New York City Mayor Signs Hotel Safety and Licensing Law Imposing New Compliance Requirements on Hotel Operators

On November 4, 2024, New York City Mayor Eric Adams signed legislation to ensure hotel safety that will mandate a comprehensive licensing system for hotels to operate in New York City, implement several consumer safety protections, and require hotels to maintain continuous front-desk coverage, directly employ certain “core” employees, and provide human trafficking recognition training.

Quick Hits
  • New York City enacted a new hotel safety law that will require hotels to obtain a license to operate in the city and impose certain staffing requirements.
  • The law will require hotels to directly employ core employees, mainly housekeepers and front desk staff, avoiding the use of third-party staffing agencies.
  • The law is set to take effect 180 days after signing, or May 3, 2025.

The Safe Hotels Act, Int. No. 0991-2024, represents a significant shift in the regulatory landscape for New York City hotel operators, imposing several new employment and consumer compliance requirements as the city’s tourism industry rebounds from the pandemic.

“Our top priority from day one has been to keep people safe, and that includes protecting workers and tourists at our city’s hotels,” Mayor Adams said in a statement announcing the signing of the law. “That’s why we are expanding protections for the working-class New Yorkers who run our hotels and the guests who use them.”

Here is a breakdown of the key aspects of the new law.

Licensing
Under the new law, all hotel operators must obtain a license to operate within New York City. The license, valid for two years, requires a fee of $350. Hotel operators must submit detailed applications demonstrating their compliance with various staffing, safety, and operational standards. Violations of the new licensing requirements can result in significant civil penalties, ranging from $500 for a first offense to $5,000 for repeated offenses.

Staffing
The law will require hotel operators to provide continuous front desk coverage, either through front desk staff or, during overnight shifts, a security guard trained in human trafficking recognition. Large hotels (those with more than 400 rooms) must also maintain continuous security guard coverage on the premises.

Further, the law will require large hotels to directly employ certain “core employees,” aiming to eliminate the use of third-party contractors for core staffing needs. The law defines “core employees” as “any employee whose job classification is related to housekeeping, front desk, or front service at a hotel.” The law exempts small hotels, defined as those with fewer than 100 rooms.

The law will also prohibit hotel operators from retaliating against employees who report violations, participate in investigations, or refuse to engage in practices they believe to be illegal or unsafe.

Consumer Protections
Hotels will be required to maintain the cleanliness of guest rooms and common areas. Daily cleaning and trash removal are mandatory unless explicitly declined by the guest. Hotels will not be allowed to charge fees for daily room cleaning or offer incentives to guests to forgo this service.

Safety
The law will require hotels to provide panic buttons to employees whose duties involve entering occupied guest rooms. Additionally, all core employees must receive human trafficking recognition training within sixty days of employment.

Key Takeaways
Hotel operators may want to consider reviewing and updating policies to align with the new requirements, including updating staff training programs, security protocols, and cleaning schedules. They may also want to assess their staffing arrangements to ensure that core employees are directly employed.

The law is set to take effect 180 days after signing, or May 3, 2025.

© 2024, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.
by: Simone R.D. Francis, Zachary V. Zagger of Ogletree, Deakins, Nash, Smoak & Stewart, P.C.


Consumer Privacy Update: What Organizations Need to Know About Impending State Privacy Laws Going into Effect in 2024 and 2025

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts.

Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect.

Over the next year, the following laws will become effective:

  1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
  2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  5. New Hampshire Privacy Act (effective Jan. 1, 2025)
  6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  7. Tennessee Information Protection Act (effective July 1, 2025)
  8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here. All nine laws listed above contain the following familiar requirements:

(1) disclosing data handling practices to consumers,

(2) including certain contractual terms in data processing agreements,

(3) performing risk assessments (with the exception of Iowa); and

(4) affording resident consumers certain rights, such as the right to access or know the personal data processed by a business, the right to correct any inaccurate personal data, the right to request deletion of personal data, the right to opt out of targeted advertising or the sale of personal data, and the right to opt out of the processing of sensitive information.

The laws contain more than a few noteworthy differences. Each of the laws differs in terms of the scope of its application. The applicability thresholds vary based on: (1) the number of state residents whose personal data the company (or “controller”) controls or processes, or (2) the proportion of revenue a controller derives from the sale of personal data. Maryland, Delaware, and New Hampshire each have a 35,000 consumer processing threshold. Nebraska, similar to the recently passed data privacy law in Texas, applies to controllers that do not qualify as small businesses and process personal data or engage in personal data sales. It is also important to note that Iowa adopted a comparatively narrower definition of what constitutes a sale of personal data, limiting it to transactions involving monetary consideration. All states require that the company conduct business in the state.

With respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Iowa’s, Montana’s, Nebraska’s, New Hampshire’s, and Tennessee’s laws exempt HIPAA-regulated entities altogether; while Delaware’s, Maryland’s, Minnesota’s, and New Jersey’s laws exempt only protected health information (“PHI”) under HIPAA. As a result, HIPAA-regulated entities will have the added burden of assessing whether data is covered by HIPAA or an applicable state privacy law.

With respect to the Gramm-Leach-Bliley Act (“GLBA”), eight of these nine comprehensive privacy laws contain an entity-level exemption for GLBA-covered financial institutions. By contrast, Minnesota’s law exempts only data regulated by GLBA. Minnesota joins California and Oregon as the three state consumer privacy laws with information-level GLBA exemptions.

Not least of all, Maryland’s law stands apart from the other data privacy laws due to a number of unique obligations, including:

  • A prohibition on the collection, processing, and sharing of a consumer’s sensitive data except when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
  • A broad prohibition on the sale of sensitive data for monetary or other valuable consideration unless such sale is necessary to provide or maintain a specific product or service requested by a consumer.
  • Special provisions applicable to “Consumer Health Data” processed by entities not regulated by HIPAA. Note that “Consumer Health Data” laws also exist in Nevada, Washington, and Connecticut as we previously discussed here.
  • A prohibition on selling or processing minors’ data for targeted advertising if the controller knows or should have known that the consumer is under 18 years of age.

While states continue to enact comprehensive data privacy laws, there remains the possibility of a federal privacy law to bring in a national standard. The American Privacy Rights Act (“APRA”) recently went through several iterations in the House Committee on Energy and Commerce this year, and it reflects many of the elements of these state laws, including transparency requirements and consumer rights. A key sticking point, however, continues to be the broad private right of action included in the proposed APRA but absent from all state privacy laws. Only California’s law, which we discussed here, has a private right of action, although it is narrowly circumscribed to data breaches. Considering the November 2024 election cycle, it is likely that federal efforts to create a comprehensive privacy law will stall until the election cycle is over and the composition of the White House and Congress is known.

Court Affirmed Holding That Plaintiffs Did Not Have Standing To Sue Regarding A Charitable Trust

In Dao v. Trinh, a group of five individuals who contributed money for membership in a religious community sued the person who they alleged misapplied their money for the benefit of a different religious community. No. 14-23-00131-CV, 2024 Tex. App. LEXIS 3208 (Tex. App.—Houston [14th Dist.] May 9, 2024, no pet. history). The plaintiffs brought fraud claims for alleged misrepresentations and breach of contract. The defendant filed a plea to the jurisdiction, alleging that the plaintiffs did not have standing to sue. The trial court entered an order dismissing the plaintiffs’ claims with prejudice and expressly found that the plaintiffs lacked standing to bring their fraud and breach of contract claims.

The court of appeals affirmed. The court first discussed standing to sue over a charitable trust:

No party disputes that the Cao Dai organization in question, for which Trinh is the founder and director, is a “charitable trust”. This is particularly significant because the attorney general “is the representative of the public and is the proper party to maintain” a suit “vindicating the public’s rights in connection with that charity.” A private individual has standing to maintain a suit against a public charity only if the person seeks vindication of some peculiar or individual rights, distinct from those of the public at large. Moreover, a private individual must similarly establish standing in a case such as this, brought against the trustee of a public charity in connection with their office or service.

Id. The court concluded that whether framed as a fraud or breach of contract claim, the plaintiffs did not have standing to sue for the return of their donations:

Based on the holding in Eshelman, we conclude the Temple Donor Parties’ allegations and proof for their fraud claims pertaining to their donations to a charitable fails to establish standing to bring their claims (whether under a fraud theory or conditional gift theory); that is, the facts alleged and undisputed do not vindicate of some peculiar or individual rights, distinct from any other donor or from the public at large.

Id.

AI Regulation Continues to Grow as Illinois Amends its Human Rights Act

Following laws enacted in jurisdictions such as Colorado, New York City, Tennessee, and the state’s own Artificial Intelligence Video Interview Act, on August 9, 2024, Illinois’ Governor signed House Bill (HB) 3773, also known as the “Limit Predictive Analytics Use” bill. The bill amends the Illinois Human Rights Act (Act) by adding certain uses of artificial intelligence (AI), including generative AI, to the long list of actions by covered employers that could constitute civil rights violations.

The amendments made by HB3773 take effect January 1, 2026, and add two new definitions to the law.

“Artificial intelligence” – which according to the amendments means:

a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.

The definition of AI includes “generative AI,” which has its own definition:

an automated computing system that, when prompted with human prompts, descriptions, or queries, can produce outputs that simulate human-produced content, including, but not limited to, the following: (1) textual outputs, such as short answers, essays, poetry, or longer compositions or answers; (2) image outputs, such as fine art, photographs, conceptual art, diagrams, and other images; (3) multimedia outputs, such as audio or video in the form of compositions, songs, or short-form or long-form audio or video; and (4) other content that would be otherwise produced by human means.

The proliferation of AI tools available for use in the workplace continues unabated as HR professionals and managers vie to adopt effective and efficient solutions for finding the best candidates, assessing their performance, and otherwise improving decision making concerning human capital. In addition to understanding whether an organization is covered by a regulation of AI, such as HB3773, it also is important to determine whether the technology being deployed falls within the law’s scope. Assuming the tool or application is not being developed in-house, this analysis will require, among other things, working closely with the third-party vendor providing the tool or application to understand its capabilities and risks.

According to the amendments, covered employers can violate the Act in two ways. First, an employer’s use of AI with respect to recruitment, hiring, promotion, renewal of employment, selection for training or apprenticeship, discharge, discipline, tenure, or the terms, privileges, or conditions of employment that has the effect of subjecting employees to discrimination on the basis of protected classes under the Act may constitute a violation. The same may be true for employers that use zip codes as a proxy for protected classes under the Act.

Second, a covered employer that fails to provide notice to an employee that the employer is using AI for the purposes described above may be found to have violated the Act.

Unlike the Colorado or New York City laws, the amendments to the Act do not require an impact assessment or bias audit. They also do not provide any specifics concerning the notice requirement. However, the amendments require the Illinois Department of Human Rights (IDHR) to adopt regulations necessary for implementation and enforcement. These regulations will include rules concerning the notice, such as the time period and means for providing same.

We are sure to see more regulation in this space. While it is expected that some common threads will exist among the various rules and regulations concerning AI and generative AI, organizations leveraging these technologies will need to be aware of the differences and assess what additional compliance steps may be needed.

It’s Official – BIPA’s “Per-Scan” Damages Are Out; Electronic Signatures Are In

If you heard a collective sigh of relief last week, it was probably businesses reacting as Illinois Governor Pritzker finally signed Senate Bill 2979, officially reforming BIPA for the first time since 2008. As a reminder, SB 2979 was passed back in May, but has been awaiting the Governor’s signature.

This development is significant for two reasons. First, the new law prohibits the recovery of “per-scan” damages. This means that if a business collects or discloses an individual’s biometric data without consent, then that business is only liable for one BIPA violation as to that individual. In 2023, the Illinois Supreme Court’s decision in Cothron v. White Castle Systems decided that violations were accrued on a “per-scan” basis, leading to an outpouring of claims. This law effectively overrules that decision. Second, the bill permits businesses to fulfill the “written release” requirement for consent via “electronic signature.” This will make it easier for businesses to collect – and individuals to provide – consent for the collection and retention of biometric information.

Putting it into Practice: These amendments became effective on August 2, 2024. Businesses that anticipated costly litigation from a “per-scan” BIPA demand may have cause for relief. However, the prohibition on “per-scan” damages may not apply retroactively to pending BIPA actions. Additionally, businesses can reconfigure their consent flows to enable electronic signatures.


by: David M. Poell, Kathryn Smith of Sheppard, Mullin, Richter & Hampton LLP


Michigan Employers Take Note: New Ruling Impacts Paid Leave and Minimum Wage

Today, July 31, 2024, the Michigan Supreme Court released a highly anticipated opinion in the case of Mothering Justice v. Nessel. This case assessed the constitutionality of the Michigan Legislature’s 2018 “adopt-and-amend” strategy under which the Legislature adopted, and then immediately changed, two ballot proposals that would otherwise have been included on the November 2018 ballot for decision by Michigan voters. The ballot proposals pertained to Michigan minimum wage and paid sick leave requirements, and were originally entitled the Earned Sick Time Act (ESTA) and Improved Workforce Opportunity and Wage Act (IWOWA). The Legislature’s “adopt-and-amend” action had narrowed the original ballot proposal language, and resulted instead in the enactment of the Michigan Paid Medical Leave Act (PMLA) and current minimum wage provisions in effect since early 2019.

After years of legal challenge, the Michigan Supreme Court reversed a 2023 decision of the Michigan Court of Appeals, and ruled that the “adopt-and-amend” approach utilized by the Michigan Legislature violated the Michigan Constitution. The Court determined both of the ballot initiatives as originally adopted by the Legislature should be reinstated in lieu of current, amended versions. In the interests of justice and equity, the Court ordered the reinstatement to occur, but only after a time period the same as that which employers would have been provided to prepare for the new laws absent their improper amendment.

Therefore, significant new legal requirements will become effective February 21, 2025. These include:

  1. The paid leave ballot proposal as initially adopted by the Legislature in 2018, in the form of the ESTA, is reinstated effective February 21, 2025, in place of the PMLA. All covered employers must amend existing paid leave policies or implement new leave policies as applicable that comply with the ESTA by February 21, 2025. Key elements of the ESTA include:
    • All Michigan employers, except for the U.S. government, are covered.
    • All employees of a covered employer, rather than only certain categories of employees as provided under the PMLA, are covered.
    • Covered employers must accrue sick time for covered employees, at a rate of at least one hour of earned sick time for every 30 hours worked.
    • Employers with 10 or more employees, as defined by the ESTA, must allow employees to use up to 72 hours of paid earned sick time per year.
    • Employers with fewer than 10 employees, as defined by the ESTA, must provide up to 40 hours of earned paid sick time, and are permitted to provide remaining earned sick leave up to the required 72 hours per year on an unpaid basis, rather than paid.
    • Employers may not prohibit the carryover or cap the accrual of unused earned sick time.
    • Employers may limit the use of earned sick time in any year to 72 hours.
  2. The minimum wage ballot proposal as originally adopted by the Legislature in 2018, in the form of the IWOWA, is also effective February 21, 2025, subject to a phase in of certain requirements that remains to be determined at this time. The IWOWA will replace the narrower amendments that previously were enacted and took effect in 2019. Key provisions effective February 21, 2025, include:
    • The state minimum wage rate will be $10.00 plus the state treasurer’s inflation adjustment, which has yet to be calculated and released.
    • Future increases will be calculated annually based on inflation as specified in the IWOWA.
    • The existing “tip credit” provisions employers of tipped employees currently utilize to calculate whether they have been paid minimum wage will be phased out over a period of years and eliminated entirely by February 21, 2029.
    • Employees will have expanded rights as to how they are compensated for overtime work, including “comp time” as an alternative to customary payment of overtime wages.

The above will be applicable absent further judicial, legislative, or voter-driven constitutional action that prescribes a different course. As to judicial action, opportunities for appeal or rehearing of a state Supreme Court decision are limited and discretionary. As to voter-driven constitutional action, such as a referendum, the timing of the Court’s decision may well not permit such action to be included on the 2024 ballot, even if sufficient support for such action were shown.

In terms of any legislative action to amend, such action could only occur in a future legislative session, meaning January 2025 or later. As to the level of support required, because the ballot proposals were adopted by the Legislature rather than approved by a majority of Michigan voters in an election process, the normal requirements will apply. Had the ballot proposals been approved by a majority of Michigan voters in the election, a 75% supermajority of both houses of the Legislature would have been required for any amendment passage.

by: Luis E. Avila, Maureen Rouse-Ayoub, Stephanie R. Setterington, Elizabeth Wells Skaggs, Hannah A. Cone, and Ashleigh E. Draft of Varnum LLP


Michigan Supreme Court Expands Employer Exposure to Public Policy Retaliation Claims

In Michigan, various state employment laws prohibit employers from retaliating against employees. But can an employee pursue a public policy retaliation claim against the employer in addition to a statutory retaliation claim?

On July 22, 2024, the Michigan Supreme Court ruled that anti-retaliation provisions in two important workplace safety laws—the federal Occupational Safety and Health Act (“OSHA”) and Michigan’s Occupational Safety and Health Act (“MIOSHA”)—do not preclude a plaintiff from also asserting a violation of public policy in court. Stegall v. Resource Technology Corp (Case No. 165450, decided July 22, 2024).

Cleveland Stegall, an IT specialist working at FCA through the staffing agency Resource Technology, complained internally about asbestos insulation issues at the assembly plant and threatened to file complaints with the government. He was subsequently terminated. Stegall sued both entities for wrongful discharge under OSHA and MIOSHA’s anti-retaliation provisions, as well as termination in violation of public policy.

At-will employees generally may be terminated for any reason (or no reason at all). But one exception to this rule is that certain terminations violate public policy and therefore create an actionable legal claim. This includes firings for “failure or refusal to violate a law” or exercising a right conferred by the Michigan Legislature.

Both the trial court and the Court of Appeals dismissed Stegall’s public policy claim because they concluded that the OSHA and MIOSHA laws already forbid retaliation. The Michigan Supreme Court reversed. It reasoned that the remedies under OSHA and MIOSHA are insufficient, pointing to the truncated 30-day period to file a complaint with the relevant government agency, the discretion granted to the respective investigating agency, and the employee’s lack of control over what occurs after a complaint has been filed. See 29 U.S.C. §660(c)(2) and MCL 408.1065(2).

What does this case mean for employers? The Michigan Supreme Court’s decision provides another avenue for employees to pursue retaliation claims, particularly where the employee raises workplace safety concerns. It is unclear, however, whether courts will extend this ruling and allow employees to pursue public policy wrongful discharge claims if the employee is also seeking relief under another anti-retaliation statute.

NJDEP Proposes Bald Eagle Removal and Other Changes to New Jersey’s Threatened and Endangered Species Lists

On June 3, 2024, the New Jersey Department of Environmental Protection announced a rule proposal which would update the endangered species and the nongame species lists promulgated by the Fish & Wildlife Endangered and Nongame Species Program (“ENSP”). These proposed updates would reflect, among other changes, the recategorization of the conservation status of certain species from the ENSP lists along with other structural and organizational amendments.

Primarily, the proposal celebrates the prospective reduced conservation status of three species, including the Peregrine Falcon, Bobcat, and Cope’s Gray Treefrog which each will have their conservation status reduced from “Endangered” to “Threatened.”

More significantly, the Bald Eagle, Red-headed Woodpecker, and Osprey are proposed to have their status reduced to “Special Concern” or “Secure/Stable.” The Department has further proposed partial conservation status reductions for the non-breeding populations of certain bird species including the Yellow-crowned Night-Heron, and Red-headed Woodpecker which have both been reduced to “Special Concern” for non-breeding activities. In effect, these species are being delisted, which is significant for Land Resource permitting under the Coastal Rules and Freshwater Wetlands Protection Act. This also should impact permitting under Pinelands Commission regulations.

In contrast to those species having their conservation status reduced, the Department has proposed increased conservation designations for thirty (30) species, including select species particularly impactful to development and redevelopment initiatives in New Jersey. Those include three species of bat, the Northern Myotis, Little Brown Bat, and Tricolored Bat, which will each move from an undetermined/unknown status to “Endangered.”

Lastly, the Department proposes moving currently threatened species listed on the nongame species list at N.J.A.C. 7:25-4.17 to the endangered species list at N.J.A.C. 7:25-4.13. This restructuring will leave the species’ conservation status unchanged and includes a number of special species for New Jersey development and redevelopment, such as the Bobolink and Grasshopper Sparrow.

In addition to these conservation status changes, the Department has proposed a new procedure which would allow the addition of species to the list of endangered species by notice of administrative change when that species has been added to the Federal list of endangered and threatened species of wildlife pursuant to the Endangered Species Act of 1973 at 16 U.S.C. § 1531 et seq. and is indigenous to New Jersey. The Department notes this procedure seeks to further the goal of creating a listing that is more consistent with the Federal standard but in doing so the State will obviate the typical Administrative Procedure Act public comment process.

Matthew L. Capone contributed to this article

Illinois Passes Comprehensive Law Governing Carbon Capture, Utilization and Sequestration Projects in Illinois

On May 26, the Illinois legislature passed comprehensive carbon capture, utilization, and sequestration (CCUS) legislation. CCUS involves the capture of carbon dioxide directly from ambient air or the use of processes to separate carbon dioxide from industrial or energy-related sources, either for use or for underground injection for long-term storage.

The Safety and Aid for the Environment in Carbon Capture and Sequestration Act (SAFE CCS Act) establishes, among other requirements, protections for pore space owners, additional requirements for CO2 pipeline development, and a permitting program for sequestration projects. CCUS projects not grandfathered from the SAFE CCS Act will now need to adhere to Illinois state sequestration requirements in addition to existing federal regulations.

Pore Space

First, the SAFE CCS Act sets forth requirements and procedures to obtain “pore space” for sequestration. “Pore space” is defined in the Act as the “portion of the geologic media … that can be used to store carbon dioxide.” Illinois has an abundance of geologic media appropriate for sequestration, according to the Illinois State Geologic Survey, and the areas are generally far underground (from 2000 to 7000 ft below ground surface). The SAFE CCS Act specifies that title to pore space remains in the surface owner, but pore space can be leased or subject to an easement. The owner or operator of a sequestration facility must obtain pore space rights from at least 75% of the landowners that may be affected and can petition the US Department of Natural Resources for “unitization” if “holdouts” occur. Certain documents must be provided to the Department and no “pore space” can be used until a federal Class VI well permit has been issued by the US Environmental Protection Agency (EPA).

CO2 Pipelines

Second, the SAFE CCS Act amends Illinois’ existing Carbon Dioxide Transportation and Sequestration Act (CO2 Act), including the requirements for an owner or operator of a CO2 pipeline to receive a “certificate of authority” from the Illinois Commerce Commission (ICC) to construct and operate a CO2 pipeline. The Act further requires that the ICC verify compliance with applicable Pipeline and Hazardous Materials Safety Administration (PHMSA) safety rules. The SAFE CCS Act purports to prohibit the ICC from issuing any certificates of authority for new CO2 pipelines until the earlier of July 2026, or PHMSA’s completion of a current rulemaking process to update its CO2 pipeline safety standards. The SAFE CCS Act does clarify the intention that (1) an operator receiving a certificate of authority under the CO2 Act does not have to also obtain a certificate from the ICC as a common carrier by pipeline under the Illinois Common Carrier by Pipeline Law (220 ILCS 5/15-101 et seq.); and (2) grants of certificates of authority under the CO2 Act are not limited only to pipelines transporting carbon dioxide captured from sources using coal.

Emergency Response

Third, the SAFE CCS Act requires detailed emergency response planning for CCS projects. The Act assigns emergency response authority to the Illinois Emergency Management Agency, providing a number of responsibilities and resources to the Agency to enhance training, oversight, and enforcement capability pertaining to emergency response for CCS facilities.

Sequestration Permit Program

Fourth, the SAFE CCS Act requires sequestration facility operators to obtain a permit from the Illinois EPA prior to constructing any portion of the sequestration project. This permit is in addition to, and goes beyond the requirements of, the existing requirement to obtain a federal Class VI injection well permit from US EPA. The permitting regime under the SAFE CCS Act requires various evaluations and reports, including an evaluation of the impact on water resources used by the sequestration facility. The Illinois environmental permit will cover long-term reporting, monitoring, and financial assurance mechanisms.

Liability

Finally, the SAFE CCS Act includes provisions on the assignment of liability associated with the sequestration, storage, and management of CO2. Specifically, the SAFE CCS Act specifies that the operator of the sequestration facility, not the state, is responsible for any personal or property damage caused by the sequestration. It clarifies that the sequestered gas remains the property of the operator of the sequestration, not the owner of the pore space.

The Act also requires a variety of fees and the creation of various funds to support the administration, emergency preparedness, and environmental justice initiatives across the state. It also appears to prohibit the use of captured carbon dioxide for enhanced oil recovery processes.

Governor J.B. Pritzker has indicated he will sign the legislation when it reaches his desk. If enacted, it is expected that the Illinois EPA, the Illinois Department of Natural Resources, and the ICC will promulgate rules to assist with implementing the Act.

On July 1, 2024, Texas May Have the Strongest Consumer Data Privacy Law in the United States

It’s Bigger. But is it Better?

They say everything is bigger in Texas, and that includes privacy protection. After the Texas Senate approved HB 4, the Texas Data Privacy and Security Act (“TDPSA”), on June 18, 2023, Texas became the eleventh state to enact comprehensive privacy legislation.[1]

Like many state consumer data privacy laws enacted this year, TDPSA is largely modeled after the Virginia Consumer Data Protection Act.[2] However, the law contains several unique differences and drew significant pieces from recently enacted consumer data privacy laws in Colorado and Connecticut, which generally include “stronger” provisions than the more “business-friendly” laws passed in states like Utah and Iowa.

Some of the more notable provisions of the bill are described below:

More Scope Than You Can Shake a Stick At!

  • The TDPSA applies much more broadly than any other pending or effective state consumer data privacy act, pulling in individuals as well as businesses regardless of their revenues or the number of individuals whose personal data is processed or sold.
  • The TDPSA applies to any individual or business that meets all of the following criteria:
    • conducts business in Texas (or produces goods or services consumed in Texas); and
    • processes or sells personal data:
      • The “processing or sale of personal data” further expands the applicability of the TDPSA to include individuals and businesses that engage in any operations involving personal data, such as the “collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
      • In short, collecting, storing or otherwise handling the personal data of any resident of Texas, or transferring that data for any consideration, will likely meet this standard.
  • Uniquely, the carveout for “small businesses” excludes from coverage those entities that meet the definition of “a small business as defined by the United States Small Business Administration.”[3]
  • The law requires all businesses, including small businesses, to obtain opt-in consent before processing sensitive personal data.
  • Similar to other state comprehensive privacy laws, TDPSA excludes state agencies or political subdivisions of Texas, financial institutions subject to Title V of the Gramm-Leach-Bliley Act, covered entities and business associates governed by HIPAA, nonprofit organizations, and institutions of higher education. But, TDPSA uniquely excludes electric utilities, power generation companies, and retail electric providers, as defined under Section 31.002 of the Texas Utilities Code.
  • Certain categories of information are also excluded, including health information protected by HIPAA or used in connection with human clinical trials, and information covered by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act of 1974, the Farm Credit Act of 1971, emergency contact information used for emergency contact purposes, and data necessary to administer benefits.

Don’t Mess with Texas Consumers

Texas’s longstanding libertarian roots are evidenced in the TDPSA’s strong menu of individual consumer privacy rights, including the right to:

  • Confirm whether a controller is processing the consumer’s personal data and access that data;
  • Correct inaccuracies in the consumer’s personal data, considering the nature of the data and the purposes of the processing;
  • Delete personal data provided by or obtained about the consumer;
  • Obtain a copy of the consumer’s personal data that the consumer previously provided to a controller in a portable and readily usable format, if the data is available digitally and it is technically feasible; and
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces legal or similarly significant effects concerning the consumer.

Data controllers are required to respond to consumer requests within 45 days, which may be extended by 45 days when reasonably necessary. The bill would also give consumers a right to appeal a controller’s refusal to respond to a request.

Controller Hospitality

The Texas bill imposes a number of obligations on data controllers, most of which are similar to other state consumer data privacy laws:

  • Data Minimization – Controllers should limit data collection to what is “adequate, relevant, and reasonably necessary” to achieve the purposes of collection that have been disclosed to a consumer. Consent is required before processing information in ways that are not reasonably necessary or not compatible with the purposes disclosed to a consumer.
  • Nondiscrimination – Controllers may not discriminate against a consumer for exercising individual rights under the TDPSA, including by denying goods or services, charging different rates, or providing different levels of quality.
  • Sensitive Data – Consent is required before processing sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, citizenship or immigration status, genetic or biometric data processed for purposes of uniquely identifying an individual, personal data collected from a child known to be under the age of 13, and precise geolocation data.
    • The Senate version of the bill excludes data revealing “sexual orientation” from the categories of sensitive information, which differs from all other state consumer data privacy laws.
  • Privacy Notice – Controllers must post a privacy notice (e.g. website policy) that includes (1) the categories of personal data processed by the controller (including any sensitive data), (2) the purposes for the processing, (3) how consumers may exercise their individual rights under the Act, including the right of appeal, (4) any categories of personal data that the controller shares with third parties and the categories of those third parties, and (5) a description of the methods available to consumers to exercise their rights (e.g., website form or email address).
  • Targeted Advertising – A controller that sells personal data to third parties for purposes of targeted advertising must clearly and conspicuously disclose to consumers their right to opt-out.

Assessing the Privacy of Texans

Unlike some of the “business-friendly” privacy laws in Utah and Iowa, the Texas bill requires controllers to conduct data protection assessments (“Data Privacy Protection Assessments” or “DPPAs”) for certain types of processing that pose heightened risks to consumers. The assessments must identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the consumer as mitigated by any safeguards that could reduce those risks. In Texas, the categories that require assessments are identical to those required by Connecticut’s consumer data privacy law and include:

  • Processing personal data for targeted advertising;
  • The sale of personal data;
  • Processing personal data for profiling consumers, if such profiling presents a reasonably foreseeable risk to consumers of unfair or deceptive treatment, disparate impact, financial, physical or reputational injury, physical or other intrusion upon seclusion of private affairs, or “other substantial injury;”
  • Processing of sensitive data; and
  • Any processing activities involving personal data that present a “heightened risk of harm to consumers.”

Opting Out and About

Businesses are required to recognize a universal opt-out mechanism for consumers (or Global Privacy Control signal), similar to provisions required in Colorado, Connecticut, California, and Montana, but the law would also allow businesses more leeway to ignore those signals if they cannot verify the consumer’s identity or lack the technical ability to receive the signal.

Show Me Some Swagger!

The Attorney General has the exclusive right to enforce the law, punishable by civil penalties of up to $7,500 per violation. Businesses have a 30-day right to cure violations upon written notice from the Attorney General. Unlike several other laws, the right to cure has no sunset provision and would remain a permanent part of the law. The law does not include a private right of action.

Next Steps for TDPSA Compliance

For businesses that have already developed a state privacy compliance program, especially those modeled around Colorado and Connecticut, making room for TDPSA will be a streamlined exercise. However, businesses that are starting from ground zero, especially “small businesses” defined in the law, need to get moving.

If TDPSA is your first ride in a state consumer privacy compliance rodeo, some first steps we recommend are:

  1. Update your website privacy policy for facial compliance with the law and make sure that notice is being given at or before the time of collection.
  2. Put procedures in place to respond to consumer privacy requests and ask for consent before processing sensitive information.
  3. Gather necessary information to complete data protection assessments.
  4. Identify vendor contracts that should be updated with mandatory data protection terms.

Footnotes

[1] As of the date of publication, there are now 17 states that have passed state consumer data privacy laws (California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Massachusetts, Montana, New Jersey, New Hampshire, Tennessee, Texas, Utah, Virginia) and two (Vermont and Minnesota) that are pending.

[2] See Code of Virginia – Chapter 53. Consumer Data Protection Act

[3] This is notably broader than other state privacy laws, which establish threshold requirements based on revenues or the amount of personal data that a business processes. It will also make it more difficult to know what businesses are covered because SBA definitions vary significantly from one industry vertical to another. As a quick rule of thumb, under the current SBA size standards, a U.S. business with annual average receipts of less than $2.25 million and fewer than 100 employees will likely be small, and therefore exempt from the TDPSA’s primary requirements.
