On March 19, 2021, Senators Rodriguez and Lundeen introduced the Colorado Privacy Act (“CPA”) bill, which would provide additional protections for the personal data of state residents. If passed, the bill would have a far-reaching impact on businesses collecting and using personal information about Colorado residents, whether operating inside or outside the state. We will continue to monitor developments, but if you have any questions or would like to discuss specific issues in the bill, please reach out to Camila Tobón.

Davis Graham will be hosting a webinar to discuss the bill on Tuesday, April 13, 2021 from noon to 1 p.m. You can register here.

To whom does the CPA bill apply?

The CPA aims to protect the personal data of “consumers,” which means a natural person who is a Colorado resident acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.

The CPA refers to “controllers” and “processors.” A controller determines the purposes and means of processing personal data. A processor processes personal data on behalf of the controller. The CPA bill also introduces the concept of a “third party,” which is defined as “a person, public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or the controller.”

To be subject to the CPA, legal entities would have to:

1. Conduct business in Colorado or produce products or services that are intentionally targeted to Colorado residents; and
2. Either:
   1. Control or process the personal data of 100,000 consumers or more during a calendar year; or
   2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more.

What does the CPA bill protect?

The CPA bill protects “personal data,” which means any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include deidentified data or publicly available information.

The CPA bill excepts certain data sets, including:

• “Protected health information” and other listed patient and health information, as well as information maintained in the same manner by covered entities, business associates, health care facilities or health care providers, and a program or qualified service organization as defined in 42 C.F.R. § 2.11;
• Personal data bearing on a consumer’s creditworthiness that is regulated by the Fair Credit Reporting Act and processed by a consumer reporting agency, a furnisher of information, or a user of a consumer report;
• Personal data collected, processed, sold, or disclosed pursuant to the Gramm Leach Bliley Act (GLBA);
• Personal data collected, processed, sold, or disclosed pursuant to the federal Driver’s Privacy Protection Act;
• Personal data regulated by the federal Children’s Online Privacy Protection Act and the federal Family Educational Rights and Privacy Act; and
• Data maintained for employment records purposes.

The CPA bill also includes an entity-level exemption for financial institutions or affiliates of a financial institution that are subject to the GLBA. Any personal data processed by these entities would be out of scope of the CPA bill, not just the personal data handled pursuant to the GLBA and its implementing regulations.

Does the CPA define “sale” of personal data?

The CPA defines “sale” as the exchange of personal data for monetary or other consideration by a controller to a third party for purposes of licensing or selling personal data at the third party’s discretion to additional third parties. It includes several exceptions:

• Disclosing data to a processor that processes personal data on behalf of the controller;
• Disclosing personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with a consumer’s reasonable expectations considering the context in which the consumer provided the personal data to the controller;
• The disclosure or transfer of personal data to an affiliate of the controller; or
• The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

What consumer rights does the CPA bill provide?

The CPA would provide consumers with the following rights:

• The right to opt-out of the processing of personal data concerning the consumer, including the right to authorize another person to opt-out of personal data processing for purposes of targeted advertising or “sale” of the consumer’s personal data.
• The right to confirm whether a controller is processing personal data concerning the consumer and access to those data.
• The right to correct inaccurate personal data collected from the consumer.
• The right to delete personal data concerning the consumer.
• The right to obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance (data portability). This right may be exercised no more than twice per calendar year.

Controllers would have 45 days to respond to requests to exercise consumer rights, which could be extended to 90 days where reasonably necessary. Controllers must provide information free of charge except that a fee (to be calculated pursuant to the state public records statute) may be charged for the second or subsequent request within a twelve-month period.

The CPA bill requires controllers to establish an internal process for consumers to appeal a refusal to act on a request to exercise any of their consumer rights. If the consumer has concerns about the result of the appeal, they can contact the Attorney General.

What does the CPA bill require of “controllers”?

Controllers must provide consumers with a privacy notice describing the categories of personal data collected or processed, the purposes for processing, an estimate of how long personal data will be retained, how and where consumers may exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom personal data are shared. If a controller sells personal data to third parties or processes personal data for targeted advertising, it must disclose such sale or processing as well as the manner in which the consumer may exercise the right to object to such sale or processing.

Other requirements imposed on controllers include:

• Purpose specification – collection of personal data must be limited to what is reasonably necessary for the specified purpose;
• Data minimization – controllers must collect only what is reasonably necessary for the specific purpose;
• Secondary uses – controllers must avoid secondary uses that are not reasonably necessary to or compatible with the purposes for which the data are processed;
• Duty of care – controllers must employ reasonable security measures to protect personal data against unauthorized acquisition during both storage and use;
• Nondiscrimination – controllers cannot increase the cost of or decrease the availability of a product or service based solely on the exercise of a right and may not process personal data in violation of state and federal laws prohibiting unlawful discrimination against consumers.

Controllers must get consent to process “sensitive data,” which include:

• personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
• genetic or biometric data for the purpose of uniquely identifying a natural person; and
• personal data from a known child.

Controllers must also conduct data protection assessments for processing activities presenting a heightened risk of harm to consumers, which include targeted advertising or profiling; the sale of personal data; and sensitive data processing. Such data protection assessments must be made available to the Attorney General upon request.

What does the CPA bill require of “processors”?

Processors must process personal data according to the controller’s instructions and must assist controllers with the fulfillment of their obligations under the CPA. Processing by a processor must be governed by a binding contract setting out the processing instructions to which the processor is bound.

How would the CPA be enforced?

The CPA would be enforced by the Colorado Attorney General and District Attorneys. Violators would be subject to an injunction and a civil fine as specified in Colo. Rev. Stat. § 6-1-112 (setting out civil penalties in various contexts). There is no private right of action in the CPA bill.

When would the CPA take effect?

The law would take effect on January 1, 2023.

In the last decade, solar energy development has grown annually at an average rate of 49%.[1]
As more land is used for this renewable resource, increased conflicts with the owners of minerals underlying those lands are inevitable. A recent case in Texas, Lyle v. Midway Solar, LLC,[2] highlights how courts may address such conflicts. The court acknowledged that the “accommodation doctrine” may limit the rights of mineral owners to interfere with solar facilities overlaying their minerals. However, application of the doctrine to determine surface rights can only occur after the mineral owner attempts to develop its minerals.

The Facts

The Lyles own 27.5% of the mineral rights in a 315-acre tract in Pecos County, Texas derived from a 1948 Deed. Gary D. Drgac owns 100% of the surface rights in the same tract. The Lyles never leased their mineral interest to an oil and gas operator and have no current plans to develop the minerals. They commissioned no geological studies on the property and never received any offers to lease or purchase the mineral estate. In 2015, Mr. Drgac leased the surface of the property to Midway Solar, LLC (“Midway”) to build a solar energy facility on the property. Under the terms of the lease, Midway could place solar panels on the property, as well as transmission lines, electrical lines, and cable lines. The solar lease acknowledged that the minerals had been severed and identified the rights of the mineral owner as an “encumbrance” on the land.

Drgac and Midway amended the lease to identify “Designated Drillsite Tracts” for future operators to explore for and access minerals. These tracts were exempt from solar facility construction. Midway’s solar facility eventually covered 70% of the surface of the property, leaving the two drillsite tracts undisturbed. Midway obtained surface waiver agreements from adjoining mineral interest owners for purposes of accessing the property but did not obtain a waiver from the Lyles.

The Lawsuit

After construction of the facility, the Lyles sued Midway and Drgac alleging they had breached the terms of the 1948 Deed, denying reasonable access to the minerals by covering 70% of the surface with solar panels and transmission lines. The Lyles also argued that Drgac and Midway were trespassing on their mineral estate. They sought damages for trespass and breach of contract arguing that the solar facility had “destroyed and/or greatly diminished the value” of their minerals.

The Accommodation Doctrine

In Texas, a mineral estate is “dominant,” meaning the mineral owner has the right to use the surface to extract minerals using methods reasonably necessary for extraction. The mineral estate’s dominance is limited by the “accommodation doctrine,” which requires the mineral and surface estates to exercise their respective rights with due regard for the rights of the other. The surface owner carries the burden to show that (1) the mineral owner’s use of the surface completely precludes or substantially impairs the surface owner’s existing use, (2) there is no reasonable alternative method available to the surface owner by which the existing use can be continued, and (3) there are “alternative, reasonable, customary, and industry-accepted methods available to the mineral owner” to recover the minerals. If alternative methods allow mineral development without disturbing the surface owner’s existing use, the accommodation doctrine may require the adoption of that alternative method. If only one method of extracting the minerals is available, the mineral owner may pursue that method, regardless of surface damage. Parties have the right to set their own contractual terms as they see fit, provided such rights do not violate public policy.

The Lyles argued that the 1948 Deed expressly delineated the parties’ rights. The Deed states, “Grantors further reserve unto themselves, their heirs and assigns, the right to such use of the surface estate . . . as may be usual, necessary or convenient
in the use and enjoyment of the oil, gas and general mineral estate.” The Lyles argued the word “usual” evidenced the grantor’s intent to reserve the right to drill vertical wells, the “usual” method of drilling at the time the Deed was signed. Directional and horizontal drilling had not been invented. Therefore, covering 70% of the surface with solar facilities violated that contractual right and preserving small drilling pads for vertical and horizontal wells was insufficient.

The court disagreed because it did not interpret the term “usual” as applying to a specific drilling method. Rather, it referred more generally to the right to use the surface to use and enjoy the mineral estate. The Deed made no reference to specific drilling methods and had the grantors intended such a specific meaning of “usual” they could have explicitly reserved the right to drill vertical wells. The court therefore determined that the contractual language did not override application of the accommodation doctrine, which should inform what rights each party had to the surface.

Attempt to Develop the Minerals

Midway argued that for the Lyles to maintain a claim for trespass, the Lyles must currently be using or plan to use the surface to develop their minerals. The Lyles countered that they had already suffered damages from the solar facility blocking access to the mineral estate.

The court determined that if the Lyles exercised their rights, Midway would have to yield to the degree mandated by the application of the accommodation doctrine. However, until such rights are exercised, there is nothing to be accommodated. To maintain a claim for trespass, the Lyles must have first sought to develop their minerals.

The court’s reasoning is that if a claim for trespass could be maintained without an attempt to develop, mineral owners could simply claim damages from any surface activities that could potentially hinder mineral development in the future. Furthermore, there would be no way to calculate damages since future development would be subject to different markets and technologies.

Although the Lyles’ claim for trespass was premature and therefore dismissed without prejudice, the court acknowledged that the determination of each parties’ rights to the surface would be determined in the future if an actual conflict arises.

Conclusion

Lyle v. Midway Solar, LLC should encourage solar developers to be fully aware of outstanding mineral rights on properties they seek to develop. A review of title ownership and an understanding of contractual rights reserved in mineral deeds may allow solar developers to negotiate surface uses up-front and avoid disruptions to their operations due to con

[1] https://www.seia.org/solar-industry-research-data.

[2] 2020 Tex. App. LEXIS 10385.

If you have further questions, please contact Hayden Weaver.

Under new leadership, the Bureau of Land Management (BLM) announced its termination of proposed amendments to the Desert Renewable Energy Conservation Plan (DRECP). On January 13, 2021, BLM had released draft amendments to the DRECP and a draft environmental impact statement analyzing the draft amendments. The draft amendments were described in a previous article. The draft amendments had faced public opposition from conservation groups and the California Energy Commissioner.

On March 12, 2021, the BLM announced its termination of the land use planning process for the draft amendments. The BLM cited a need to “evaluate consistency with Departmental and Executive priorities related to conservation and promotion of renewable energy development.” The BLM committed to “continue to work with cooperating agencies and stakeholders in the implementation of the existing land use plans.”

If you have further questions, please contact Katie Schroder.

On March 8, 2021, the Principal Deputy Solicitor of the Interior issued a memorandum
withdrawing Solicitor’s Opinion M-37050, which had interpreted the Migratory Bird Treaty Act (MBTA) as only prohibiting affirmative actions that purposefully take or kill migratory birds, their nests, or their eggs, and not prohibiting incidental taking or killing.

The March 8 memorandum marks the latest reinterpretation of the MBTA by the Solicitor’s Office. In the last days of President Barack Obama’s administration, the Solicitor issued Opinion M-37041 – Incidental Take Prohibited Under the Migratory Bird Treaty Act (Jan. 10, 2017). This 30-page opinion concluded that “the MBTA’s broad prohibition on taking and killing migratory birds by any means and in any manner includes incidental taking and killing.”

Solicitor’s Opinion M-37041, however, enjoyed a short life. On February 6, 2017, the incoming administration of President Donald Trump suspended Solicitor’s Opinion M-37041. On December 22, 2017, the Principal Deputy Solicitor issued Solicitor’s Opinion M-37050, which permanently withdrew and replaced Solicitor’s Opinion M-37041. Spanning 41 pages, Solicitor’s Opinion M-37050 concluded that the MBTA’s “prohibitions on pursuing, hunting, taking, capturing, killing, or attempting to do the same apply only to affirmative actions that have as their purpose the taking or killing of migratory birds, their nests, or their eggs.”

The United States District Court for the Southern District of New York, however, found this conclusion to be inconsistent with the language of the MBTA. The court vacated Solicitor’s Opinion M-37050 in its entirety. Natural Res. Defense Council v. U.S. Dep’t of the Interior, 478 F. Supp. 3d 469 (S.D.N.Y. 2020). The Biden administration did not pursue an appeal of this decision.

The March 8, 2021 memorandum cited the litigation over Solicitor’s Opinion M-37050 as justification for permanently revoking and withdrawing it. The memorandum also cited concerns raised by the Government of Canada as to whether M-37050 is consistent with one of the treaties underlying the MBTA. Notably, the memorandum did not reinstate Solicitor’s Opinion M-37041 or otherwise replace Solicitor’s Opinion M-37050.

The withdrawal and revocation of Solicitor’s Opinion M-37050 coincides with the delayed effective date a final rule that formalized the interpretation of “take” set forth in Solicitor’s Opinion M-37050. The U.S. Fish and Wildlife Service (USFWS) published this final rule on January 7, 2021, and it was scheduled to take effect on February 8, 2021. On February 9, 2021, the USFWS published an announcement that it would delay the effective date of this rule until March 8, 2021, and seek additional public comment on it.

If you have further questions, please contact Katie Schroder.

In 2019, the Colorado Legislature passed House Bill 19-1261, known as the Climate Action Plan to Reduce Pollution (“Climate Action Plan”), which includes statewide greenhouse gas (“GHG”) pollution emission targets. By 2025 the bill targets 26% reductions in GHG emissions from 2005 levels, 50% by 2030, and 90% by 2050. In an effort to make coordinated progress toward these goals, Governor Jared Polis directed state agencies to develop a Greenhouse Gas Pollution Reduction Roadmap (“Roadmap”). As part of this effort, the State through various executive agencies has preliminarily estimated 2005 baseline GHG emissions to identify the magnitude of emission reductions required to meet the Climate Action Plan goals and the likely sources of those reductions. It is anticipated that the 2005 baseline emissions inventory will be approved by Air Quality Control Commission (“AQCC”) during a September 2021 hearing.

The Roadmap outlines a strategy for how Colorado can reduce GHG emissions over time ito achieve the reductions identified in the Climate Action Plan. Key strategic elements include: (a) a continued shift away from fossil fuel-based generated energy to renewably generated energy; (b) a focus on reducing methane emissions from the oil and gas sector; (c) accelerated transition to electric buses, trucks, and cars; (d) changes to transportation planning and infrastructure to reduce vehicle miles traveled; (e) increased building efficiency and electrification; (f) reduction of methane emissions from agriculture, landfills, and waste water treatment; (g) strategies to enhance carbon sequestration by natural and working lands; and (h) incentivizing adoption of GHG reduction measures in the agricultural sector. These strategic elements are intended to be implemented through various efforts including:

• rulemakings before the AQCC, the Colorado Department of Transportation, and other state agencies;
• coordinated efforts between the State and private parties, particularly with utilities, in an effort to develop clean energy plans;
• a study on how to incentivize updates to local government regulations, particularly to building codes and zoning regulations;
• public investment in electric vehicles and electric vehicle infrastructure; and
• encouragement for participation in carbon reduction efforts such as the Employer Based Trip Reduction Program, Soil Health Partnership, the Agricultural Energy Efficiency Program, and the Advancing Colorado’s Renewable Energy Efficiency Program (ACRE3) Program.

The Roadmap also explicitly takes a sector-based rather than economy-wide approach to cap GHG emissions. This means that specific emission reduction targets will be set for each identified sector. The primary sectors targeted for reductions are transportation, electric generation, oil and gas, and residential, commercial, and industrial energy use. Each sector has a different target for emission reductions from the 2005 baseline. Importantly, the 2005 baseline emissions are estimated differently for oil and gas sources relative to other sectors. The State has updated its methodology to estimate future GHG emissions from non-oil and gas sources to address some of the limitations with the approach used in estimating historical emissions. For oil and gas sources, the Colorado Department of Public Health and Environment (“CDPHE”) indicated that it would use data collected under Colorado Regulation No. 7 to make improvements to current and future emission estimates for the oil and gas industry, which should result in more accurate estimates of emissions from this industry but could also potentially complicate comparisons of future emissions with the baseline.[1]

The draft of the Roadmap was published on September 30, 2020, and community members and other stakeholders were encouraged to provide comment and feedback. The Roadmap was not developed as part of a rulemaking effort, so it was not subject to the procedural requirements associated with more formal efforts. This also means that the written comments provided on the Roadmap are only available via a Colorado Open Records Act request, and the State was not required to explicitly address or respond to community comments. Some concerns have been raised regarding this process, specifically, as subsequent specific rulemakings will be undertaken in reliance upon the Roadmap, the development of the Roadmap should have occurred in a more transparent process.

While the tremendous effort associated with developing the Roadmap to date has been broadly lauded and appreciated, additional concerns have been raised that the draft Roadmap did not provide a cost-benefit analysis for any of the proposed GHG reduction strategies and did not allow for the flexibility to pursue policies to reduce emissions iteratively and in full consideration of a given policy’s total costs and associated benefits. Technical concerns have also been raised with some of the key assumptions and analyses underlying the Roadmap and its associated emission estimates. The final Roadmap, published on January 14, 2021 and available here, did acknowledge that a detailed cost benefit analysis was not provided but indicated that such cost benefit analyses would be addressed as various strategies were implemented through formal rulemakings.

While there were limited substantive changes between the draft and final Roadmap, the final Roadmap added important discussion about the Roadmap’s larger strategic goal of reducing impacts on communities disproportionately impacted by climate change and how the Climate Equity Framework (developed based on statutory guidelines from HB 19-1261) should be used to guide future action. It also addressed Carbon Capture, Utilization, and Storage (“CCUS”) more specifically and indicated that the State would convene a task force on CCUS starting in mid-2021, “which will report to the Governor within a year on recommended framework, including policies and action steps for advancing CCUS in Colorado.”

The Roadmap is an ambitious effort to address GHG emissions in Colorado. How the Roadmap will be implemented and the exact nature of any resulting programs remains uncertain, but significant changes are on the horizon for Colorado.

[1]
See Section 8.5 of CDPHE’s Draft “2021 Greenhouse Gas Inventory Update Including Projections to 2050” found here.

If you have further questions, please contact Shalyn Kettering or Vasco Roma (Managing Consultant, Ramboll).

When faced with significant market challenges, companies in the energy industry often turn to bankruptcy for solutions. This webinar explores the bankruptcy process, its benefits, its limitations, and unique bankruptcy issues that players face across the energy sector, from oil and gas to mining. Presenters will share their experiences in recent chapter 11 cases and discuss practical considerations and strategies that should be evaluated before and during bankruptcy to avoid a chapter 11 free fall.

The confirmed speakers for this program, which is pending approval for one general Continuing Legal Education credit in the state of Colorado, are as follows:

• Adam Hirsch, Partner, Davis Graham
• Chris Richardson, Partner, Davis Graham

Event Information

Tuesday, March 9

8:00-9:00 AM MST

In this second edition of the Davis Graham Privacy & Data Security Legal Update, we cover Virginia’s Consumer Data Protection Act, which was approved by both legislative chambers, and new bills in Alabama, Florida, Utah, and Washington. On the international front, we cover new guidelines from the European Data Protection Board on breach notification and the latest developments in negotiations over an ePrivacy Regulation.

If you have any comments, questions, or suggestions, please contact the author, Camila Tobón.

U.S. Developments

Virginia set to become second state to enact comprehensive privacy legislation

In early February, both the Virginia House of Delegates and the Virginia Senate passed identical bills for the Virginia Consumer Data Protection Act (HB2307 and SB1392). Governor Ralph Northam is expected to sign the measure, after reconciliation of the two bills. The Act more closely mirrors the Washington Privacy Act (WPA) than the California Consumer Privacy Act (CCPA) and adopts the controller/processor terminology from the GDPR as opposed to the business/service provider/third party terms from the CCPA. It would apply to entities that control or process data of at least 100,000 Virginians, or those that derive at least 50 percent of their revenues from the sale and processing of consumer data of at least 25,000 customers. It includes entity-level exemptions for financial institutions subject to the Gramm-Leach Bliley Act and covered entities under the Health Insurance Portability and Accountability Act, among others, as well as data-level exemptions for personal information covered by other state and federal laws, employee data, and business contact data. Controllers must provide the rights of access, correction, deletion, data portability, and opt-out of targeted advertising, sale, and profiling and develop a mechanism for consumers to appeal a controller’s refusal to act on a request. The Act creates an opt-in regime for the processing of sensitive data (which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data for the purpose of uniquely identifying a natural person, children’s data, and precise geolocation data). It also requires data protection risk assessments for certain types of processing activities, including processing data for targeted advertising or profiling, sale of data, processing of sensitive data, and any other activity presenting a heightened risk to consumers. The state attorney general is the only entity with enforcement authority and enforcement penalties would be capped at $7,500 per violation. No private right of action is provided. The Act would take effect on January 1, 2023 (the same date the California Privacy Rights Act (CPRA) takes effect).

Comprehensive privacy legislation introduced in Alabama, Florida, and Utah

Earlier this month, HB216 was introduced in the Alabama House. The Alabama Consumer Privacy Act is similar to the California Consumer Privacy Act. Consumers are given the rights of access, information, deletion, opt-out of sale, and non-discrimination. There is also a private right of action for breach of nonencrypted or nonredacted personal information resulting from a failure to implement and maintain reasonable security procedures and practices. Unlike the CCPA, the Alabama Act does not provide for statutory damages, instead requiring courts to determine damages according to a set of factors set out in the bill. If enacted, the law would take effect on October 1, 2022.

In Florida, legislators introduced HB969, which is very similar to the CCPA. It requires businesses that collect personal information from consumers to maintain an online privacy policy, to be updated every 12 months. It provides consumers the rights of access, deletion, correction, opt-out of sale or sharing (where “share” is defined as disclosure for advertising), and non-discrimination. The bill includes contractual requirements for disclosures of personal information between a business and a service provider and a business and a third party, including requiring that the service provider or third party pass through any obligations to subcontractors. The bill provides a private right of action for breach like the CCPA, with the same statutory damages of $100-$750 per incident. If enacted, the law would take effect on January 1, 2022.

SB200 was introduced in Utah for a Consumer Privacy Act. Unlike the Alabama and Florida bills, this one mirrors the Washington Privacy Act. Consumer rights include access, correction, deletion, portability, and opt-out of processing for targeted advertising, sale, or profiling in furtherance of decisions regarding educational enrollment, criminal justice, employment opportunities, healthcare services, or access to basic necessities as well as opt-in to processing sensitive data. The bill requires that controllers implement a process for appeals of consumer requests and conduct risk assessments for certain high-risk processing activities. The bill does not provide a private right of action. Enforcement would be by the attorney general with penalties not to exceed $1,000 per consumer per violation. The bill would take effect January 1, 2022.

Competing privacy bill introduced in the Washington state house

In late January, a competing privacy bill was introduced in the Washington state house. HB1433, the People’s Privacy Act, significantly differs from the Washington Privacy Act under consideration in the Senate in several respects. The People’s Privacy Act is an opt-in model, requiring affirmative consent for the collection and use of personal information, which must be renewed annually or deemed withdrawn. Individuals are given the rights of access/data portability, information, refusal of consent, correction, deletion, and freedom from surreptitious surveillance. Covered entities must provide a short and long form privacy policy, with examples to be produced by the Department of Commerce within 6 months of the law’s enactment. The Act would allow a private right of action for any violation with statutory damages of $10,000. In addition, the Attorney General could bring an enforcement action seeking $25,000 per violation or up to 4% of annual revenue, whichever is greater.

EU Developments

European Data Protection Board issues additional guidance on breach notification under the GDPR

Last month, the European Data Protection Board (EDPB) issued Guidelines 01/2021 on Examples Regarding Data Breach Notification. Public comments will be accepted through March 2, 2021. In the Guidelines, the EDPB provides examples of the most common breach notification cases such as ransomware attacks, data exfiltration attacks, lost or stolen devices and paper documents, misdirected mail, and social engineering. For each type of attack, the guidelines set out guidance and recommendations, including obligations to notify supervisory authorities and affected individuals. The concrete examples provided in the guidelines should greatly assist organizations with conducting their risk assessments following a breach and determining whether notification is required and to whom. The guidelines will be finalized following the public comment period.

The Council of the European Union issues mandate for negotiating the ePrivacy Regulation with the European Parliament and the European Commission

The EU has been working on an overhaul of the 2002 ePrivacy Directive, which governs privacy and electronic communications, for several years. There are two main goals. First, to harmonize rules over electronic communications data in the EU. As a regulation, the ePrivacy Regulation would become immediately binding in all EU member states upon enactment (as opposed to a directive, which must be implemented in each member state’s national law resulting in diverging applications of the rules). Second, to address new technological and market developments, such as the current widespread use of Voice over IP, web-based email and messaging services, and the emergence of new techniques for tracking users’ online behavior. This recent development will kick-start negotiations between the Council of the EU, the European Parliament, and the European Commission over the final text of the ePrivacy Regulation.

On January 28, 2021, and possibly before, members of the Reddit group r/WallStreetBets sent the market (and, apparently Hollywood box office executives) into a frenzy. Rogue day-traders noticed that several institutional investors
were shorting the stock of companies like GameStop, a publicly traded video game retailer. Members of r/WallStreetBets—in an allegedly coordinated effort—began discussing how they, and other retail investors, could “beat” the institutional investors who had shorted (i.e., bet against) GameStop. The group settled on a plan to inflate GameStop’s stock price by going long on GameStop. Undoubtedly, some of these retail investors honestly believed in the fundamentals of the stock and the long-term value of GameStop. Others believed the company’s value was higher than its 2020 price reflected, but really just wanted to drive the stock price up to force institutional investors to cover their short positions at a significant loss—i.e., to engage in a “short squeeze.” This was no secret; these certain investors made their goals known to broad swaths of the investing community.

In 2020, GameStop’s stock price hovered below $20 per share, with a 52-week low of $2.57. The stock price increased drastically
in January 2021 when retail investors began buying the stock and buying long options. It spent most of January under $100 until January 26 when it closed at $146. Then, on January 28, GameStop’s stock price hit an eyepopping high of $483 per share. Retail investors took to the internet to rejoice. During this stock surge, various trading platforms used by retail investors decided to block customers from purchasing additional shares in GameStop (and other companies experiencing similar stock price surges) for part of the day. While many retail investors were effectively prevented from buying more GameStop shares, institutional investors continued to trade, and the stock price fell almost immediately, closing the day at $347.51.

The expansive media coverage, and the Securities and Exchange Commission’s deafening silence, left many people asking: what securities laws and regulations apply to this strikingly odd situation and would the SEC (or worse, the Department of Justice) bring enforcement actions against members of r/WallStreetBets, the online brokerages that facilitated some of the trading, or others?

Frequently, the SEC will charge a so-called “pump and dump” scheme under the antifraud provisions of the ‘33 Act, the ‘34 Act, and/or under SEC Rule 10b-5. However, this situation does not neatly fit into the antifraud box. What were the material misstatements? Were they protected speech? Was there even actual fraud or deceit? Or were the retail investors honestly buying stock to tank the institutional short positions? Two other possibilities:

• Section 9(a)(2) of the ‘34 Act prohibits any seller of stocks from (1) creating actual or apparent active trading in a stock; or (2) raising or depressing the price of a stock, for the purpose of inducing others to purchase or sell that stock.
• Section 17(a) of the ‘33 Act prohibits any seller of stocks from directly or indirectly (1) employing a device, scheme or artifice to defraud another; (2) obtaining money or property by means of a false statement (or omission) of material fact; or (3) engaging in any transaction, practice, or course of business which operates as fraud or deceit upon the purchaser. (Emphasis supplied.)

Like you, we will be watching curiously to see what enforcers do next. This does not look like a clean kill. But can the SEC be still when investors apparently scheme to inflate stock prices based on things other than company fundamentals? We’ll get back to you on this.

If you have further questions, please contact John Elofson, Chad Williams, or Philip Nickerson.

Today, President Biden issued an executive order directing the Department of the Interior to “pause new oil and natural gas leases on public lands or in offshore waters” while the Department completes “a comprehensive review and reconsideration of Federal oil and gas permitting and leasing practices.”

The directed review of federal oil and gas leasing and permitting is broad in scope. The executive order instructs that the review should consider “the Secretary of the Interior’s broad stewardship responsibilities over the public lands and in offshore waters, including potential climate and other impacts associated with oil and gas activities on public lands or in offshore waters.” Furthermore, the executive order directs the Secretary to consider whether to adjust royalties on federal oil and natural gas “to account for corresponding climate costs.”

The executive order does not direct the Department to complete this review within a specified timeframe. Therefore, the “pause” on new oil and natural gas leases is indefinite.

The leasing moratorium is limited to federal public lands and offshore waters only. The moratorium does not apply to Indian leases. It also does not suspend permitting of new oil and natural gas wells on existing federal leases. Separately, however, the Acting Secretary of the Interior has effectively suspended all permitting for 60 days via a Secretarial Order.

Immediately after the President signed the executive order, Western Energy Alliance filed a lawsuit
in the United States District Court for the District of Wyoming challenging the leasing moratorium. At the time of this alert, Western Energy Alliance had not sought preliminary or temporary relief.

The “pause” on federal oil and gas leasing is only one component of this sweeping executive order. The executive order establishes a national policy that “climate considerations shall be an essential element of United States foreign policy and national security” and sets a national goal of net-zero emissions by 2050. It directs federal agencies throughout the United States government to undertake studies and reviews, establish councils and working groups, and promote initiatives. For energy developers on public lands, the executive order most notably:

• Establishes a White House Office of Domestic Climate Policy;
• Establishes a National Climate Task Force comprised of the heads of multiple federal agencies, including the Secretaries of Interior and Agriculture and the Chair of the Council on Environmental Quality;
• Establishes a goal of “conserving at least 30 percent of our lands and waters by 2030” and directs the Secretary of the Interior to submit a report to the National Climate Task Force by April 26, 2021 with recommended steps to achieve this goal;
• Directs the Secretary of the Interior to review siting and permitting processes on public lands and in offshore waters to identify steps to increase renewable energy production on these lands and waters;
• Sets a goal of doubling the amount of offshore wind by 2030;
• Directs the heads of federal agencies to take steps to ensure that federal funding is not directly subsidizing fossil fuels to the extent consistent with law;
• Establishes a goal of achieving a carbon pollution-free electricity sector by 2035; and
• Establishes a working group to provide support for coal and power plant communities.

Given the breadth of the executive order, and the number of actions it directs, we expect to see guidance and reports from federal agencies in the coming months regarding its implementation. Please contact Katie Schroder or Courtney Shephard with questions about the executive order.

On January 13, 2021, during the final week of the Trump administration, the U.S. Army Corps of Engineers (“Corps”) published a new rule (“Rule”) that revises 12 existing 404 Nationwide Permits (“NWPs”) and issued four new ones. NWPs are “general” permits that authorize on a streamlined basis, under Section 404 of the Clean Water Act (“CWA 404”) and Section 10 of the Rivers and Harbors Act of 1899, certain specified activities that have only a minimal adverse effect on the aquatic environment. The vast majority of activities regulated under CWA 404 have historically been authorized under NWPs. The other 40 existing NWPs are not changed or impacted by this new Rule. The Rule is scheduled to take effect on March 15, 2021.

A. Revised NWP 12 Applies Exclusively to Oil and Natural Gas Pipeline Activities

One of the twelve existing NWPs revised and replaced by the Rule was NWP 12, which historically applied to all utility line activities. In this Rule, the former NWP 12 was divided into three separate new NWPs: revised NWP 12 (solely for Oil or Natural Gas Pipeline Activities); new NWP 57 (Electric Utility Line and Telecommunications Activities); and new NWP 58 (Utility Line Activities for Water and Other Substances). This separation was based in part on the ongoing judicial challenges to NWP 12 as previously used to authorize the Keystone XL Pipeline and other oil and gas-related pipelines, is designed to address the differences in how disparate types of utility line projects are constructed and the substances they convey, and was intended to help ensure the covered activities are sufficiently similar within each NWP.

The new revised NWP 12 now covers only activities required for the construction, maintenance, repair, and removal of an “oil and natural gas pipeline” and “associated activities.” It broadly defines “oil or natural gas pipeline’’ to account for the wide variety of products that may be derived from oil or natural gas and transported by pipeline. Specifically, that definition includes “any pipe or pipeline for the transportation of any form of oil or natural gas, including products derived from oil or natural gas, such as gasoline, jet fuel, diesel fuel. heating oil, petrochemical feedstocks, waxes, lubricating oils, and asphalt.” “Associated facilities” covered by revised NWP 12 include pipeline substations and access roads in non-tidal waters. As under the previous NWP 12, the covered work may not permanently fill or destroy more than half an acre of regulated waters or wetlands, but where there are multiple crossings of the same waterbody, or crossings of multiple waterbodies by the same utility line, each crossing is still considered a “separate and complete project” for purposes of this limit and the PCN triggers noted below.

Under the former NWP 12, there were eight conditions that triggered a “pre-construction notification” (“PCN”) requirement. When a PCN is triggered, an applicant must submit prescribed details about the proposed NWP-covered activities to the Corps, which must then evaluate the proposed activities on a case-specific basis, to ensure the activities have only a minimal adverse effect. The revised NWP 12 removes five of the previous PCN triggers and adds a new one. The revised PCN triggers under the replacement NWP 12 are oil and gas pipeline-related activities that: (1) require authorization under Section 10 of the Rivers and Harbors Act of 1899 (because they cross larger “traditionally navigable” waters); (2) will result in a loss of greater than 1/10-acre of waters of the United States; (3) are associated with an overall project that is greater than 250 miles in length and the project purpose is to install a new pipeline (vs. conducting repair or maintenance activities) along most of the length of the project; (4) will adversely affect federally-listed endangered or threatened species; or (5) will adversely affect historic properties. The Rule preamble clarifies, however, that additional PCN requirements may be added by the Corps through regional conditions applicable to a specific state or area.

B. 15 Other New or Revised NWPs

The other eleven replacement NWPs are:

• NWP 21: Surface coal mining activities
• NWP 29: Residential developments
• NWP 39: Commercial and institutional developments
• NWP 40: Agricultural activities
• NWP 42: Recreational activities
• NWP 43: Stormwater management activities
• NWP 44: Mining activities
• NWP 48: Commercial shellfish and mariculture activities
• NWP 50: Underground coal mining activities
• NWP 51: Land-based renewable energy generation facilities
• NWP 52: Water-based renewable energy generation pilot projects

For ten of these revised NWPs, the Corps removed the limits of 300 linear feet of stream bed disturbance and also made some other individual NWP revisions, usually to make the NWP less restrictive. Operators should carefully review these replacement NWPs prior to using or relying on them, to ensure their projects meet the new NWP qualifications, conditions, and requirements.

The four new NWPs are:

• NWP 55: Seaweed mariculture activities
• NWP 56: Finfish mariculture activities
• NWP 57: Electric utility line and telecommunication activities
• NWP 58: Utility line activities for water and other substances

C. The Rule Creates Additional Complexities and May Face an Uncertain Future

The Rule covers only 16 of the now 56 total NWPs. This means moving forward, unless the Rule is revised, rescinded, or replaced, there will be two separate five-year cycles for expiration and reissuance of NWPs. The 16 NWPs covered in this new Rule will expire in March 2026, but the other 40 NWPs will continue to expire in March 2022. The Rule also adopted or made some changes to the General Conditions and related Definitions in the Corps’ NWP rules that are applicable only to the 16 new or revised NWPs. But the other 40 pre-existing NWPs remain subject to the General Conditions and Definitions set out in the previous, January 6, 2017 final NWP rule (82 FR 1860). States and Corps District offices in the coming year also could adopt state or area-specific conditions on the 16 new or revised NWPs that differ from those for in place for the other NWPs issued in 2017. As a result, entities seeking to use NWPs must now more carefully identify which expiration dates, definitions, and general and area-specific conditions apply to a given NWP.

The Rule preamble notes that these changes are partly in response to the recent court decision in Northern Plains Resource Council, et al., v. U.S. Army Corps of Engineers, et al., (Case No. CV 19–44–GF–BMM), in which the federal District Court in Montana ruled that the former NWP 12 as used to authorize stream crossings for the Keystone XL Pipeline failed to comply with the Endangered Species Act (“ESA”). In issuing the new Rule, however, the Corps does not further consult under or otherwise change the NWP program’s approach to ESA compliance. Rather, the preamble simply states that issuance of the NWPs has “no effect on listed threatened and endangered species and designated critical habitat” and does not require ESA Section 7 consultation. Given the prior legal challenges to NWPs related to the ESA, this position may prompt other ESA-related litigation regarding the new Rule.

While the Rule technically is subject to review and rescission by Congress under the Congressional Review Act (“CRA”), it is unlikely the Biden Administration and Congress will go that route. The CRA allows Congress to overturn some rules issued by federal agencies, but if Congress chooses to do so, the CRA prevents Congress from issuing another rule in “substantially the same form” unless specifically authorized by a subsequent law. Given the broad historic use and programmatic nature of the NWP program, the CRA would not seem to provide a practical tool for Congress to address any technical concerns with the Rule.

The Rule is, however, subject to the January 20, 2021 “regulatory freeze” memorandum issued by Ronald A. Klain, President Biden’s Chief of Staff (“Klain Memo”). The Klain Memo applies to agency actions, like this Rule, that have been published in the Federal Register but have not yet taken effect. For these rules, the Klain Memo directs agencies to “consider postponing the rules’ effective dates” for 60 days, until March 21, 2021. If an agency postpones a rule’s effective date, the Klain Memo directs the agency, during this 60-day period, to:

• “[C]onsider opening a 30-day comment period to allow interested parties to provide comments about issues of fact, law, and policy raised by those rules”;
• “[C]onsider pending petitions for reconsideration involving such rules”; and
• “[C]onsider further delaying, or publishing for notice and comment proposed rules further delaying, such rules beyond the 60-day period” (i.e., March 21).

The Klain Memo directs that, after March 21, agencies need not take any action “for those rules that raise no substantial questions of fact, law, or policy.” For rules that do raise “substantial questions of fact, law, or policy,” the next step is unclear; the Klain Memo simply directs agencies to “notify the [Office of Management and Budget] Director and take further appropriate action in consultation with the OMB Director.” As a result, because the Corps’ Rule is subject to the Klain Memo, if the Rule is considered to raise “substantial questions,” the new Administration and the Corps will have the option to open the Rule for further comments, reconsider the Rule (if petitions are received to do so), or further delay the effective date of the Rule.

Any potential NWP users should closely monitor the fate of this Rule and carefully comply with the new or revised qualifications, definitions, and general and area-specific conditions applicable to the affected Nationwide Permits, if and as they are left in place by the Biden Administration.

If you have further questions, please contact Shalyn Kettering, Zach Miller, and Katie Schroder.