Are You Ready for 2023? New Privacy Laws To Take Effect Next Year

Five new state omnibus privacy laws have been passed and will go into effect in 2023. Organizations should review their privacy practices and prepare for compliance with these new privacy laws.

What’s Happening?

While the US currently does not have a federal omnibus privacy law, states are beginning to pass privacy laws to address the processing of personal data. While California is the first state with an omnibus privacy law, it has now updated its law, and four additional states have joined in passing privacy legislation: Colorado, Connecticut, Utah, and Virginia. Read below to find out if the respective new laws will apply to your organization.

Which Organizations Must Comply?

The respective privacy laws will apply to organizations that meet particular thresholds. Notably, while most of the laws apply to for-profit businesses, the Colorado Privacy Act also applies to non-profits. There are additional scope provisions and exemptions to consider, but we provide a list of the applicable thresholds below.

The California Privacy Rights Act (CPRA) – Effective January 1, 2023

The CPRA applies to for-profit businesses that do business in California and meet any of the following:

  1. Have a gross annual revenue of over $25 million;
  2. Buy, receive, or sell the personal data of 100,000 or more California residents or households; or
  3. Derive 50% or more of their annual revenue from selling or sharing California residents’ personal data.

Virginia Consumer Data Protection Act (CDPA) – Effective January 1, 2023

The CDPA applies to businesses in Virginia, or businesses that produce products or services that are targeted to residents of Virginia, and that:

  1. During a calendar year, control or process the personal data of at least 100,000 Virginia residents, or
  2. Control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.

Colorado Privacy Act (CPA) – Effective July 1, 2023

The CPA applies to organizations that conduct business in Colorado or produce or deliver commercial products or services targeted to residents of Colorado and satisfy one of the following thresholds:

  1. Control or process the personal data of 100,000 Colorado residents or more during a calendar year, or
  2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 Colorado residents or more.

Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTPDA) – Effective July 1, 2023

The CTPDA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Connecticut residents, or
  2. Derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Connecticut residents.

Utah Consumer Privacy Act (UCPA) – Effective December 31, 2023

The UCPA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, has annual revenue of $25,000,000 or more, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Utah residents, or
  2. Derives over 50% of the gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Utah residents.

The Takeaway 

Organizations that fall under the scope of these respective new privacy laws should review and prepare their privacy programs. The list of updates may involve:

  • Making updates to privacy policies,
  • Implementing data subject request procedures,
  • Reviewing how your business is handling AdTech, marketing, and cookies,
  • Reviewing and updating data processing agreements,
  • Reviewing data security standards, and
  • Providing training for employees.
© 2022 ArentFox Schiff LLP

Federal Bill Would Broaden FTC’s Role in Cybersecurity and Data Breach Disclosures

Last week, the House Energy and Commerce Committee advanced H.R. 4551, the “Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act” (“RANSOMWARE Act”).  H.R. 4551 was introduced by Consumer Protection and Commerce Ranking Member Gus Bilirakis (R-FL).

If it becomes law, H.R. 4551 would amend Section 14 of the U.S. SAFE WEB Act of 2006 to require not later than one year after its enactment, and every two years thereafter, the Federal Trade Commission (“FTC”) to transmit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report (the “FTC Report”).  The FTC Report would be focused on cross-border complaints received that involve ransomware or other cyber-related attacks committed by (i) Russia, China, North Korea, or Iran; or (ii) individuals or companies that are located in or have ties (direct or indirect) to those countries (collectively, the “Specified Entities”).

Among other matters, the FTC Report would include:

  • The number and details of cross-border complaints received by the FTC (including which such complaints were acted upon and which such complaints were not acted upon) that involve ransomware or other cyber-related attacks that were committed by the Specified Entities;
  • A description of trends in the number of cross-border complaints received by the FTC that relate to incidents that were committed by the Specified Entities;
  • Identification and details of foreign agencies, including foreign law enforcement agencies, located in Russia, China, North Korea, or Iran with which the FTC has cooperated and the results of such cooperation, including any foreign agency enforcement action or lack thereof;
  • A description of FTC litigation, in relation to cross-border complaints, brought in foreign courts and the results of such litigation;
  • Any recommendations for legislation that may advance the security of the United States and United States companies against ransomware and other cyber-related attacks; and
  • Any recommendations for United States citizens and United States businesses to implement best practices on mitigating ransomware and other cyber-related attacks.

Cybersecurity is an area of recent federal government focus, with other measures recently taken by President Biden, the Securities and Exchange Commission, the Food and Drug Administration, and other stakeholders.

Additionally, H.R. 4551 is also consistent with the FTC’s focus on data privacy and cybersecurity.  The FTC has increasingly taken enforcement action against entities that failed to timely notify consumers and other relevant parties after data breaches and warned that it would continue to apply heightened scrutiny to unfair data security practices.

In May 2022, in a blog post titled “Security Beyond Prevention: The Importance of Effective Breach Disclosures,” the FTC’s Division of Privacy and Identity Protection had cautioned that “[t]he FTC has long stressed the importance of good incident response and breach disclosure as part of a reasonable information security program,” and that, “[i]n some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.”

As readers of CPW know, state breach notification laws and sector-specific federal breach notification laws may require disclosure of some breaches. However, as of May 2022 it is now expressly the position of the FTC that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” This is a significant development, as notwithstanding the absence of a uniform federal data breach statute, the FTC is anticipated to continue to exercise its enforcement discretion under Section 5 concerning unfair and deceptive practices in the cybersecurity context.

© Copyright 2022 Squire Patton Boggs (US) LLP

NYS Sexual Harassment Hotline Goes Live

Effective July 14, 2022 (pursuant to legislation amending the New York State Human Rights Law that was signed by New York State Governor Kathy Hochul in March 2022), New York established a telephone hotline that employees can use to report incidents of sexual harassment to the New York State Division of Human Rights.   The hotline number is 800-HARASS-3 ((800) 427-2773) and will be staffed, on a pro bono basis, by NYS attorneys who have expertise in employment law and sexual harassment issues.  The hotline can be called Monday through Friday, 9:00 a.m. to 5:00 p.m.

Because, under the law, information about the hotline must be contained in workplace policies and postings about sexual harassment, employers need to revise their anti-harassment policies promptly to include this information.

© 2022 Vedder Price

Erasing the Stigma—Michael Kasdan [PODCAST]

Men often hide their mental health struggles, deeming it not manly for them to acknowledge weakness. Michael Kasdan was there at one point in his career, but he’s long since learned better. Today, Michael is an active member of the Good Men Project, sharing his personal struggles with depression with others in the legal profession and beyond. Now, he shares his story and perspective on the state of men’s mental health with Mark Yacano in this episode of Erasing the Stigma.

Michael Kasdan is a partner in Wiggin & Dana’s Intellectual Property Group. He focuses on all areas of intellectual property law, providing his clients with full-service IP expertise that ranges from patent, trademark, copyright and trade secret litigation to IP-related transactions – including licensing and monetization – to helping companies protect and reap maximum value from their own innovations and brands.

Michael was listed as one of the world’s leading IP strategists in the 2103 and 2017 – 2021 editions of IAM Strategy 300 – The World’s Leading IP Strategists and has regularly been listed in Super Lawyers. Clients describe him as creative, energetic, and easy to work with and seek his insight into the business, technology, and legal facets of their IP issues.

Michael writes and speaks extensively. His articles have appeared in Intellectual Asset Management (IAM) Magazine, LEXIS, Thomson/Reuters, Practical Law Company, IP Law360, Bloomberg/BNA, Managing IP Magazine, The National Law Review, and elsewhere. Michael is the sole author of Practical Law Company’s Practice Note on Patent Law and the Lexis Practice Advisor on Patent Licensing and is a co-author of Practical Law Company’s Practice Notes on Global Patent Litigation and Licensing and on Tracking and Privacy.

A member of the firm’s Inclusion, Diversity and Equity Committee, Michael has been the keynote speaker at conferences addressing topics such as diversity and mentorship. He is also a passionate advocate for mental health and wellness in the legal profession and the world at large and serves on the Communications Committee of The Institute for Well-Being in Law.

Michael serves on the Board and as Director of Communications and Development of the nonprofit MyChild’sCancer and on the Board of the SouthNextFestival. He was formerly Chairman of the Board of the nonprofit CityScience, which focuses on improving STEM education in cities. He is also the Director of Special Projects and Sr. Sports Editor for The Good Men Project.

Michael received his J.D. magna cum laude from New York University School of Law. He was a member of the NYU Law Review and the Order of the Coif, was Fish & Neave Fellow for the Engelberg Center on Innovation Law and Policy, and served as President of the Intellectual Property and Entertainment Law Society. After law school, he clerked for the Honorable Judge Roderick R. McKelvie in the U.S. District Court for the District of Delaware. Michael received a B.S.E. in electrical engineering magna cum laude from the University of Pennsylvania, with a minor in mathematics. He was a member of Eta Kappa Nu, Tau Beta Pi, and the Penn Parliamentary Debate Team.

©2022 Major, Lindsey & Africa, an Allegis Group

A Rule 37 Refresher – As Applied to a Ransomware Attack

Federal Rule of Civil Procedure 37(e) (“Rule 37”) was completely rewritten in the 2015 amendments.  Before the 2015 amendments, the standard was that a party could not generally be sanctioned for data loss as a result of the routine, good faith operation of its system. That rule didn’t really capture the reality of all of the potential scenarios related to data issues nor did it provide the requisite guidance to attorneys and parties.

The new rule added a dimension of reasonableness to preservation and a roadmap for analysis.  The first guidepost is whether the information should have been preserved. This rule is based upon the common law duty to preserve when litigation is likely. The next guidepost is whether the data loss resulted from a failure to take reasonable steps to preserve. The final guidepost is whether or not the lost data can be restored or replaced through additional discovery.  If there is data that should have been preserved, that was lost because of failure to preserve, and that can’t be replicated, then the court has two additional decisions to make: (1) was there prejudice to another party from the loss OR (2) was there an intent to deprive another party of the information.  If the former, the court may only impose measures “no greater than necessary” to cure the prejudice.  If the latter, the court may take a variety of extreme measures, including dismissal of the action. An important distinction was created in the rule between negligence and intention.

So how does a ransomware attack fit into the new analytical framework? A Special Master in MasterObjects, Inc. v. Amazon.com (U.S. Dist. Court, Northern District of California, March 13, 2022) analyzed Rule 37 in the context of a ransomware attack. MasterObjects was the victim of a well-documented ransomware attack, which precluded the company’s access to data prior to 2016. The Special Master considered the declaration from MasterObjects which explained that, despite using state-of-the-art cybersecurity protections, the firm was attacked by hackers in December 2020. The hack rendered all the files/mailboxes inaccessible without a recovery key set by the attackers. The hackers demanded a ransom and the company contacted the FBI. Both the FBI and insurer advised them not to pay the ransom. Despite spending hundreds of hours attempting to restore the data, everything prior to 2016 was inaccessible.

Applying Rule 37, the Special Master stated that, at the outset, there is no evidence that any electronically stored information was “lost.”  The data still exists and, while access has been blocked, it can be accessed in the future if a key is provided or a technological work-around is discovered.

Even if a denial of access is construed to be a “loss,” the Special Master found no evidence in this record that the loss occurred because MasterObjects failed to take reasonable steps to preserve it. This step of the analysis, “failure to take reasonable steps to preserve,” is a “critical, basic element” to prove spoliation.

On the issue of prejudice, Amazon argued that “we can’t know what we don’t know” (related to missing documents).  The Special Master did not find Amazon’s argument persuasive. The Special Master concluded that Amazon’s argument cannot survive the adoption of Rule 37(e). “The rule requires affirmative proof of prejudice in the specific destruction at issue.”

Takeaways:

  1. If you are in a spoliation dispute, make sure you have the experts and evidence to prove or defend your case.

  2. When you are trying to prove spoliation, know the new test and apply it in your analysis (the Special Master noted that Amazon did not reference Rule 37 in its briefing).

  3. As a business owner, when it comes to cybersecurity, you must take reasonable and defensible efforts to protect your data.

©2022 Strassburger McKenna Gutnick & Gefsky

Medical Marijuana, Workers’ Compensation, and the CSA: Hazy Outlook for Employers As States Wrestle With Cannabis Reimbursement as a Reasonable Medical Expense

While each state has its own unique workers’ compensation program, workers’ compensation generally requires employers to reimburse the reasonable medical expenses of employees who are injured at work. Depending on the injury, these expenses can include hospital visits, follow-up appointments, physical therapy, surgeries, and medication, among other medical care. In recent years, medical cannabis has become increasingly common to treat a myriad of ailments—as of February 2022, 37 states, the District of Columbia, and three territories now allow the use of medical cannabis.

While that is good news for patients seeking treatment for issues like chronic pain, medical cannabis laws can cause a major headache for employers. The federal law known as the Controlled Substances Act (CSA) classifies cannabis as a Schedule I substance, meaning that under federal law, it is not currently authorized for medical treatment anywhere in the United States and is not considered safe for use even under medical supervision. So, what happens when an employee is injured at work, is eligible for workers’ compensation, and is prescribed medical cannabis to treat their work-related injury in a state that authorizes medical cannabis?

Employers are faced with a tricky dilemma: They can reimburse the employee’s medical cannabis as a reasonable medical expense and risk violating the federal prohibition against aiding and abetting the possession of cannabis. Or, they can refuse to reimburse the otherwise reasonable medical expense and risk violating the state’s workers’ compensation law.

Usually, where it is impossible for an employer to comply with both state and federal law, federal law wins—a legal concept called conflict preemption. Unfortunately for employers, however, clarity on this issue will have to wait—the U.S. Supreme Court recently declined two requests to review state supreme court cases on this issue and definitively decide whether the CSA preempts state workers’ compensation laws that require reimbursement of medical cannabis. In the absence of federal guidance, national employers with workers in different states must follow the decisions of the handful of state courts that have taken up the question. The state courts that have decided the issue have come to inconsistent conclusions—thus, whether an employer should reimburse medical cannabis will vary depending on the state where the employee is injured.

For example, in Maine and Minnesota, both states’ highest courts have concluded that employers are not required to pay for their injured employees’ medical cannabis. These courts reasoned that employers would face liability under the CSA for aiding and abetting the purchase of a controlled substance. The employer, if reimbursing employees for using medical cannabis, would knowingly subsidize the employee’s purchase of marijuana in direct violation of federal law. However, in such a case, the employer would also violate state law for refusing to reimburse the employee’s reasonable medical expenses. Deeming it impossible for the employer to comply with both laws, these states’ courts concluded that the federal prohibition on cannabis preempts the state workers’ compensation laws.

States such as New Jersey have gone the other way, requiring employers to reimburse employees’ medical cannabis. The New Jersey Supreme Court concluded that there was no conflict between the prohibitions of the CSA and the demands of the New Jersey workers’ compensation law. Thus, the federal law did not preempt New Jersey’s state law, and employers were required to comply by reimbursing medical cannabis as a reasonable reimbursement.

Meanwhile, Massachusetts followed Maine and Minnesota’s approach, but did so based on its own medical marijuana statute, not the CSA. The Massachusetts law explicitly exempts health insurance providers or any government agency or authority from the reimbursement requirement because doing so violates federal law.

Given this patchwork of state decisions, employers should be cautious in determining whether to approve or deny medical cannabis as a reasonable medical expense under state workers’ compensation laws. While the answer is relatively clear (for now) in the states discussed above, there are still over 30 states with medical cannabis programs that have not addressed this issue. It is important to note that many state medical cannabis laws include provisions like Massachusetts that exempt employers from reimbursing employees for cannabis—a clear indicator that these laws were designed with federal prohibitions in mind. But these provisions are not necessarily determinative—New Jersey’s medical cannabis law has a similar provision, yet New Jersey employers are still required to reimburse for medical cannabis.

The bottom line is that federal CSA violations can be hefty, including a mandatory $1,000 fine, possible incarceration of up to one year, and possibly more if “aggravating factors” are found, such as prior convictions. Employers should therefore pay careful attention to their respective state medical cannabis laws, workers’ compensation laws, as well as the CSA and consult with counsel to determine the best approach in their particular jurisdiction. It is likely that more of these cases will be brought in the future, so be sure to check back for further developments in this evolving area of law.

Article By Amanda C. Hibbler of Foley & Lardner LLP. This article was prepared with the assistance of 2022 summer associate Zack Sikora.

© 2022 Foley & Lardner LLP

District Court Rules Most Plaintiffs in Case Do Not Have Standing to Block Florida Stop W.O.K.E. Act

There are two key cases pending before the U.S. District Court for the Northern District of Florida on Florida’s “Stop W.O.K.E. Act”: the Falls, et al. v. DeSantis, et al., matter (No. 4:22-cv-00166) and the Honeyfund.com, et al. v. DeSantis, et al., matter (No. 4:22-cv-00227). The Northern District of Florida has issued its first order on the Act, which went into effect on July 1, 2022.

In an Order Denying Preliminary Injunction, in Part, in the Falls matter, the court concluded that the K-12 teachers, the soon-to-be kindergartner, and the diversity and inclusion consultant who sued Governor Ron DeSantis and other officials to block the Stop W.O.K.E. Act did not have standing to pursue preliminary injunctive relief. The court reserved ruling pending additional briefing on the question of whether the college professor, who also sued, has standing.

Stop W.O.K.E. Act

The Stop W.O.K.E. Act expands an employer’s civil liability for discriminatory employment practices under the Florida Civil Rights Act if the employer endorses certain concepts in a “nonobjective manner” during training or other required activity that is a condition of employment.

Court Order

In the Falls case, a diverse group of plaintiffs claiming they were regulated by the Stop W.O.K.E. Act filed a lawsuit challenging the Act on the grounds that it violates their First and Fourteenth Amendment Rights to free expression, academic freedom, and to access information.

The court, however, did not reach the question of constitutionality. It also did not determine whether the case can move forward, an issue that will be decided when the court rules on the defendants’ pending motion to dismiss.

Instead, the court denied the plaintiffs’ request for a preliminary injunction on the threshold question of standing. It found the plaintiffs (other than the college professor) did not show they have suffered an injury-in-fact that is traceable to DeSantis or another defendant that can likely be redressed by a favorable ruling.

The court found the consultant is not an employer as defined by the Florida Civil Rights Act. Therefore, she could not assert standing on that basis. Instead, she argued she has third-party standing to assert the rights of the employers who would otherwise hire her, and she is harmed by the Act because employers will no longer hire her. The court rejected both theories, finding the consultant-employer relationship is not sufficiently “close” to create standing; employers are not hindered in raising their First Amendment rights on their own; and, based on the evidence presented, the court could not reasonably infer that the consultant has lost or will lose business because of the Act.

Importantly, the court specifically held that it was not ruling on the legality of the Act, whether it was moral, or whether it constituted good policy.

Private Employer

The court highlighted that the sister case pending in the Northern District of Florida (Honeyfund.com) involves a private employer under the Florida Civil Rights Act. In that case, the plaintiffs allege the Stop W.O.K.E. Act violates their right to free speech by restricting training topics and their due process rights by being unconstitutionally vague. Honeyfund.com, Inc. and its co-plaintiffs request that the court enjoin enforcement of the law. The case has been transferred to District Court Judge Mark Walker. The Honeyfund.com case will likely have the largest effect on Florida employers and questions surrounding the enforceability of the Act as to diversity and inclusion training.

***

Since the Stop W.O.K.E. Act took effect, employers are understandably unclear how to proceed with training. Employers should continue to train their employees, but review their training programs on diversity, inclusion, bias, equal employment opportunity, and harassment prevention through the lens of the new law. Employers should also ensure they train the trainers who are conducting these important programs. Finally, employers should understand potential risks associated with disciplining or discharging employees who refuse to participate in mandatory training programs, even if employers do not consider the programs to violate the new law.

Jackson Lewis P.C. © 2022

Colorado PFAS Act Likely Just the Beginning of New PFAS Chemical Regulation

Key Takeaways

  • How does the recent increase in state regulation of PFAS chemicals in consumer products impact your business?
  • Potential federal regulations of PFAS chemicals
  • Need for implementation of quality control practices
  • How best to identify and correct improper use of PFAS chemicals in consumer products

Introduction

Colorado has become the most recent state to regulate the use of PFAS chemicals in consumer products. It is important that manufacturers and retailers become aware of these restrictions now to avoid future compliance issues, since the state regulations of PFAS chemical use are not the same from state to state. Further, the compliance issues imposed by state regulations will be compounded if the federal government fulfills its promise to regulate PFAS chemicals. Multiple federal agencies have indicated that such federal regulations may be forthcoming in the near future.

Definition of PFAS

Per- and polyfluoroalkyl substances (PFASs, CₙF₂ₙ₊₁–R) are a group of man-made chemicals that includes PFOA, PFOS and GenX chemicals. These chemicals are widely used, long-lasting chemicals that contain components that break down very slowly over time. PFAS chemicals are used to make fluoropolymer coatings and products that resist heat, oil, stains, grease, and water. These can include clothing, furniture, adhesives, food packaging, and many other products.2 Because of their widespread use and persistence in the environment, many PFAS are found in the blood stream of people and animals all over the world and are present at low levels in a variety of food products and in the environment.

Colorado Joins a Growing List of States to Implement PFAS Regulations for Consumer Products

Colorado recently adopted into law the Perfluoroalkyl and Polyfluoroalkyl Chemicals Consumer Protection Act (the “Colorado PFAS Act”)3, which regulates the use of perfluoroalkyl and polyfluoroalkyl substances (“PFAS chemicals”) in certain consumer products. The Colorado General Assembly concluded that such regulation is necessary upon the determination that “PFAS chemicals pose[] a significant threat to the environment of the state and the health of its residents.”4 Accordingly, by its terms, the Colorado PFAS Act was implemented into law in order “to create a regulatory scheme that phases out the sale or distribution of certain products and product categories in the state that contain intentionally added PFAS chemicals.”5 In furtherance of this goal, the Colorado PFAS Act will phase out the sale and distribution of certain consumer products that contain “intentionally added PFAS chemicals” from January 1, 2024 through January 1, 2027.6

These phase out regulations within the Colorado PFAS Act are consistent with a national trend of states regulating the sale and distribution of consumer products containing PFAS chemicals. For example, the Colorado PFAS Act establishes that Colorado is now one of at least 8 states that will regulate the sale and distribution of “food packaging” that contains intentionally added PFAS chemicals.

Beyond the differing timeline in the above chart, it is important to note these regulations are not synonymous since the term “food packaging” is defined differently by each regulating state.

Ignorance Is No Defense

The Colorado PFAS Act also does not treat ignorance of the contents of a commercial product as a bar to the enforcement of its regulations. It is true that the Colorado PFAS Act prohibits the sale and distribution of certain products that contain “intentionally added PFAS chemicals.”7 However, the Colorado PFAS Act defines “intentionally added PFAS chemicals” as “PFAS chemicals that a manufacturer has intentionally added to a product and that have a functional or technical effect on the product.”8 Here the “intent” element necessary to trigger the regulations of the Colorado PFAS Act is the intent to add any chemistry which includes any listed PFAS chemicals. The Colorado PFAS Act defines “product” to “include” any product components.9 Thus, a “manufacturer” of consumer goods must understand all additive materials to its products through each stage of the supply chain.

Likely Federal regulation by the end of the year (2022)10

The EPA is expected to propose a regulation for groups of PFAS in drinking water in the Fall of 2022 before the Agency’s statutory deadline in March 2023. A final rule is anticipated in Fall 2023 after considering public comments on the proposal. In a new health advisory, EPA reduced the acceptable levels for two PFAS (perfluorooctane sulfonate (PFOS) and perfluorooctanoic acid (PFOA)) in drinking water from 70 parts per trillion down to just 0.004 parts per trillion for PFOA and 0.02 parts per trillion for PFOS.11 Issuing a health advisory is generally considered to be a preliminary step in the process of setting maximum contaminant levels.12 Some states have set their own enforceable drinking water standards for PFOA and PFOS. Vermont, Michigan, and New Jersey have all set limits ranging from 8 to 20 parts per trillion for both chemicals.13 The issuance of the health advisory by the EPA will have States reevaluating their own regulations to conform with the standards set by the Agency.14

By Winter 2022 the EPA plans to leverage federally-issued NPDES permits to reduce PFAS discharges and will propose monitoring requirements at facilities where PFAS are expected or suspected to be present in wastewater and storm water discharges, using its recently published analytical method 1633, which covers 40 unique PFAS. EPA will issue new guidance recommending that state-issued permits that do not already include monitoring requirements for PFAS use the method 1633 at facilities where PFAS is expected or suspected to be present in wastewater and storm water discharges. In addition, the new guidance will recommend the full suite of permitting approaches that EPA will use in federally-issued permits. The EPA expects to publish a multi-laboratory validation method to detect up to 40 specific PFAS compounds in eight environmental matrices with the Department of Defense online by Fall 2022.

Discussion of Proposed RCRA and CERCLA changes

a. Proposed RCRA Changes15

In recent months, EPA has set the stage for greater regulation and firm federal standards for PFAS chemicals that could significantly impact cleanup requirements. In October of 2021, the EPA responded to a petition from Governor Michelle Lujan Grisham of New Mexico to tackle PFAS contamination under the Resource Conservation and Recovery Act (RCRA). EPA outlined plans to initiate the rulemaking process for two new actions under the hazardous waste law. The first rulemaking effort will initiate the process to propose adding four PFAS chemicals as RCRA Hazardous Constituents under Appendix VIII, by evaluating the existing data for these chemicals and establishing a record to support a proposed rule. The four PFAS chemicals EPA will evaluate are: perfluorooctanoic acid (PFOA), perfluorooctane sulfonic acid (PFOS), perfluorobutane sulfonic acid (PFBS), and GenX. Adding these chemicals as RCRA Hazardous Constituents would ensure they are subject to corrective action requirements and would be a necessary building block for future work to regulate PFAS as a listed hazardous waste. The second rulemaking effort will clarify in EPA regulations that the RCRA Corrective Action Program has the authority to require investigation and cleanup for wastes that meet the statutory definition of hazardous waste, as defined under RCRA section 1004(5). This modification would clarify that emerging contaminants such as PFAS can be cleaned up through the RCRA corrective action process.

b. Proposed CERCLA Changes16

In June 2021, EPA restarted the process to designate PFOA and PFOS as Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA) hazardous substances. A proposed rule was expected in the Spring of 2022, but no such rule has been proposed. According to the EPA’s “PFAS Strategic Roadmap,” a final rule is expected in the Summer of 2023 and EPA is currently developing a Notice of Proposed Rulemaking to designate PFOA and PFOS as CERCLA hazardous substances. Such designations would require facilities across the country to report on PFOA and PFOS releases that meet or exceed the reportable quantity assigned to these substances. The hazardous substance designations would also enhance the ability of federal, Tribal, state, and local authorities to obtain information regarding the location and extent of releases. EPA or other agencies could also seek cost recovery or contributions for costs incurred for the cleanup.

The designation of PFOA and PFOS as hazardous substances under CERCLA could substantially impact existing and new cleanup sites. Site owners and responsible parties who release PFOA or PFAS, and possibly other PFAS chemicals, will be obligated to report releases, quantify the location and amounts released to stakeholders, and may be liable for partial or total cleanup. Regulatory changes may also delay cleanup and add significant analytical costs for companies who need to evaluate PFAS in various media prior to releases of any kind to waste streams. The designation of PFAS as hazardous substances has not yet been ratified at a federal level. However, several states (e.g., Washington DOE) have enacted Public Health Goals for surface and drinking waters and cleanup standards – several that incorporate federal hazardous substances lists, ensuring that the impending PFAS regulations will extend beyond federally designated cleanup sites.

The Importance of Following the Discussion Leading up to New TSCA Regulations17

The Toxics Release Inventory (TRI) helps the EPA compile data and information on releases of certain chemicals and supports decisions by companies, regulatory agencies, and the public. The EPA intends to implement a rulemaking in 2022 to categorize the PFAS on the TRI list as “Chemicals of Special Concern” and remove the de minimis eligibility from supplier notification requirements for all “Chemicals of Special Concern.” The EPA is expected to continue to update and add to the list of PFAS subject to the TRI. EPA’s proposed rule would require all manufacturers (including importers) of PFAS in any year since 2011 to report information related to chemical identity, categories of use, volumes manufactured and processed, byproducts, environmental and health effects, worker exposure, and disposal. There is still opportunity for public comments as the rule is not set to finalize until January of 2023.

Industries Should Take Protective Measures

Both the implementation of the Colorado PFAS Act and the recent actions of the EPA establish that the time for manufacturers and retailers to act is now. Specifically, manufacturers and retailers should implement quality control practices directed towards identifying—and where necessary altering—the chemical contents of their consumer products.

To implement such quality control practices, manufacturers and retailers should review their wastewater handling processes and insurance policies for periods of past PFAS chemical use. These previous processes and insurance policies likely identify the specific components of PFAS chemicals that were deemed to violate state wastewater regulations, as well as the internal changes implemented to eliminate the use of such chemicals. Similar practices can likely be implemented in the sale and distribution of consumer products that include PFAS chemicals. Manufacturers and retailers should implement practices now to limit exposure and costs once regulation of PFAS consumer products becomes both effective and more prevalent. If you have any questions regarding PFAS regulations, please contact the authors of this article.



ENDNOTES

1 Zhanyun Wang et al., A Never-Ending Story of Per- and Polyfluoroalkyl Substances (PFASs)?, 51 ENV’L SCI. TECH. 2508.

2 CTR. FOR DISEASE CONTROL AND PREVENTION, https://www.cdc.gov/biomonitoring/PFAS_FactSheet.html (last visited June 24, 2022).

3 C.R.S.A. § 25-15-601 et seq.

4 C.R.S.A. § 25-15-602(1)(a).

5 C.R.S.A. § 25-15-602(2).

6 C.R.S.A. §§ 25-15-604(1), (3)-(4).

7 C.R.S.A. § 25-15-604(1), (3), and (5).

8 C.R.S.A. § 25-15-603(12)(a).

9 C.R.S.A. § 25-15-603(20)(b).

10 All information gathered in this section comes from: ENV’L PROT. AGENCY https://www.epa.gov/system/files/documents/2021-10/pfas-roadmap_final-508.pdf (last visited June 24, 2022).

11 Juan Carlos Rodriguez, 3 Takeaways from EPA’s Guidance on PFAS in Drinking Water, Law360 (June 22, 2022, 8:48 PM EDT).

12 Id.

13 Id.

14 Id.

15 Information on RCRA changes comes from: EPA Press Release, responding to New Mexico Governor’s petition to tackle PFAS contamination under RCRA (Oct. 26, 2021).

16 All information gathered in this section comes from: EPA, PFAS Strategic Roadmap: EPA’s Commitments to Action 2021-2024 (Oct. 2021).

17 Information comes from: EPA (last visited June 24, 2022).

 

Article By Daniella D. Landers, Michael J. Sullivan, and Brendan H. White of Womble Bond Dickinson (US) LLP. Audrey Capra, Summer Associate, also contributed to this alert.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.

Minnesota Inadvertently Allows Unregulated Intoxicating Cannabis Edible Products

As of July 1, 2022, unregulated intoxicating THC products derived from hemp have been legalized in Minnesota, apparently as the result of confusion by state legislators about the new law’s actual effect. Although the express intent of the statute is to allow the sale of products that contain so-called “non-intoxicating cannabinoids” to consumers in Minnesota, the new law contains a massive loophole that effectively legalizes all forms of THC sold in edible products at levels that intoxicate with only a bare minimum of regulatory oversight.

This surely cannot have been the goal of many Minnesota legislators who voted for the bill. In fact, the Minneapolis Star Tribune has reported that at least one senator in the state’s Republican-controlled Senate confirmed that he did not realize that the new law would legalize edible products with all forms of THC. 

The Loophole

The new law changes section 151.72 of the Minnesota Statutes by defining “non-intoxicating cannabinoid” as “substances extracted from certified hemp plants that do not produce intoxicating effects when consumed by any route of administration.” The bill then incongruously allows for cannabinoid edible products to be sold to consumers in the state so long as the product contains no more than 0.3 percent of any THC, no more than 5 mg of any THC in a single serving, and no more than a total of 50 mg of any THC per package.

Most states are now being forced to grapple with how to respond effectively to the problem of unregulated intoxicating hemp cannabinoids being sold openly and online. Edible products with intoxicating levels of hemp-derived delta-8 THC, delta-9 THC, delta-10 THC and THC-O Acetate are sold widely as legal and less-expensive alternatives to regulated marijuana products. States have employed various strategies to, by varying degrees, limit, regulate or prohibit intoxicating hemp cannabinoids, and lawsuits on the subject have been initiated in several states.

No state has created a loophole quite like what exists in Minnesota’s new law. Although Minnesota seeks, at least nominally, to only allow the sale of products that contain “non-intoxicating cannabinoids,” food and beverages that contain less than 0.3 percent THC concentration may nevertheless be intoxicating due to the large amounts that may be consumed easily.

To illustrate the problem of hemp products that contain less than 0.3 percent delta-9 THC concentration but are nevertheless intoxicating, consider this:

  • A typical energy bar of 60 grams would be allowed to have up to 180 mg THC if limited to 0.3 percent THC concentration by weight.
  • Regulated cannabis edible products, by comparison, typically may be sold only in a serving size of no more than 10 mg, with a limit of up to 100 mg per package.
  • A four-gram hemp gummy product, however, could have 10 mg of THC and still fall below the allowable concentration threshold.
  • Minnesota’s new law allows up to 5 mg THC per serving and 50 mg THC per package.

The intoxicating potential here is evident. One need only consume two servings to ingest the same amount of THC allowed in a standard regulated marijuana product serving. Ingesting 50 mg of THC will heavily intoxicate all but the most jaded stoner. Nowhere in the new law, however, is there any requirement to warn that the cannabis edible product may cause intoxication when consumed as suggested.

The Goal Informs the Solution

States should focus on the goal of prohibiting or properly regulating intoxicating hemp products that are currently sold as an unregulated and less-expensive alternative to regulated cannabis. We have previously warned that any state that decides to allow hemp-derived THC in edible products must necessarily grapple with tricky questions over how to regulate maximum serving size, active cannabinoid concentration per serving size, the number of servings per container, consumer warnings and similar questions to mitigate the risk to public health and safety. Cannabis and hemp industry leaders have likewise warned against “percentage” thresholds of cannabinoids as an appropriate measure for foods and beverages for the reasons described above.

In comparison to Minnesota, other states are proceeding in a more cautious manner. California’s recent Assembly Bill 45, for example, draws attention to the above-mentioned issues but acknowledges that more study is needed by the California Department of Public Health (CDPH) before implementing regulations are issued. The bill provides that CDPH “may regulate and restrict the cap on extract and may cap the amount of total THC concentration at the product level based on the product form, volume, number of servings, ratio of cannabinoids to THC in the product, or other factors, as needed.”

Analysis

Exacerbating the problem is the fact that product contamination, label inaccuracies and outright fraud are pervasive within the hemp cannabinoid market. Products often are marketed with misleading or false claims, and many fail to incorporate any explicit warning of intoxicating effects. Because the Minnesota statute incorrectly assumes that consumers will not become intoxicated from compliant cannabis edible products, no such warnings are mandated. This is a mistake.

It appears that better education around hemp-derived edible products could have led to more thoughtful legislation in Minnesota. This example may nevertheless provide a learning opportunity for other states that are studying how to regulate intoxicating hemp products.

© 2022 Wilson Elser

Looking into Our (Slightly Hazy) Crystal Ball: What Will the Mississippi Cannabis Market Look Like?

When you do what we do, you get a lot of calls and a lot of questions. Many of the calls and questions are not fruitful. Quite honestly, some of the calls are from folks whose interest in and experience with cannabis is, we suspect, on a purely personal and leisurely level. In the words of Hyman Roth, this is the business we’ve chosen.

But one legitimate question we’re often asked is what we think the cannabis market will look like in Mississippi. And, more specifically, whether Mississippi’s new medical cannabis regime will be similar to the one in Oklahoma.

It’s a loaded question, and one we suspect many questioners don’t fully appreciate. On the one hand, Oklahoma’s medical cannabis program has been compared to the Wild West. At last count, there were more medical cannabis dispensaries than liquor stores or supermarkets in the state. Many have concluded that this is a bad thing and/or that the program is a failure. Others have deemed the program a triumph of capitalism, a survival-of-the-fittest trial where only the “best” will survive.

As is often the case, we think the answer is probably somewhere in the middle.

On the one hand, the obvious and primary similarity between the programs is the absence of an expressed cap on the number of licenses available. While most states limit the number of licenses available, neither Oklahoma nor Mississippi does so. Many believe this feature will lead to Mississippi following the lead of Oklahoma in terms of the proliferation of dispensaries throughout the Magnolia State.

On the other hand, there are a number of differences between the two states and their statutes that indicate to us that Mississippi’s regime will differ in several important ways – ways we are seeing play out now. First, while the license fee for a dispensary in Oklahoma is $2,500, the fee in Mississippi is $25,000, 10 times the amount. And that amount is owed annually and is in addition to the initial $15,000 application fee. As a practical matter, and for better or worse, this feature alone should significantly cull the number of dispensaries because it provides a substantial barrier to entry into the industry.

Second, there may be significantly fewer locations available to open a dispensary in Mississippi than one would expect due to several geographic-limiting features of the law. Initially, localities have until May 3 to opt out of the medical cannabis regime, and several cities have already done so. Also, dispensaries cannot be located within 1,000 feet of any church, school, or daycare facility. For those unfamiliar with Mississippi, it may be tough to find anywhere in the state that isn’t within 1,000 feet of a church. Even more, the law forbids one dispensary from being within 1,500 feet of another dispensary, and dispensaries are only permissible in commercially zoned areas.

Third, the cannabis industry examining the Mississippi market will have the benefit of having lived through the Oklahoma experience. This is likely to minimize the “goldrush” mentality seen in Oklahoma’s early days. Instead, look for larger players to let the dust settle and come in looking to acquire operators who proved successful breaking out of the initial melee.

Conclusion

It seems possible that, at least in the early years, the Mississippi medical cannabis regime may more closely resemble Oklahoma than a state like Florida with strict limitations on the number of licenses. But our prediction is that certain aspects of Mississippi law and culture will lead to less of a free-for-all at the outset, hopefully leading to a more efficient and more orderly transition to a rational cannabis market in Mississippi.

© 2022 Bradley Arant Boult Cummings LLP