Author: Jessica S. High

In 2020, the California State Legislature passed the California Consumer Financial Protection Law (“CCFPL’) as AB 1864. This law provided the Department of Financial Protection and Innovation (“DFPI”) with authority to oversee several areas of the financial marketplace, including private postsecondary education financing. 

DFPI recently finalized new regulations requiring providers of postsecondary education financing to register and submit data to DFPI. Providers subject to registration requirements must file an application by February 15, 2025. 

The DFPI is requesting all postsecondary institutions to do one of the following:

•  If you are a postsecondary institution that offers or provides education financing to California residents and required to register, please file an application for CCFPL registration by February 15, 2025, to continue operating legally in the state.

•   If you are a postsecondary institution that offers or provides education financing to California residents through a partnership with a third-party, please alert any third party partners of this registration requirement and send an email to CCFPL. CCFPL.Inquiries@dfpi.ca.gov explaining why you do not intend to register.

•  If you are a postsecondary institution that is not subject to this registration requirement, please send an email to CCFPL.Inquiries@dfpi.ca.gov explaining why you do not intend to register.

Under the CCFPL, no person shall engage in the business of offering or providing postsecondary education financing to California residents without first registering with the DFPI. Postsecondary institutions should contact counsel to determine if its educational financing (including providing institutional loans) triggers registration. 

On January 9, 2025, a federal court vacated the Biden administration’s 2024 Title IX rule, effectively reinstating the 2020 regulations nationwide.

The 2024 Title IX rule was subject to litigation after it went into effect on August 1, 2024, and was enjoined in more than half of the country. This January 9 final decision from the Eastern District of Kentucky resolves the uncertainty that resulted from the various temporary injunctions in place since the 2024 Title IX rule went into effect.

The court’s decision to invalidate the 2024 Title IX rule was based on a number of reasons, including that the U.S. Department of Education exceeded its statutory authority in expanding the definition of “on the basis of sex” to include gender identity and sexual orientation. Because the 2024 Title IX rule was vacated and cannot be applied to “all who would otherwise be subject to its operation[,]” the rule is vacated on a nationwide basis. The ruling could be appealed, but given the imminent transition to a new administration, it is unlikely that the decision will be appealed.

Our current understanding is that the 2020 Title IX rule (which went into effect during President-elect Trump’s first administration) is now controlling. The 2020 Title IX regulations include:

• A definition for “sexual harassment” and the requirement that complaints be formal complaints;
• Grievance procedures that contain a live hearing with cross-examination;
• Publication of training materials and certain contact information; and
• A narrowing of reporting obligations for individuals with knowledge of sexual misconduct.

About Duane Morris

Duane Morris attorneys are available to help institutions review the 2020 Title IX rule regulations and discuss the impact on polices, publications and training. We will continue to monitor this matter and will provide further updates.

For More Information

If you have any questions about this Alert, please contact any of the attorneys in our Higher Education Group or the attorney in the firm with whom you are regularly in contact.

Non-compete agreements are unenforceable in California unless given in connection with the sale of a business, sale of equity in a business or dissolution of a partnership or LLC.  Effective January 1, 2024, Business and Professions Code 16600 has been amended (and section 16600.1 has been added) to make clear that these provisions are unenforceable and require businesses to notify current and former employees.

Business and Professions Code 16600 has been amended to make clear that it is impermissible to include non-compete provisions in any employment agreement or to attempt to enforce them. Business and Professions Code section 16600.1 has been added requiring an employer that has included these restrictions in employment agreements in the past to notify the employees or former employees in writing that these restrictive covenants will not be enforced.  This is an affirmative obligation, and the notification must be individually addressed and sent by February 14, 2024.

Persons who need to be notified are current and former employees who have or had an agreement with the company that contained impermissible noncompete or nonsolicit restrictions, and who worked for the company for any period of time after January 1, 2022.

A failure to send the notice is declared in 16600.1 to be an act of unfair competition.

Please see the Duane Morris Client Alert for additional details.

If you are a Title IV institution, compliance with the revised Safeguards Rule and implementation of the data security controls set forth in the revised Rule is now a required segment of your annual financial audit.

The Federal Trade Commission’s (FTC) amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) became effective on June 9, 2023. The comprehensive amendment updated data security requirements for financial institutions, including all Title IV institutions of higher education. The U.S. Department of Education has increased enforcement authority by requiring auditors to verify an institution’s compliance with components of the Safeguard Rule.

In March, the U.S. Department updated the Guide for Financial Statement Audits of Propriety Schools and For Compliance Attestation Examination Engagements of Proprietary Schools and Third-Party Servicers Administering Title IV Programs (“Audit Guide”). The Audit Guide is effective for fiscal years beginning on or after January 1, 2023, and will be in place for all audits conducted in 2024 and beyond.

The Audit Guide reinforces that Title IV institutions must adhere to the strict cybersecurity requirements set forth in the Safeguards Rule including a requirement to “develop, implement, and maintain a written, comprehensive information security program.” The objective is to “Determine whether the school designated an individual to oversee, implement, and enforce the school’s information security program and whether the school’s written information security program addresses six additional required elements.”

In addition to verifying that the institution has designated a qualified individual, the auditor must also verify:

1.     The information security program is based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks;

2.     Design and implementation of eight safeguards set forth in the regulation to control the risks the school or servicer identifies through its risk assessment;

3.     Regular testing or otherwise monitoring the effectiveness of the safeguards implemented;

4.     Implementation of policies and procedures to ensure that personnel are able to enact the information security program;

5.     How the school or servicer will oversee its information system service providers; and

6.     The evaluation and adjustment of an institution’s information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the information security program.

An institution’s failure to implement an information security program with the required elements by June 9, 2023 (the effective date of the Safeguards Rule) may result in an audit finding. If an institution has not implemented an information security program with the required elements by December 31, 2023, the institution will receive an audit finding and must submit a Corrective Action Plan (“CAP”). Moreover, FSA’s Cybersecurity Team and the Federal Trade Commission (FTC) will be informed of the audit findings regarding the Safeguards Rule and may request additional information to assess the level of risk to student data.

In an Electronic Announcement issued in February 2023 regarding cybersecurity compliance, the Department stated that a finding of non-compliance will be resolved as part of the Department’s determination of an institution’s administrative capability. Additionally, repeated non-compliance may result in administrative action impacting Title IV participation.

On April 6, 2023, the U.S. Deptartment of Education released a new Notice of Proposed Rulemaking (“NPRM”) on Title IX.  This NPRM focuses on the application of Title IX to gender in student sports.

The current Title IX rule (last amended in 2020 under the Trump Administration) does not expressly address the criteria a school should use to determine eligibility to participate on a male or female athletic team. This NPRM proposes to change that and “would establish that policies violate Title IX when they categorically ban transgender students from participating on sports teams consistent with their gender identity.” However, in the NPRM, the Department states that it recognizes that in some instances, “particularly in competitive high school and college athletic environments, some schools may adopt policies that limit transgender students’ participation.” Through the proposed rule, the Department is attempting to provide schools with a “framework for developing eligibility criteria to protect students from being denied equal athletic opportunity, while giving schools the flexibility to develop their own participation policies.” 

Under the proposed framework, a one-size-fits-all policy banning transgender students from participating in athletics consistent with their gender identity is prohibited. The proposed regulation would be in the Title IX regulations at section 106.41(b)(2): 

“If a recipient adopts or applies sex-related criteria that would limit or deny a student’s eligibility to participate on a male or female team consistent with their gender identity, such criteria must, for each sport, level of competition, and grade or education level: (i) be substantially related to the achievement of an important educational objective, and (ii) minimize harms to students whose opportunity to participate on a male or female team consistent with their gender identity would be limited or denied.”

This NPRM will be open for public comment for 30 days from publication in the Federal Register and we expect comments to be strongly divided. Once the comment period closes, the Department will review the comments received and will either proceed with the rule as proposed, issue a new modified proposal or withdraw the proposal. 

Student Test Taker Privacy Protection Act (SB-1172), limits the collection of personal data by proctoring services. The pandemic created a surge of online-proctoring services which utilize various types of personal information, such as a driver’s license, other identification and/or biometric data, to verify a student’s identity during a proctored exam. SB-1172 seeks to establish data protections for the online test taker. The Act prohibits a proctoring service from collecting, retaining, using, or disclosing personal information except to the extent necessary to provide the proctoring services. 

Most higher education institutions use outside proctoring services (such as Proctorio, ProctorU, Exmanity and ExamSoft) to administer proctored online exams so the institutions would be directly responsible for regulating the information collected. However, higher education institutions should take steps to ensure that the proctoring services utilized adhere to the bill’s restrictions. Current proctoring service contracts should be analyzed and likely amended to at a minimum include that the service provider will not collect, retain, use or disclose student personal information except to the extent necessary to provide the proctoring services.   

Last year, the Federal Trade Commission (FTC) amended the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). The comprehensive amendment updated data security requirements for financial institutions, including all Title IV institutions of higher education. In response to reports of personnel shortages and supply chain issues, on November 15, 2022, the FTC announced that it has extended the compliance deadline by six months (to June 9, 2023) for provisions of the rule that were originally to become effective on December 9, 2022. 

The GLBA is a federal law enforced by the FTC. It governs financial institutions regarding their use and collection of customer personally identifiable information. The specific cybersecurity requirements of the GLBA are set forth in the Safeguards Rule. The U.S. Department of Education―via the Program Participation Agreement, several Dear Colleague Letters, the FSA Handbook and the audit guide―has made it clear that Title IV schools are considered financial institutions and subject to the legal obligations to protect student information required under the GLBA. As such, Title IV schools must meet these strengthened security requirements to better protect consumer (student) financial information.

To view details about what Safeguards Rule provisions are included in the extension, please see our Alert. 

These requirements are not policies and procedures that can be implemented overnight. Considering the shortage of qualified personnel to implement information security programs and the various supply chain issues, schools may need every bit of those six months to develop an information security program that meets the rule’s comprehensive requirements. Schools should work with legal counsel and an information security professional to draft or revise a comprehensive cybersecurity program to protect student records and ensure compliance with the updated Safeguards Rule.

On June 23, 2022, the 50^th Anniversary of the Title IX statute, the U.S. Department of Education released the Notice of Proposed Rulemaking (“NPRM”) for the Title IX rule. The proposed rule is expected to be published in the Federal Register on June 27, 2022. Following publication, interested parties will have 60 days to submit public comment. 

First, the Department proposed to amend Title IX regulations to:
• Require recipients to adopt grievance procedures that provide for the prompt and equitable resolution of complaints of sex discrimination and take other necessary steps to provide an educational environment free from sex discrimination;
• Clarify the Department’s view of the scope of Title IX’s prohibition on sex discrimination, including related to a hostile environment under the recipient’s education program or activity, as well as discrimination on the basis of sex stereotypes, sex characteristics, pregnancy or related conditions, sexual orientation, and gender identity; and
• Clarify a recipient’s obligations to students and employees who are pregnant or experiencing pregnancy-related conditions.

With regard to sex-based harassment, the proposed regulations would:
• Define sex-based harassment to include but not be limited to sexual harassment;
• Provide and clarify, as appropriate, definitions of various terms related to a recipient’s obligations to address sex discrimination, including sex-based harassment;
• Clarify how a recipient is required to take action to end any sex discrimination that has occurred in its education program or activity, prevent its recurrence, and remedy its effects; and
• Clarify a recipient’s obligations related to the grievance procedures and other necessary steps when it receives a complaint of sex discrimination. 

With regard to discrimination against individuals who are pregnant or parenting, the proposed regulations would:
• Define the term “pregnancy or related conditions” and the term “parental status,” and prohibit discrimination against students and applicants for admission or employment on the basis of current, potential, or past pregnancy or related conditions; and
• Clarify a recipient’s obligations to students and employees who are pregnant or experiencing related conditions. 

In addition, the proposed regulations would:
• Articulate the Department’s understanding that sex discrimination includes discrimination on the basis of sex stereotypes, sex characteristics, pregnancy or related conditions, sexual orientation, and gender identity;
• Clarify and streamline administrative requirements with respect to designating a Title IX Coordinator, disseminating a nondiscrimination notice, adopting grievance procedures, and recordkeeping;
• Specify that a recipient must train a range of relevant persons on the recipient’s obligations under Title IX;
• Clarify that, unless otherwise provided by Title IX or the regulations, a recipient must not carry out any otherwise permissible different treatment or separation on the basis of sex in a way that would cause more than de minimis harm, including by adopting a policy or engaging in a practice that prevents a person from participating in an education program or activity consistent with their gender identity; and
• Clarify a recipient’s obligation to address retaliation.

Duane Morris is in the process of reviewing the proposed rule in detail and will prepare bullet points and a full summary in the coming days.