Are You Ready for 2023? New Privacy Laws To Take Effect Next Year

Five new state omnibus privacy laws have been passed and will go into effect in 2023. Organizations should review their privacy practices and prepare for compliance with these new privacy laws.

What’s Happening?

While the US currently does not have a federal omnibus privacy law, states are beginning to pass privacy laws to address the processing of personal data. While California is the first state with an omnibus privacy law, it has now updated its law, and four additional states have joined in passing privacy legislation: Colorado, Connecticut, Utah, and Virginia. Read below to find out if the respective new laws will apply to your organization.

Which Organizations Must Comply?

The respective privacy laws will apply to organizations that meet particular thresholds. Notably, while most of the laws apply to for-profit businesses, the Colorado Privacy Act also applies to non-profits. There are additional scope provisions and exemptions to consider, but we provide a list of the applicable thresholds below.

The California Privacy Rights Act (CPRA) – Effective January 1, 2023

The CPRA applies to for-profit businesses that do business in California and meet any of the following:

  1. Have a gross annual revenue of over $25 million;
  2. Buy, receive, or sell the personal data of 100,000 or more California residents or households; or
  3. Derive 50% or more of their annual revenue from selling or sharing California residents’ personal data.

Virginia Consumer Data Protection Act (CDPA) – Effective January 1, 2023

The CDPA applies to businesses in Virginia, or businesses that produce products or services that are targeted to residents of Virginia, and that:

  1. During a calendar year, control or process the personal data of at least 100,000 Virginia residents, or
  2. Control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.

Colorado Privacy Act (CPA) – Effective July 1, 2023

The CPA applies to organizations that conduct business in Colorado or produce or deliver commercial products or services targeted to residents of Colorado and satisfy one of the following thresholds:

  1. Control or process the personal data of 100,000 Colorado residents or more during a calendar year, or
  2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 Colorado residents or more.

Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTPDA) – Effective July 1, 2023

The CTPDA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Connecticut residents, or
  2. Derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Connecticut residents.

Utah Consumer Privacy Act (UCPA) – Effective December 31, 2023

The UCPA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, has annual revenue of $25,000,000 or more, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Utah residents, or
  2. Derives over 50% of the gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Utah residents.

The Takeaway 

Organizations that fall under the scope of these respective new privacy laws should review and prepare their privacy programs. The list of updates may involve:

  • Making updates to privacy policies,
  • Implementing data subject request procedures,
  • Reviewing how your business handles AdTech, marketing, and cookies,
  • Reviewing and updating data processing agreements,
  • Reviewing data security standards, and
  • Providing training for employees.
© 2022 ArentFox Schiff LLP

Federal Bill Would Broaden FTC’s Role in Cybersecurity and Data Breach Disclosures

Last week, the House Energy and Commerce Committee advanced H.R. 4551, the “Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act” (“RANSOMWARE Act”).  H.R. 4551 was introduced by Consumer Protection and Commerce Ranking Member Gus Bilirakis (R-FL).

If it becomes law, H.R. 4551 would amend Section 14 of the U.S. SAFE WEB Act of 2006 to require not later than one year after its enactment, and every two years thereafter, the Federal Trade Commission (“FTC”) to transmit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report (the “FTC Report”).  The FTC Report would be focused on cross-border complaints received that involve ransomware or other cyber-related attacks committed by (i) Russia, China, North Korea, or Iran; or (ii) individuals or companies that are located in or have ties (direct or indirect) to those countries (collectively, the “Specified Entities”).

Among other matters, the FTC Report would include:

  • The number and details of cross-border complaints received by the FTC (including which such complaints were acted upon and which such complaints were not acted upon) that involve ransomware or other cyber-related attacks that were committed by the Specified Entities;
  • A description of trends in the number of cross-border complaints received by the FTC that relate to incidents that were committed by the Specified Entities;
  • Identification and details of foreign agencies, including foreign law enforcement agencies, located in Russia, China, North Korea, or Iran with which the FTC has cooperated and the results of such cooperation, including any foreign agency enforcement action or lack thereof;
  • A description of FTC litigation, in relation to cross-border complaints, brought in foreign courts and the results of such litigation;
  • Any recommendations for legislation that may advance the security of the United States and United States companies against ransomware and other cyber-related attacks; and
  • Any recommendations for United States citizens and United States businesses to implement best practices on mitigating ransomware and other cyber-related attacks.

Cybersecurity is an area of recent federal government focus, with other measures recently taken by President Biden, the Securities and Exchange Commission, the Food and Drug Administration, and other stakeholders.

Additionally, H.R. 4551 is also consistent with the FTC’s focus on data privacy and cybersecurity.  The FTC has increasingly taken enforcement action against entities that failed to timely notify consumers and other relevant parties after data breaches and warned that it would continue to apply heightened scrutiny to unfair data security practices.

In May 2022, in a blog post titled “Security Beyond Prevention: The Importance of Effective Breach Disclosures,” the FTC’s Division of Privacy and Identity Protection had cautioned that “[t]he FTC has long stressed the importance of good incident response and breach disclosure as part of a reasonable information security program,” and that, “[i]n some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.”

As readers of CPW know, state breach notification laws and sector-specific federal breach notification laws may require disclosure of some breaches.  However, as of May 2022 it is now expressly the position of the FTC that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.”  This is a significant development, as notwithstanding the absence of a uniform federal data breach statute, the FTC is anticipated to continue to exercise its enforcement discretion under Section 5 concerning unfair and deceptive practices in the cybersecurity context.

© Copyright 2022 Squire Patton Boggs (US) LLP

Looking into Our (Slightly Hazy) Crystal Ball: What Will the Mississippi Cannabis Market Look Like?

When you do what we do, you get a lot of calls and a lot of questions. Many of the calls and questions are not fruitful. Quite honestly, some of the calls are from folks whose interest in and experience with cannabis is, we suspect, on a purely personal and leisurely level. In the words of Hyman Roth, this is the business we’ve chosen.

But one legitimate question we’re often asked is what we think the cannabis market will look like in Mississippi. And, more specifically, whether Mississippi’s new medical cannabis regime will be similar to the one in Oklahoma.

It’s a loaded question, and one we suspect many questioners don’t fully appreciate. On the one hand, Oklahoma’s medical cannabis program has been compared to the Wild West. At last count, there were more medical cannabis dispensaries than liquor stores or supermarkets in the state. Many have concluded that this is a bad thing and/or that the program is a failure. Others have deemed the program a triumph of capitalism, a survival-of-the-fittest trial where only the “best” will survive.

As is often the case, we think the answer is probably somewhere in the middle.

On the one hand, the obvious and primary similarity between the programs is the absence of an expressed cap on the number of licenses available. While most states limit the number of licenses available, neither Oklahoma nor Mississippi does so. Many believe this feature will lead to Mississippi following the lead of Oklahoma in terms of the proliferation of dispensaries throughout the Magnolia State.

On the other hand, there are a number of differences between the two states and their statutes that indicate to us that Mississippi’s regime will differ in several important ways – ways we are seeing play out now. First, while the license fee for a dispensary in Oklahoma is $2,500, the fee in Mississippi is $25,000, 10 times the amount. And that amount is owed annually and is in addition to the initial $15,000 application fee. As a practical matter, and for better or worse, this feature alone should significantly cull the number of dispensaries because it provides a substantial barrier to entry into the industry.

Second, there may be significantly fewer locations available to open a dispensary in Mississippi than one would expect due to several geographic-limiting features of the law. Initially, localities have until May 3 to opt out of the medical cannabis regime, and several cities have already done so. Also, dispensaries cannot be located within 1,000 feet of any church, school, or daycare facility. For those unfamiliar with Mississippi, it may be tough to find anywhere in the state that isn’t within 1,000 feet of a church. Even more, the law forbids one dispensary from being within 1,500 feet from another dispensary, and dispensaries are only permissible in commercially zoned areas.

Third, the cannabis industry examining the Mississippi market will have the benefit of having lived through the Oklahoma experience. This is likely to minimize the “goldrush” mentality seen in Oklahoma’s early days. Instead, look for larger players to let the dust settle and come in looking to acquire operators who proved successful breaking out of the initial melee.

Conclusion

It seems possible that, at least in the early years, the Mississippi medical cannabis regime may more closely resemble Oklahoma than a state like Florida with strict limitations on the number of licenses. But our prediction is that certain aspects of Mississippi law and culture will lead to less of a free-for-all at the outset, hopefully leading to a more efficient and more orderly transition to a rational cannabis market in Mississippi.

© 2022 Bradley Arant Boult Cummings LLP

Why ‘Don’t Say Gay’ Bills are Antithetical to an Equitable and Inclusive Education

According to a 2019 GLSEN national survey of LGBTQ+ students, nearly 60% of surveyed students reported they felt unsafe at school because of their sexual orientation and 43% because of their gender expression. Within the same survey, nearly all (98.8%) LGBTQ+ students reported hearing “gay” used in a negative way at school, 95% heard other homophobic remarks, and 87% heard transphobic remarks.

When I was an educator, it was essential to my practice that all my students felt safe. If I were to hear any negative remarks about a student or become aware one of my students felt unsafe due to their identity, it would be my ethical, and moral, obligation to do something to create a safer and more inclusive learning environment; a core part of my role as an educator was to teach empathy and compassion in my students. This could be as simple as having a classroom discussion about the choices of language and how using words such as “gay” with a negative connotation can be hurtful to their classmates. This could also mean sharing my own identity as a queer man so my LGBTQ+ students knew they had someone they could turn to for support, and to normalize queer identities for all my students and their families. Either of these actions would require I discuss the importance of accepting all sexual orientations and gender identities.

In other words, I would have to say “gay.” But in six states — as of now — I would not have been able to do this.

The state of Florida attracted national attention earlier this year with the adoption of H.B. 1557, the “Parental Rights in Education” bill, more commonly known as the “Don’t Say Gay” bill. The bill, which has since been signed into law, dictates classroom instruction by “school staff” on “sexual orientation or gender identity may not occur in kindergarten through grade 3 or in a manner that is not age-appropriate or developmentally appropriate for students.” Five other states, according to the Movement Advancement Project, have similar laws enacted and several more have bills pending in their state legislatures. Some proponents of these bills argue the legislation is necessary to ensure parents have greater say when, if, and how LGBTQ+ issues are discussed with their children.

Yet these laws are designed to ensure only some parents have greater say, as the parents of LGBTQ+ children are certainly not reflected in these efforts.

At a time when youth mental health is reaching a crisis, state legislatures are advancing bills that would perpetuate, and arguably exacerbate, harmful school-based experiences for LGBTQ+ youth and worsen their well-being. A 2022 survey by the Trevor Project found 45% of LGBTQ+ youth seriously considered attempting suicide in the past year, and over half of transgender and nonbinary youth considered suicide. The 2019 GLSEN survey also found LGBTQ+ students who experienced forms of victimization based on their sexual orientation or gender identity (e.g., being bullied, hearing homophobic or transphobic remarks, etc.) had lower levels of self-esteem, higher levels of depression, and were less likely to say they belonged in school.

Some may argue “Don’t Say Gay” bills would not preclude educators from addressing instances of homophobia or transphobia in their classrooms and try to suggest that prohibitions on such actions are not the intent of the bills. However, regardless of intent, these bills often have the insidious impact to “chill” educators’ actions out of fear they may run afoul of the law and open themselves to reprimands, including being terminated.

All students deserve to have a safe, supportive, and affirming learning environment. All educators should be empowered to protect their students, and not feel afraid to step in when they notice a student being bullied because of their identity. And every parent should have the resources to be a partner in their child’s education. Unfortunately, state laws such as the “Don’t Say Gay” bills will only stand in the way of these notions becoming realities.

It is impossible to support all students when LGBTQ+ children continue to be targeted merely because of their identities.

Copyright ©2022 Nelson Mullins Riley & Scarborough LLP

Heated Debate Surrounds Proposed Federal Privacy Legislation

As we previously reported on the CPW blog, the leadership of the House Energy and Commerce Committee and the Ranking Member of the Senate Commerce Committee released a discussion draft of proposed federal privacy legislation, the American Data Privacy and Protection Act (“ADPPA”), on June 3, 2022. Signaling potential differences amongst key members of the Senate Committee on Commerce, Science, and Transportation, Chair Maria Cantwell (D-WA) withheld her support. Staking out her own position, Cantwell is reportedly floating an updated version of the Consumer Online Privacy Rights Act (“COPRA”), originally proposed in 2019.

Early Stakeholder Disagreement

As soon as a discussion draft of the ADPPA was published, privacy rights organizations, civil liberty groups, and businesses entered the fray, drawing up sides for and against the bill. The ACLU came out as an early critic of the legislation. In an open letter to Congress sent June 10, the group urged caution, arguing that both the ADPPA and COPRA contain “very problematic provisions.” According to the group, more time is required to develop truly meaningful privacy legislation, as evidenced by “ACLU state affiliates who have been unable to stop harmful or effectively useless state privacy bills from being pushed quickly to enactment with enormous lobbying and advertising support of sectors of the technology industry that resist changing a business model that depends on consumers not having protections against privacy invasions and discrimination.” To avoid this fate, the ACLU urges Congress to “bolster enforcement provisions, including providing a strong private right of action, and allow the states to continue to respond to new technologies and new privacy challenges with state privacy laws.”

On June 13, a trio of trade groups representing some of the largest tech companies sent their open letter to Congress, supporting passage of a federal privacy law, but ultimately opposing the ADPPA. Contrary to the position taken by the ACLU, the industry groups worry that the bill’s inclusion of a private right of action with the potential to recover attorneys’ fees will lead to litigation abuse. The groups took issue with other provisions as well, such as the legislation’s restrictions on the use of data derived from publicly-available sources and the “duty of loyalty” to individuals whose covered data is processed.

Industry groups and consumer protection organizations had the opportunity to voice their opinions regarding the ADPPA in a public hearing on June 14. Video of the proceedings and prepared testimony of the witnesses are available here. Two common themes arose in the witnesses’ testimony: (1) general support for federal privacy legislation; and (2) opposition to discrete aspects of the bill. As has been the case for the better part of a decade in which Congress has sought to draft a federal privacy bill, two fundamental issues continue to drive the debate and must be resolved in order for the legislation to become law: the private right of action to enforce the law and preemption of state laws or portions of them. While civil rights and privacy advocacy groups maintain that the private right of action does not go far enough and that federal privacy legislation should not preempt state law, industry groups argue that a private right of action should not be permitted and that state privacy laws should be broadly preempted.

The Path Forward

The Subcommittee on Consumer Protection and Commerce of the House Energy and Commerce Committee is expected to mark up the draft bill the week of June 20. We expect the subcommittee to approve the draft bill with little or no changes. The full Energy and Commerce Committee should complete work on the bill before the August recess. Given the broad bipartisan support for the legislation in the House, we anticipate that the legislation, with minor tweaks, is likely to be approved by the House, setting up a showdown with the Senate after a decade of debate.

With the legislative session rapidly drawing to a close, the prospects for the ADPPA’s passage remain unclear. Intense disagreement remains amongst key constituency groups regarding important aspects of the proposed legislation. Yet, in spite of the differences, a review of the public comments to date regarding the ADPPA reveals one nearly unanimous opinion: the United States needs federal privacy legislation. In light of the fact that most interested parties agree that the U.S. would benefit from federal privacy legislation, Congress has more incentive than ever to reach compromise regarding one of the proposed privacy bills.

© Copyright 2022 Squire Patton Boggs (US) LLP

By Law, Everything Is Possible In California

The California Civil Code includes a number of decidedly gnomic provisions.  Section 1597 is one of these.  It purports to answer the question of what is possible:

Everything is deemed possible except that which is impossible in the nature of things.

The problem with the statute is that it doesn’t fully answer the question because to know what is possible, one must know what is impossible and the statute doesn’t provide a definition of impossibility.  In this regard, I am reminded of the following lines from James Joyce’s Ulysses: 

But can those have been possible seeing that they never were?  Or was that only possible which came to pass?

But why define what is possible?  The reason is that the Civil Code requires that the object of a contract must, among other things, be possible by the time that it is to be performed.  Cal. Civ. Code § 1596.  When a contract has a single object that is impossible of performance, the entire contract is void.  Cal. Civ. Code § 1598.

Happy Bloomsday!

Today is Bloomsday.  Joyce chose June 16, 1904 as the day on which most (but not all) of the action in Ulysses takes place.  It is called Bloomsday because the hero of the novel is Leopold Bloom.  It was on June 16, 1904 that Joyce and his future wife, Nora Barnacle, had their first date (and intimate contact).

Finn’s Hotel in Dublin, where Nora worked in 1904

© 2010-2022 Allen Matkins Leck Gamble Mallory & Natsis LLP

Uyghur Forced Labor Prevention Act Is Coming… Are You Ready? CBP Issues Hints at the Wave of Enforcement To Come

US Customs and Border Protection (CBP) has issued some guidance relating to its enforcement of the Uyghur Forced Labor Prevention Act (UFLPA) prior to June 21, 2022, the effective date of the rebuttable presumption.

What to Know

  • The new guidance imposes tighter timelines and a higher burden of evidence on importers to rebut the presumption that merchandise was produced with forced labor. If CBP does not make a decision within specific timeframes, goods will automatically be deemed excluded.
  • CBP is expected to issue additional technical guidance at the end of May or early June. The Department of Homeland Security (DHS) is also expected to issue guidance closer to June 21, 2022.
  • CBP is scheduled to host informational webinars detailing their UFLPA guidance in the coming weeks.

What’s New: Tighter Timelines  

While US importers were eagerly anticipating the issuance of technical guidance regarding implementation of the UFLPA from CBP last week, which is now expected this week, CBP did post a new guidance document summarizing the UFLPA and forced labor Withhold Release Orders (WRO) enforcement mechanisms. Specifically, CBP’s authority to detain merchandise under the UFLPA will be pursuant to 19 CFR § 151.16, which provides for a much different timeline for the detention of merchandise than the WRO process. Under this process, if Customs does not make a timely decision regarding admissibility, goods are automatically excluded.

UFLPA Timeline Enforcement under 19 CFR § 151.16

| Number of Days | Actions |
| --- | --- |
| 5 Days from Presentation for Examination | CBP must decide whether to release or detain merchandise. If the merchandise is not released, it is detained. |
| 5 Days after Decision to Release or Detain | CBP will issue a notice to importer advising them of: the initiation of detention; date merchandise examined; reason for detention; anticipated length of detention; nature of tests and inquiries to be conducted; information to accelerate disposition. Upon written request, CBP must provide importer with testing procedures, methodologies used, and testing results. |
| Within 30 Days of Examination | CBP will make a final determination as to the admissibility of merchandise. If CBP does not make a determination within the 30-day period, the merchandise will be deemed excluded. This means any submission to rebut the presumption should be made before this 30 day period. |
| Within 180 Days of CBP Determination/Exclusion | Importers may protest CBP’s final determination. |
| Within 30 Days After Protest Submitted | The protest is deemed denied if CBP does not grant or deny the protest within 30 days. |
| Within 180 Days after the Date the Protest is Denied | The importer may commence a court action contesting the denied protest (28 U.S.C. § 1581(a)). In a court action, CBP must establish by a preponderance of the evidence that an admissibility decision has been reached for good cause. Customs can decide to grant the protest after the deemed denial but before a court case is filed. |

This is a much shorter timeline than the WRO process. Importantly, a company contesting CBP’s detention of merchandise pursuant to the UFLPA would be required to submit documentation to rebut the presumption within the 30-day period that CBP is assessing admissibility, whereas the WRO process permits 90 days. Like the WRO process, the importer may also file a protest 180 days after CBP makes its final determination regarding the exclusion.

CBP Listening Session: A Higher Burden of Evidence 

On Tuesday, May 24, 2022, CBP provided information regarding the publication of guidance and enforcement of the UFLPA:

  • CBP Publication of Guidance. CBP’s guidance regarding its enforcement of the rebuttable presumption and the UFLPA is scheduled to be published the week of May 30.
  • DHS Publication of Guidance. DHS guidance will be published on or about June 21, 2022, which will include information relating to supply chain due diligence, importer guidance, and the entity lists.
  • Clear and Convincing Evidence Required to Rebut the Presumption that Merchandise was Produced with Forced Labor. It was confirmed that the UFLPA will have a much higher burden of evidence required to rebut the presumption that merchandise was produced with forced labor than that of a WRO. Any exception to the rebuttable presumption must be reported to Congress, and thus the level of evidence that will be required to overcome the rebuttable presumption is very high. As a practical matter, it appears that very few detained entries will be released. Importers are advised to start conducting due diligence on supply chains in order to ensure that they will be able to obtain documentation should merchandise be detained once the rebuttable presumption goes into effect. Importantly, products that are subject to an existing WRO from Xinjiang will now be enforced under the UFLPA process instead of the WRO process.
  • Evidence Required if Merchandise is Detained. The forthcoming guidance will set forth information regarding how an importer may meet the exception to the rebuttable presumption and to demonstrate that merchandise was not produced with forced labor, by meeting the following three criteria:
    • Demonstrate compliance with the Forced Labor Enforcement Task Force/DHS strategy;
    • Demonstrate compliance with CBP’s guidance and any inquiries that CBP raises; and
    • Provide clear and convincing evidence that the supply chain in question is free of forced labor.
  • Binding Rulings. Importers may apply for a binding ruling to confirm or request an exception to the rebuttable presumption under the UFLPA. Although CBP is still finalizing the process for importers to apply for a binding ruling, importers would be required to prove by clear and convincing evidence that merchandise is not produced with forced labor. If the ruling is granted, it applies to future shipments for the specific supply chain in question.
  • Known Importer Letters and Detention Notices. Going forward, CBP will not issue Known Importer letters, and CBP will notify importers that merchandise is subject to the UFLPA through the issuance of detention notices.
  • Detention of Merchandise. If goods are detained by CBP because they are suspected of having a nexus to Xinjiang Uyghur Autonomous Region (XUAR) of the People’s Republic of China (PRC), importers may either provide clear and convincing evidence that merchandise was not produced with forced labor or export the products. If detained products that fall under the UFLPA are comingled with other products that are not subject to the UFLPA, importers may request the segregation of the merchandise that is not subject to the UFLPA.
  • Chain of CBP Review for Importer Submissions Relating to Detained Merchandise. Chain of CBP review for the request of an exception to the rebuttable presumption has not been finalized yet. However, importers will be required to submit evidence that rebuts the presumption that merchandise was produced with forced labor to the applicable CBP Port Director. For the moment, the CBP Commissioner is the final individual who can ultimately make an exception to the rebuttable presumption, but CBP is deciding if it will delegate this responsibility to any additional persons.

Upcoming CBP Informational Webinars

CBP will be holding three webinar sessions, all covering the same material, to discuss and review its guidance relating to the UFLPA. The dates of the webinars and the registration links are listed below.

© 2022 ArentFox Schiff LLP

Alabama Enacts New Telemedicine Law

Alabama Governor Kay Ivey recently signed SB 272 into law, setting forth telemedicine practice standards and abolishing Alabama’s previous “special purpose license” that allowed physicians licensed in other states to practice across state lines into Alabama. The law is effective July 11, 2022.

The law creates a new article in the Code of Alabama (Sections 34-24-701 through 34-24-707 of Chapter 24, Title 34). The statutory language is lengthy, but the key provisions are summarized below.

Medical License

Unless the physician meets an exception to licensure (e.g., peer-to-peer consultations, irregular or infrequent services), a physician must obtain either a full Alabama medical license or a license via the Interstate Medical Licensure Compact in order to provide “telehealth medical services” to a patient located in Alabama.

  • Telehealth medical services means “[d]igital health, telehealth, telemedicine, and the applicable technologies and devices used in the delivery of telehealth. The term does not include incidental communications between a patient and a physician.”
  • The term “irregular or infrequent” services refers to “telehealth medical services” occurring less than 10 days in a calendar year or involving fewer than 10 patients in a calendar year.

Defined Terms and Allowable Modalities

  • Telehealth is defined as “[t]he use of electronic and telecommunications technologies, including devices used for digital health, asynchronous and synchronous communications, or other methods, to support a range of medical care and public health services.”
  • Telemedicine is defined as “[a] form of telehealth referring to the provision of medical services by a physician at a distant site to a patient at an originating site via asynchronous or synchronous communications, or other devices that may adequately facilitate and support the appropriate delivery of care.” The term includes digital health, but does not include incidental communications between a patient and a physician.
  • Digital Health is defined as “[t]he delivery of health care services, patient education communications, or public health information via software applications, consumer devices, or other digital media.”
  • Asynchronous is defined as “[t]he electronic exchange of health care documents, images, and information that does not occur in real time, including, but not limited to, the collection and transmission of medical records, clinical data, or laboratory results.”
  • Synchronous is defined as “[t]he real-time exchange of medical information or provision of care between a patient and a physician via audio/visual technologies, audio only technologies, or other means.”

Physician-Patient Relationship

A physician-patient relationship may be formed via telehealth without a prior in-person exam.

Telemedicine Prescribing of Medications and Controlled Substances

A practitioner may prescribe a legend drug, medical supplies, or a controlled substance to a patient via telehealth. However, a prescription for a controlled substance may only be issued if:

  1. The telehealth visit includes synchronous audio or audio-visual communication using HIPAA compliant equipment;
  2. The practitioner has had at least one in-person encounter with the patient within the preceding 12 months; and
  3. The practitioner has established a legitimate medical purpose for issuing the prescription within the preceding 12 months.

In-Person Visit for Unresolved Medical Condition

If a physician or practice group provides telehealth medical services more than 4 times in a 12-month period to the same patient for the same medical condition without resolution, the physician must either see the patient in person within 12 months or refer the patient to a physician who can provide the in-person care within 12 months. This in-person visit requirement does not apply to the provision of mental health services.

The Alabama Board of Medical Examiners and the Alabama Medical Licensure Commission are currently developing administrative rules in accordance with the new law.

© 2022 Foley & Lardner LLP

PFAS Air Regulations Proposed By House

In the latest federal legislative move to try to force the EPA to take quicker action than contemplated by the agency’s PFAS Roadmap of 2021, a bill was recently introduced in the House that would require the EPA to set air emission limits for all PFAS under the Clean Air Act. Advocates concerned about PFAS pollution issues beyond just drinking water have pushed for PFAS air regulations in the past few years. There are barriers, though, to achieving the desired results even if the legislation passes. Nevertheless, the federal legislative activity underscores the need for all companies that are currently using PFAS in their manufacturing or industrial processes to understand the full scope of compliance needs when and if PFAS air regulations become a reality.

House Bill For PFAS Air Regulations

On March 17, 2022, a bipartisan group in the House introduced the “Prevent Release Of Toxics Emissions, Contamination, and Transfer Act of 2022” (also known as the PROTECT Act of 2022 or HR 7142). The aim of the bill is to require the EPA to list all PFAS as hazardous air pollutants (HAPs) under the Clean Air Act. If passed, the designation as HAPs would require the EPA to develop regulatory limits for the emission of PFAS into the air.

The proposed steps, however, go well beyond the EPA’s own plan for potential PFAS air regulations as detailed in the EPA’s PFAS Strategic Roadmap 2021. In the PFAS Roadmap, the EPA indicates that it commits to performing ongoing investigation to:

  • Identify sources of PFAS air emissions;
  • Develop and finalize monitoring approaches for measuring stack emissions and ambient concentrations of PFAS;
  • Develop information on cost-effective mitigation technologies; and
  • Increase understanding of the fate and transport of PFAS air emissions to assess their potential for impacting human health via contaminated groundwater and other media pathways.

The EPA committed to using this information and data in order to, by the Fall of 2022, “evaluate mitigation options”, which could include listing “certain PFAS” as HAPs. However, the EPA also indicated that it might use other regulatory or non-regulatory tools to achieve results similar to formal PFAS air regulations under the Clean Air Act.

The bill, therefore, would considerably accelerate the EPA’s process for potential HAPs, which in turn could result in legal challenges to any rushed HAPs, as the EPA would not have had the opportunity to collect all necessary data and evaluate the soundness of the science behind any HAP designation.

Impact On Business

Any designation of PFAS as HAPs under the Clean Air Act will of course immediately impact companies that are utilizing PFAS and emitting PFAS into the air. While it remains to be seen whether the PROTECT Act will pass, if it were to pass and the EPA’s HAP designations were to survive any legal challenges, the impacts on businesses would be significant. Companies would need to undertake extensive testing of air emissions to determine their risk of Clean Air Act violations, which will be complicated due to limitations on current technology to do this type of testing. Companies may also need to pivot their production practices to reduce or limit PFAS air emissions, which would add unplanned costs to balance sheets. Finally, companies may wish to explore substitutes for PFAS rather than navigate Clean Air Act regulatory compliance, which is a significant undertaking that takes time and money.

It is also worth noting that a designation as a HAP for any PFAS would trigger significant regulatory challenges to businesses that might have nothing to do with air emissions. Any substance listed as a HAP under the Clean Air Act is automatically designated as a “hazardous substance” under CERCLA (the Superfund law). Once a substance is classified as a “hazardous substance” under CERCLA, the EPA can force parties that it deems to be polluters to either clean up the polluted site or reimburse the EPA for the full remediation of the contaminated site. Without a PFAS Superfund designation, the EPA can merely attribute blame to parties that it feels contributed to the pollution, but it has no authority to force the parties to remediate or pay costs. The designation also triggers considerable reporting requirements for companies. Currently, those reporting requirements with respect to PFAS do not exist, but they would apply to industries well beyond just PFAS manufacturers. Superfund site cleanup costs can be extensive, even as high as hundreds of millions of dollars, depending on the scope of pollution at issue and the amount of territory involved in the site.

©2022 CMBG3 Law, LLC. All rights reserved.

Utah Becomes Fourth U.S. State to Enact Consumer Privacy Law

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

The UCPA applies to a controller or processor that (1) conducts business in Utah or produces a product or service targeted to Utah residents; (2) has annual revenue of $25,000,000 or more; and (3) satisfies at least one of the following thresholds: (a) during a calendar year, controls or processes the personal data of 100,000 or more Utah residents, or (b) derives over 50% of its gross revenue from the sale of personal data, and controls or processes the personal data of 25,000 or more consumers.

As with the CPA and VCDPA, the UCPA’s protections apply only to Utah residents acting solely within their individual or household context, with an express exemption for individuals acting in an employment or commercial (B2B) context. Similar to the CPA and VCDPA, the UCPA contains exemptions for covered entities, business associates and protected health information subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and financial institutions or personal data subject to the Gramm-Leach-Bliley Act (“GLB”). As with the CCPA/CPRA and VCDPA, the UCPA also exempts non-profit entities from its application.

In line with the CCPA/CPRA, CPA and VCDPA, the UCPA provides Utah consumers with certain rights, including the right to access their personal data, delete their personal data, obtain a copy of their personal data in a portable manner, opt out of the “sale” of their personal data, and opt out of “targeted advertising” (as each term is defined under the law). Notably, the UCPA adopts the VCDPA’s narrower definition of “sale,” which is limited to the exchange of personal data for monetary consideration by a controller to a third party. Unlike the CCPA/CPRA, CPA and VCDPA, the UCPA will not provide Utah consumers with the ability to correct inaccuracies in their personal data. Also unlike the CPA and VCDPA, the UCPA will not require controllers to obtain prior opt-in consent to process “sensitive data” (i.e., racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical or health information, genetic or biometric data, or geolocation data). It will, however, require controllers to first provide consumers with clear notice and an opportunity to opt out of the processing of their sensitive data. With respect to the processing of personal data “concerning a known child” (under age 13), controllers must process such data in accordance with the Children’s Online Privacy Protection Act. The UCPA will prohibit controllers from discriminating against consumers for exercising their rights.

In addition, the UCPA will require controllers to implement reasonable and appropriate data security measures, provide certain content in their privacy notices, and include specific language in contracts with processors.

Unlike the CCPA/CPRA, VCDPA and CPA, the UCPA will not require controllers to conduct data protection assessments prior to engaging in data processing activities that present a heightened risk of harm to consumers, or to conduct cybersecurity audits or risk assessments.

In line with existing U.S. state privacy laws, the UCPA does not provide for a private right of action. The law will be enforced by the Utah Attorney General.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.