In January 2021, the Federal Permitting Improvement Steering Council (“FPISC” or “Council”) voted to include mining infrastructure projects as an eligible sector for coverage under the Fixing America’s Surface Transportation Act (“FAST-41” or “Act”). The purpose of the Act is to streamline the Federal environmental review process for large-scale infrastructure projects. Renewable energy projects have been eligible for FAST-41 review since 2015, when the Act was passed by Congress. Mining and renewable energy development are necessarily intertwined from a supply chain standpoint, and the addition of the mining sector to FAST-41 is an indicator that the federal government is conscious of the need to shore up related domestic industries if the U.S. is going to be able to reach its carbon reduction goals through mass deployment of renewable projects around the country.

FAST-41 established a program to improve the timeliness, predictability, and transparency of the analysis and permitting phases for infrastructure proposals. The Act enhances federal coordination by requiring all agencies relevant to a project’s review to develop a plan and schedule outlining the necessary steps for project authorization within 60 days of a project’s FAST-41 eligibility being established. FAST-41 limits an agency’s ability to revise their timeline within 30 days of the original posted deadline, and the FPISC acts to ensure each agency meets its deadline. To deter delays, FAST-41 requires the FPISC to report to Congress whenever a modification to the timeline results in a 150% delay of the original schedule.

The Act implemented the Permitting Dashboard, a public website displaying the actual and scheduled timeframes for current projects, allowing for increased transparency related to the permitting process. FAST-41 also set the statute of limitations to challenge a project’s authorization at two years, and established guidelines for judicial review and dispute resolution, all in an effort to minimize delays caused by litigation.

To be eligible for FAST-41 coverage, the project:

1. Must be located in the United States and require environmental review and authorization by a federal agency;
2. Must be subject to NEPA review;
3. Must be likely to require an investment of $200,000,000 or more; and
4. Must not qualify for any other abbreviated environmental review.

If a project sponsor believes their infrastructure proposal qualifies for FAST-41 coverage, they must submit a FAST-41 Initiation Notice to the Executive Director of the FPISC and the facilitating Federal agency. The FPISC will coordinate with the lead agency to determine eligibility, potential concerns and mitigation, and the first necessary steps in the permitting process. A decision regarding the project’s eligibility must be issued by the lead agency within 14 days. If the project is approved, the relevant agencies will create a Coordinated Project Plan and the project’s permitting process will immediately begin.

The federal environmental review process is often plagued with long delays and sluggish progress. At its induction, FAST-41 covered renewable and conventional energy production, electricity transmission, surface transportation, aviation, ports and waterways, water resource projects, broadband, pipelines, and manufacturing. Since the Act’s passage, 23 renewable energy generation projects have been deemed eligible for streamlined permitting, and nine large-scale renewable projects have already been completed. In light of such a successful track record, the addition of mining as an eligible sector has drawn both praise and criticism, with some applauding the decision to expedite the permitting process (mining project review typically takes seven to ten years) and increased access to battery minerals and other mining products necessary for renewable energy production, while others oppose any acceleration of the development of the mining sector.

If you have further questions, please contact Almira Moronne or Kelsey Johnson.

On March 19, 2021, Senators Rodriguez and Lundeen introduced the Colorado Privacy Act (“CPA”) bill, which would provide additional protections for the personal data of state residents. If passed, the bill would have a far-reaching impact on businesses collecting and using personal information about Colorado residents, whether operating inside or outside the state. We will continue to monitor developments, but if you have any questions or would like to discuss specific issues in the bill, please reach out to Camila Tobón.

Davis Graham will be hosting a webinar to discuss the bill on Tuesday, April 13, 2021 from noon to 1 p.m. You can register here.

To whom does the CPA bill apply?

The CPA aims to protect the personal data of “consumers,” which means a natural person who is a Colorado resident acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.

The CPA refers to “controllers” and “processors.” A controller determines the purposes and means of processing personal data. A processor processes personal data on behalf of the controller. The CPA bill also introduces the concept of a “third party,” which is defined as “a person, public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or the controller.”

To be subject to the CPA, legal entities would have to:

1. Conduct business in Colorado or produce products or services that are intentionally targeted to Colorado residents; and
2. Either:
   1. Control or process the personal data of 100,000 consumers or more during a calendar year; or
   2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more.

What does the CPA bill protect?

The CPA bill protects “personal data,” which means any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include deidentified data or publicly available information.

The CPA bill excepts certain data sets, including:

• “Protected health information” and other listed patient and health information, as well as information maintained in the same manner by covered entities, business associates, health care facilities or health care providers, and a program or qualified service organization as defined in 42 C.F.R. § 2.11;
• Personal data bearing on a consumer’s creditworthiness that is regulated by the Fair Credit Reporting Act and processed by a consumer reporting agency, a furnisher of information, or a user of a consumer report;
• Personal data collected, processed, sold, or disclosed pursuant to the Gramm Leach Bliley Act (GLBA);
• Personal data collected, processed, sold, or disclosed pursuant to the federal Driver’s Privacy Protection Act;
• Personal data regulated by the federal Children’s Online Privacy Protection Act and the federal Family Educational Rights and Privacy Act; and
• Data maintained for employment records purposes.

The CPA bill also includes an entity-level exemption for financial institutions or affiliates of a financial institution that are subject to the GLBA. Any personal data processed by these entities would be out of scope of the CPA bill, not just the personal data handled pursuant to the GLBA and its implementing regulations.

Does the CPA define “sale” of personal data?

The CPA defines “sale” as the exchange of personal data for monetary or other consideration by a controller to a third party for purposes of licensing or selling personal data at the third party’s discretion to additional third parties. It includes several exceptions:

• Disclosing data to a processor that processes personal data on behalf of the controller;
• Disclosing personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with a consumer’s reasonable expectations considering the context in which the consumer provided the personal data to the controller;
• The disclosure or transfer of personal data to an affiliate of the controller; or
• The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

What consumer rights does the CPA bill provide?

The CPA would provide consumers with the following rights:

• The right to opt-out of the processing of personal data concerning the consumer, including the right to authorize another person to opt-out of personal data processing for purposes of targeted advertising or “sale” of the consumer’s personal data.
• The right to confirm whether a controller is processing personal data concerning the consumer and access to those data.
• The right to correct inaccurate personal data collected from the consumer.
• The right to delete personal data concerning the consumer.
• The right to obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance (data portability). This right may be exercised no more than twice per calendar year.

Controllers would have 45 days to respond to requests to exercise consumer rights, which could be extended to 90 days where reasonably necessary. Controllers must provide information free of charge except that a fee (to be calculated pursuant to the state public records statute) may be charged for the second or subsequent request within a twelve-month period.

The CPA bill requires controllers to establish an internal process for consumers to appeal a refusal to act on a request to exercise any of their consumer rights. If the consumer has concerns about the result of the appeal, they can contact the Attorney General.

What does the CPA bill require of “controllers”?

Controllers must provide consumers with a privacy notice describing the categories of personal data collected or processed, the purposes for processing, an estimate of how long personal data will be retained, how and where consumers may exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom personal data are shared. If a controller sells personal data to third parties or processes personal data for targeted advertising, it must disclose such sale or processing as well as the manner in which the consumer may exercise the right to object to such sale or processing.

Other requirements imposed on controllers include:

• Purpose specification – collection of personal data must be limited to what is reasonably necessary for the specified purpose;
• Data minimization – controllers must collect only what is reasonably necessary for the specific purpose;
• Secondary uses – controllers must avoid secondary uses that are not reasonably necessary to or compatible with the purposes for which the data are processed;
• Duty of care – controllers must employ reasonable security measures to protect personal data against unauthorized acquisition during both storage and use;
• Nondiscrimination – controllers cannot increase the cost of or decrease the availability of a product or service based solely on the exercise of a right and may not process personal data in violation of state and federal laws prohibiting unlawful discrimination against consumers.

Controllers must get consent to process “sensitive data,” which include:

• personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
• genetic or biometric data for the purpose of uniquely identifying a natural person; and
• personal data from a known child.

Controllers must also conduct data protection assessments for processing activities presenting a heightened risk of harm to consumers, which include targeted advertising or profiling; the sale of personal data; and sensitive data processing. Such data protection assessments must be made available to the Attorney General upon request.

What does the CPA bill require of “processors”?

Processors must process personal data according to the controller’s instructions and must assist controllers with the fulfillment of their obligations under the CPA. Processing by a processor must be governed by a binding contract setting out the processing instructions to which the processor is bound.

How would the CPA be enforced?

The CPA would be enforced by the Colorado Attorney General and District Attorneys. Violators would be subject to an injunction and a civil fine as specified in Colo. Rev. Stat. § 6-1-112 (setting out civil penalties in various contexts). There is no private right of action in the CPA bill.

When would the CPA take effect?

The law would take effect on January 1, 2023.

In the last decade, solar energy development has grown annually at an average rate of 49%.[1]
As more land is used for this renewable resource, increased conflicts with the owners of minerals underlying those lands are inevitable. A recent case in Texas, Lyle v. Midway Solar, LLC,[2] highlights how courts may address such conflicts. The court acknowledged that the “accommodation doctrine” may limit the rights of mineral owners to interfere with solar facilities overlaying their minerals. However, application of the doctrine to determine surface rights can only occur after the mineral owner attempts to develop its minerals.

The Facts

The Lyles own 27.5% of the mineral rights in a 315-acre tract in Pecos County, Texas derived from a 1948 Deed. Gary D. Drgac owns 100% of the surface rights in the same tract. The Lyles never leased their mineral interest to an oil and gas operator and have no current plans to develop the minerals. They commissioned no geological studies on the property and never received any offers to lease or purchase the mineral estate. In 2015, Mr. Drgac leased the surface of the property to Midway Solar, LLC (“Midway”) to build a solar energy facility on the property. Under the terms of the lease, Midway could place solar panels on the property, as well as transmission lines, electrical lines, and cable lines. The solar lease acknowledged that the minerals had been severed and identified the rights of the mineral owner as an “encumbrance” on the land.

Drgac and Midway amended the lease to identify “Designated Drillsite Tracts” for future operators to explore for and access minerals. These tracts were exempt from solar facility construction. Midway’s solar facility eventually covered 70% of the surface of the property, leaving the two drillsite tracts undisturbed. Midway obtained surface waiver agreements from adjoining mineral interest owners for purposes of accessing the property but did not obtain a waiver from the Lyles.

The Lawsuit

After construction of the facility, the Lyles sued Midway and Drgac alleging they had breached the terms of the 1948 Deed, denying reasonable access to the minerals by covering 70% of the surface with solar panels and transmission lines. The Lyles also argued that Drgac and Midway were trespassing on their mineral estate. They sought damages for trespass and breach of contract arguing that the solar facility had “destroyed and/or greatly diminished the value” of their minerals.

The Accommodation Doctrine

In Texas, a mineral estate is “dominant,” meaning the mineral owner has the right to use the surface to extract minerals using methods reasonably necessary for extraction. The mineral estate’s dominance is limited by the “accommodation doctrine,” which requires the mineral and surface estates to exercise their respective rights with due regard for the rights of the other. The surface owner carries the burden to show that (1) the mineral owner’s use of the surface completely precludes or substantially impairs the surface owner’s existing use, (2) there is no reasonable alternative method available to the surface owner by which the existing use can be continued, and (3) there are “alternative, reasonable, customary, and industry-accepted methods available to the mineral owner” to recover the minerals. If alternative methods allow mineral development without disturbing the surface owner’s existing use, the accommodation doctrine may require the adoption of that alternative method. If only one method of extracting the minerals is available, the mineral owner may pursue that method, regardless of surface damage. Parties have the right to set their own contractual terms as they see fit, provided such rights do not violate public policy.

The Lyles argued that the 1948 Deed expressly delineated the parties’ rights. The Deed states, “Grantors further reserve unto themselves, their heirs and assigns, the right to such use of the surface estate . . . as may be usual, necessary or convenient
in the use and enjoyment of the oil, gas and general mineral estate.” The Lyles argued the word “usual” evidenced the grantor’s intent to reserve the right to drill vertical wells, the “usual” method of drilling at the time the Deed was signed. Directional and horizontal drilling had not been invented. Therefore, covering 70% of the surface with solar facilities violated that contractual right and preserving small drilling pads for vertical and horizontal wells was insufficient.

The court disagreed because it did not interpret the term “usual” as applying to a specific drilling method. Rather, it referred more generally to the right to use the surface to use and enjoy the mineral estate. The Deed made no reference to specific drilling methods and had the grantors intended such a specific meaning of “usual” they could have explicitly reserved the right to drill vertical wells. The court therefore determined that the contractual language did not override application of the accommodation doctrine, which should inform what rights each party had to the surface.

Attempt to Develop the Minerals

Midway argued that for the Lyles to maintain a claim for trespass, the Lyles must currently be using or plan to use the surface to develop their minerals. The Lyles countered that they had already suffered damages from the solar facility blocking access to the mineral estate.

The court determined that if the Lyles exercised their rights, Midway would have to yield to the degree mandated by the application of the accommodation doctrine. However, until such rights are exercised, there is nothing to be accommodated. To maintain a claim for trespass, the Lyles must have first sought to develop their minerals.

The court’s reasoning is that if a claim for trespass could be maintained without an attempt to develop, mineral owners could simply claim damages from any surface activities that could potentially hinder mineral development in the future. Furthermore, there would be no way to calculate damages since future development would be subject to different markets and technologies.

Although the Lyles’ claim for trespass was premature and therefore dismissed without prejudice, the court acknowledged that the determination of each parties’ rights to the surface would be determined in the future if an actual conflict arises.

Conclusion

Lyle v. Midway Solar, LLC should encourage solar developers to be fully aware of outstanding mineral rights on properties they seek to develop. A review of title ownership and an understanding of contractual rights reserved in mineral deeds may allow solar developers to negotiate surface uses up-front and avoid disruptions to their operations due to con

[1] https://www.seia.org/solar-industry-research-data.

[2] 2020 Tex. App. LEXIS 10385.

If you have further questions, please contact Hayden Weaver.

Under new leadership, the Bureau of Land Management (BLM) announced its termination of proposed amendments to the Desert Renewable Energy Conservation Plan (DRECP). On January 13, 2021, BLM had released draft amendments to the DRECP and a draft environmental impact statement analyzing the draft amendments. The draft amendments were described in a previous article. The draft amendments had faced public opposition from conservation groups and the California Energy Commissioner.

On March 12, 2021, the BLM announced its termination of the land use planning process for the draft amendments. The BLM cited a need to “evaluate consistency with Departmental and Executive priorities related to conservation and promotion of renewable energy development.” The BLM committed to “continue to work with cooperating agencies and stakeholders in the implementation of the existing land use plans.”

If you have further questions, please contact Katie Schroder.

On March 8, 2021, the Principal Deputy Solicitor of the Interior issued a memorandum
withdrawing Solicitor’s Opinion M-37050, which had interpreted the Migratory Bird Treaty Act (MBTA) as only prohibiting affirmative actions that purposefully take or kill migratory birds, their nests, or their eggs, and not prohibiting incidental taking or killing.

The March 8 memorandum marks the latest reinterpretation of the MBTA by the Solicitor’s Office. In the last days of President Barack Obama’s administration, the Solicitor issued Opinion M-37041 – Incidental Take Prohibited Under the Migratory Bird Treaty Act (Jan. 10, 2017). This 30-page opinion concluded that “the MBTA’s broad prohibition on taking and killing migratory birds by any means and in any manner includes incidental taking and killing.”

Solicitor’s Opinion M-37041, however, enjoyed a short life. On February 6, 2017, the incoming administration of President Donald Trump suspended Solicitor’s Opinion M-37041. On December 22, 2017, the Principal Deputy Solicitor issued Solicitor’s Opinion M-37050, which permanently withdrew and replaced Solicitor’s Opinion M-37041. Spanning 41 pages, Solicitor’s Opinion M-37050 concluded that the MBTA’s “prohibitions on pursuing, hunting, taking, capturing, killing, or attempting to do the same apply only to affirmative actions that have as their purpose the taking or killing of migratory birds, their nests, or their eggs.”

The United States District Court for the Southern District of New York, however, found this conclusion to be inconsistent with the language of the MBTA. The court vacated Solicitor’s Opinion M-37050 in its entirety. Natural Res. Defense Council v. U.S. Dep’t of the Interior, 478 F. Supp. 3d 469 (S.D.N.Y. 2020). The Biden administration did not pursue an appeal of this decision.

The March 8, 2021 memorandum cited the litigation over Solicitor’s Opinion M-37050 as justification for permanently revoking and withdrawing it. The memorandum also cited concerns raised by the Government of Canada as to whether M-37050 is consistent with one of the treaties underlying the MBTA. Notably, the memorandum did not reinstate Solicitor’s Opinion M-37041 or otherwise replace Solicitor’s Opinion M-37050.

The withdrawal and revocation of Solicitor’s Opinion M-37050 coincides with the delayed effective date a final rule that formalized the interpretation of “take” set forth in Solicitor’s Opinion M-37050. The U.S. Fish and Wildlife Service (USFWS) published this final rule on January 7, 2021, and it was scheduled to take effect on February 8, 2021. On February 9, 2021, the USFWS published an announcement that it would delay the effective date of this rule until March 8, 2021, and seek additional public comment on it.

If you have further questions, please contact Katie Schroder.

In 2019, the Colorado Legislature passed House Bill 19-1261, known as the Climate Action Plan to Reduce Pollution (“Climate Action Plan”), which includes statewide greenhouse gas (“GHG”) pollution emission targets. By 2025 the bill targets 26% reductions in GHG emissions from 2005 levels, 50% by 2030, and 90% by 2050. In an effort to make coordinated progress toward these goals, Governor Jared Polis directed state agencies to develop a Greenhouse Gas Pollution Reduction Roadmap (“Roadmap”). As part of this effort, the State through various executive agencies has preliminarily estimated 2005 baseline GHG emissions to identify the magnitude of emission reductions required to meet the Climate Action Plan goals and the likely sources of those reductions. It is anticipated that the 2005 baseline emissions inventory will be approved by Air Quality Control Commission (“AQCC”) during a September 2021 hearing.

The Roadmap outlines a strategy for how Colorado can reduce GHG emissions over time ito achieve the reductions identified in the Climate Action Plan. Key strategic elements include: (a) a continued shift away from fossil fuel-based generated energy to renewably generated energy; (b) a focus on reducing methane emissions from the oil and gas sector; (c) accelerated transition to electric buses, trucks, and cars; (d) changes to transportation planning and infrastructure to reduce vehicle miles traveled; (e) increased building efficiency and electrification; (f) reduction of methane emissions from agriculture, landfills, and waste water treatment; (g) strategies to enhance carbon sequestration by natural and working lands; and (h) incentivizing adoption of GHG reduction measures in the agricultural sector. These strategic elements are intended to be implemented through various efforts including:

• rulemakings before the AQCC, the Colorado Department of Transportation, and other state agencies;
• coordinated efforts between the State and private parties, particularly with utilities, in an effort to develop clean energy plans;
• a study on how to incentivize updates to local government regulations, particularly to building codes and zoning regulations;
• public investment in electric vehicles and electric vehicle infrastructure; and
• encouragement for participation in carbon reduction efforts such as the Employer Based Trip Reduction Program, Soil Health Partnership, the Agricultural Energy Efficiency Program, and the Advancing Colorado’s Renewable Energy Efficiency Program (ACRE3) Program.

The Roadmap also explicitly takes a sector-based rather than economy-wide approach to cap GHG emissions. This means that specific emission reduction targets will be set for each identified sector. The primary sectors targeted for reductions are transportation, electric generation, oil and gas, and residential, commercial, and industrial energy use. Each sector has a different target for emission reductions from the 2005 baseline. Importantly, the 2005 baseline emissions are estimated differently for oil and gas sources relative to other sectors. The State has updated its methodology to estimate future GHG emissions from non-oil and gas sources to address some of the limitations with the approach used in estimating historical emissions. For oil and gas sources, the Colorado Department of Public Health and Environment (“CDPHE”) indicated that it would use data collected under Colorado Regulation No. 7 to make improvements to current and future emission estimates for the oil and gas industry, which should result in more accurate estimates of emissions from this industry but could also potentially complicate comparisons of future emissions with the baseline.[1]

The draft of the Roadmap was published on September 30, 2020, and community members and other stakeholders were encouraged to provide comment and feedback. The Roadmap was not developed as part of a rulemaking effort, so it was not subject to the procedural requirements associated with more formal efforts. This also means that the written comments provided on the Roadmap are only available via a Colorado Open Records Act request, and the State was not required to explicitly address or respond to community comments. Some concerns have been raised regarding this process, specifically, as subsequent specific rulemakings will be undertaken in reliance upon the Roadmap, the development of the Roadmap should have occurred in a more transparent process.

While the tremendous effort associated with developing the Roadmap to date has been broadly lauded and appreciated, additional concerns have been raised that the draft Roadmap did not provide a cost-benefit analysis for any of the proposed GHG reduction strategies and did not allow for the flexibility to pursue policies to reduce emissions iteratively and in full consideration of a given policy’s total costs and associated benefits. Technical concerns have also been raised with some of the key assumptions and analyses underlying the Roadmap and its associated emission estimates. The final Roadmap, published on January 14, 2021 and available here, did acknowledge that a detailed cost benefit analysis was not provided but indicated that such cost benefit analyses would be addressed as various strategies were implemented through formal rulemakings.

While there were limited substantive changes between the draft and final Roadmap, the final Roadmap added important discussion about the Roadmap’s larger strategic goal of reducing impacts on communities disproportionately impacted by climate change and how the Climate Equity Framework (developed based on statutory guidelines from HB 19-1261) should be used to guide future action. It also addressed Carbon Capture, Utilization, and Storage (“CCUS”) more specifically and indicated that the State would convene a task force on CCUS starting in mid-2021, “which will report to the Governor within a year on recommended framework, including policies and action steps for advancing CCUS in Colorado.”

The Roadmap is an ambitious effort to address GHG emissions in Colorado. How the Roadmap will be implemented and the exact nature of any resulting programs remains uncertain, but significant changes are on the horizon for Colorado.

[1]
See Section 8.5 of CDPHE’s Draft “2021 Greenhouse Gas Inventory Update Including Projections to 2050” found here.

If you have further questions, please contact Shalyn Kettering or Vasco Roma (Managing Consultant, Ramboll).

When faced with significant market challenges, companies in the energy industry often turn to bankruptcy for solutions. This webinar explores the bankruptcy process, its benefits, its limitations, and unique bankruptcy issues that players face across the energy sector, from oil and gas to mining. Presenters will share their experiences in recent chapter 11 cases and discuss practical considerations and strategies that should be evaluated before and during bankruptcy to avoid a chapter 11 free fall.

The confirmed speakers for this program, which is pending approval for one general Continuing Legal Education credit in the state of Colorado, are as follows:

• Adam Hirsch, Partner, Davis Graham
• Chris Richardson, Partner, Davis Graham

Event Information

Tuesday, March 9

8:00-9:00 AM MST

In this second edition of the Davis Graham Privacy & Data Security Legal Update, we cover Virginia’s Consumer Data Protection Act, which was approved by both legislative chambers, and new bills in Alabama, Florida, Utah, and Washington. On the international front, we cover new guidelines from the European Data Protection Board on breach notification and the latest developments in negotiations over an ePrivacy Regulation.

If you have any comments, questions, or suggestions, please contact the author, Camila Tobón.

U.S. Developments

Virginia set to become second state to enact comprehensive privacy legislation

In early February, both the Virginia House of Delegates and the Virginia Senate passed identical bills for the Virginia Consumer Data Protection Act (HB2307 and SB1392). Governor Ralph Northam is expected to sign the measure, after reconciliation of the two bills. The Act more closely mirrors the Washington Privacy Act (WPA) than the California Consumer Privacy Act (CCPA) and adopts the controller/processor terminology from the GDPR as opposed to the business/service provider/third party terms from the CCPA. It would apply to entities that control or process data of at least 100,000 Virginians, or those that derive at least 50 percent of their revenues from the sale and processing of consumer data of at least 25,000 customers. It includes entity-level exemptions for financial institutions subject to the Gramm-Leach Bliley Act and covered entities under the Health Insurance Portability and Accountability Act, among others, as well as data-level exemptions for personal information covered by other state and federal laws, employee data, and business contact data. Controllers must provide the rights of access, correction, deletion, data portability, and opt-out of targeted advertising, sale, and profiling and develop a mechanism for consumers to appeal a controller’s refusal to act on a request. The Act creates an opt-in regime for the processing of sensitive data (which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data for the purpose of uniquely identifying a natural person, children’s data, and precise geolocation data). It also requires data protection risk assessments for certain types of processing activities, including processing data for targeted advertising or profiling, sale of data, processing of sensitive data, and any other activity presenting a heightened risk to consumers. The state attorney general is the only entity with enforcement authority and enforcement penalties would be capped at $7,500 per violation. No private right of action is provided. The Act would take effect on January 1, 2023 (the same date the California Privacy Rights Act (CPRA) takes effect).

Comprehensive privacy legislation introduced in Alabama, Florida, and Utah

Earlier this month, HB216 was introduced in the Alabama House. The Alabama Consumer Privacy Act is similar to the California Consumer Privacy Act. Consumers are given the rights of access, information, deletion, opt-out of sale, and non-discrimination. There is also a private right of action for breach of nonencrypted or nonredacted personal information resulting from a failure to implement and maintain reasonable security procedures and practices. Unlike the CCPA, the Alabama Act does not provide for statutory damages, instead requiring courts to determine damages according to a set of factors set out in the bill. If enacted, the law would take effect on October 1, 2022.

In Florida, legislators introduced HB969, which is very similar to the CCPA. It requires businesses that collect personal information from consumers to maintain an online privacy policy, to be updated every 12 months. It provides consumers the rights of access, deletion, correction, opt-out of sale or sharing (where “share” is defined as disclosure for advertising), and non-discrimination. The bill includes contractual requirements for disclosures of personal information between a business and a service provider and a business and a third party, including requiring that the service provider or third party pass through any obligations to subcontractors. The bill provides a private right of action for breach like the CCPA, with the same statutory damages of $100-$750 per incident. If enacted, the law would take effect on January 1, 2022.

SB200 was introduced in Utah for a Consumer Privacy Act. Unlike the Alabama and Florida bills, this one mirrors the Washington Privacy Act. Consumer rights include access, correction, deletion, portability, and opt-out of processing for targeted advertising, sale, or profiling in furtherance of decisions regarding educational enrollment, criminal justice, employment opportunities, healthcare services, or access to basic necessities as well as opt-in to processing sensitive data. The bill requires that controllers implement a process for appeals of consumer requests and conduct risk assessments for certain high-risk processing activities. The bill does not provide a private right of action. Enforcement would be by the attorney general with penalties not to exceed $1,000 per consumer per violation. The bill would take effect January 1, 2022.

Competing privacy bill introduced in the Washington state house

In late January, a competing privacy bill was introduced in the Washington state house. HB1433, the People’s Privacy Act, significantly differs from the Washington Privacy Act under consideration in the Senate in several respects. The People’s Privacy Act is an opt-in model, requiring affirmative consent for the collection and use of personal information, which must be renewed annually or deemed withdrawn. Individuals are given the rights of access/data portability, information, refusal of consent, correction, deletion, and freedom from surreptitious surveillance. Covered entities must provide a short and long form privacy policy, with examples to be produced by the Department of Commerce within 6 months of the law’s enactment. The Act would allow a private right of action for any violation with statutory damages of $10,000. In addition, the Attorney General could bring an enforcement action seeking $25,000 per violation or up to 4% of annual revenue, whichever is greater.

EU Developments

European Data Protection Board issues additional guidance on breach notification under the GDPR

Last month, the European Data Protection Board (EDPB) issued Guidelines 01/2021 on Examples Regarding Data Breach Notification. Public comments will be accepted through March 2, 2021. In the Guidelines, the EDPB provides examples of the most common breach notification cases such as ransomware attacks, data exfiltration attacks, lost or stolen devices and paper documents, misdirected mail, and social engineering. For each type of attack, the guidelines set out guidance and recommendations, including obligations to notify supervisory authorities and affected individuals. The concrete examples provided in the guidelines should greatly assist organizations with conducting their risk assessments following a breach and determining whether notification is required and to whom. The guidelines will be finalized following the public comment period.

The Council of the European Union issues mandate for negotiating the ePrivacy Regulation with the European Parliament and the European Commission

The EU has been working on an overhaul of the 2002 ePrivacy Directive, which governs privacy and electronic communications, for several years. There are two main goals. First, to harmonize rules over electronic communications data in the EU. As a regulation, the ePrivacy Regulation would become immediately binding in all EU member states upon enactment (as opposed to a directive, which must be implemented in each member state’s national law resulting in diverging applications of the rules). Second, to address new technological and market developments, such as the current widespread use of Voice over IP, web-based email and messaging services, and the emergence of new techniques for tracking users’ online behavior. This recent development will kick-start negotiations between the Council of the EU, the European Parliament, and the European Commission over the final text of the ePrivacy Regulation.

On January 28, 2021, and possibly before, members of the Reddit group r/WallStreetBets sent the market (and, apparently Hollywood box office executives) into a frenzy. Rogue day-traders noticed that several institutional investors
were shorting the stock of companies like GameStop, a publicly traded video game retailer. Members of r/WallStreetBets—in an allegedly coordinated effort—began discussing how they, and other retail investors, could “beat” the institutional investors who had shorted (i.e., bet against) GameStop. The group settled on a plan to inflate GameStop’s stock price by going long on GameStop. Undoubtedly, some of these retail investors honestly believed in the fundamentals of the stock and the long-term value of GameStop. Others believed the company’s value was higher than its 2020 price reflected, but really just wanted to drive the stock price up to force institutional investors to cover their short positions at a significant loss—i.e., to engage in a “short squeeze.” This was no secret; these certain investors made their goals known to broad swaths of the investing community.

In 2020, GameStop’s stock price hovered below $20 per share, with a 52-week low of $2.57. The stock price increased drastically
in January 2021 when retail investors began buying the stock and buying long options. It spent most of January under $100 until January 26 when it closed at $146. Then, on January 28, GameStop’s stock price hit an eyepopping high of $483 per share. Retail investors took to the internet to rejoice. During this stock surge, various trading platforms used by retail investors decided to block customers from purchasing additional shares in GameStop (and other companies experiencing similar stock price surges) for part of the day. While many retail investors were effectively prevented from buying more GameStop shares, institutional investors continued to trade, and the stock price fell almost immediately, closing the day at $347.51.

The expansive media coverage, and the Securities and Exchange Commission’s deafening silence, left many people asking: what securities laws and regulations apply to this strikingly odd situation and would the SEC (or worse, the Department of Justice) bring enforcement actions against members of r/WallStreetBets, the online brokerages that facilitated some of the trading, or others?

Frequently, the SEC will charge a so-called “pump and dump” scheme under the antifraud provisions of the ‘33 Act, the ‘34 Act, and/or under SEC Rule 10b-5. However, this situation does not neatly fit into the antifraud box. What were the material misstatements? Were they protected speech? Was there even actual fraud or deceit? Or were the retail investors honestly buying stock to tank the institutional short positions? Two other possibilities:

• Section 9(a)(2) of the ‘34 Act prohibits any seller of stocks from (1) creating actual or apparent active trading in a stock; or (2) raising or depressing the price of a stock, for the purpose of inducing others to purchase or sell that stock.
• Section 17(a) of the ‘33 Act prohibits any seller of stocks from directly or indirectly (1) employing a device, scheme or artifice to defraud another; (2) obtaining money or property by means of a false statement (or omission) of material fact; or (3) engaging in any transaction, practice, or course of business which operates as fraud or deceit upon the purchaser. (Emphasis supplied.)

Like you, we will be watching curiously to see what enforcers do next. This does not look like a clean kill. But can the SEC be still when investors apparently scheme to inflate stock prices based on things other than company fundamentals? We’ll get back to you on this.

If you have further questions, please contact John Elofson, Chad Williams, or Philip Nickerson.

Today, President Biden issued an executive order directing the Department of the Interior to “pause new oil and natural gas leases on public lands or in offshore waters” while the Department completes “a comprehensive review and reconsideration of Federal oil and gas permitting and leasing practices.”

The directed review of federal oil and gas leasing and permitting is broad in scope. The executive order instructs that the review should consider “the Secretary of the Interior’s broad stewardship responsibilities over the public lands and in offshore waters, including potential climate and other impacts associated with oil and gas activities on public lands or in offshore waters.” Furthermore, the executive order directs the Secretary to consider whether to adjust royalties on federal oil and natural gas “to account for corresponding climate costs.”

The executive order does not direct the Department to complete this review within a specified timeframe. Therefore, the “pause” on new oil and natural gas leases is indefinite.

The leasing moratorium is limited to federal public lands and offshore waters only. The moratorium does not apply to Indian leases. It also does not suspend permitting of new oil and natural gas wells on existing federal leases. Separately, however, the Acting Secretary of the Interior has effectively suspended all permitting for 60 days via a Secretarial Order.

Immediately after the President signed the executive order, Western Energy Alliance filed a lawsuit
in the United States District Court for the District of Wyoming challenging the leasing moratorium. At the time of this alert, Western Energy Alliance had not sought preliminary or temporary relief.

The “pause” on federal oil and gas leasing is only one component of this sweeping executive order. The executive order establishes a national policy that “climate considerations shall be an essential element of United States foreign policy and national security” and sets a national goal of net-zero emissions by 2050. It directs federal agencies throughout the United States government to undertake studies and reviews, establish councils and working groups, and promote initiatives. For energy developers on public lands, the executive order most notably:

• Establishes a White House Office of Domestic Climate Policy;
• Establishes a National Climate Task Force comprised of the heads of multiple federal agencies, including the Secretaries of Interior and Agriculture and the Chair of the Council on Environmental Quality;
• Establishes a goal of “conserving at least 30 percent of our lands and waters by 2030” and directs the Secretary of the Interior to submit a report to the National Climate Task Force by April 26, 2021 with recommended steps to achieve this goal;
• Directs the Secretary of the Interior to review siting and permitting processes on public lands and in offshore waters to identify steps to increase renewable energy production on these lands and waters;
• Sets a goal of doubling the amount of offshore wind by 2030;
• Directs the heads of federal agencies to take steps to ensure that federal funding is not directly subsidizing fossil fuels to the extent consistent with law;
• Establishes a goal of achieving a carbon pollution-free electricity sector by 2035; and
• Establishes a working group to provide support for coal and power plant communities.

Given the breadth of the executive order, and the number of actions it directs, we expect to see guidance and reports from federal agencies in the coming months regarding its implementation. Please contact Katie Schroder or Courtney Shephard with questions about the executive order.