On June 24, 2021, Governor Polis signed into law a bill to advance the state’s goal to reduce greenhouse gas (“GHG”) emissions from gas distribution utilities. Senate Bill 21-264 requires gas distribution utilities (“GDUs”) to implement clean heat plans which demonstrate the GDU’s strategy to meet specified clean heat targets.

The bill defines a GDU as a gas public utility with over 90,000 retail customers. Each GDU must file a clean heat plan with the Colorado Public Utilities Commission (“PUC”) that explains their proposal to reduce carbon dioxide and methane emission levels by 4% in 2025 (only 1% can be from recovered methane) and 22% in 2030 (only 5% can be from recovered methane). The calculation for baseline and projected emissions must include (1) leaked methane from the transportation and delivery of gas, (2) carbon dioxide emissions resulting from gas combustion, and (3) leaked methane emissions from gas delivery to local distributors. Each GDU’s clean heat plan must address the following scenarios:

1. The GDU will use the maximum practicable clean heat resources, comply with the cost cap (determined by the PUC), list leak reductions, and may or may not meet the clean heat targets, but demonstrates overall reductions in methane emissions; and
2. The GDU will meet the clean heat targets, using only clean heat resources, but will not meet the cost cap.

The GDU has discretion to include additional scenarios and the PUC may also request supplementary scenarios. Colorado’s largest GDU (determined by volume of gas sold) must submit a clean heat plan by August 1, 2023. All other GDUs must submit their plans by January 1, 2024.

The new legislation also provides clean heat plan requirements for municipal GDUs (a municipally owned utility that provides gas services to over 90,000 customers) and small GDUs (a public utility providing gas services to 90,000 customers or less). A municipal GDU must implement a clean heat plan by February 1, 2023 that demonstrates compliance with the 4% reduction of GHG emissions by 2025 and 22% reduction by 2030 and the plan must be approved by the entity’s governing body. A small GDU may file a clean heat plan pursuant to the same requirements as a GDU or it may submit a plan that proposes its own reduction targets, subject to the cost cap.

Colorado GDUs are encouraged to use already available tools, including energy efficiency, biomethane, hydrogen, recovered methane, beneficial electrification of customer end uses, and cost-effective leak reductions on the utility’s distribution systems to achieve GHG emission reductions. Additionally, where practicable, GDUs are requested to use their own employees to implement clean heat plan projects. For projects that require competitive solicitation, the GDU must inquire about the use of Colorado-based and out-of-state labor.

When approving a clean heat plan, the PUC must consider a cost test that includes the social cost of carbon and methane. Moreover, the PUC must ensure the clean heat plan advances the public interest, by analyzing the use of clean heat resources, the air quality, environmental and health benefits of the plan, the reliability and cost of the plan, and whether investments in the plan prioritize communities historically impacted by pollution.

Senate Bill 21-264 also requires the PUC to propose rules establishing recovered methane protocols by September 1, 2022. Further, the PUC must evaluate requisite resources for the effective regulation of GHG sequestration and report its findings by December 1, 2021.

Similarly, in Governor Polis’ 2021 GHG Pollution Reduction Roadmap,[1] the state government announced its plan to form a task force on carbon capture, use, and sequestration to research policies and action plans that align with Colorado’s GHG emission reduction goals. As the state government’s role in carbon sequestration policy grows, it is important for inquiries into sequestration regulation to address pore space ownership, the balance between carbon sequestration and advancing reductions in pollution, public incentives, and economic development related to carbon capture.

The purpose of Senate Bill 21-264 is to equitably and reasonably reduce Colorado’s greenhouse gas emissions and transition to a decarbonized economy. Implementation of these clean heat plans, along with support from the PUC, will promote Colorado’s overall goals to reduce GHG emissions to slow global warming and protect our environment.

If you have further questions, please contact John Jacus or Kelsey Johnson.

[1] https://drive.google.com/file/d/1jzLvFcrDryhhs9ZkT_UXkQM_0LiiYZfq/view

Welcome to another edition of the Davis Graham Privacy & Data Security Legal Update! The goal is to keep you apprised of the latest developments in privacy and data security law. If you have any comments, questions, suggestions, or feedback, please reach out to the author,Camila Tobón.

In this edition, we focus on privacy bills at the U.S. state and federal levels. The states have been the most active, with nearly half the states considering some form of comprehensive privacy legislation. A few bills have also been introduced at the federal level. It’s possible that another one or two states will join California and Virginia with a privacy law. But a federal privacy law still seems far off.

U.S. Developments

Comprehensive privacy legislation pending in several U.S. states

On March 19, 2021, Colorado Senators Rodriguez and Lundeen introduced a bill providing additional protections for the personal data of Colorado residents called the Colorado Privacy Act (SB21-190). To read more about this bill, read our March update here. The bill came up for hearing before the Senate Business, Labor & Technology Committee on May 5, 2021. The Committee approved amendments to the bill, including:

• Clarifications to the definitions of “sale” and “targeted advertising”;
• Narrowing the right to opt-out to targeted advertising, sale, or profiling;
• Shifting sensitive data processing from an opt-in basis to notice and opt-out;
• Adding a notice and 60-day period to cure before an enforcement action can be initiated.

The bill now moves to the Senate Appropriations Committee.

In our prior editions we also covered bills introduced in Alabama, Florida, Minnesota, New York, Oklahoma, Utah, Virginia, and Washington. The Virginia bill has now become law, when it was signed by the governor on March 2, 2021. The Virginia Consumer Data Protection Act (VCDPA) will apply to personal information collected on or after January 1, 2022 and takes effect on January 1, 2023. The law follows a different model than the California Consumer Privacy Act (CCPA). To read more on it, please see our prior update here.

Several other states introduced privacy bills this legislative session. Below is a chart of the currently pending state bills.

State	Bill No.	Summary
Alabama	HB 216	This bill is similar to the CCPA. It is before the House Committee on Technology and Research.
Alaska	SB 116 and HB 159	These bills are a modified version of the CCPA and include provisions for a data broker registry. Both bills have been referred to Labor & Commerce.
Colorado	SB 190	This bill is like the new law in Virginia except that the opt-out applies to all personal data processing. It is pending before the Senate Appropriations Committee.
Connecticut	SB 893	This bill is like the new law in Virginia. A public hearing was held in late February and a substitute bill was then filed. The bill is now before the full Senate.
Illinois	HB 3910	This bill is like the CCPA. It is before the House Rules Committee.
Massachusetts	SD 1726	The Senate bill differs from the other bills because it creates duties of care, loyalty, and confidentiality and requires consent before personal information is collected and processed. It has been referred to the committee on Advanced Information Technology, the Internet and Cybersecurity.
Minnesota	HF 36 and HF 1492	HF 36 is like the CCPA while HF 1492 is like the new Virginia law. Both bills have been referred to the Commerce Finance and Policy Committee.
New Jersey	AB 3283 and AB 3255	AB 3283 is like the GDPR in that it requires a legal basis for processing personal information. AB 3255 is like the CCPA. Both bills are before the Science, Innovation and Technology Committee.
New York	S 567, A 6042 and A 680	SB 567 is like the CCPA. A6042 would require opt-in consent for processing personal information. A680 requires consent to use, process, and disclose, and imposes a fiduciary duty of care. These bills are pending in committee.
North Carolina	SB 569	This bill is like the VCDPA. It passed first reading in the Senate and has been referred to committee.
Pennsylvania	HB 1126	This bill is like the CCPA. It was referred to the Consumer Affairs Committee in the House.
Texas	HB 3741	This bill is different from the CCPA and Virginia law. It imposes restrictions on use of personal information, in addition to providing consumer rights. The bill is before the Business & Industry Committee.

Bills filed in Arizona, Florida, Kentucky, Maryland, Mississippi, North Dakota, Oklahoma, Utah, Washington, and West Virginia have died.

From this legislative activity it is clear that two distinct models are emerging – the CCPA model and the VCDPA model. Although both focus on transparency – where covered entities provide clear notice of their personal data handling practices – and control – where consumers are given specific rights with respect to their data – the requirements and implementation differ. As legislative sessions come to a close in the coming weeks, it will be interesting to see which states join California and Virginia and which model emerges as the leading standard.

Four federal privacy bills introduced in 2021

Rep. Suzan DelBene, D-WA, introduced the Information Transparency and Personal Data Control Act in March. The bill directs the Federal Trade Commission (FTC) to enact regulations governing the use of sensitive personal information (SPI), which broadly includes data typically associated with breach notification laws as well as information considered sensitive under the CCPA and VCDPA as well as the content of communications and personal call detail records. With regard to non-SPI, the bill establishes a right to opt out any personal information processing. No private right of action is provided. Instead, enforcement would be by the FTC and state attorneys general.

Sen. Brian Schatz, D-HI, introduced the Data Care Act in March. The bill requires online service providers to (1) reasonably secure individual-identifying data from unauthorized access, (2) refrain from using such data in a way that will result in reasonably foreseeable harm to the end user, and (3) not disclose such data to another party unless that party is also bound by the duties established in the bill. The bill authorizes the Federal Trade Commission and specified state officials to take enforcement actions with respect to breaches of such duties.

Sen. Ron Wyden, D-OR, introduced a bill to amend the FTC Act in late April. As of May 13, 2021, the bill text has not been received for S.1444. But a bill summary states that it establishes requirements and responsibilities for entities that use, store, or share personal information, to protect personal information, and for other purposes.

Sen. Jerry Moran, R-KS, introduced A bill to protect the privacy of consumers also in late April. As of May 13, 2021, text has not been received for S.1494.

The late April rally to introduce new legislation signals a continued interest in data privacy issues. However, it is unlikely that any of these bills will gain traction in the near term. The activity continues to be focused at the state level.

In January 2021, the Federal Permitting Improvement Steering Council (“FPISC” or “Council”) voted to include mining infrastructure projects as an eligible sector for coverage under the Fixing America’s Surface Transportation Act (“FAST-41” or “Act”). The purpose of the Act is to streamline the Federal environmental review process for large-scale infrastructure projects. Renewable energy projects have been eligible for FAST-41 review since 2015, when the Act was passed by Congress. Mining and renewable energy development are necessarily intertwined from a supply chain standpoint, and the addition of the mining sector to FAST-41 is an indicator that the federal government is conscious of the need to shore up related domestic industries if the U.S. is going to be able to reach its carbon reduction goals through mass deployment of renewable projects around the country.

FAST-41 established a program to improve the timeliness, predictability, and transparency of the analysis and permitting phases for infrastructure proposals. The Act enhances federal coordination by requiring all agencies relevant to a project’s review to develop a plan and schedule outlining the necessary steps for project authorization within 60 days of a project’s FAST-41 eligibility being established. FAST-41 limits an agency’s ability to revise their timeline within 30 days of the original posted deadline, and the FPISC acts to ensure each agency meets its deadline. To deter delays, FAST-41 requires the FPISC to report to Congress whenever a modification to the timeline results in a 150% delay of the original schedule.

The Act implemented the Permitting Dashboard, a public website displaying the actual and scheduled timeframes for current projects, allowing for increased transparency related to the permitting process. FAST-41 also set the statute of limitations to challenge a project’s authorization at two years, and established guidelines for judicial review and dispute resolution, all in an effort to minimize delays caused by litigation.

To be eligible for FAST-41 coverage, the project:

1. Must be located in the United States and require environmental review and authorization by a federal agency;
2. Must be subject to NEPA review;
3. Must be likely to require an investment of $200,000,000 or more; and
4. Must not qualify for any other abbreviated environmental review.

If a project sponsor believes their infrastructure proposal qualifies for FAST-41 coverage, they must submit a FAST-41 Initiation Notice to the Executive Director of the FPISC and the facilitating Federal agency. The FPISC will coordinate with the lead agency to determine eligibility, potential concerns and mitigation, and the first necessary steps in the permitting process. A decision regarding the project’s eligibility must be issued by the lead agency within 14 days. If the project is approved, the relevant agencies will create a Coordinated Project Plan and the project’s permitting process will immediately begin.

The federal environmental review process is often plagued with long delays and sluggish progress. At its induction, FAST-41 covered renewable and conventional energy production, electricity transmission, surface transportation, aviation, ports and waterways, water resource projects, broadband, pipelines, and manufacturing. Since the Act’s passage, 23 renewable energy generation projects have been deemed eligible for streamlined permitting, and nine large-scale renewable projects have already been completed. In light of such a successful track record, the addition of mining as an eligible sector has drawn both praise and criticism, with some applauding the decision to expedite the permitting process (mining project review typically takes seven to ten years) and increased access to battery minerals and other mining products necessary for renewable energy production, while others oppose any acceleration of the development of the mining sector.

If you have further questions, please contact Almira Moronne or Kelsey Johnson.

On March 19, 2021, Senators Rodriguez and Lundeen introduced the Colorado Privacy Act (“CPA”) bill, which would provide additional protections for the personal data of state residents. If passed, the bill would have a far-reaching impact on businesses collecting and using personal information about Colorado residents, whether operating inside or outside the state. We will continue to monitor developments, but if you have any questions or would like to discuss specific issues in the bill, please reach out to Camila Tobón.

Davis Graham will be hosting a webinar to discuss the bill on Tuesday, April 13, 2021 from noon to 1 p.m. You can register here.

To whom does the CPA bill apply?

The CPA aims to protect the personal data of “consumers,” which means a natural person who is a Colorado resident acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.

The CPA refers to “controllers” and “processors.” A controller determines the purposes and means of processing personal data. A processor processes personal data on behalf of the controller. The CPA bill also introduces the concept of a “third party,” which is defined as “a person, public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or the controller.”

To be subject to the CPA, legal entities would have to:

1. Conduct business in Colorado or produce products or services that are intentionally targeted to Colorado residents; and
2. Either:
   1. Control or process the personal data of 100,000 consumers or more during a calendar year; or
   2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more.

What does the CPA bill protect?

The CPA bill protects “personal data,” which means any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include deidentified data or publicly available information.

The CPA bill excepts certain data sets, including:

• “Protected health information” and other listed patient and health information, as well as information maintained in the same manner by covered entities, business associates, health care facilities or health care providers, and a program or qualified service organization as defined in 42 C.F.R. § 2.11;
• Personal data bearing on a consumer’s creditworthiness that is regulated by the Fair Credit Reporting Act and processed by a consumer reporting agency, a furnisher of information, or a user of a consumer report;
• Personal data collected, processed, sold, or disclosed pursuant to the Gramm Leach Bliley Act (GLBA);
• Personal data collected, processed, sold, or disclosed pursuant to the federal Driver’s Privacy Protection Act;
• Personal data regulated by the federal Children’s Online Privacy Protection Act and the federal Family Educational Rights and Privacy Act; and
• Data maintained for employment records purposes.

The CPA bill also includes an entity-level exemption for financial institutions or affiliates of a financial institution that are subject to the GLBA. Any personal data processed by these entities would be out of scope of the CPA bill, not just the personal data handled pursuant to the GLBA and its implementing regulations.

Does the CPA define “sale” of personal data?

The CPA defines “sale” as the exchange of personal data for monetary or other consideration by a controller to a third party for purposes of licensing or selling personal data at the third party’s discretion to additional third parties. It includes several exceptions:

• Disclosing data to a processor that processes personal data on behalf of the controller;
• Disclosing personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with a consumer’s reasonable expectations considering the context in which the consumer provided the personal data to the controller;
• The disclosure or transfer of personal data to an affiliate of the controller; or
• The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

What consumer rights does the CPA bill provide?

The CPA would provide consumers with the following rights:

• The right to opt-out of the processing of personal data concerning the consumer, including the right to authorize another person to opt-out of personal data processing for purposes of targeted advertising or “sale” of the consumer’s personal data.
• The right to confirm whether a controller is processing personal data concerning the consumer and access to those data.
• The right to correct inaccurate personal data collected from the consumer.
• The right to delete personal data concerning the consumer.
• The right to obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance (data portability). This right may be exercised no more than twice per calendar year.

Controllers would have 45 days to respond to requests to exercise consumer rights, which could be extended to 90 days where reasonably necessary. Controllers must provide information free of charge except that a fee (to be calculated pursuant to the state public records statute) may be charged for the second or subsequent request within a twelve-month period.

The CPA bill requires controllers to establish an internal process for consumers to appeal a refusal to act on a request to exercise any of their consumer rights. If the consumer has concerns about the result of the appeal, they can contact the Attorney General.

What does the CPA bill require of “controllers”?

Controllers must provide consumers with a privacy notice describing the categories of personal data collected or processed, the purposes for processing, an estimate of how long personal data will be retained, how and where consumers may exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom personal data are shared. If a controller sells personal data to third parties or processes personal data for targeted advertising, it must disclose such sale or processing as well as the manner in which the consumer may exercise the right to object to such sale or processing.

Other requirements imposed on controllers include:

• Purpose specification – collection of personal data must be limited to what is reasonably necessary for the specified purpose;
• Data minimization – controllers must collect only what is reasonably necessary for the specific purpose;
• Secondary uses – controllers must avoid secondary uses that are not reasonably necessary to or compatible with the purposes for which the data are processed;
• Duty of care – controllers must employ reasonable security measures to protect personal data against unauthorized acquisition during both storage and use;
• Nondiscrimination – controllers cannot increase the cost of or decrease the availability of a product or service based solely on the exercise of a right and may not process personal data in violation of state and federal laws prohibiting unlawful discrimination against consumers.

Controllers must get consent to process “sensitive data,” which include:

• personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
• genetic or biometric data for the purpose of uniquely identifying a natural person; and
• personal data from a known child.

Controllers must also conduct data protection assessments for processing activities presenting a heightened risk of harm to consumers, which include targeted advertising or profiling; the sale of personal data; and sensitive data processing. Such data protection assessments must be made available to the Attorney General upon request.

What does the CPA bill require of “processors”?

Processors must process personal data according to the controller’s instructions and must assist controllers with the fulfillment of their obligations under the CPA. Processing by a processor must be governed by a binding contract setting out the processing instructions to which the processor is bound.

How would the CPA be enforced?

The CPA would be enforced by the Colorado Attorney General and District Attorneys. Violators would be subject to an injunction and a civil fine as specified in Colo. Rev. Stat. § 6-1-112 (setting out civil penalties in various contexts). There is no private right of action in the CPA bill.

When would the CPA take effect?

The law would take effect on January 1, 2023.

In the last decade, solar energy development has grown annually at an average rate of 49%.[1]
As more land is used for this renewable resource, increased conflicts with the owners of minerals underlying those lands are inevitable. A recent case in Texas, Lyle v. Midway Solar, LLC,[2] highlights how courts may address such conflicts. The court acknowledged that the “accommodation doctrine” may limit the rights of mineral owners to interfere with solar facilities overlaying their minerals. However, application of the doctrine to determine surface rights can only occur after the mineral owner attempts to develop its minerals.

The Facts

The Lyles own 27.5% of the mineral rights in a 315-acre tract in Pecos County, Texas derived from a 1948 Deed. Gary D. Drgac owns 100% of the surface rights in the same tract. The Lyles never leased their mineral interest to an oil and gas operator and have no current plans to develop the minerals. They commissioned no geological studies on the property and never received any offers to lease or purchase the mineral estate. In 2015, Mr. Drgac leased the surface of the property to Midway Solar, LLC (“Midway”) to build a solar energy facility on the property. Under the terms of the lease, Midway could place solar panels on the property, as well as transmission lines, electrical lines, and cable lines. The solar lease acknowledged that the minerals had been severed and identified the rights of the mineral owner as an “encumbrance” on the land.

Drgac and Midway amended the lease to identify “Designated Drillsite Tracts” for future operators to explore for and access minerals. These tracts were exempt from solar facility construction. Midway’s solar facility eventually covered 70% of the surface of the property, leaving the two drillsite tracts undisturbed. Midway obtained surface waiver agreements from adjoining mineral interest owners for purposes of accessing the property but did not obtain a waiver from the Lyles.

The Lawsuit

After construction of the facility, the Lyles sued Midway and Drgac alleging they had breached the terms of the 1948 Deed, denying reasonable access to the minerals by covering 70% of the surface with solar panels and transmission lines. The Lyles also argued that Drgac and Midway were trespassing on their mineral estate. They sought damages for trespass and breach of contract arguing that the solar facility had “destroyed and/or greatly diminished the value” of their minerals.

The Accommodation Doctrine

In Texas, a mineral estate is “dominant,” meaning the mineral owner has the right to use the surface to extract minerals using methods reasonably necessary for extraction. The mineral estate’s dominance is limited by the “accommodation doctrine,” which requires the mineral and surface estates to exercise their respective rights with due regard for the rights of the other. The surface owner carries the burden to show that (1) the mineral owner’s use of the surface completely precludes or substantially impairs the surface owner’s existing use, (2) there is no reasonable alternative method available to the surface owner by which the existing use can be continued, and (3) there are “alternative, reasonable, customary, and industry-accepted methods available to the mineral owner” to recover the minerals. If alternative methods allow mineral development without disturbing the surface owner’s existing use, the accommodation doctrine may require the adoption of that alternative method. If only one method of extracting the minerals is available, the mineral owner may pursue that method, regardless of surface damage. Parties have the right to set their own contractual terms as they see fit, provided such rights do not violate public policy.

The Lyles argued that the 1948 Deed expressly delineated the parties’ rights. The Deed states, “Grantors further reserve unto themselves, their heirs and assigns, the right to such use of the surface estate . . . as may be usual, necessary or convenient
in the use and enjoyment of the oil, gas and general mineral estate.” The Lyles argued the word “usual” evidenced the grantor’s intent to reserve the right to drill vertical wells, the “usual” method of drilling at the time the Deed was signed. Directional and horizontal drilling had not been invented. Therefore, covering 70% of the surface with solar facilities violated that contractual right and preserving small drilling pads for vertical and horizontal wells was insufficient.

The court disagreed because it did not interpret the term “usual” as applying to a specific drilling method. Rather, it referred more generally to the right to use the surface to use and enjoy the mineral estate. The Deed made no reference to specific drilling methods and had the grantors intended such a specific meaning of “usual” they could have explicitly reserved the right to drill vertical wells. The court therefore determined that the contractual language did not override application of the accommodation doctrine, which should inform what rights each party had to the surface.

Attempt to Develop the Minerals

Midway argued that for the Lyles to maintain a claim for trespass, the Lyles must currently be using or plan to use the surface to develop their minerals. The Lyles countered that they had already suffered damages from the solar facility blocking access to the mineral estate.

The court determined that if the Lyles exercised their rights, Midway would have to yield to the degree mandated by the application of the accommodation doctrine. However, until such rights are exercised, there is nothing to be accommodated. To maintain a claim for trespass, the Lyles must have first sought to develop their minerals.

The court’s reasoning is that if a claim for trespass could be maintained without an attempt to develop, mineral owners could simply claim damages from any surface activities that could potentially hinder mineral development in the future. Furthermore, there would be no way to calculate damages since future development would be subject to different markets and technologies.

Although the Lyles’ claim for trespass was premature and therefore dismissed without prejudice, the court acknowledged that the determination of each parties’ rights to the surface would be determined in the future if an actual conflict arises.

Conclusion

Lyle v. Midway Solar, LLC should encourage solar developers to be fully aware of outstanding mineral rights on properties they seek to develop. A review of title ownership and an understanding of contractual rights reserved in mineral deeds may allow solar developers to negotiate surface uses up-front and avoid disruptions to their operations due to con

[1] https://www.seia.org/solar-industry-research-data.

[2] 2020 Tex. App. LEXIS 10385.

If you have further questions, please contact Hayden Weaver.

Under new leadership, the Bureau of Land Management (BLM) announced its termination of proposed amendments to the Desert Renewable Energy Conservation Plan (DRECP). On January 13, 2021, BLM had released draft amendments to the DRECP and a draft environmental impact statement analyzing the draft amendments. The draft amendments were described in a previous article. The draft amendments had faced public opposition from conservation groups and the California Energy Commissioner.

On March 12, 2021, the BLM announced its termination of the land use planning process for the draft amendments. The BLM cited a need to “evaluate consistency with Departmental and Executive priorities related to conservation and promotion of renewable energy development.” The BLM committed to “continue to work with cooperating agencies and stakeholders in the implementation of the existing land use plans.”

If you have further questions, please contact Katie Schroder.

On March 8, 2021, the Principal Deputy Solicitor of the Interior issued a memorandum
withdrawing Solicitor’s Opinion M-37050, which had interpreted the Migratory Bird Treaty Act (MBTA) as only prohibiting affirmative actions that purposefully take or kill migratory birds, their nests, or their eggs, and not prohibiting incidental taking or killing.

The March 8 memorandum marks the latest reinterpretation of the MBTA by the Solicitor’s Office. In the last days of President Barack Obama’s administration, the Solicitor issued Opinion M-37041 – Incidental Take Prohibited Under the Migratory Bird Treaty Act (Jan. 10, 2017). This 30-page opinion concluded that “the MBTA’s broad prohibition on taking and killing migratory birds by any means and in any manner includes incidental taking and killing.”

Solicitor’s Opinion M-37041, however, enjoyed a short life. On February 6, 2017, the incoming administration of President Donald Trump suspended Solicitor’s Opinion M-37041. On December 22, 2017, the Principal Deputy Solicitor issued Solicitor’s Opinion M-37050, which permanently withdrew and replaced Solicitor’s Opinion M-37041. Spanning 41 pages, Solicitor’s Opinion M-37050 concluded that the MBTA’s “prohibitions on pursuing, hunting, taking, capturing, killing, or attempting to do the same apply only to affirmative actions that have as their purpose the taking or killing of migratory birds, their nests, or their eggs.”

The United States District Court for the Southern District of New York, however, found this conclusion to be inconsistent with the language of the MBTA. The court vacated Solicitor’s Opinion M-37050 in its entirety. Natural Res. Defense Council v. U.S. Dep’t of the Interior, 478 F. Supp. 3d 469 (S.D.N.Y. 2020). The Biden administration did not pursue an appeal of this decision.

The March 8, 2021 memorandum cited the litigation over Solicitor’s Opinion M-37050 as justification for permanently revoking and withdrawing it. The memorandum also cited concerns raised by the Government of Canada as to whether M-37050 is consistent with one of the treaties underlying the MBTA. Notably, the memorandum did not reinstate Solicitor’s Opinion M-37041 or otherwise replace Solicitor’s Opinion M-37050.

The withdrawal and revocation of Solicitor’s Opinion M-37050 coincides with the delayed effective date a final rule that formalized the interpretation of “take” set forth in Solicitor’s Opinion M-37050. The U.S. Fish and Wildlife Service (USFWS) published this final rule on January 7, 2021, and it was scheduled to take effect on February 8, 2021. On February 9, 2021, the USFWS published an announcement that it would delay the effective date of this rule until March 8, 2021, and seek additional public comment on it.

If you have further questions, please contact Katie Schroder.

In 2019, the Colorado Legislature passed House Bill 19-1261, known as the Climate Action Plan to Reduce Pollution (“Climate Action Plan”), which includes statewide greenhouse gas (“GHG”) pollution emission targets. By 2025 the bill targets 26% reductions in GHG emissions from 2005 levels, 50% by 2030, and 90% by 2050. In an effort to make coordinated progress toward these goals, Governor Jared Polis directed state agencies to develop a Greenhouse Gas Pollution Reduction Roadmap (“Roadmap”). As part of this effort, the State through various executive agencies has preliminarily estimated 2005 baseline GHG emissions to identify the magnitude of emission reductions required to meet the Climate Action Plan goals and the likely sources of those reductions. It is anticipated that the 2005 baseline emissions inventory will be approved by Air Quality Control Commission (“AQCC”) during a September 2021 hearing.

The Roadmap outlines a strategy for how Colorado can reduce GHG emissions over time ito achieve the reductions identified in the Climate Action Plan. Key strategic elements include: (a) a continued shift away from fossil fuel-based generated energy to renewably generated energy; (b) a focus on reducing methane emissions from the oil and gas sector; (c) accelerated transition to electric buses, trucks, and cars; (d) changes to transportation planning and infrastructure to reduce vehicle miles traveled; (e) increased building efficiency and electrification; (f) reduction of methane emissions from agriculture, landfills, and waste water treatment; (g) strategies to enhance carbon sequestration by natural and working lands; and (h) incentivizing adoption of GHG reduction measures in the agricultural sector. These strategic elements are intended to be implemented through various efforts including:

• rulemakings before the AQCC, the Colorado Department of Transportation, and other state agencies;
• coordinated efforts between the State and private parties, particularly with utilities, in an effort to develop clean energy plans;
• a study on how to incentivize updates to local government regulations, particularly to building codes and zoning regulations;
• public investment in electric vehicles and electric vehicle infrastructure; and
• encouragement for participation in carbon reduction efforts such as the Employer Based Trip Reduction Program, Soil Health Partnership, the Agricultural Energy Efficiency Program, and the Advancing Colorado’s Renewable Energy Efficiency Program (ACRE3) Program.

The Roadmap also explicitly takes a sector-based rather than economy-wide approach to cap GHG emissions. This means that specific emission reduction targets will be set for each identified sector. The primary sectors targeted for reductions are transportation, electric generation, oil and gas, and residential, commercial, and industrial energy use. Each sector has a different target for emission reductions from the 2005 baseline. Importantly, the 2005 baseline emissions are estimated differently for oil and gas sources relative to other sectors. The State has updated its methodology to estimate future GHG emissions from non-oil and gas sources to address some of the limitations with the approach used in estimating historical emissions. For oil and gas sources, the Colorado Department of Public Health and Environment (“CDPHE”) indicated that it would use data collected under Colorado Regulation No. 7 to make improvements to current and future emission estimates for the oil and gas industry, which should result in more accurate estimates of emissions from this industry but could also potentially complicate comparisons of future emissions with the baseline.[1]

The draft of the Roadmap was published on September 30, 2020, and community members and other stakeholders were encouraged to provide comment and feedback. The Roadmap was not developed as part of a rulemaking effort, so it was not subject to the procedural requirements associated with more formal efforts. This also means that the written comments provided on the Roadmap are only available via a Colorado Open Records Act request, and the State was not required to explicitly address or respond to community comments. Some concerns have been raised regarding this process, specifically, as subsequent specific rulemakings will be undertaken in reliance upon the Roadmap, the development of the Roadmap should have occurred in a more transparent process.

While the tremendous effort associated with developing the Roadmap to date has been broadly lauded and appreciated, additional concerns have been raised that the draft Roadmap did not provide a cost-benefit analysis for any of the proposed GHG reduction strategies and did not allow for the flexibility to pursue policies to reduce emissions iteratively and in full consideration of a given policy’s total costs and associated benefits. Technical concerns have also been raised with some of the key assumptions and analyses underlying the Roadmap and its associated emission estimates. The final Roadmap, published on January 14, 2021 and available here, did acknowledge that a detailed cost benefit analysis was not provided but indicated that such cost benefit analyses would be addressed as various strategies were implemented through formal rulemakings.

While there were limited substantive changes between the draft and final Roadmap, the final Roadmap added important discussion about the Roadmap’s larger strategic goal of reducing impacts on communities disproportionately impacted by climate change and how the Climate Equity Framework (developed based on statutory guidelines from HB 19-1261) should be used to guide future action. It also addressed Carbon Capture, Utilization, and Storage (“CCUS”) more specifically and indicated that the State would convene a task force on CCUS starting in mid-2021, “which will report to the Governor within a year on recommended framework, including policies and action steps for advancing CCUS in Colorado.”

The Roadmap is an ambitious effort to address GHG emissions in Colorado. How the Roadmap will be implemented and the exact nature of any resulting programs remains uncertain, but significant changes are on the horizon for Colorado.

[1]
See Section 8.5 of CDPHE’s Draft “2021 Greenhouse Gas Inventory Update Including Projections to 2050” found here.

If you have further questions, please contact Shalyn Kettering or Vasco Roma (Managing Consultant, Ramboll).

When faced with significant market challenges, companies in the energy industry often turn to bankruptcy for solutions. This webinar explores the bankruptcy process, its benefits, its limitations, and unique bankruptcy issues that players face across the energy sector, from oil and gas to mining. Presenters will share their experiences in recent chapter 11 cases and discuss practical considerations and strategies that should be evaluated before and during bankruptcy to avoid a chapter 11 free fall.

The confirmed speakers for this program, which is pending approval for one general Continuing Legal Education credit in the state of Colorado, are as follows:

• Adam Hirsch, Partner, Davis Graham
• Chris Richardson, Partner, Davis Graham

Event Information

Tuesday, March 9

8:00-9:00 AM MST

In this second edition of the Davis Graham Privacy & Data Security Legal Update, we cover Virginia’s Consumer Data Protection Act, which was approved by both legislative chambers, and new bills in Alabama, Florida, Utah, and Washington. On the international front, we cover new guidelines from the European Data Protection Board on breach notification and the latest developments in negotiations over an ePrivacy Regulation.

If you have any comments, questions, or suggestions, please contact the author, Camila Tobón.

U.S. Developments

Virginia set to become second state to enact comprehensive privacy legislation

In early February, both the Virginia House of Delegates and the Virginia Senate passed identical bills for the Virginia Consumer Data Protection Act (HB2307 and SB1392). Governor Ralph Northam is expected to sign the measure, after reconciliation of the two bills. The Act more closely mirrors the Washington Privacy Act (WPA) than the California Consumer Privacy Act (CCPA) and adopts the controller/processor terminology from the GDPR as opposed to the business/service provider/third party terms from the CCPA. It would apply to entities that control or process data of at least 100,000 Virginians, or those that derive at least 50 percent of their revenues from the sale and processing of consumer data of at least 25,000 customers. It includes entity-level exemptions for financial institutions subject to the Gramm-Leach Bliley Act and covered entities under the Health Insurance Portability and Accountability Act, among others, as well as data-level exemptions for personal information covered by other state and federal laws, employee data, and business contact data. Controllers must provide the rights of access, correction, deletion, data portability, and opt-out of targeted advertising, sale, and profiling and develop a mechanism for consumers to appeal a controller’s refusal to act on a request. The Act creates an opt-in regime for the processing of sensitive data (which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data for the purpose of uniquely identifying a natural person, children’s data, and precise geolocation data). It also requires data protection risk assessments for certain types of processing activities, including processing data for targeted advertising or profiling, sale of data, processing of sensitive data, and any other activity presenting a heightened risk to consumers. The state attorney general is the only entity with enforcement authority and enforcement penalties would be capped at $7,500 per violation. No private right of action is provided. The Act would take effect on January 1, 2023 (the same date the California Privacy Rights Act (CPRA) takes effect).

Comprehensive privacy legislation introduced in Alabama, Florida, and Utah

Earlier this month, HB216 was introduced in the Alabama House. The Alabama Consumer Privacy Act is similar to the California Consumer Privacy Act. Consumers are given the rights of access, information, deletion, opt-out of sale, and non-discrimination. There is also a private right of action for breach of nonencrypted or nonredacted personal information resulting from a failure to implement and maintain reasonable security procedures and practices. Unlike the CCPA, the Alabama Act does not provide for statutory damages, instead requiring courts to determine damages according to a set of factors set out in the bill. If enacted, the law would take effect on October 1, 2022.

In Florida, legislators introduced HB969, which is very similar to the CCPA. It requires businesses that collect personal information from consumers to maintain an online privacy policy, to be updated every 12 months. It provides consumers the rights of access, deletion, correction, opt-out of sale or sharing (where “share” is defined as disclosure for advertising), and non-discrimination. The bill includes contractual requirements for disclosures of personal information between a business and a service provider and a business and a third party, including requiring that the service provider or third party pass through any obligations to subcontractors. The bill provides a private right of action for breach like the CCPA, with the same statutory damages of $100-$750 per incident. If enacted, the law would take effect on January 1, 2022.

SB200 was introduced in Utah for a Consumer Privacy Act. Unlike the Alabama and Florida bills, this one mirrors the Washington Privacy Act. Consumer rights include access, correction, deletion, portability, and opt-out of processing for targeted advertising, sale, or profiling in furtherance of decisions regarding educational enrollment, criminal justice, employment opportunities, healthcare services, or access to basic necessities as well as opt-in to processing sensitive data. The bill requires that controllers implement a process for appeals of consumer requests and conduct risk assessments for certain high-risk processing activities. The bill does not provide a private right of action. Enforcement would be by the attorney general with penalties not to exceed $1,000 per consumer per violation. The bill would take effect January 1, 2022.

Competing privacy bill introduced in the Washington state house

In late January, a competing privacy bill was introduced in the Washington state house. HB1433, the People’s Privacy Act, significantly differs from the Washington Privacy Act under consideration in the Senate in several respects. The People’s Privacy Act is an opt-in model, requiring affirmative consent for the collection and use of personal information, which must be renewed annually or deemed withdrawn. Individuals are given the rights of access/data portability, information, refusal of consent, correction, deletion, and freedom from surreptitious surveillance. Covered entities must provide a short and long form privacy policy, with examples to be produced by the Department of Commerce within 6 months of the law’s enactment. The Act would allow a private right of action for any violation with statutory damages of $10,000. In addition, the Attorney General could bring an enforcement action seeking $25,000 per violation or up to 4% of annual revenue, whichever is greater.

EU Developments

European Data Protection Board issues additional guidance on breach notification under the GDPR

Last month, the European Data Protection Board (EDPB) issued Guidelines 01/2021 on Examples Regarding Data Breach Notification. Public comments will be accepted through March 2, 2021. In the Guidelines, the EDPB provides examples of the most common breach notification cases such as ransomware attacks, data exfiltration attacks, lost or stolen devices and paper documents, misdirected mail, and social engineering. For each type of attack, the guidelines set out guidance and recommendations, including obligations to notify supervisory authorities and affected individuals. The concrete examples provided in the guidelines should greatly assist organizations with conducting their risk assessments following a breach and determining whether notification is required and to whom. The guidelines will be finalized following the public comment period.

The Council of the European Union issues mandate for negotiating the ePrivacy Regulation with the European Parliament and the European Commission

The EU has been working on an overhaul of the 2002 ePrivacy Directive, which governs privacy and electronic communications, for several years. There are two main goals. First, to harmonize rules over electronic communications data in the EU. As a regulation, the ePrivacy Regulation would become immediately binding in all EU member states upon enactment (as opposed to a directive, which must be implemented in each member state’s national law resulting in diverging applications of the rules). Second, to address new technological and market developments, such as the current widespread use of Voice over IP, web-based email and messaging services, and the emergence of new techniques for tracking users’ online behavior. This recent development will kick-start negotiations between the Council of the EU, the European Parliament, and the European Commission over the final text of the ePrivacy Regulation.