Beyond Fingerprints: Navigating the Biometric Amendment to the Colorado Privacy Act
On July 1, 2025, the Biometric Data Privacy Amendment to the Colorado Privacy Act will take effect, creating a new, stand-alone set of obligations for any entity—whether or not it is otherwise subject to the consumer-facing portions of the Colorado Privacy Act—that collects, captures, purchases, receives, or otherwise obtains “biometric identifiers” or “biometric data” from individuals in Colorado. See C.R.S. § 6-1-1314.
Quick Hits
Starting July 1, 2025, the Biometric Data Privacy Amendment to the Colorado Privacy Act will impose new obligations on entities collecting biometric data from individuals in Colorado, including employees and job applicants.
The amendment introduces a consent paradigm limiting when employers can require biometric data, allowing mandatory consent only for specific purposes like secure access and workplace safety.
Employers must comply with a strict data-deletion schedule and maintain a written incident-response protocol for biometric data, with enforcement by the Colorado attorney general and district attorneys.
Although the underlying Colorado Privacy Act expressly excludes employees and job applicants from the definition of “consumer,” the amendment overrides that exclusion in part by imposing employer-facing duties any time an employer collects or uses employees’ or applicants’ biometric identifiers. As a result, companies that have historically viewed Colorado’s privacy law as a purely business-to-consumer (B2C) concern must now evaluate, document, and potentially redesign workplace practices that rely on fingerprints, facial geometry, iris scans, voiceprints, or any other unique biological characteristic used to identify a specific individual.
The centerpiece of the amendment is a new consent paradigm that sharply limits the circumstances in which an employer may condition employment—or continued employment—on an employee’s agreement to provide a biometric identifier. Mandatory consent is permissible only when the biometric identifier is collected and used for one of four narrowly defined workplace purposes: (1) granting access to secure physical areas or secure electronic hardware, software, or systems; (2) recording the start and end of the workday, including meal and rest breaks that exceed thirty minutes; (3) improving or monitoring workplace safety or security, or protecting the safety or security of employees; and (4) improving or monitoring public safety or security during an emergency or crisis.
If an employer’s use case falls outside these four categories—for example, tracking an employee’s physical location throughout the day, measuring productivity through keystroke dynamics, or gauging time spent inside a specific software application—the employer must offer a genuine choice. The employee may not be denied employment, disciplined, or otherwise retaliated against for withholding consent.
Two statutory carve-outs eliminate the consent requirement altogether, yet they present substantial compliance risk because they overlap and arguably conflict with other state and federal laws. The amendment waives consent when the employee “reasonably should expect” biometric collection based on the employee’s job description—for example, a security guard whose duties inherently involve biometric gate controls. It waives consent for job applicants when collection is “based on reasonable background check, application, or identification requirements,” such as fingerprints for a criminal background screen.
Employers may want to approach both exceptions with caution. In the applicant context, the federal Fair Credit Reporting Act (FCRA) already mandates written authorization before initiating any background check, including fingerprint-based checks, so reliance on the amendment’s consent waiver would invite a direct conflict with FCRA disclosure and authorization requirements. Similarly, other state biometric or privacy statutes—including the Illinois Biometric Information Privacy Act (BIPA), the California Privacy Rights Act (CPRA) as applied to employee data, the Texas Capture or Use of Biometric Identifier law (CUBI), and Washington’s biometric statute—either provide no comparable waiver or impose more stringent notice and consent mandates.
(The CPRA is an amendment to the California Consumer Protection Act (CCPA). While structured more like the European Union’s General Data Protection Regulation than BIPA, the CPRA does require employers to provide notice and obtain the consent (or “opt-in”) of employees before collecting or using their biometric templates, if they intend to sell that information. The CPRA also requires employers to provide employees notice of their rights to “opt out” of their collection practices and give employees two means of opting out: generally, by email, cell phone, or website contact.)
Accordingly, Colorado employers with multistate operations may not want to treat the amendment’s two consent waivers as safe harbors. Instead, employers may want to adopt a uniform, nationwide approach that honors the highest common denominator across jurisdictions.
Beyond consent, the amendment imposes a strict data-deletion schedule that requires covered entities to permanently destroy biometric data at the earliest of three possible trigger points: (a) once the original purpose for collection has been fulfilled; (b) twenty-four months after the employee’s or applicant’s last interaction with the employer; or (c) within forty-five days after the employer determines that continued retention is no longer necessary, adequate, or relevant to the collection purpose. Although subsections (a) and (c) appear to overlap—both hinge on satisfaction of the collection purpose—employers may want to treat each prong as an independent obligation and document retention decisions accordingly.
The amendment also requires covered entities to maintain and implement a written incident-response protocol tailored to biometric data. At a minimum, the protocol should incorporate Colorado’s existing breach-notification statute—which, unlike many states, already applies to biometric data. Prompt notification to affected individuals and, when thresholds are met, to the Colorado attorney general, must occur in accordance with statutory timelines whenever there is “reasonable belief” that a security incident has compromised biometric identifiers. See C.R.S. § 6-1-716.
Finally, while the amendment does not provide a private right of action, exclusive enforcement by the Colorado attorney general and district attorneys should not lull employers into complacency. Key operational steps between now and July 1, 2025, include:
inventorying systems and devices that capture biometric identifiers of Colorado employees or applicants;
verifying that each use fits within the four categories that allow mandatory consent and providing for voluntary consent for all other uses;
drafting or revising a biometric privacy policy and consent form that describes collection purposes, retention schedules, destruction methods, notice provisions, and incident-response obligations;
evaluating whether vendor agreements that require downstream compliance with the amendment’s retention, deletion, and incident-response obligations are needed; and
training human resources, security, and IT personnel on the new statutory framework.
HRSA Announces New Requirements for FQHCs to Provide Insulin and Epinephrine at or below 340B Price
On June 24, HRSA announced that it had issued new grant award terms to its HRSA-funded health centers to provide insulin and injectable epinephrine at or below the 340B price paid by the health center for the drugs. HRSA encouraged health centers to “begin implementing these updated award terms immediately to ensure full compliance and maximize patient benefit.” The announcement comes in response to the Trump Administration’s April 14, 2025 Executive Order on “Lowering Drug Prices by Once Again Putting Americans First” (the “Executive Order”).[1] The Executive Order had instructed the Secretary of the Department of Health and Human Services to, within 90 days, ensure grants available under section 330(e) of the Public Health Services Act are conditioned upon health centers establishing practices to make insulin and injectable epinephrine available to low-income patients at or below the 340B price paid by the health center.
In a Q&A session hosted by HRSA on June 24, 2025, HRSA representatives clarified that this requirement does not currently apply to FQHC Look-Alikes, nor does it apply to any grantees that do not participate in the 340B Program. HRSA also stated that grantees would be required to report and demonstrate on their Form 1C (in conjunction with the annual Budget Period Progress Report (or “BPR”)) that they have the necessary practices and policies in place to comply with these requirements.
Although HRSA issued this condition to its grant terms, HRSA did not specify how HRSA grantees must implement this requirement. Thus, HRSA grantees must individually come up with internal practices and methods to ensure that low-income patients obtain the insulin or injectable epinephrine at the 340B price paid. Because 340B drug prices typically change on a quarterly basis, HRSA grantees should consider methods that update the patients’ cost of these drugs based on the mostly recent 340B price paid.
FOOTNOTES
[1] Exec. Order No. 14273, 90 Fed. Reg. 16441 (April 18, 2025).
Listen to this post
OCC Enters Consent Orders Against New York-based Bank
On May 14, the OCC entered into a formal agreement with a New York-based bank after determining that the institution is in “troubled condition.” In its findings, the OCC cited alleged unsafe or unsound practices tied to the bank’s strategic planning and earnings performance.
The agreement does not cite specific statutory violations and imposes no monetary penalties. Instead, it places the bank under heightened supervisory scrutiny and requires extensive corrective action. Specifically, the bank must develop and implement two core remediation plans:
Three-year strategic plan. By September 30, the bank must submit a plan that sets measurable goals for risk management, earnings, growth, capital, and product strategy. A board-level compliance committee will oversee implementation and submit quarterly progress reports to the OCC.
Earnings improvement program. Also due by September 30, the bank must identify expense-reduction and revenue-generation opportunities, including branch and technology optimization, compensation review, and strategies to grow non-interest income while remaining compliant with consumer-protection laws.
Operations and succession. The bank’s plan must include an evaluation of its internal operations, staffing levels, management-information systems, policies, and procedures, and incorporate a management employment and succession plan to ensure adequate staffing and leadership continuity.
The board must create a compliance committee of independent directors within 15 days to oversee implementation and provide quarterly progress reports to the OCC. The agreement will remain in force until the OCC verifies that all corrective actions are fully and sustainably completed.
Putting It Into Practice: While the CFPB continues to scale back its regulatory and enforcement efforts, other federal and state agencies are continuing their oversight. What is notable here however, is that the OCC entered into a consent order without requiring the bank to pay a civil money penalty. This approach raises questions about the OCC’s enforcement posture—particularly when compared to the often-penalty-driven actions of the CFPB in recent years. The absence of a monetary penalty may signal a more collaborative or rehabilitative stance by federal regulators. Only time will tell.
Listen to this post
Jurisdictional Boundaries of the Federal Circuit in ITC-Related Matters Are Limited
In Realtek Semiconductor Corporation v. ITC (23-1187), the Federal Circuit concluded that it lacked jurisdiction to decide whether the International Trade Commission (ITC) correctly denied Realtek’s motion for sanctions against Future Link Systems, LLC because the ITC decision did not involve a final determination affecting the entry of articles. As a result, the panel did not address the merits of Realtek’s appeal.
Background
In 2019, Future Link entered into a license agreement with MediaTek, Inc., which stipulated a lump sum payment if Future Link filed a lawsuit against Realtek. After filing a complaint with the ITC accusing Realtek of patent infringement, Future Link subsequently settled with a third party and told Realtek that the settlement resolved the underlying investigation. Realtek filed a motion for sanctions alleging that the agreement between Future Link and MediaTek was improper.
Despite expressing concern about the agreement between Future Link and MediaTek, the administrative law judge (ALJ) denied the sanctions motion on the basis that the agreement did not influence Future Link’s decision to file the complaint. Future Link then withdrew its complaint, and the investigation was successfully terminated. As such, there was no final determination on the merits by the Commission.
Once the ITC adopted the ALJ’s order, Realtek appealed the denial of the sanctions motion to the Federal Circuit.
Jurisdictional Analysis
The Federal Circuit’s jurisdiction to hear appeals from the ITC is governed by 28 U.S.C. § 1295(a)(6), which allows for the review of final determinations under 19 U.S.C. § 1337.
On appeal, Realtek was not able to persuade the panel that the ITC’s denial of the sanctions motion was a final determination within Section 1295(a)(6). Rather, the panel explained that Realtek’s position misconstrued Federal Circuit case law and that a final decision on the merits, such that it would trigger jurisdiction under 28 U.S.C. § 1295(a)(6), must be a decision that is tied to the entry of articles. In doing so, the panel harkened back to an almost 40-year old decision in which the appellant asked the Federal Circuit to review a decision by the Commission regarding the declassification of certain materials. More specifically, in Viscofan, S.A. v. U.S. International Trade Commission, the Federal Circuit found that it did not have jurisdiction to review an ITC decision on declassification because (1) 28 U.S.C. § 1295(a)(6) only gave the Federal Circuit exclusive jurisdiction to review final determinations “relating to unfair practices in import trade” and (2) Congress specifically defined final determinations to include those set forth in the first sentence of Section 1337(c):
The Commission shall determine, with respect to each investigation conducted by it under this section, whether or not there is a violation of this section, except that the Commission may, by issuing a consent order or on the basis of an agreement between the private parties to the investigation, including an agreement to present the matter for arbitration, terminate any such investigation, in whole or in part, without making such a determination.
In other words, ITC decisions that do not affect the validity of an exclusion order are not within the Federal Circuit’s jurisdiction. Since Realtek’s appeal sought sanctions unrelated to the entry of articles, the appeal did not meet this requirement and was dismissed.
Takeaways
While the Federal Circuit did not reach the merits of Realtek’s appeal on the sanctions issue, this decision highlights the importance of understanding the specific jurisdictional boundaries of the Federal Circuit in ITC-related matters, particularly concerning sanctions and other issues that are not ancillary to a final determination. As an aside, the panel did lend some insight into what “ancillary issues” would still be deemed to fall within Federal Circuit jurisdiction under 28 U.S.C. § 1295(a)(6). In this aspect, a decision not to institute an investigation or dismissal for lack of subject matter jurisdiction would be an ancillary issue appropriate for appellate review under Section 1295(a)(6) because they have the effect of conclusively denying the complainant’s request to exclude particular items from entry.
However, the panel recognizes that, based on the statute, it remains an open question which court can review this type of matter. The only guidance from the panel on this question is that “in other settings, courts have held that, in the absence of an indication of where judicial review will take place, ‘the normal default rule is that persons seeking review of agency action go first to district court rather than to a court of appeals.’”
Listen to this post
Federal Reserve Board Removes Reputational Risk from Examination Ratings
On June 23, the Federal Reserve Board announced that reputational risk will no longer be a component of its bank-examination program. The same day, the Board released a revised edition of its Guidelines for Rating Risk Management at State Member Banks and Bank Holding Companies, which deletes every reference to reputational risk.
The announcement states that examiners will now focus on specific, quantifiable categories of financial, operational, legal, and compliance risk. To ensure uniform implementation, the Federal Reserve will train examination staff, update supervisory manuals, and coordinate with other federal banking agencies to promote consistent practices.
The updated SR 95-51 substitutes discussions of “material financial risks” for all reputational references. Going forward, examination reports will not cite or downgrade banks for perception-based concerns; supervisory ratings will hinge solely on measurable risk metrics. Banks may still track reputational considerations internally, but those metrics will no longer influence federal examination outcomes.
Putting It Into Practice: The Fed’s move, following similar actions by the OCC and FDIC confirms a coordinated shift toward objective, metrics-driven supervision. With the Fed, OCC and FDIC all removing reputational risk from examination ratings, institutions examined by multiple regulators can expect more consistent procedures across the prudential regulators.
General Mills and Kraft Heinz Announce Voluntary Phase Outs of Synthetic Color Additives
On June 17, 2025, General Mills announced its plans to remove certified color additives from all of its U.S. cereals and what the company referred to as its K-12 school portfolio by summer 2026. Certified color additives authorized for use in food in the United States are found in FDA’s color additive regulations, specifically 21 CFR part 74, subpart A.
The same day, Kraft Heinz similarly pledged to remove the certified color additives from its U.S. portfolio before the end of 2027. Jeff Harmening, chairman and CEO of General Mills, calls the company’s scheduled change an example of meeting “evolving consumer needs.”
These moves come a few months after the U.S. Food and Drug Administration (FDA) and the Department of Health and Human Services (HHS) encouraged the food industry to phase out the use of certified color additives (see previous blog here). FDA has not initiated any formal regulatory process to revoke the authorizations for synthetic color additives, but instead will likely continue to encourage voluntary phase outs and possibly state bans (see here).
Texas Federal Court Vacates Most of 2024 HIPAA Rule on Reproductive Health Information
In 2024, the U.S. Department of Health and Human Services’ (“HHS”) implemented a new privacy rule under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that applied specifically to reproductive health information (the “2024 Rule”). On June 18, 2025, Judge Matthew J. Kacsmaryk of the U.S. District Court for the Northern District of Texas issued an opinion largely vacating the 2024 Rule. The decision in Purl v. U.S. Department of Health and Human Services nullifies the 2024 Rule, except for technical provisions unrelated to reproductive health information.
Judge Kacsmaryk held that HHS exceeded its statutory authority when it created “special protections for medical information produced by politically favored medical procedures…” without a clear congressional mandate. Relying on the major questions doctrine and principles of federalism, the opinion concludes that HIPAA does not authorize HHS to distinguish among categories of protected health information to advance policy goals. The court further found that the 2024 Rule impermissibly: limited state public health and child abuse reporting laws; redefined the terms “person” (to exclude unborn humans) and “public health”; required an attestation prior to the release of certain information; and forced HIPAA covered entities to ascertain the lawfulness of the reproductive services provided before responding to information requests (an obligation Judge Kacsmaryk deemed unworkable).
Because the court vacated the 2024 Rule based on the Administrative Procedure Act, the HIPAA framework in place prior to the 2024 Rule is back in effect. Under that framework, disclosures of protected health information for law enforcement and public health purposes are permissible, but not mandatory (without the need for an attestation regarding how the information will be used), subject to the existing HIPAA Privacy Rule conditions and any state law protections more stringent than HIPAA.
Judge Kacsmaryk’s ruling is effective nationwide, but HHS could seek a stay or pursue an appeal to the Fifth Circuit.
Mastering Information Governance with the ARMA IGIM 2.1 FrameworkPart 1: Introduction to the ARMA IGIM Framework
Today, organizations face unprecedented data challenges. The sheer volume of information, evolving regulations, and the rising momentum of artificial intelligence (AI) revolutionizing industries make it clear that information governance (IG) is not optional. The ARMA IGIM 2.1 framework provides organizations with a practical, structured approach to manage data effectively, enabling them to meet these challenges head-on.
The IGIM Framework and Its Importance
At its core, the IGIM framework breaks down IG into eight domains:
Steering Committee
Authorities
Support Functions
Procedural Framework
Capabilities
Information Lifecycle
Architecture
Infrastructure
These eight domains work to ensure that every piece of information within your organization is secure and usable throughout its lifecycle. Adopting IGIM benefits organizations by streamlining workflows, reducing compliance risks, and increasing operational efficiency. But the advantages don’t end there.
Why IG is Indispensable for AI Adoption
AI thrives on high-quality, well-governed data. AI tools rely on accurate, accessible, and structured information to generate actionable insights. Without a proper IG framework, organizations often struggle with:
Data Silos: Making it difficult to consolidate or analyze data.
Dirty Data: Leading to inaccurate AI outputs.
Compliance Risks: Exposing organizations to penalties from data misuse.
By establishing effective governance practices, organizations create the foundation needed for AI to optimally perform. For example, banks using the IGIM framework to organize customer data see faster AI-driven credit risk assessments because the information is clean, structured, and easily retrievable.
Through this series, you’ll discover how the IGIM framework enables not only effective governance but also maximizes the value of AI investments. Next week, we’ll discuss laying the foundation for your IG program.
What can you do now? Assess your current data governance practices and consider how well-structured data could drive your AI initiative forward.
EPA Signals Approval of Texas’ Class VI Injection Well Primacy: Streamlining Carbon Capture and Climate Action
In a significant move for environmental policy and energy innovation, the U.S. Environmental Protection Agency (EPA) has proposed to approve Texas’ application to administer its own Class VI underground injection well program. This decision, announced on June 9, 2025, marks a pivotal step in accelerating carbon capture and sequestration (CCS) efforts across the state and potentially the nation.[1]
Results of the EPA Announcement
The EPA’s proposal grants Texas the authority to issue permits for Class VI wells—specialized underground injection wells used to store carbon dioxide (CO2) deep underground. These wells are a cornerstone of CCS technology, which captures CO2 emissions from industrial sources and power plants and stores the CO2 underground, preventing it from entering the atmosphere.
Under the Safe Drinking Water Act (SDWA), the EPA typically oversees the permitting of these wells. However, states can apply for “primacy,” or the right to manage the permitting process themselves, provided they meet stringent federal standards. Texas’ application, led by the Texas Railroad Commission, has now received the EPA’s preliminary approval, pending a final rule.
Streamlining Permits and Boosting Investor Confidence
Once finalized, one of the most immediate benefits of this decision is the expected reduction in permitting times for CCS projects. Under federal oversight, the permitting process for Class VI wells has often been criticized for being slow and cumbersome, sometimes taking several years. By shifting control to Texas, which has decades of experience managing other classes of underground injection wells within their state, the process is expected to become significantly more efficient.
This streamlining is crucial for attracting private investment. Carbon capture projects are capital-intensive and require long-term planning. With Texas now poised to manage its own Class VI program, companies and investors can expect faster approvals, more accurate timelines, and more predictable regulatory outcomes.
A Catalyst for Carbon Capture and Sequestration?
The EPA’s move may not be just a bureaucratic shift—it can be a catalyst for broader adoption of CCS technologies and greater utilization of Texas well space. Companies engaging in CSS may qualify for tax credits, with benefits ranging from $17 to $180 per metric ton of CO2 captured.[2] However, investors may still want to proceed with caution: while the administration has taken steps to ease permitting and regulatory barriers, the 2026 federal budget includes cuts to several CCS-related funding programs, potentially limiting the financial viability of some projects.[3]
Texas, as a leader in both energy production and geological storage potential, is uniquely positioned to scale up CCS. Much of the state’s vast underground formations, particularly saline aquifers and depleted oil and gas reservoirs, offer ideal conditions for long-term CO2 storage. By enabling Texas to take the reins, the EPA may be clearing a path for a new wave of potential CCS projects. This could include retrofitting existing power plants, supporting industrial decarbonization, and even facilitating direct air capture (DAC) technologies that remove CO2 directly from the atmosphere. Still, the long-term success of these efforts may hinge on whether financial incentives can keep pace with the regulatory momentum.
Cooperative Federalism in Action
The EPA’s decision also reflects a broader philosophy of “cooperative federalism,” where federal and state governments work together to achieve shared goals. Administrator Zeldin framed the move as a return to this principle, emphasizing that states like Texas are best equipped to manage their own environmental programs.
This approach has garnered bipartisan support in Texas, with both federal and state officials applauding the decision. It also sets a precedent for other states seeking primacy over Class VI wells, potentially accelerating CCS deployment nationwide.
Looking Ahead
While the EPA’s proposal is not yet final, it represents a major milestone. A public comment period will follow, after which the agency will issue a final rule. If approved, Texas will join the growing list of states with full authority over Class VI well permitting, similar to the state’s management of existing Class I, II, III, IV, and V wells.
This development may spur rapid adoption of CCS technologies, not just in Texas but across the U.S. as the EPA continues to delegate authority to other states. Such changes promise faster project timelines, increased investor confidence, and a stronger foundation for meaningful climate action.
Footnotes
[1] https://www.epa.gov/newsreleases/epa-proposes-approve-texas-application-administer-class-vi-underground-injection-well
[2] https://www.rrc.texas.gov/about-us/faqs/oil-gas-faq/class-vi-wells-in-texas/
[3] https://www.whitehouse.gov/wp-content/uploads/2025/05/Ending-the-Green-New-Scam-Fact-Sheet.pdf
Ninth Circuit Ruling Bolsters Ability of Whistleblowers to Combat Customs and Tariff Fraud
On June 23, 2025, the U.S. Court of Appeals for the Ninth Circuit issued a ruling in Island Industries v. Sigma Corporation, a False Claims Act case involving whistleblower allegations of customs duty evasion. The ruling, in favor of the whistleblower, bolsters the ability of whistleblowers to use the False Claims Act to hold companies accountable for committing customs and tariff fraud.
Companies can be liable under the FCA for so-called “reverse” false claims when they knowingly conceal and improperly avoid an obligation to pay or transmit money to the U.S. government. Thus, when an individual or company knowingly evades paying custom duties on goods it knowingly violates the FCA. Under the FCA’s qui tam provisions, a whistleblower may file a suit alleging FCA violations on behalf of the U.S. government and is entitled to a share of the recovery if the suit is successful.
The case stems from a qui tam whistleblower lawsuit filed by Island Industries, a competitor of the defendant, which alleged that Sigma Corporation violated the False Claims Act by evading federal antidumping duties on pipe fittings it imported into the United States.
The Ninth Circuit ruling touched on a number of issues concerning the ability of whistleblowers to leverage the False Claims Act against customs fraud. First, it held that qui tam suits alleging evasion of customs duties can be brought in federal district courts, and are not required to be heard before the Court of International Trade despite that court’s usual jurisdiction over trade matters.
Second, the ruling held that companies who engage in customs duties fraud may be held liable both by the government under 19 U.S.C. § 1592 and by a whistleblower or the government under the False Claims Act. The Court explained that “Section 1592 does not state that it is an exclusive remedy. And the FCA expressly contemplates that FCA cases can proceed in parallel with the government’s pursuit of ‘any alternate remedy available to the Government, including any administrative proceeding to determine a civil money penalty.’”
Third, the court ruled that Sigma Corporation did have an “obligation” to pay money to the government in regards to the antidumping duties despite the fact that the amount of duties owed was not fixed until later in time. According to the ruling, an importer who is required to pay antidumping duties on products it imports has an “obligation” to pay the United States at the time of the importing, and can thus be found liable under the False Claims Act for not making such payments.
Lastly, the Court held that there was sufficient evidence of scienter (or knowledge of the wrongdoing) for Sigma to be found liable under the False Claims Act. The Court ruled that an importer has an obligation to make an attempt to understand whether customs duties are owed on its imports and cannot avoid liability by simply choosing not to make such inquiries. The court explained that “FCA scienter encompasses ‘the ‘ostrich’ type situation where an individual has buried his head in the sand and failed to make simple inquiries which would alert him that false claims are being submitted.’”
Overall, the ruling bolsters the ability of whistleblowers and the government to hold companies accountable for customs fraud under the False Claims Act by striking down potential avenues for defendants to escape liability under the law. The ruling is particularly notable given that the Ninth Circuit covers the West Coast of the United States, home to some of the busiest ports in the nation.
In February, Deputy Assistant Attorney General Michael Granston promised that under the Trump administration the DOJ “plans to continue to aggressively enforce the False Claims Act,” and specifically touched on aggressive enforcement of customs and tariff fraud.
“The False Claims Act has also proven to be a powerful tool for combatting those who seek to avoid the payment of customs duties on imported goods, including goods subject to anti-dumping or countervailing duties, which are intended to protect the American economy against illegal foreign trade practices,” Granston stated.
“You can therefore expect the department to continue to use the False Claims Act to help enforce these trade laws,” Granston added.
Individuals considering blowing the whistle on customs or tariff fraud should first consult an experienced FCA whistleblower attorney to help ensure they file an effective qui tam suit and that they are protected from retaliation.
Privacy Tip #448 – Privacy Tips for 2025: A Timely Reminder
After writing over 500 privacy tips in my career, it gets a little difficult to find new content to keep the tips relevant and timely. I came across a recent post by the CyberGuy, Kurt Knutsson, that I thought our readers would get some insightful tips from, including up to date ideas on how and why to keep your identifiable information from AI tools like ChatGPT.
The post provides “11 easy ways” to protect your privacy from being “collected, tracked, and sometimes even sold.” The 11 steps are practical and easy to follow. There are even diagrams and screen shots on how to make changes to your privacy settings. A new one for me is the second tip—how to protect your inbox with email aliases and disposable addresses. This is an interesting strategy for personal email accounts, so the alias email address receives the spam, and your real email account is not inundated, or if there is a breach, the alias email address is compromised and not your real one. Kurt suggests using StartMail, which allows users to create unlimited customized aliases.
I agree with all of his suggestions and tips. Although you have to be vigilant to limit the information about you available online, these suggestions will help. Try them out.
Florida Legislature Passes Bill to End Sales Tax Exemption for Sub-100 MW Data Centers
The Florida legislature has passed a bill that would end the data center sales tax exemption for existing data centers with a critical IT load of less than 100 megawatts (MW), effective Aug. 1, 2025. This may materially impact existing sub-100 MW data center owners and tenants, in addition to developers who are currently developing and constructing sub-100 MW data centers.
HB 7031: Understanding the New 100 MW Threshold for Sales Tax Exemption
The Florida data center exemption currently allows the owner, tenants, and construction contractors to purchase necessary equipment and materials to construct, equip, and operate a data center free of the states’ 6% sales tax (plus local option tax of typically 1% to 1.5%). Whether it was the legislative intent to end the sales tax exemption for existing and under construction sub-100 MW data centers is unclear, but this appears to be the practical effect of HB 7031, the legislature’s 200-page 2025 tax bill.
This exemption’s termination as of Aug. 1, 2025, may materially impact continuing operations even though all of the data center equipment and components have been purchased tax-free prior to Aug. 1, because the sales tax exemption applies not only to construction and equipment purchases but also to ongoing purchases of electricity. Since the exemption was meant to be permanent, and the benefit thereof was intended to be passed through to data center tenants, the loss of the exemption for electricity may hinder landlords’ ability to keep existing tenants and attract new ones to their data centers. The loss of the exemption might also result in a material breach of the owner’s covenants under some existing leases with tenants and possibly their loan agreement with lenders, ultimately impacting the underwriting and valuations attributable to these assets.
The language would eliminate, as of Aug. 1, 2025, the exemption for existing sub-100 MW data centers because the exemption statute requires a data center owner to go through a review process every five years to maintain their permanent exemption certificate. As part of this review process, the owner must certify that the data center’s critical IT load is 100 MW or higher. This means that when a sub-100 MW data center goes through its five-year review process after the Aug. 1, 2025, effective date, it would not be able to provide this certification and lose the exemption. Furthermore, the statute provides that in the event of a sales tax audit, if tax-free purchases were made after the data center lost its eligibility for the exemption, then the owner and tenants must pay back taxes, penalties, and interest on a retroactive basis. Since the new 100 MW requirement takes effect Aug. 1, then all purchases that owners and tenants of sub-100 MW data centers make after the effective date would appear to be subject to sales tax. The amendment to the exemption statute provides no grandfather rule for existing sub-100 MW data centers.
Potential Implications for Existing Data Center Owners, Tenants, and Contractors
As for sub-100 MW data centers currently under construction, this change would also impact the contractors and subcontractors constructing the projects. The data center exemption law allows contractors to also use this sales tax exemption when purchasing materials to “construct, outfit, operate, support, power, cool, dehumidify, secure, or protect a data center and any contiguous dedicated substations.” Under Florida sales tax law – for most types of construction contracts – the contractor (including a subcontractor) is considered the ultimate consumer of the materials they purchase, and therefore the contractor must pay sales tax on their purchases to carry out their contract. As a result, a contractor on a data center project under construction may have priced their bid on the assumption that no sales tax would be paid on many of the items purchased to fulfill their contract. If this bill is signed into law, contractors may no longer be able to purchase items tax-free after Aug. 1, and new developments may see higher costs. Data center operators with projects currently under development in the state should review their construction agreements to determine who bears the risk.
This amendment did not become a part of HB 7031 until a few days before the legislature passed this 200-page bill on June 16, and there is no detail in the bill’s staff analysis. Furthermore, HB 7031 also repealed the sales tax on commercial leases in Florida, which tenants must pay on their data center lease payments (typically 3% – 3.5% of the lease payment, depending on the county), which might have been a justification for the legislature to terminate the data center exemption for equipment and electricity.
Key Takeaways
Even if the legislature addresses this concern in next year’s legislative session, this may leave sub-100 MW data centers in limbo until that occurs. If the lease agreement with a data center tenant provides that the loss of the sales tax exemption is a breach thereunder, some tenants might use that as a reason to terminate their lease or further amend to the terms thereof.
This data center exemption is a small portion of HB 7031. Because this tax bill is integral to the legislature’s budget bill, which must be enacted by July 1, it is included among several provisions that are expected to move forward. It is possible that, if concerns are raised, Gov. DeSantis might instruct the Department of Revenue to consider issuing guidance delaying the enforcement of the loss of exemption for existing sub-100 MW data centers until after the legislature has the opportunity to address this next year.