On August 23, 2021, the FDA announced the Pfizer COVID-19 vaccine is now fully approved.  With this news, more and more employers are adopting, or considering whether to adopt, vaccine mandates for their workforces.  One issue that a vaccine mandate raises is whether employers can lawfully ask job applicants about their COVID-19 vaccination status after they have adopted a vaccine requirement.  The short answer is that yes, you can, but it is advisable to wait to ask about an applicant’s vaccination status until after extending a conditional job offer.

Under the Americans with Disabilities Act (“ADA”), employers may not ask job applicants questions that are likely to reveal the existence of a disability before making a job offer.  The administrative agency charged with enforcement of the ADA, the federal Equal Employment Opportunity Commission (“EEOC”), issued guidance on a number of COVID-related legal issues earlier this year, and among the questions addressed was whether it’s legal to ask employees whether they are vaccinated.  The EEOC clarified that inquiring about vaccination status alone is not asking a question that is likely to reveal the existence of a disability, because there are many reasons why an employee may not be vaccinated besides having a disability.

While asking the vaccination question alone is not a disability-related inquiry, any follow-up questions could reveal the applicant has not been vaccinated due to a disability or religious objection.  Or, the applicant may simply volunteer this information as an explanation for why they are not vaccinated.  Interviewers need to avoid these types of inquiries or voluntary disclosures because they raise a risk of an unselected applicant suing for disability discrimination under the ADA or for religious discrimination under Title VII of the Civil Rights Act.

To eliminate these risks, employers could instead avoid asking about vaccination status until after extending a job offer that is conditional upon showing proof of vaccination, absent a need for reasonable accommodation for a disability or sincerely-held religious beliefs against vaccination.

So, what about Texas’s ban on “vaccine passports”?  Does this impact the analysis?  The short answer is, no, not for private employers.  On June 7, 2021, Texas Governor Greg Abbott signed into law new legislation that prohibits government entities from requiring proof of vaccination from individuals and strongly discourages private business from requiring that customers be vaccinated.  The Texas law simply does not apply to a private employer’s ability to require or encourage COVID-19 vaccinations for employees.

For further information on this topic, please reach out to blog author, April Walter, at april.walter@keanmiller.com

On August 13, 2021, the Occupational Safety and Health Administration (OSHA) updated its COVID-19 guidance for non-healthcare employers.  The updates to OSHA’s “Protecting Workers: Guidance on Mitigating and Preventing the Spread of COVID-19 in the Workplace” publication follow the CDC’s July 27, 2021 updated mask and testing recommendations for fully vaccinated people.

Some key takeaways:

  • OSHA now recommends masks in indoor spaces in areas of substantial or high COVID-19 infection – even for fully-vaccinated employees and including customers and other visitors.
    • Of note, the CDC has currently designated about 94% of the country as areas of substantial or high COVID-19 infection.
    • OSHA recommends employers provide masks to employees who request them free of charge.
  • OSHA recommends that employers help facilitate employees to get vaccinated, including, for example, giving paid time off to get vaccinated and to recover from any side effects.
  • OSHA “suggests that employers consider adopting policies that require workers to get vaccinated or to undergo regular COVID-19 testing – in addition to mask wearing and physical distancing – if they remain unvaccinated.”
    • Note that employers issuing vaccination mandates must keep in mind their duties of reasonable accommodation for employees who have a medical condition or sincerely held religious belief that would preclude vaccination.
  • If a fully vaccinated employee has a known exposure to COVID-19, OSHA recommends the employee (a) get tested 3-5 days after the exposure, and (b) wear a mask in indoor spaces for 14 days or until they receive a negative test result.
  • And for employees who are not fully vaccinated with a known exposure to COVID-19, OSHA recommends (a) the employee quarantine at home, (b) be tested immediately, and (c) if negative, tested again in 5-7 days after last exposure or immediately if symptoms develop during quarantine.

OSHA guidance is not a regulation; rather, it is advisory in nature and does not have the full force of law.  Nevertheless, because employers have a general duty to protect the health and safety of their workers, following OSHA’s guidance is generally advisable.

For further information on this topic, please reach out to blog author, April Walter, at april.walter@keanmiller.com

“Long COVID” or “long-haul COVID” are terms coined to describe a range of new or ongoing symptoms that can last weeks or months after first being infected with the COVID-19 virus.  The CDC’s website lists many commonly reported symptoms among “long haulers,” which list includes:

  • Difficulty breathing or shortness of breath
  • Tiredness or fatigue
  • Symptoms that get worse after physical or mental activities
  • Difficulty thinking or concentrating (i.e., “brain fog”)
  • Cough
  • Chest or stomach pain
  • Headaches
  • Heart palpitations (fast-beat or pounding heart)
  • Joint or muscle pain
  • Pins-and-needles feeling
  • Diarrhea
  • Sleep problems
  • Fever
  • Dizziness/lightheadedness
  • Rash
  • Mood changes
  • Changes in smell or taste
  • Changes in menstrual cycles

Employers must now consider whether employees reporting ongoing physical and/or mental impairments following a COVID-19 diagnosis will qualify as “disabled” under the Americans with Disabilities Act (“ADA”).  On July 28, 2021, the U.S. Department of Health and Human Services (“DHHS”) and U.S. Department of Justice (“DOJ”) jointly issued guidance explaining that long COVID may be a disability under provisions of the ADA applicable to state and local government and public accommodations (respectively, Titles II and III), among other federal statutes.

Although the guidance did not expressly apply to Title I of the ADA, which applies to private employers, the guidance is nevertheless useful to private employers in assessing whether long COVID sufferers qualify as disabled – because the definition of “disability” is the same under every title of the Act.

The July 28 joint guidance explains that long COVID is not necessarily a disability – but it may be.  The guidance instructs that an individualized assessment is necessary to determine whether a person’s symptoms “substantially limit” one or more “major life activities,” as those terms are defined in the ADA, which would deem a person disabled within the meaning of the Act.  The guidance then gives some examples of when long COVID could qualify as a disability, including aggregations of symptoms that substantially limit individuals in the major life activities of respiratory function, gastrointestinal function, and brain function.  The guidance further notes that “[e]ven if the impairment comes and goes, it is considered a disability if it would substantially limit a major life activity when the impairment is active.”

The U.S. Equal Employment Opportunity Commission (“EEOC”) is the administrative agency responsible for enforcing the employment provisions of the ADA under Title I.  To date, the EEOC has not addressed long COVID in its COVID-related resources.  However, the DHHS and DOJ’s July 28 joint guidance is still instructive and private employers should be mindful that those employees complaining of long COVID symptoms may qualify as “disabled” under the ADA and require reasonable accommodation.

For further information on this topic, please reach out to blog author, April Walter, at april.walter@keanmiller.com

With many employees shifting to work remotely long-term in the wake of the COVID-19 pandemic, employers must be mindful of how to comply with their employment-law posting requirements vis-à-vis their remote workers.  The commonly used laminated collage of posters hanging on an employee bulletin board back at the office will not suffice for these workers.  So how does one comply?  The U.S. Department of Labor’s Wage and Hour Division has issued a Field Assistance Bulletin (“FAB”) [https://www.dol.gov/sites/dolgov/files/WHD/legacy/files/fab_2020_7.pdf] that provides guidance on how to comply electronically, and the answer is not as easy as simply emailing remote workers a single copy of the required posters.

By its own terms, the FAB applies to the poster obligations of four federal statutes, including the Fair Labor Standards Act (“FLSA”), Family and Medical Leave Act (“FMLA”), Employee Polygraph Protection Act (“EPPA”) and the Service Contract Act (“SCA”), but its guidance should prove helpful for compliance with other federal, state and local employee poster requirements.

Because several employment statutes require continuous posting (using language such as “post and keep posted” or provide notice “at all times”), the FAB explains that a single mailing of the requisite poster to employees is insufficient.

Where employers have both remote and on-site workers, hard-copy posting in company offices/facilities should continue, with electronic posting supplementing the hard-copy posting for those employees who work remotely.  Additionally, electronic substitution for the continuous posting requirement will be acceptable only where (a) employees customarily receive information from the employer via electronic means, and (b) employees have ready access to the electronic posting.

Whether posting on an intranet site, internet website, shared network drive, or other electronic file system will suffice will depend on the particular facts involved with each employer – with the key determination being whether affected employees can readily access the posting.  Key factual issues to keep in mind include:

(1) access should be available without having to specifically request permission to view a file or access a computer;

(2) affected workers should be notified where and how to access the notices electronically; and

(3) affected workers should be able to easily determine which postings are applicable to them.

As the FAB explicitly warns, “[p]osting on an unknown or little-known electronic location has the effect of hiding the notice, similar to posting a hard-copy notice in an inconspicuous place, such as a custodial closet or little-visited basement.”

Because some statutes, such as the FMLA and EPPA, require notice to applicants as well, employers who interview and hire remotely will need to be sure to make such notices readily available electronically to applicants, in addition to employees.

Both the U.S. Department of Labor’s and the Texas Workforce Commission’s websites include additional helpful guidance on employer poster and recordkeeping duties, with links to the requisite posters for free downloading and printing (with many posters available in multiple languages):

For further information on this topic, please reach out to blog author, April Walter, at april.walter@keanmiller.com

A significant amendment to the Texas statute that allows for recovery of attorneys’ fees by a prevailing plaintiff in an action for breach of contract will take effect on September 1, 2021.  Previously, Texas courts have interpreted Texas Civil Practice and Remedies Code section 38.001 to award attorney fees against only individuals and corporations, not limited liability companies, partnerships or other types of entities.

In three prior legislative sessions, unsuccessful attempts have been made to amend the statute to broaden its reach to other entity forms.  In May 2021, the Texas Legislature adopted House Bill 1578 (Bill Text: TX HB1578 | 2021-2022 | 87th Legislature | Enrolled | LegiScan), which finally amends section 38.001 to address other entities besides a corporation.

More specifically, the amendment adds a new subsection to section 38.001 defining an “organization” to mean the same as defined in section 1.002(62) of the Texas Business Organizations Code, which includes:  “a corporation, limited or general partnership, limited liability company, business trust, real estate investment trust, joint venture, joint stock company, cooperative, association, bank, insurance company, credit union, savings and loan association, or other organization, regardless of whether the organization is for-profit, nonprofit, domestic, or foreign.”

The amended statute does, however, specifically exclude quasi-governmental entities authorized to perform a function by state law, religious organizations, charitable organizations, and charitable trusts.

Because the amendments explicitly apply only to new cases filed on or after September 1, 2021, a plaintiff who is about to file a claim for breach of contract should consider holding off until September 1 to file (barring any statute of limitations or other considerations that make immediate suit warranted).

Notably, section 38.001 does not allow for an award of attorneys’ fees to a defendant who successfully defends against a breach of contract claim, and the recent amendments do not change this.  Contracting parties should keep the parameters of section 38.001 in mind (especially in view of these recent amendments) when drafting or amending their contracts.  Under Texas law, a contract may provide that the prevailing party, whether the plaintiff or defendant, will recover its attorneys’ fees against the other party, or that the statutory right for a prevailing plaintiff to recover its fees under section 38.001 is waived leaving no party able to recover its fees.

Thus, besides affecting litigation after September 1, the recent amendments to section 38.001 may also weigh into decisions made when drafting and amending contracts to potentially provide for either mutual or no fee entitlement at all.

For further information on this topic, please reach out to blog author, April Walter, at april.walter@keanmiller.com

Several significant expansions of Texas sexual harassment law will take effect on September 1, 2021 (see Senate Bill 45 – TX SB45 | 2021-2022 | 87th Legislature | LegiScan).  These expansions make it critical for virtually all Texas businesses to adopt formal written policies and train workers on the prohibitions against sexual harassment.

First, any employer that employs only “one or more employees” will now be subject to sexual harassment claims under Texas law.  This new law is a substantial change from current law, which holds only those employers with fifteen or more employees can be held liable for such claims.

Second, as of September 1, Texas law will define a potentially liable “employer” to include any person who “acts directly in the interests of an employer in relation to an employee” – signaling the possibility for individual liability against members of company management and owners in addition to entity liability.

Third, Texas Labor Code section 21.141 will include an arguably heightened standard for an employer’s response to complaints of sexual harassment, requiring employers to take “immediate and appropriate corrective action” when the employer knows or should know about the harassment.  The legislature’s use of the word “immediate” differs from the widely accepted interpretations of federal and state equal employment opportunity statutes requiring “prompt” remedial action, and thus, it will remain to be seen whether the courts interpret this new language to impose a requirement for quicker action by employers upon their discovery of sexual harassment in their workplaces.

Fourth, the Texas legislature has also expanded the deadline for a claimant to file an administrative Charge of Discrimination from 180 days to 300 days from the alleged conduct (see House Bill 21 – TX HB21 | 2021-2022 | 87th Legislature | LegiScan).

Notably, these provisions for (1) small-employer liability, (2) potential individual liability, (3) a possible heightened standard for an employer’s response and (4) a longer statute of limitations have not been expanded to claims for other types of unlawful discrimination, such as, for example, racial harassment or retaliation claims, and instead are limited to claims for sexual harassment.

Now is a great time to adopt new or review and fortify existing corporate policies against sexual harassment and remind all employees of their duties to avoid and report this type of misconduct.

For further information on this topic, please reach out to blog author, April Walter, at april.walter@keanmiller.com

On July 9, 2021, President Biden signed the Executive Order on Promoting Competition in the American Economy.  While the Order is aspirational and a policy road map, it does not operate to ban, or otherwise restrict in any way, the enforcement of employee noncompete agreements.

In the week that followed, many news outlets published articles heralding a national demise of employee noncompete agreements.  But President Biden’s Order did not effectuate any change to the laws regarding the enforceability of covenants not to compete. The Order is, rather, a wide-sweeping directive to various federal agencies advising of the policy-making goals of the Biden Administration.

As the White House’s Fact Sheet describing the Order explained, the July 9 Order “includes 72 initiatives by more than a dozen federal agencies” intended to promote competition and constrain big corporations from consolidating power in a broad array of business sectors ranging from airlines to chicken farmers. The topic of noncompete agreements is but one of myriads of topics addressed in the Order, and the Order is devoid of details on how or to what extent noncompete laws should be reformed.  In the Order, President Biden simply encourages the Federal Trade Commission (one of the federal agencies responsible for enforcing anti-trust laws) to “curtail” the “unfair use” of noncompete agreements, stating:  “To address agreements that may unduly limit workers’ ability to change jobs, the Chair of the FTC is encouraged to consider working with the rest of the Commission to curtail the unfair use of non-compete clauses or other clauses or agreements that may unfairly limit worker mobility.”

It remains to be seen what, if any, action the FTC takes in response to the Order.  If the FTC does take up the invitation to act in this area, the agency’s rulemaking process is typically slow, with any rules it passes to bar or constrain noncompete agreements likely facing numerous legal challenges – especially since there is no body of federal noncompete law because this area has been the province of state law.

So, have noncompetes been banned in any material way? In short, the answer is, No. The President has not implemented any ban on employer use of noncompete agreements, or their close cousin, non-solicitation agreements that prohibit former employees from soliciting or doing business with a company’s customers or other employees.  Well-crafted noncompete and non-solicitation agreements can help protect a company’s trade secrets and other confidential information, investment in employee training, and business goodwill.  Texas has codified the enforceability of covenants not to compete at Texas Business and Commerce Code section 15.50, which generally allows for the enforcement of noncompete agreements to the extent they contain reasonable limitations as to time, geographical area, and scope of activity to be restrained.  The July 9 Executive Order does not alter the Texas legal landscape in this area.

For further information on this topic, please reach out to blog author, April Walter, at april.walter@keanmiller.com.

Effective today, July 1, the NCAA has officially suspended the organization’s rules prohibiting athletes from selling the rights to their names, images, and likenesses (“NIL”). Despite the NCAA’s longstanding principles that payments to athletes while attending college would undermine amateurism of college athletics, the organization’s Division I board of directors decided Wednesday that it would allow all athletes to earn money from their NIL.

The decision by the NCAA comes just one day before multiple states had NIL laws set to go into effect allowing athletes to profit from NIL. To prevent athletes at schools in those states (including Texas, Mississippi, and Alabama) from gaining an advantage, the NCAA has allowed students in all states to profit from NIL until a nation-wide NIL law is approved by Congress.

Starting today, players will be able to monetize their social media accounts, sign autographs, teach camps, start their own businesses, create intellectual property, and participate in advertising campaigns. One thing this does not do is grant schools the ability to pay athletes salaries for their athletic performance or use payments for recruiting purposes. Individual schools will be able to create their own guidelines and rules for their individual athletes. Athletes are also now allowed to sign with agents to help them negotiate and sign endorsement deals without risking their college eligibility.

Texas Tech QB, Tyler Shough, and University of Texas running back, Bijan Robinson, who is a top 10 Heisman trophy candidate, are both expected to profit from their NIL from social media engagement and recognition.

According to the Action Network, LSU gymnast, Olivia Dunne, and LSU basketball player, Shareef O’Neal, are 2 of the top 3 athletes who are favored to capitalize the most on NIL due to social media followings and name recognition. Derek Stingley, Jr., LSU defensive back, also projects to cash in from his NIL due to popularity.

NIL deals began rolling in as soon as the clock struck midnight, ushering in a whole new era of college athletics. Miami QB, D’Eriq King, has already signed an endorsement deal with “College Hunks Hauling Junk” which will reportedly net King $20,000.00. King’s deal was the first NIL deal that reported the monetary payout to the athlete. Wisconsin QB, Graham Mertz, has also already filed for a trademark for his personal brand logo. I expect players to get creative with their newfound freedoms as college athletics navigates these new waters.

Originally published in the Ark-La-Tex Association of Professional Landmen Register

Carbon capture and storage (“CCS”) is the process of capturing carbon dioxide emissions from large point sources, and then transporting it to a storage location for deposit in underground formations where it will not re-enter the atmosphere.  By returning CO2 emissions that resulted from the oxidation of carbon when fossil fuels are burned to the place where the fossil fuels were extracted, CCS can reduce the amount of pollutants released into the atmosphere, thus, potentially limiting climate change.  It is estimated that technologies for carbon capture, use, and storage may eventually be able to capture a vast majority of carbon dioxide emissions from power plants, refineries, petrochemical plants and other industrial facilities.  Optimistically, at least a portion of the carbon dioxide captured from this technology can be put to productive use in enhanced oil recovery or the manufacture of fuels, building materials, and more.  CCS is viewed as the primary practical way to achieve deep decarbonization in the industrial sector and could contribute 14 percent of the global greenhouse gas emissions reductions required under carbon neutral target goals and regulations by 2050.

Focusing on innovation, rather than elimination, this trend of development parallels the evolution of the oil and gas industry into an energy industry — one that invests in low-carbon and CCS technologies.

Notably, CCS technologies are being advanced out of the National Energy Technology Laboratory in West Virginia and other institutions. However, latent problems associated with global warming, including severe weather, that would be tackled by CCS aren’t always far from home.  While it can be debated whether climate change was a contributing cause, the State of Texas was ambushed by an unprecedented winter storm in February 2021, leaving almost the entire state with no power.  This prompted the new Energy Secretary Jennifer Granholm to advise the State of Texas to consider upgrading its connectivity to the national grid so that neighbors can help in times of crisis.

But the future need not be bleak. This April, Exxon called for expansive industry-government collaboration to develop large carbon capture and storage projects around Houston, Texas, namely, due to Houston’s footing as a home for major refining, petrochemical, manufacturing and power facilities. Exxon reported that it has already briefed government officials and industry groups, including Texas Governor Greg Abbott, Houston Mayor Sylvester Turner, U.S. Senator John Cornyn, House members in the Region, and the Greater Houston Partnership. Infrastructure estimates predict that facilities in Houston could capture and store 50 million metric tons of carbon dioxide annually by 2030 and 100 million by year 2040. The benefits of this project don’t end there, as Exxon’s proposal says the innovation in Houston could be deployed to other U.S. areas with heavy industry near storage sites, like the Midwest and the Gulf region.

British Petroleum also recently announced that it will spend $1.3 billion to build a network of pipelines and associated infrastructure to collect and capture natural gas produced as a byproduct from oil wells in the Permian Basin and in New Mexico.  Natural gas is a potent greenhouse gas, and this project sought to eliminate the routine flaring of natural gas by 2025.  This is viewed as a precedent setting carbon capture and reuse project.

Next door in Louisiana, U.S. Senator Bill Cassidy has joined a bipartisan group of lawmakers in introducing the nation’s first comprehensive carbon dioxide infrastructure package, namely, the Storing CO2 and Lowering Emissions (SCALE) Act, which could make Louisiana a national hub for carbon capture and sequestration. The bill would support the buildout of infrastructure to transport CO2 from the sites of capture to locations where it can be either used in manufacturing or sequestered safely and securely in underground formations. The legislation could also provide critical regional economic opportunities and create thousands of jobs. An analysis released by the Decarb America Project projects the possible effects as creating 13,000 direct and indirect jobs per year through the 5-year authorization. However, the Project acknowledged this estimate is conservative, as it does not include the thousands of jobs likely to be created by retrofitting energy-intensive facilities, such as cement and steel plants, or by building direct air capture plants.

The cost-benefit analysis of CCS technology is also improving daily. As part of a marathon research effort to lower the cost of carbon capture, chemists have demonstrated a way to seize carbon dioxide by using a different solvent (EEMPA) in the capture system that reduces costs by 19 percent compared to current technology. Notably, the U.S. Department of Energy’s Pacific Northwest National Laboratory (“PNNL”) plans to produce 4,000 gallons of EEMPA in 2022 at a 0.5-megawatt scale inside testing facilities at the National Carbon Capture Center in Shelby County, Alabama.  This project is led by the Electric Power Research Institute in partnership with Research Triangle Institute International and PNNL. The eventual goal is to reach the U.S. Department of Energy’s goal of deploying commercially available technology that can capture CO2 at a cost of $30 per metric ton or less by 2035.

CCS is a promising phoenix set to arise from the ashes of the world’s aging industrial practices, and America has a unique opportunity to emerge smarter and stronger than before as a leader in CCS technology. No matter the source, no matter the strategy, CCS is on the rise and evolving into an integral part of the energy industry.

This article was written and submitted by Hattie Guidry, Arielle Anderson, Jourdan Curet, and Kristi Obafunwa with Kean Miller LLP.  Kean Miller LLP is a full-service law firm located in Texas and Louisiana that counsels clients on a wide variety of substantive legal areas and state and federal laws, including a specialized practice in the energy and environmental industry.  Our attorneys are some of the leading practitioners in their field, including many who have helped shape the legal landscape.

In March 2021, Virginia’s Governor Ralph Northam signed the Consumer Data Protection Act (CDPA), making Virginia the second state to enact comprehensive data privacy protections for its residents. If you are feeling blindsided by this news, you are not alone.[1] Unlike California’s Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA) or the European Union’s General Data Protection Regulation (GDPR), which were heavily debated in both the legislature and public commentary for months on end, the Virginia legislature introduced this legislation in mid-January 2021, with Governor Northam signing the CDPA in less than two months’ time.

The CDPA will not go into effect until January 1, 2023 (ironically, the same day that most provisions of the CPRA also become effective). In the meantime, Virginia is assembling a working group to study the implementation of this act comprising “the Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the Chairman of the Senate Committee on Transportation, representatives of businesses who control or process personal data of at least 100,000 persons, and consumer rights advocates … to review the provisions of this act and issues related to its implementation.” The findings of this work group are due on November 1, 2021, and that group’s notes will likely provide recommendations for compliance. While November may seem far away, businesses in Virginia or with significant Virginia consumer contacts may be wise to become familiar with the Act and the impending responsibilities.

Who must comply with the CDPA?

The first consideration before beginning compliance preparations is whether the CDPA will even apply to your business. The CDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either:

  • Control or process the personal data of at least 100,000 consumers during a calendar year; or
  • Control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data.[2]

For those familiar with California’s CCPA’s $25 million revenue threshold, the lack of a revenue threshold here is a notable omission. The result of that omission is that even large companies can be excused from compliance because they do not process the required amount of covered consumer data, while smaller companies (such as those offering low-cost direct-to-consumer products) will be required to comply regardless of revenue levels.

The definition of “sale of personal data” is also much more restrictive than the CCPA. The CCPA generally defines “sale” as exchange of information for monetary or other valuable consideration. Conversely, the Virginia definition of “sale of personal data” is only an exchange for monetary consideration, with some notable exceptions, such as exchange of personal data during a merger or acquisition.[3]

Do any exceptions exist for certain entity types?

Yes. The CDPA does not apply to the Virginia government, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities or business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), nonprofits, or “institutions of higher learning.” However, the CDPA does appear to apply to third-party processors of government entities, nonprofits, and institutions of higher learning that meet the required data processing thresholds. Broadly speaking, there also exist certain carve outs for data subject to GLBA, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act (FERPA).

Who does the CDPA protect?

The CDPA protects the personal information of “consumers”, who are defined as natural persons who are residents of Virginia “acting only in an individual or household context.” The definition explicitly excludes individuals “acting in a commercial or employment context”, which has the effect of excluding business-to-business communications and large amounts of human resources data. Thus, companies that only collect and hold Virginia consumer data in an employment or business-to-business context may be able to avoid compliance.

What personal data is protected by the CDPA?

The CDPA defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” “Identified or identifiable natural person” is defined as “a person who can be readily identified, directly or indirectly.” Special protections are also included for “sensitive data”, which includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data for uniquely identifying a natural person; data collected from a person known to be younger than 13 years old; and “precise” geolocation data (locating an individual within a radius of 1,750 feet). Collecting sensitive data will require the consumer’s consent (or the consent of a parent if the consumer is under 13 years old).

The CDPA also excludes “publicly available information” from compliance and defines “publicly available” more broadly than other existing regulations. Unlike California, which limits “publicly available” to data that is lawfully obtainable from a government entity, the CDPA defines “publicly available information” to include information that a business has “a reasonable basis to believe [that the information is] lawfully made publicly available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.” Information that could thus fall under “publicly available information” in Virginia would include personal information posted publicly on social media; for example, a picture of a COVID-19 vaccine card posted on a public Instagram page.

What rights are Virginia consumers granted in the CDPA?

The rights granted through the CDPA are like those in the CCPA and GDPR. Consumers will generally be granted rights to access, correct, delete or receive copies of the personal data held by applicable businesses. Consumers will be able to opt out of targeted advertising and sale of their personal data, and businesses will also be required to make additional disclosures about their personal data processing activities, consumers’ rights, and how consumers may exercise those rights. The specific mechanisms through which customers are able to exercise these rights are detailed and extensive, so a thorough review of the CDPA’s specific mechanisms for compliance is recommended for businesses beginning compliance preparations.

What are the penalties for non-compliance with the CDPA?

Virginia’s Attorney General will be the sole enforcement authority of the CDPA. If the Virginia AG provides notice of a violation and the non-compliant business does not cure the compliance issue within 30 days of notice, the Virginia AG can institute an enforcement action, which carries statutory damages of up to $7,500 per violation for intentional violations. Unlike the CCPA, there is no private right of action.

Conclusion

Much like the CCPA, businesses can expect that regulations will be generated by the Virginia AG that will provide more detail about the CDPA requirements. While the final texts of those regulations are far off, businesses that will need to comply should begin preparations now—especially if they are not currently compliant with the GDPR or CCPA. Consultation with experienced privacy counsel and consultants can provide significant assistance in compliance efforts.

******************************************************************************************************************************************************************************************************************

[1] Joseph Duball, “Challenge accepted: Initial Virginia CDPA Reactions, Considerations”, IAPP (Mar. 4, 2021) (https://iapp.org/news/a/challenge-accepted-initial-virginia-cdpa-reactions-considerations/?mkt_tok=MTM4LUVaTS0wNDIAAAF7nWl2kuMyzbn5dKcD8W3Y4fggbDxNg2PM84osNdKWpMvPYHWeJcjIqQy1i4dSpHpMQHLs0yruSK6OoqCCkkzJXqhhnHOByJMIE7AxjkbfRlLv).

[2] § 59.1-572(A).

[3] Other exceptions include disclosures: (1) to a processor; (2) to a third party for the purposes of providing a product or service requested by the consumer; (3) to a controller’s affiliate; or (4) of information generally made available by the data subject through a mass media channel that is not restricted to a particular audience. The CDPA’s definitions of “processor”, “controller”, and “third party” are virtually identical to those in the GDPR.