Will restrictions on competition soon be a thing of the past? The Federal Trade Commission (FTC) announced a proposed rule earlier this year that would essentially ban the use of non-compete agreements for employees and independent contractors, and require employers to rescind existing agreements. See Non-Compete Clause Rule, 88 Fed. Reg. 3482 (proposed January 19, 2023) (to be codified at 16 C.F.R. pt. 910) (“Rule”). On February 1, 2023, a bipartisan group of U.S. Senators and Representatives introduced legislation to Congress to ban the use of non-compete agreements nationwide. These bills, collectively, are titled the “Workforce Mobility Act of 2023.” See S. 220, 118th Cong. (2023); H.R. 731, 118th Cong. (2023) (together, the “Act”). The Act would restrict the use of non-compete agreements to instances of a dissolution of a partnership or the sale of a business; unlike the Rule, however, the Act would not be retroactive. Will these efforts end restrictions on competition? No, for at least four reasons.
First, neither the Rule nor the Act may ever become law. There are substantial questions as to whether the FTC has the authority to issue any nationwide rule prohibiting non-competes pursuant to Section 6(g) of the Federal Trade Commission Act, 15 U.S.C. § 46(g). See Dissenting Statement of Commissioner Christine S. Wilson Regarding the Notice of Proposed Rulemaking for the Non-Compete Clause Rule, Comm’n File No. P201200-1, 11 (Jan. 5, 2023), FTC, https://www.ftc.gov/system/files/ftc_gov/pdf/p201000noncompetewilsondissent.pdf (citing the United States Supreme Court’s West Virginia v. EPA decision, 142 S. Ct. 2587 (2022), on the major questions doctrine). While Congress indisputably has proper authority, the Act may not pass, as was the case with similar proposed legislation in 2019 and 2021.
Second, if either becomes law, expect substantial narrowing. Instead of a categorical ban on non-competes, there could be a rebuttable presumption of unlawfulness or different standards for different categories of workers. Indeed, the FTC extended the public comment period for the Rule to consider these issues, 88 Fed. Reg. 20441 (Apr. 6, 2023), specifically citing a study that examined whether employers valued the enforceability of non-compete agreements for “threshold wage” workers. Takuya Hiraiwa, Michael Lipsitz & Evan Starr, Do Firms Value Court Enforceability of Noncompete Agreements? A Revealed Preference Approach 3-4, 32 (Feb. 20, 2023 Study), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4364674.
Third, even if enacted in their present form, neither the Rule nor the Act would prohibit most non-solicitation, non-recruitment or confidentiality clauses. In fact, both lawmakers and the FTC cite the availability of trade secret protection as a factor that justifies prohibiting non-competes.
Fourth, the Rule and the Act are impractical solutions to a complex legal problem. While there is ample basis for concluding that non-competes are overused and can constitute anticompetitive restrictions on worker mobility, there is likewise reason to conclude that parties should be able to agree to such restrictions to protect legitimate interests, so long as such restrictions are narrowly tailored and agreed to without “overreaching.” Brown & Brown, Inc. v. Johnson, 25 N.Y.3d 364, 371-72 (2015).
But the Rule and Act not only do too much, they do too little. Legal scholars have long recognized that overbroad confidentiality agreements and baseless trade secret claims are improperly used as anti-competitive tools by former employers just as frequently as are restrictive covenants. See Elizabeth Smith, Eliminating Predatory Litigation in the Context of Baseless Trade Secret Claims: The Need for a More Aggressive Counterattack, 23 Santa Clara L. Rev. 1095 (1983). Nearly 40 years later, in throwing out a pharmaceutical company’s trade secret claim, a federal judge recently recognized that plaintiffs “seem to think that just about anything in the world can be a trade secret.” Trial Tr. 827:11-12, Medidata Sols., Inc. v. Veeva Sys., Inc., No. 17 Civ. 589 (JSR) (S.D.N.Y. July 15, 2022), ECF No. 826. Under that false premise, an employer “could never hire away an employee from another company because [such employee could] reveal something they had learned at their prior employment[.]” See id. at 827:13-16. While the Rule attempts to address this by treating “unusually broad in scope” confidentiality provisions as impermissible non-competes, the Rule largely fails to flesh-out this “functional test.” See 88 Fed. Reg. 3509.
But change is coming no matter its form. All companies should revisit their employment agreements, including restrictive covenants and confidentiality agreements, to ensure they are reasonably tailored to protect legitimate interests. They should also consider whether they can protect their interests with less burdensome covenants such as a limited non-solicitation agreement, reasonable confidentiality provisions, severance payments tied to compliance and/or restricted cash awards.
Companies seeking trade secret protection, not intimidation, should differentiate trade secrets from common trade information. Limit trade secret access only to those who need it; train employees how to handle the specific trade secrets and protect against theft in any manner; and implement sufficient technological controls.
Five comprehensive state data privacy statutes have taken effect in 2023 or will become effective later this year: California (effective January 1, 2023); Virginia (effective January 1, 2023); Colorado (effective July 1, 2023); Connecticut (effective July 1, 2023); and Utah (effective December 31, 2023).
Three other states have enacted comprehensive data privacy laws in the past several months: Iowa (enacted March 28, 2023; effective January 1, 2025); Indiana (enacted May 1, 2023; effective January 1, 2026); and Tennessee (enacted May 11, 2023; effective July 1, 2025). Montana is poised to become the ninth state with a comprehensive data privacy law, with its legislature having passed a data privacy statute in April 2023 that is awaiting approval by the governor. Other states may soon follow suit.
Common consumer rights in these comprehensive privacy laws include data access, data portability, data deletion, data correction and opt-out rights regarding data sales, advertising or profiling. Common business or controller obligations include data processing restrictions (such as notice or consent), consent related to children’s data, privacy notices, data security requirements, assessments, prohibiting discrimination for exercising data rights and requirements for responding to consumer requests.
Although similar, these laws have nuanced requirements and even different thresholds for applicability. Applicability is largely based on annual revenue, consumer data volume, data sale activity and a company’s business activities in the state or directed at consumers in the state. Each law may also have different compliance requirements and limited exemptions, such as for certain federally-regulated entities and/or data. Notably, these laws may apply to businesses located inside and outside the state. For example, the Virginia law may apply to a company that conducts business in the state or produces products or services targeted to Virginia residents if it meets certain data processing or sale thresholds. The Utah law, on the other hand, has an annual minimum revenue threshold of $25 million in addition to certain data processing or sale thresholds.
On November 9, 2022, the New York State Department of Financial Services released proposed amendments to its cybersecurity regulations for financial services companies. If adopted, some of the proposed amendments could take effect within 180 days.
On March 15, 2023, the U.S. Securities and Exchange Commission proposed new cybersecurity rules that would apply to a broad range of market participants that include certain broker-dealers, clearing agencies, security-based swap participants, national securities associations and national securities exchanges. New requirements may include certain written policies and procedures, annual reviews, cybersecurity event reporting and recordkeeping. Proposed cybersecurity rules for investment advisers and investment companies are also pending.
Businesses should be mindful of the constantly evolving landscape of data security and privacy, and examine whether their existing policies, procedures, vendor contracts and data security posture comply with existing, as well as new and emerging laws and regulations.
If you seek additional information about restrictive covenants and/or choice-of-law provisions, please contact Preston L. Zarlock, partner and co-leader of Phillips Lytle’s Commercial Litigation Practice Team, at (716) 847-5496 or pzarlock@phillipslytle.com or Ryan Schelwat at (716) 847-7097 or rschelwat@phillipslytle.com.
Receive firm communications, legal news and industry alerts delivered to your inbox.
Subscribe Now