue policies defining how they choose to provide ESTA’s benefits.
  • The extent of employer recordkeeping and/or inspection obligations are unclear under the current law. Previous provisions detailing such requirements are no longer included.

Varnum’s labor and employment attorneys are continuing to monitor developments with these new and amended laws. Please contact a member of our Labor and Employment Team for guidance on compliance with ESTA, the minimum wage law and best practices moving forward. 

ESTA Amendment Submitted to Gov. Whitmer- What it Means for Employers This Morning

READ THE LATEST ON THE ESTA

The Michigan House and Senate recently agreed on bills to amend both the Michigan Improved Workforce Opportunity Wage Act and the Earned Sick Time Act (ESTA). The bills have been submitted to Governor Whitmer for signature.  

Varnum attorneys are analyzing these changes that are expected to be approved and signed into law. Stay tuned for a more comprehensive advisory regarding these changes to follow.

In the meantime, employers who planned to roll out ESTA policies and programs today should pause their efforts in light of this development. The ESTA amendments may impact many employer policies and approaches to ESTA compliance. More will be clear shortly based on the Governor’s review and analysis of the changes.

Varnum’s Labor and Employment Practice Team will continue to monitor updates and action on these bills.

U.S. Senate Advances KOSMA Bill Targeting Social Media Use by Minors

U.S. Senate Advances KOSMA Bill Targeting Social Media Use by Minors

Varnum Viewpoints:

KOSMA Restrictions: The Kids Off Social Media Act (KOSMA) aims to ban social media for kids under 13 and limit targeted ads for users under 17.

Bipartisan Support & Opposition: While KOSMA has bipartisan backing, critics argue it could infringe on privacy and First Amendment rights.

Business Impact: KOSMA could affect companies targeting minors, requiring compliance with new privacy regulations alongside existing laws like COPPA.

While COPPA 2.0 and KOSA are discussed more frequently when it comes to protecting the privacy of minors online, the U.S. Senate is advancing new legislation aimed at regulating social media use by those 17 and under. In early February, the Senate Committee on Commerce, Science and Transportation voted to advance the Kids Off Social Media Act (KOSMA), bringing it closer to a full Senate vote.

KOSMA Restrictions

KOSMA would prohibit children under 13 from accessing social media. Additionally, social media companies would be prohibited from leveraging algorithms to promote targeted advertising or personalized content to users under 17. Further, schools receiving federal funding would be required to limit the use of social media on their networks. The bill would also grant enforcement authority to the Federal Trade Commission and state attorneys general.

Bipartisan Support & Opposition

KOSMA has received bipartisan support, with advocates such as Senator Brian Schatz (D-HI), who introduced the bill in January, citing the growing mental health crisis amongst minors due to social media use. Supporters argue that while existing laws like COPPA protect children’s data, they do not adequately address the considerations of social media since they predate the platforms. However, much like similar state laws that have come before it, KOSMA is rife with opposition as well. Opponents argue that this type of regulation could erode privacy and impose unconstitutional restrictions on young people’s ability to engage online. Instituting a ban as opposed to mandating appropriate safeguards, opponents argue, infringes on First Amendment rights.

Business Impact

Although KOSMA only applies to “social media platforms,” the definition of this term could be interpreted broadly and potentially include many companies that publish user-generated content within the scope of KOSMA’s restrictions. KOSMA identifies specific types of companies that would be exempt from the definition of social media platforms, such as teleconferencing platforms or news outlets. If KOSMA were to go into effect, companies across the country that are knowingly collecting data from minors or targeting them with personalized content or advertising would have an additional layer of regulatory consideration when assessing their privacy practices pertaining to the processing of data related to minors—on top of existing federal and state laws.

Varnum’s Data Privacy and Cybersecurity team is well-equipped to help companies navigate these challenges, ensure compliance with evolving privacy laws, and safeguard the rights and safety of younger users. Please contact us if you have questions on the myriad of children’s privacy laws and how they may apply to your company’s practices.

Corporate Transparency Act’s Reporting Obligations Revived

Corporate Transparency Act's Reporting Requirements Revived

Once again, Beneficial Ownership Information (BOI) reporting obligations under the Corporate Transparency Act (CTA) have been revived. On February 17, a federal judge lifted the stay he had ordered on January 7 in Smith v. U.S. Department of the Treasury, 6:24-cv-00336 (E.D. Tex.), which had prevented the Government from enforcing the BOI Rule on a nationwide basis.

On February 18, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) released a notice that announced the following key updates:

  1. Unless subject to a later deadline, the new deadline to file an initial, updated and/or corrected BOI report with FinCEN is now March 21, 2025.
  2. Before March 21, 2025, FinCEN may “further modify deadlines” for entities that do not pose significant national security risks. If FinCEN does so, it will provide yet another update “recognizing that reporting companies may need additional time to comply[.]”
  3. Importantly, “FinCEN also intends to initiate a process this year to revise the BOI reporting rule to reduce burden for lower-risk entities, including many U.S. small businesses.” This is the strongest signal yet that the current Administration will seek formal amendments to the BOI Rule, although no details regarding proposed changes have been publicly released.

Businesses and others impacted by the CTA should prepare now to meet the March 21 deadline.

In the meantime, numerous cases challenging the CTA, including Smith, will continue to work their way through the legal process and Congress might take preemptive action. On February 10, the U.S. House of Representatives unanimously passed H.R.736, which would give FinCEN authority to extend the compliance deadline for pre-2024 reporting companies to January 1, 2026. A companion bill in the U.S. Senate. Bills to repeal the CTA remain pending as well.

Varnum’s CTA Taskforce is closely tracking these developments and will provide updates as they become available. For background on BOI reporting, please refer to Varnum’s CTA Resource Center.