This article was originally published on December 12, 2023 in Reuters and Westlaw Today. It is republished here with permission.

It is indeed a tangled regulatory web woven to potentially trap an organization in the wake of a data incident. Navigating this web can involve significant resources, time, and stress. As we discussed in part two of this series, “Your organization has suffered a data incident: Now here are the regulators it will likely encounter,” Reuters Legal News and Westlaw Today, Oct. 16, 2023, there is no shortage of regulators likely to come calling. Organizations therefore have little margin for error when assessing and responding to an incident.

Despite the federal ban on the sale, use, and possession of cannabis in the U.S., in October, Georgia became the first U.S. state to allow pharmacies to sell low-dose tetrahydrocannabinol (THC) products. Pursuant to statutes passed by the Georgia General Assembly in 2019, certain Georgia pharmacies approved by the Georgia Board of Pharmacy, are permitted to sell low-dose THC products containing up to 5% THC, the intoxicating component found in the cannabis plant. The 5% cap is far lower than the allowable THC levels in most states.

Recently, the City of Denver’s Department of Public Health and Environment (DDPHE) ordered, among other things, the destruction of Titan Health LLC’s (Titan Health) marijuana plants that it deemed to “hav[e] evidence of spider mite influx.” Titan Health appealed the DDPHE’s Notice of Violation (NOV), not only due to the lack of evidence warranting such an extreme remedy, but also because the NOV exceeded the City of Denver’s authority.[1] In fact, according to Titan Health, Colorado state law specifically preempted the NOV. While the merits of the appeal were not ultimately heard, this case exemplifies the importance of understanding state preemption and the limitations placed on localities’ authority.

The principle of open government is foundational to a healthy democracy, and the availability of government records upon request from the public is one of its chief cornerstones. In the U.S., the primary mechanism by which the public gains access to government records is the Freedom of Information Act (FOIA).[1] FOIA serves as a pivotal tool for ensuring governmental transparency by allowing the public to make requests to governmental entities to access specific government records.

A federal judge has denied the Gerald R. Ford International Airport Authority‘s attempt to move an environmental lawsuit to federal court to be filed by Michigan Attorney General (AG) Dana Nessel, alleging that per- and polyfluoroalkyl substance (PFAS) releases by the airport authority contaminated the regional drinking water supply.

Rhode Island Attorney General (AG) Peter F. Neronha and his office filed a motion on November 30, to amend and supplement their complaint against Smart Green Solar, LLC (Smart Green) and its CEO, Jasjit Gotra, for allegedly violating the Rhode Island Deceptive Trade Practice Act. The proposed amended complaint builds on the allegations the office made in June, identifies additional alleged illegal conduct, and adds two more company executives, Christopher Schiavone and George Nixon, as individually named defendants.

In the latest episode of Regulatory Oversight, Troutman Pepper RISE attorneys Jean Gonnell and Cole White are joined by AGA’s Bruce Turcott, legal editor of the Cannabis Law Deskbook, to discuss the evolution of cannabis regulation in Colorado and Washington, the first two states to legalize marijuana. They discuss the challenges and successes of implementing cannabis laws, including the development of licensing systems, the impact of local authority on licensing, and the role of receiverships in the industry.

Republican attorneys general (AGs) from 19 states, led by Utah AG Sean D. Reyes, filed an amicus brief urging the Fifth Circuit to rehear a case after a panel of judges declined to entertain a lawsuit challenging diversity rules.[1] The lawsuit was filed by two conservative groups, the Alliance for Fair Board Recruitment and National Center for Public Policy Research, in their attempt to overturn a Nasdaq rule that requires companies to disclose board diversity data. The AGs argue that the rule, which was approved by the Securities Exchange Commission (SEC), violates the Constitution’s equal protection clause and could undermine state law and policy on corporate board composition and racial and gender preferences.

On November 22, Wisconsin Attorney General (AG) Josh Kaul announced that his office settled a civil enforcement action against Paul Bugar Trucking, Inc. and its owner, Paul J. Bugar. Kaul alleged the defendants violated a Wisconsin Pollution Discharge Elimination System (WPDES) permit for the company’s nonmetallic mining operations in Clark County, WI.

Similar to other state consumer data protection acts enacted over the past two years, the Colorado Privacy Act (CPA) allows Colorado consumers to opt out of the sale of personal data and the processing of such data for targeted advertising purposes. Beginning on July 1, 2024, companies controlling personal data that fall within the purview of the CPA must allow consumers to opt out via a universal opt-out mechanism (UOOM).