How Hemp Retailers Can Comply with Alabama’s Consumable Hemp Law by January 1, 2026

The Traveling Wilburys – perhaps the musical supergroup most aligned with the mood and spirit of the Budding Trends blog – tell us that it’s all right to live the life you please. The state of Alabama, however, has determined that the End of the Line for unregulated consumable hemp is January 1, 2026.
As a reminder, Alabama enacted comprehensive reform of consumable hemp products during the last legislative session. While consumable hemp products are not outright banned under Alabama’s new regime, the who, what, when, where, and how of product offerings are all substantially impacted.
We invite you to read on to see what steps Alabama hemp operators should ensure are taken to comply with each of the provisions of the new law.
What Does HB 445 Prohibit?
Starting on January 1, the sale or possession of consumable hemp products in violation of HB 445 (and sale or possession of unlawful hemp products generally) can lead to statutory fines and a class C felony, which includes fines up to $15,000 and potential jail time of one to 10 years.
That is, a person in possession of a Delta-8 vape pen arguably faces the same criminal liability as a person in possession of 1 gram of cocaine or 1 gram of methamphetamine. Don’t ask us why — that’s a question better served for the Alabama Legislature.
And this is not a hypothetical risk. As if hemp operators need a reminder, ABC and local law enforcement will likely enforce HB 445 quickly and harshly. Just before the effective date of HB 445 in July, law enforcement conducted broad, state-wide sweeps of hemp operators, which, in some cases, resulted in the confiscation of up to 60 pounds of product. Consumable hemp operators must be aware that similar sweeps are likely inevitable come January 1, 2026.
What Products Are Impacted?
Any hemp product intended for human or animal consumption. A consumable hemp product is defined as a “finished product that is intended for human or animal consumption and that contains any part of the hemp plant or any compound, concentrate, extract, isolate, or resin derived from hemp. The term includes, but is not limited to, products that contain cannabinoids.” The definition has two important carve outs.
First, any smokable hemp product is not considered a “consumable hemp product.” Smokable is defined to include any product that is heated by combustion, battery, or other means to produce a smoke or vapor. Thus, vapes and flower alike are not consumable hemp products (making them unlawful hemp products).
Second, any product that contains psychoactive cannabinoids that are created by chemical synthesis using non-cannabis materials is not considered a “consumable hemp product.” Similarly, those products are also defined as unlawful hemp products, and they are subject to prosecution immediately, even before January 1, 2026.
What Happens if I Sell “Unlawful” Hemp Products?
The sale or possession of an unlawful hemp product, which includes the sale of consumable hemp products by an unlicensed person or a sale that violates the packing restrictions, product content requirements, or labeling requirements, is a class C felony.
Who Can Sell Consumable Hemp Products in Alabama After January 1, 2026?
Only retailers licensed by the ABC Board may sell consumable hemp products in Alabama after the New Year.
Can I Sell Consumable Hemp Products at Just Any Retail Location?
No. Permitted retailer locations generally fall into three categories: 1) hemp “dispensaries;” 2) pharmacies; or 3) grocery stores. Each category requires a location-specific consumable hemp product retailer license, which permits certain retail locations to sell only certain forms of consumable hemp products. For example, hemp dispensaries may sell all forms of consumable hemp products (that is, beverages, edibles, and topical or sublingual products), while retail grocers may only sell consumable hemp beverages. Pharmacies are limited to topical or sublingual consumable hemp products. Of great significance to many, consumable hemp products cannot be sold at convenience stores (currently perhaps the largest point of sale for such products). 
In addition, grocery stores and dispensaries must meet certain dimensional requirements, which can be found in Sections 28-12-45(c)(2) and 28-12-45(d)(1), respectively.
Have Noteworthy Hemp Beverage Regulation Changes Been Made Since the Last Set of Proposed Rules?
Yes. The initial regulations promulgated by the ABC Board, which would have required two levels of child-proofing containers, have been modified to allow for the standard type of pop-top typically found on a beer can. This is a significant cost saver for manufacturers. Second, whereas the initial regulations would have required hemp beverages to be locked behind glass and require an employee to retrieve the product, ABC will now allow for unlocked plexiglass that does not require assistance from an employee. In short, while the beverages will be in a different refrigerator from beer, they will be available in the same type of self-service manner as beer. Of course, the beverages will only be available to customers age 21+.
How Do I Sell Consumable Hemp Products in Alabama after January 1, 2026?
Consumable hemp products will be subject to similar types of age-gating (21+), testing, packaging, labeling, and advertising, as will medical cannabis products. And as with medical cannabis products, the first step will be to obtain a license (but not without first running your plans by the local government).
Step 1a: Locate Your Business in a Municipality That Approves of the Sale of Consumable Hemp
For the ABC Board to issue a license, the municipal government covering the jurisdiction in which the retail store is located must approve the retailer’s application for licensure. Thus, practically speaking, a retailer’s first step must be to determine whether the municipality will allow consumable hemp products to be sold (or permit the retailer, specifically, to sell consumable hemp products) within its jurisdiction. This requirement may prove difficult because some municipalities, including Auburn, Millbrook, and Pike Road, have signaled they will not permit the sale of consumable hemp products in their jurisdictions.
Step 1b: Obtain a Consumable Hemp Retailer License
After verifying municipal approval, a written application (and accompanying $50 filing fee) must be submitted to the board by “applicants,” which includes every individual (excluding publicly traded companies) that has a 10% or more stake in the business. This requirement includes the members of any partnerships, associations, or LLCs that meet the ownership threshold as well.
The following information must be included in the application:

Approval letter from the municipality in which the store is located;
Name, DOB, place of birth, address, phone number, driver’s license number, and Social Security number of every applicant;
Proof every applicant is lawfully present in the United States;
Authorization to perform a criminal background check;
Two sets of fingerprints taken by a person trained in fingerprinting;
Complete criminal court record of all arrests and subsequent dispositions for each applicant for the past 10 years;
Acquisition and proof of a $25,000 surety bond for each location;
Proof of ownership or lawful possession of the retail location; and
Certification that all information in the application is accurate.

If the board determines the application is sufficient, it must issue the license, whereupon the licensee must pay a $1,000 licensing fee.
Step 2: Ensure the Product Meets Serving Size and Content Restrictions
Serving sizes for both beverages and edibles are limited to 10 milligrams of THC (topical, sublingual, and other products that are not beverages or edibles may contain 40 milligrams). An edible must be individually wrapped, and a carton of edibles may not contain more than 40 milligrams of THC. For example, a carton containing 10 milligram edibles may only contain four individually wrapped edibles. Similarly, consumable hemp beverages may not exceed 12 fluid ounces and, if in a carton, cannot contain more than four beverages.
Step 3: Test the Product & Obtain a Certificate of Analysis
For starters, each product must be tested by an independent lab and receive a certificate of analysis detailing that the product meets certain requirements and is fit for consumption. As a practical matter, we suggest doing this after ensuring the product meets serving size and content restrictions through in-house potency testing.
The certificate of analysis must include many different product analyses. The certificate must include, but is not limited to, the cannabinoid content and potency; terpene profiles; heavy metal concentrations; chemical concentrations; and residual insecticide, fungicide, herbicide concentrations. The certificate of analysis must identify the products tested by batch number and include the date of certificate issuance, the method of analysis for each test conducted, the product name, a scannable barcode linked to the consumable hemp product’s label, the cannabinoid profile by the percentage dry weight of CBD and total THC (which cannot exceed the amount listed on the product label), and a listing of all ingredients in each product. For a full list of Certificate of Analysis requirements, look to Section 28-12-22.
Step 4: Ensure Proper Packaging of the Product
Consistent with the purpose of Alabama’s hemp regulations, all consumable hemp products must not be packaged in a manner that appeals to children. That is, they may not contain cartoon-like characters of people, animals, or fruit. Additionally, consumable hemp products must not be modeled after a brand of products that is primarily marketed to children (e.g., Warheads, Lemon Drop, Airheads, or other candy or children’s food characters). The product cannot reference terms such as candy, cake, cupcake, or pie in its names or slogan. Similarly, the product cannot contain imagery that imitates school supplies, office supplies, and personal items (e.g., cell phones, earbuds, watches, handheld gaming systems). Finally, the product cannot be branded in a fashion that would lead someone to reasonably believe the package contains anything other than a consumable hemp product.
Step 5: Properly Label the Product and Get the Label Approved
As with many consumable products, hemp products must include a list of all ingredients in descending order of predominance and be labeled with the manufacture date, expiration date, serving size, total number of milligrams in the container, and total number of milligrams per serving size. Like the certificate of analysis, each consumable hemp container must include a scannable barcode or quick response code that is linked to the certificate of analysis. Finally, a myriad of warnings must be included on the label, one of which is a warning to keep the product out of the reach of children. For a full list of label warnings, look to Section 28-12-25.
Finally, a retailer or manufacturer may submit its label, along with a $50 label approval fee, to the board for approval.
Step 6: Comply with Operational and Display Requirements
Certain operational and display requirements apply to each type of license holder.
Hemp dispensaries must only sell consumable hemp products or hold a Lounge Retail Liquor (Class II) license, restrict access to the property for those under 21 years of age (including employees), post a sign (8.5” x 11”) at the entrance detailing the age requirement, and may only sell for purposes of off-premises consumption.
For grocery stores, sales must be limited to consumable hemp beverages. The beverages must be in their own refrigerator or shelved separately (and behind some form of glass or clear plastic) from other alcoholic or non-alcoholic beverages. Importantly, a sign (8.5” x 11”) must be posted on the refrigerator or glass/plastic separator that reads: “These products contain hemp derived compounds. Must be 21 years of age or older to purchase.” Finally, the beverages cannot be visible from an area that contains children’s products.
And for pharmacies, which may only offer topical or sublingual products, all products must be in an area not accessible to the general public. Only a licensed pharmacist or employee directly under their supervision (even if under 21 years of age) may conduct sales for the relevant hemp products.
Step 7: Meet Certain Record Keeping and Reporting Requirements
Licensed retailers must keep and preserve all records related to consumable hemp products for three years. This requirement includes invoices, cancelled checks, and other documentation related to the purchase, sale, exchange, or receipt of all consumable hemp products. And ABC has significant authority to ensure recordkeeping requirements are met. Specifically, ABC “may enter upon the premises of any licensee at any time of the day or night . . . for the detection of violations of this chapter.”
Furthermore, retailers must submit a consolidated report of all receipts and sales of consumable hemp products made to customers during the preceding month. The report is due on the last day of the month following the month of receipt or sale.
Conclusion
We are less than a month from the implementation of Alabama’s new hemp law, and I get the sense most hemp operators are behind the curve when it comes to understanding and preparing for these significant changes. Those people would be wise to get prepared quickly, because if history is a guide, we can expect law enforcement raids as soon as January 1. Please let us know if we can help you prepare for enactment of the new law.
Thanks for stopping by.

Connecticut, California and New York Reach Landmark Settlement for Student Data Breach

On November 6, 2025, Connecticut Attorney General William Tong, along with California Attorney General Rob Bonta and New York Attorney General Letitia James, announced a significant settlement stemming from the enforcement of Connecticut’s Student Data Privacy Law. This case marked the first enforcement action since the law’s enactment and involved Illuminate Education, Inc. (“Illuminate”), an educational technology provider whose 2022 data breach exposed sensitive information belonging to millions of students.
In December 2021, hackers gained access to Illuminate’s systems using credentials from a former employee. The hackers downloaded unencrypted database files containing sensitive information such as student names, birth dates, IDs, and demographic details. The number of students affected in each state was as follows:

Connecticut: 28,610 students
New York: 1.7 million students
California: 3 million students

Illuminate will pay a total of $5.1 million in penalties, distributed as follows:

$150,000 to Connecticut
$1.7 million to New York
$3.25 million to California

In addition to the monetary penalties above, the settlement requires Illuminate to implement comprehensive security measures, including:

employing specific safeguards, including maintaining data inventories, minimizing data and setting retention limits;
implementing proper access controls and authentication procedures;
conducting data security risk assessments and penetration testing;
monitoring vendors; and
providing a right to data deletion.

Environmental Justice Update - December

In the past several months, environmental justice (EJ) has continued to evolve through a shifting balance of federal and state action. While federal agencies have scaled back EJ initiatives, states are increasingly stepping in to fill the gap–advancing new policies, legislation, and regulatory approaches aimed at integrating EJ considerations into environmental permitting and enforcement. In this edition of the Environmental Justice Update, we examine the latest key trends, policy initiatives, and legal developments reshaping the EJ landscape. 
Federal
In June 2025, a coalition of almost two dozen nonprofits, tribes, and local governments sued the US Environmental Protection Agency (EPA) for terminating over 400 grants under the Environmental and Climate Justice (ECJ) Block Grants program created under the Inflation Reduction Act (Public Law No: 117-169) (IRA), arguing that the grant terminations were unlawful. The plaintiffs contended that the termination violated the Administrative Procedure Act as arbitrary and capricious, contravened the Presentment Clause and separation of powers, and disregarded Congress’ directive to fund the grants. 
In July 2025, California Attorney General Rob Bonta co-led a multistate coalition of 20 attorneys general in submitting an amicus brief supporting the plaintiffs in this class action lawsuit. Among other points, the amicus brief argued that the termination of the program disproportionately harms marginalized and historically disadvantaged communities, undermining the core purpose of Congress’s instruction to EPA when it passed the IRA.
In a 29 August 2025 opinion, US District Judge Richard Leon of the District of Columbia denied the plaintiffs’ motion for a preliminary injunction, saying: “Put simply, I cannot order the Government to reinstate contracts and pay money due on them.” (emphasis in original). Pointing to decisions from earlier this year by the US Supreme Court pertaining to Department of Education grants and grants from the National Institutes of Health, Judge Leon also dismissed the case, agreeing with EPA that the suit belonged before the US Court of Federal Claims.
The majority of plaintiffs appealed Judge Leon’s decision to the US Court of Appeals for the DC Circuit on 16 September 2025. Plaintiffs’ emergency motion for an injunction pending appeal was denied as the court found “that harm to the plaintiffs if the grant funds were returned to the Treasury was not irreparable.”
As this legal dispute plays out, Congress’s rescission of all unobligated funding under the ECJ Block Grants program as part of the One Big Beautiful Bill Act (Public Law No.: 119-21) increases the potential difficulty plaintiffs may face in quickly reinstating their grants.
Multistate EJ Guidance
In response to the rollback of EJ under the Trump Administration earlier this year, many states have recommitted to EJ protections through a multistate EJ guidance. Specifically, in June 2025, a coalition of state attorneys general from 13 states issued the “Multi-State Guidance Affirming the Importance and Legality of Environmental Justice Initiatives.” This document aims to identify sources of legal support for state EJ laws and to provide assurances to stakeholders that EJ practices remain legal despite the Trump Administration’s efforts to curtail them.
The “Multi-State Guidance” challenges the Trump Administration’s labeling of EJ as “illegal discrimination,” locating support for EJ in a variety of federal statutes and the US Constitution. Specifically, the document finds key support in:

The US Constitution:

The Tenth Amendment: Granting states the power to pass laws that advance “Public health, safety, and welfare.”
The Equal Protection Clause of the Fourteenth Amendment: Barring state and local governmental entities from discriminating based on race or sex.
The First Amendment: Barring the government from conditioning benefits on the waiver of free speech rights.

Civil rights statutes, including:

Title VI of the Civil Rights Act of 1964: Preventing those receiving federal funds from discriminating based on race, color, and national origin. 
Section 504 of the Rehabilitation Act, the Age Discrimination Act of 1975, and Title IX of the Education Amendments of 1972: Preventing federal funding recipients from discriminating on the basis of disability, age, or sex, respectively.
Title VIII of the Federal Fair Housing Act: Outlawing public or private discrimination on the basis of race, color, religion, sex, familial status, or national origin in activities related to housing.

Federal environmental laws, such as the Clean Air Act’s requirement for public notice and public comment.
Nonprofit laws that prevent the revocation of 501(c)(3) status by presidential executive order or directive.
Treaty obligations to Native American tribes.

In addition to laying out what they see as the legal basis for EJ, and based on this analysis, the state attorneys general provide a “non-exhaustive [list of] examples of work that public entities, non-profit and philanthropic organizations, and businesses lawfully undertake to advance environmental justice.” These activities fall into several broad categories:

Education, technical assistance, and funding support
Public engagement and participation
Burden identification and analysis
Preventing and mitigating pollution exposures
Climate readiness and resilience 
Enforcement and remedies

In sum, the multistate guidance seeks to offer stability and assurance to stakeholders by providing clarity on the EJ strategies and resources that remain available to communities in the wake of the federal repeal of EJ initiatives. 
Alaska
The One Big Beautiful Bill Act (OBBBA), the Republican reconciliation effort passed in July 2025, has impacted US energy and natural resource development across states and industries. Alaska is one state in particular that is positioned to experience a significant change in energy policy as a result of OBBBA. Two key OBBBA provisions—mandatory lease sales in Alaska and an adjustment of revenue sharing rates—have drawn attention from Alaska’s tribal communities, both for their potential to stimulate economic development and for the increased risk of negative environmental impacts that development could bring. 
Specifically, OBBBA directs the secretary of the interior to conduct oil and gas lease sales in certain sections of Alaskan land over the next 10 years, repealing the Biden Administration’s limitation on oil and gas leasing on millions of acres in Alaska and restoring leasing policies established under the first Trump Administration. In addition, OBBBA provides an adjustment of future revenue splits from oil and gas royalties between Alaska and the federal government. This change will result in additional revenue to the Alaska Permanent Fund, which provides cash dividends directly to Alaska residents, along with state and local governments and support services. 
Responses to the changes in OBBBA from Native American organizations in Alaska have been mixed. Some Native American groups have shared their appreciation for the OBBBA’s reversal of Biden administration land policies, stating that the previous administration ignored “Alaska Native self-determination” by withdrawing millions of acres of Alaskan land from development and eliminating avenues of Tribal tax revenue. Other Tribal organizations in Alaska opposed OBBBA and have expressed serious concerns that the “aggressive” oil, gas, and coal development directed in the bill puts “ecologically sensitive and culturally significant” lands at risk. Tribal groups have argued that increased carbon emissions from new oil and gas developments, combined with local pollution from energy infrastructure, will exacerbate the already-significant environmental risks. 
California
Earlier this year, the state of California filed a lawsuit against the city of Tulare, a small city south of Fresno, for alleged violations of the California Environmental Quality Act (CEQA). The suit, filed in January by Attorney General Rob Bonta, claims that Tulare improperly approved a zoning ordinance that allows the development of cold-storage facilities in light and heavy industrial zones. Tulare approved the zoning ordinance in 2024 without conducting an environmental review under CEQA, claiming that the ordinance was exempt from the law’s requirements. Bonta’s suit argues that these cold-storage facilities could pose increased “air pollution and cancer risks” in “a previously racially-segregated community that is now one of the most pollution-burdened and disadvantaged communities in the State.” The case was disposed on 29 April 2025. Notwithstanding, the litigation highlights the state’s efforts to put pressure on a local government to fulfill its legal obligations to mitigate potential environmental harms to residents.
Colorado
This summer, Colorado’s Environmental Justice Action Task Force (Task Force) sought nominations for communities facing environmental inequities to analyze and improve health impacts. The Task Force was originally created on 2 July 2021 with the passing of HB21-1266. Housed in the Colorado Department of Public Health and Environment (CDPHE), the main goal of the Task Force is to propose recommendations to the general assembly on how to address EJ inequalities, particularly in disproportionately impacted communities. On 14 November 2022, the Task Force published a final report detailing their work and findings over the previous year. In this report, the task force recommended that CDPHE develop a branch of the department to conduct environmental equity and cumulative impact analyses (EECIA) across the state. This recommendation led to the passing of HB24-1338 on 28 May 2024. 
HB24-1338 created an Office of Environmental Justice (the Office) housed within CDPHE. This Office specifically oversees the development process of EECIAs in selected geographic areas of Colorado with the goal of understanding how environmental factors affect the health and well-being of Colorado residents. When selecting these areas, the Office must choose disproportionately impacted communities, particularly those affected by a heightened exposure to environmental contaminants. Other factors in this selection process include the proportion of low-income families, the percentage of people of color, and locations with a history of environmental racism. Once these areas are selected, the Office will partner with an academic institution or another third-party to develop an EECIA, which involves hiring a contractor to perform scientifically rigorous analyses recommended by the Task Force. Some of these recommendations include increasing oversight at petroleum refineries, improving the response of the Air Pollution Control Division to air pollution complaints, and analyzing the cumulative impacts of pollution in the air, water, and soil of these communities. Within nine months of completing the EECIA, CDPHE will prepare a report identifying its findings and recommending resources to address environmental inequities. 
The impact of these EECIA analyses is intended to help direct funds and resources from the state level to the local level to address issues for communities most exposed to environmental stressors, such as pollution and extreme heat conditions.
Illinois
The Illinois Environmental Protection Agency (Illinois EPA) is drafting proposed statutory language to formally codify the agency’s EJ policy and associated environmental permitting review procedures. Illinois EPA is proposing to limit the enhanced permitting review process to census tracts scoring in the 25th percentile or higher based on certain environmental indicators, with the underlying data to be updated every three years. 
At the same time, several proposed EJ bills have yet to pass, including SB1307 and SB1686, which propose to amend the Illinois Environmental Protection Act and the Illinois Environmental Justice Act respectively, and the bills remain in Assignments (Committee) after the first readings. Against this backdrop, the Illinois Pollution Control Board opened a docket for interested parties to submit proposals for procedural regulations to “provide guidance to the Board when considering EJ issues, including the selection of screening tools for identifying areas of EJ concern, in its proceedings.” Illinois EPA, the Illinois Attorney General and various environmental interest groups have submitted comments. 
The proposed legislation follows a 24 March 2025 EPA announcement that Illinois EPA had satisfied its obligations under the February 2025 Informal Resolution Agreement, which was issued to resolve allegations that Illinois EPA engaged in discriminatory permitting processes. Under the Informal Resolution Agreement, Illinois EPA committed, among other objectives, to “implement[ ] enhancements to its permit review process” and “ensure [Illinois] EPA’s public involvement process will be available to all persons[.]” 
Under the current EJ policy, permitting actions in “areas of EJ concern”—defined as “a census block group with a low-income and/or minority population greater than twice the statewide average”—are subject to stricter scrutiny and heightened public participation requirements. Illinois EPA currently utilizes a GIS mapping tool, known as EJ Start, to determine areas of EJ concern within the state.
Massachusetts
Enacted under Senate Bill 2521 in August 2024, the Environmental Justice Trust (Trust) was signed into Massachusetts’ state budget following a joint proposal by Attorney General (AG) Andrea Joy Campbell, Representative Brandy Fluker-Oakley, and Senator Adam Gomez. Funded through civil penalties that are received in judgments and settlements from state cases involving the Massachusetts Environmental Protection Division, the Trust seeks to benefit community health by using these funds to address economic, environmental, and health-related burdens frequently faced by residents in disadvantaged communities. The Trust will help to address longstanding disparities in environmental health faced primarily by lower-income communities in Massachusetts. 
The Trust is funded by the penalties accrued from cases against:

Companies that illegally emit, or emit beyond permitted amounts, toxins and other pollutants into the air;
Contractors who expose employees to asbestos during demolitions; 
Companies that discharge pollutants into local rivers and streams either illegally or beyond the scope of their permits; and 
Entities that wrongfully destroy essential areas of wetland and green spaces that increase flood potential in surrounding communities. 

The Trust allows monies to be directed at impacted communities to address financial burdens caused by violations, rather than the monies going into the commonwealth’s general fund. The money in the Trust will specifically be used to restore impacted natural resources, investigate environmental pollution or harm caused to local property, benefit the overall health of the affected community, and provide support to academic or government-funded research to further identify environmental protection and conservation measures in these areas. 
On 27 January 2025, the AG’s Office announced that the first payments of a consent judgment against four companies, totaling US$155,000, would be placed into the Trust. More recently, on 8 September 2025, a local Massachusetts company reached an agreement with the AG’s Office for a settlement of US$300,000 in civil penalties, of which US$150,000 will be deposited into the Trust for a violation of the Massachusetts Clean Air Act and illegal asbestos removal. On 10 September 2025, the AG’s Office announced another settlement agreement with a Massachusetts-based company for US$115,000 in penalties, with US$55,000 going into the Trust, for illegally handling, removing, and storing asbestos.
Maryland
On 17 July 2025, Governor Wes Moore signed the Valuing Opportunity, Inclusion, and Community Equity Executive Order (The VOICE Order). The VOICE Order, which went into effect immediately, creates the Interagency Environmental Justice and Equity Advisory Council (the Council), which will strive to create a unified front among the state’s agencies to deal with the issue of environmental inequity. Made up of representatives from 14 state agencies appointed by the governor, the Council will coordinate state efforts, track relevant spending, and perform several other tasks to advise the agencies on advancing the governor’s EJ priorities. For example, the VOICE Order requires agencies to use Maryland’s EJ mapping tool, MDEnviroScreen, to “track and address disparities related to environmental hazards, exposures, risks, health outcomes, investments and benefits.”
Critically, the Council is tasked with developing enhanced public participation plans for communities with EJ concerns potentially affected by certain resource extraction, waste management, and industrial and manufacturing processes and activities. The Council will also provide technical assistance to localities in developing and implementing EJ programs and making concrete recommendations to the governor regarding how to best address disparate environmental health impacts caused by state action.
Michigan
On 1 July 2025 and 22 July 2025, Senate Bill 479 and House Bill 4742, entitled the “Protecting Overburdened Communities Act,” were introduced to amend Michigan’s Department of Environment, Great Lakes, and Energy (EGLE) environmental permitting review process. The law would require EGLE to consider the cumulative impact of all pollutant types associated with a potential project. Additionally, the bill would require the agency to account for the greater risk of harm that social and economic factors have on communities. EGLE will use its EJ screening tool, MiEJScreen, to assess projects for environmental risk. If EGLE finds a negative impact on overburdened communities without a compelling need for the project, it has authority under the legislation to deny a permit application. Further, the policy requires permit applicants to give their community 60 days’ notice for a public hearing on the permit and prepare a project impact statement. Applicants must publish the information in at least two community newspapers, including a local non-English paper.
The bill was referred to the House Committee on Natural Resources and Tourism and the Senate Committee on Energy and Environment in July and has not progressed further as of the date of this publication.
New Jersey
On 8 October 2025, the New Jersey Appellate Division held oral arguments on the New Jersey Department of Environmental Protection’s (NJDEP) adoption of N.J.A.C. 7:1C (the Rules), which implement the Environmental Justice Law N.J.S.A. 13:1D-157 to -161 (the EJ Law).
Petitioners focused on aspects of the Rules that they argue go beyond the authority granted to NJDEP under the EJ Law, such as the Rules’ application to “zero population blocks”, and the Rules’ definitions for terms such as new facility, existing facility, expansion, and geographic point of comparison. Petitioners and amici further raised the lack of predictability that the Rules provide, particularly in terms of timing of the EJ process and NJDEP’s application of the EJ stressors, which petitioners noted were implemented in the EJMAP tool without being properly subject to administrative procedures. 
In response, NJDEP argued that the department reasonably and permissibly filled in the gaps provided in the law using its expertise. NJDEP and its amici also argued that the Rules’ definitions meet the plain language test and are consistent with defined terms in other NJDEP regulatory programs. The court pressed NJDEP on a number of issues including the Rules’ threshold for measuring the contribution of adverse cumulative stressors, NJDEP’s development of its EJMAP, and the fact that the Rules do not factor in economic considerations. The court has taken the matter under advisement for further consideration.
Conclusion
Our EJ Task Force continues to closely monitor developments in this rapidly evolving area, including the updates highlighted above. As the EJ focus continues to evolve, businesses—particularly those operating in overburdened communities—should remain vigilant and track policy shifts and enforcement trends at both the federal and state levels. Staying informed and proactive is essential to managing risk and aligning with emerging compliance expectations.

California’s Expanded Protections for Survivors of Sexual Assault

In 2025, California’s lawmakers acted to protect survivors of violence by once again extending their ability to bring expired civil sexual assault claims.
Expanded Statute of Limitations Lookback Window for Sexual Assault Claims
In 2022, Governor Newsom signed AB 2777, which provided survivors of sexual assault with opportunities to bring otherwise-expired claims during defined windows. For a sexual assault that occurred on or after January 1, 2009, AB 2777 provided until December 31, 2026, to file suit. For survivors of sexual assaults that occurred prior to January 1, 2009, AB 2777 opened a one-year “lookback” window – from January 1, 2023, through December 31, 2023 – for a sexual assault survivor to file suit if an entity responsible for their harm had covered up a prior alleged sexual assault by the perpetrator.
The new law, AB 250, the Justice for Survivors of Sexual Assault Act, will open up a new 2-year window from January 1, 2026, through December 31, 2027, similar to the one-year window created by AB 2777 for survivors of sexual assaults in which an entity responsible for the harm had engaged in a cover-up of prior assault. AB 250 also revives related claims, like wrongful termination or sexual harassment, that stem from a sexual assault.
AB 250 is the most recent of a number of bills extending the time limits survivors have to bring forward their claims. Please see our 2023 post to learn more about these past measures and statutes of limitations for sex assault claims in California. These laws extending timeframes for filing are designed to better address the needs of survivors of assault, because recovery, healing, and moving forward do not happen on a set schedule.
Requirements to Bring a Claim Under AB-250
To bring a claim during the two-year lookback window under AB 250, a survivor will need to claim that:

they were assaulted;
there is a legally responsible entity; and
a responsible entity had engaged in a cover up or attempted cover up of sexual assault.

A “cover up,” in this context, is a “concerted effort” to hide evidence, including efforts to prevent information from becoming public or incentivizing individuals to remain silent. It can include the use of a nondisclosure agreement or a settlement agreement.
Importantly, AB 250 also clarifies that a survivor can bring their claims against the perpetrator under this provision, even if the perpetrator was not involved in the cover-up. For instance, if a company is protecting a “star employee” who has sexually assaulted his coworkers, the “star employee,” as well as the company, may continue to be on the hook for sexual assault, during the time frame provided in the new statute, i.e., during 2026 and 2027, regardless of the original statute of limitations governing their claim.
Here is a potential example:
In 2013, Mariana was sexually assaulted by her supervisor. Mariana had never heard of anything similar happening in her workplace before, so she focused on her own healing, and decided to stay silent. Later, in talking with other women in her office, she learned that others had had similar “bad” experiences with her supervisor, but that Human Resources had told them that it would be better for them if they did not say anything or make a formal complaint. Under AB 250, Mariana would likely be able to bring claims against her employer and her assailant, including under California’s civil sexual assault laws and sex harassment laws, like the Fair Employment and Housing Act. Even if her specific attacker was not involved in the past cover ups, her employer was, and AB 250 could revive her claims against them both.
California Law AB 2499: Leave and Safety Accommodations for Sexual Assault Survivors and Their Loved Ones
Other recent improvements in California law, such as 2024’s AB 2499, allow survivors of violence access to time off and safety accommodations to help in their healing. This can include time off to go to court, seek supportive services, develop a safety plan, and more. Safety accommodations can include a job transfer, changing a work phone number, installing locks, or other changes to help keep an employee safe. Family members can also access leave to help their loved one recover or improve their safety as well. Employers are prohibited from retaliating against their employees for taking any of these actions.
Here is an example:
Krystal was sexually assaulted on her way home after she left work late in the evening. Krystal seeks a restraining order against her assailant and starts seeing a counselor. Although the assault was not directly connected with her employment and her assailant did not work for her employer, her employer must allow her to take the time off that she needs for related legal hearings and counseling sessions. If Krystal wants her sister to attend the restraining order hearings with her for emotional support, Krystal’s sister can request the time off from her own employer, too.
Krystal also feels unsafe leaving work late at night. Upon her request, her employer must allow her to leave work earlier and work remotely or start her shift earlier, as long as it is not unduly burdensome for her employer.
If Krystal’s employer punishes her for these absences or starts treating her worse for making these requests, she may have claims under California’s Fair Employment and Housing Act.
Every survivor’s needs are different, but California has strong protections in place to allow workers to recover, heal, and seek to protect other employees from future harms.
Employees who experience sexual assault at work or retaliation for requesting related protections may potentially recover for their lost wages, other economic harms, emotional distress, and more.

Schools in Pennsylvania Must Notify Parents About Weapons Incidents

On November 6, 2025, Pennsylvania Governor Josh Shapiro signed a new state law (Senate Bill No. 246) that requires schools to notify parents, guardians, and school employees about any incidents involving a weapon on school property or at a school-sponsored activity. This law increases the legal liability for schools that fail to send an alert.

Quick Hits

Pennsylvania has enacted a law requiring K-12 schools, charter schools, and career and technical schools to promptly notify parents, guardians, and school personnel when there is an incident involving possession of a weapon on school property.
Weapons covered by this law may include guns, knives, and other potentially dangerous instruments.
The new law is set to take effect on January 6, 2026.

Senate Bill No. 246 requires public and private K-12 schools, including charter schools and career and technical schools, to send a notification within twenty-four hours by a communication method “likely to reach” parents, guardians, and school employees. The notification can include information that identifies a student involved in the incident only under limited circumstances.
The law applies to incidents where the possession of a weapon violates state law or school policies, including events that occur on school grounds, those directly related to school-sponsored activities (even if held off school premises), and on school transportation. Senate Bill No. 246 refers to other laws that define a weapon to include a “knife, cutting instrument, cutting tool, nun-chuck stick, firearm, shotgun, rifle and any other tool, instrument or implement capable of inflicting serious bodily injury.”
The new law does not apply to colleges and universities. However, institutions of higher education in Pennsylvania can establish their own policies regarding weapon possession.
The federal Gun-Free School Zones Act of 1990 prohibits the possession of firearms within 1,000 feet of K-12 public or private schools. However, in 1996, Congress amended the law to limit its application to cases where the firearm has “moved in or otherwise affected interstate or foreign commerce.”
In recent years, there have been numerous school shootings across the country, including an incident in Virginia where a six-year-old elementary student shot his teacher. The teacher was awarded a $10 million jury verdict in a case against the school’s former assistant principal, who allegedly failed to respond to multiple warnings that the student had a gun. 
Next Steps
K-12 schools in Pennsylvania may wish to revisit their protocols for notifying staff and parents in the event someone has a weapon on school property, and train staff on the new state law regarding notifications. To ensure that the information reaches the intended recipients, notifications can be sent in various formats, including text messages, emails, and through the school system’s online portal. It is essential to maintain accurate and up-to-date contact information for employees, parents, and guardians.
Many K-12 schools, colleges, and universities already have workplace violence prevention plans that encompass staff training, physical security measures, and systems for easily reporting threats. Similarly, numerous K-12 schools, colleges, and universities have established written policies that prohibit weapons, including guns, on school property. These restrictions typically apply to employees, students, parents, and volunteers.  
Leah J. Shepherd contributed to this article

Water Legislation from the 89th Texas Legislature

The 89th Texas Legislature advanced several water infrastructure measures during the 2025 legislative session. Most importantly, Senate Bill 7 and House Joint Resolution 7 were passed to expand the tools available for statewide water planning, financing, and project coordination. Texas voters also approved Proposition 4 on Nov. 4, 2025, establishing a dedicated revenue stream for the Texas Water Fund. Together, these actions will create long-term support for water supply development, wastewater and flood infrastructure, and future planning needs across the state.
Texas Water Infrastructure and Supply Planning
Senate Bill 7 makes several updates to the Texas Water Code to strengthen statewide coordination for water supply planning and infrastructure development. The legislation establishes a Water Supply Conveyance Coordination framework, directing the Texas Water Development Board to facilitate joint planning among project sponsors, governmental entities, utilities, and other relevant participants.
The bill also directs the board to develop statewide guidance, standards, and best practices for project design, materials, and system interoperability. To support this work, the agency is authorized to procure professional and consulting services and convene advisory committees to assist in planning and implementation.
Senate Bill 7 expands the range of eligible projects financed through the Texas Water Fund to include desalination, water reuse, out-of-state water acquisition, and other initiatives to diversify the state’s water sources. These projects expand the state’s available water resources by developing alternative water supplies. The bill also broadens funding priorities to include water and wastewater infrastructure, permit-ready projects, water conservation strategies, water loss mitigation, statewide water awareness initiatives, and technical assistance for applicants.
Voter-Approved Dedication of Sales Tax Revenue to the Texas Water Fund
House Joint Resolution 7 proposed a constitutional amendment dedicating a portion of state sales and use tax revenue to the Texas Water Fund, which funds statewide water, wastewater, flood, and conservation infrastructure administered by the Texas Water Development Board. Texas voters overwhelmingly approved this amendment as Proposition 4 on Nov. 4, 2025.
Beginning Sept. 1, 2027, the resolution requires the comptroller of public accounts to deposit up to one billion dollars each fiscal year into the Texas Water Fund once state sales and use tax collections exceed $46.5 billion. The first $46.5 billion in revenue each year will continue to flow into general revenue, with the next one billion dollars dedicated to the Texas Water Fund and maintained in a separate account.
The legislature may, by concurrent resolution adopted by a record vote of a majority of the members in each chamber, direct the comptroller to allocate deposited funds to programs the Texas Water Development Board administers, including the State Water Implementation Fund for Texas, the New Water Supply for Texas Fund, and other authorized accounts. The amendment prohibits using the allocated funds to finance infrastructure transporting non-brackish groundwater, except in limited cases involving aquifer storage and recovery projects. Allocations cannot be modified during the first 10 fiscal years they apply. The legislature may also suspend these allocations during a declared state disaster, allowing temporary redirection of funds with the intent to restore them to the Texas Water Fund when practicable. These provisions will remain in effect until Aug. 31, 2047.
This legislation, culminating in the voter-approved constitutional amendment, creates a long-term funding stream to ensure Texans have the water needed for the continued population and business growth that Texas continues to see each year. This provides opportunities for an array of new water projects, which can serve as another component of the state’s ongoing economic development.

Stay Ahead of the Curve: Essential Employment Law Updates for Retailers in 2026

In today’s rapidly evolving legal landscape, staying informed about changes in employment laws is crucial for employers. Recent updates across the nation have introduced significant shifts that impact workplace policies, employee rights, and compliance requirements. Whether you are managing a small boutique or overseeing a large chain of stores, understanding these changes is essential to maintaining a compliant workplace.
Quick Hits

California and New York are implementing stringent measures to curb “stay or pay” contracts.
A Florida appellate court ruled the state’s open carry ban unconstitutional, allowing open carry throughout the state.
Maryland issued final regulations for its mini-WARN Act, which includes provisions for remote employees.
New pay transparency laws in New Jersey, California, Delaware, and Washington require employers to disclose pay and benefits information in job postings, with violations resulting in warnings and civil penalties.

Stay-or-Pay Contracts in Flux
Significant changes in employment law are on the horizon, particularly concerning “stay or pay” contracts, and retailers must stay alert. These agreements require employees to reimburse their employers for benefits like sign-on bonuses or educational and training expenses if they leave the job within a specified period. Such contracts are increasingly facing scrutiny.
Spearheading this movement are California and New York, which have introduced stringent measures to curb the use of such contracts. California’s newly enacted law (Assembly Bill 692), effective January 1, 2026, is one of the strictest bans on employment-related debt, aiming to prevent employers from using repayment agreements that can deter workers from changing jobs. New York has also proposed a similar law (Bill A564C), which is currently awaiting the governor’s signature. These state-level initiatives emerge as federal regulators, including the Federal Trade Commission and National Labor Relations Board, have retreated from efforts to regulate these contracts nationwide under the new administration.
What implications does this hold for retailers? Many retailers depend on high‑volume hiring and frequently use sign‑on bonuses, onboarding training, and certification programs to prepare associates for the floor. Repayment provisions that once helped to reduce early attrition may be restricted or even unenforceable in key markets. 
Florida’s New Open Carry Law
On September 10, 2025, a Florida appellate court ruled that the state’s open carry ban is unconstitutional. This ban made it unlawful for individuals to openly carry firearms or electric weapons, with some limited exceptions. The recent ruling effectively allows open carry throughout Florida, even though it technically only applies to the counties within the First District Court of Appeals. Following the ruling, the Florida Attorney General advised that open carry should be considered lawful statewide, and the Florida Sheriffs Association instructed deputies not to enforce the prior ban, except in specific prohibited areas such as government buildings, schools, and places where conduct is inconsistent with permitted open carry.
This decision does not prevent private employers from prohibiting open carry in the workplace, nor does it change existing laws that permit employees to store secured firearms in their vehicles. Retailers can still control the presence of weapons in the workplace and prohibit weapons on their properties, with violations potentially resulting in charges of armed trespass. However, the decision may complicate the enforcement of these policies due to increased media attention, political contention, potential reluctance from front-line employees, and public pressure through social media.
In response, retailers should consider several strategic actions when implementing or reaffirming policies related to firearms. These include clearly notifying employees and the public about the policies, particularly any prohibitions on carrying firearms, and ensuring these notifications are prominently displayed. It is also important to outline expectations and provide comprehensive training to employees, especially those on the front lines, to help them understand how to enforce these policies safely and effectively.
Maryland Enacts New Mini-WARN Act
Maryland recently issued final regulations for its mini-WARN Act, which requires employers with at least fifty employees to provide sixty days’ written notice before making significant reductions in operations. These reductions are defined as either relocating a part of the operation or shutting down part of a workplace that affects at least 25 percent of the workforce or fifteen employees, whichever is greater.
Initially, the notice provisions were voluntary, but they became mandatory in 2020, with enforcement delayed until the final regulations were issued. These regulations, now in effect, closely align with federal WARN Act requirements and include specific provisions for remote and telework employees. However, unlike the federal WARN Act, Maryland does not recognize an exception for unforeseeable business circumstances.
Employers must notify all affected employees, unions, the State Dislocated Worker Unit, and the chief elected official of the political subdivision where the workplace is located, with penalties for non-compliance. Before any reduction in force, retailers operating in Maryland should consult with legal counsel to determine whether they meet the necessary thresholds, including considerations for remote employees assigned to Maryland locations.
EEOC Is Back in Business
With the U.S. Equal Employment Opportunity Commission’s (EEOC) quorum restored, employers can expect more high-profile investigations, broad data requests, and litigation targeting hiring, promotion, compensation, diversity, equity, and inclusion (DEI) programming, and accommodations.
Recent developments at the EEOC, aligned with the administration’s policy priorities, suggest an acceleration of cases targeting DEI programs focused on race and sex, along with a renewed prioritization of religious rights in the workplace. While commissioner charges (including leaked charges) increased during the period when the EEOC lacked a quorum and could not officially act, employers can anticipate an uptick in high-profile investigations, public prelitigation demands with broad data requests, and systemic lawsuits.
On November 6, 2025, President Donald Trump named Andrea R. Lucas as chair of the EEOC. The next day, the U.S. Senate confirmed Brittany Bull Panuccio as commissioner of the EEOC, restoring a quorum of three commissioners.
As the newly configured EEOC advances the president’s America First agenda, employers may want to reevaluate their DEI programming to ensure that initiatives are grounded in individualized, job-related criteria. Employers should consider reviewing their policies that address gender identity, access to facilities, and pronoun usage to ensure compliance with current federal, state, and local law. Furthermore, employers may want to reassess selection procedures, testing methods, and artificial intelligence tools for validation and defensibility, as well as audit accommodation and leave policies in alignment with potential revisions to the Pregnant Workers Fairness Act.
Employers may also want to prepare for increased attention to claims alleging religious discrimination, majority discrimination, or national origin discrimination and ensure that documentation and training support nondiscriminatory decision-making.
A Flurry of New Pay Transparency Laws
Employers looking to hire workers in New Jersey will need to comply with the state’s new pay transparency requirements. The New Jersey Department of Labor and Workforce Development issued proposed regulations under the New Jersey pay transparency law on September 15, 2025, which provide some (though not complete) clarity about the law’s pay and benefit disclosure requirements. The law, which went into effect on June 1, 2025, has two broad requirements (along with several exceptions): (1) an employer must disclose pay and benefits information in postings for “new jobs and transfer opportunities,” and (2) an employer must give notice of “promotional opportunities” to current employees in the affected department.
In October, California’s governor signed legislation (Senate Bill 642) that sets the statute of limitations for civil actions alleging violations of the state’s pay transparency requirements at three years, with a six-year “look-back” period to obtain relief for existing violations. In addition, the new law defines the “pay scale” that employers must disclose in job postings as a “good faith estimate” and expands the definition of “wages” to include all forms of compensation, including stocks and stock options.
On September 26, 2025, Delaware’s governor signed into law legislation (House Substitute No. 2 for House Bill No. 105) requiring employers in Delaware to include wage or salary ranges and information on benefits offered in job postings, making it the latest state to enact a pay transparency law. Employers found to have violated this law will receive a “written warning” for a first offense and could face civil penalties ranging from $500 to $10,000 for each subsequent violation.
The Washington State Supreme Court recently ruled that job applicants can sue for violations of the state’s pay transparency law without needing to prove they applied for the job in good faith or were otherwise “bona fide” applicants. In Branson v. Washington Fine Wine & Spirits, the plaintiffs brought a class action against a retailer that did not disclose pay information in job postings. In a 6-3 majority decision, the state’s high court held that an individual does not have to show that they are a “bona fide” or “good faith” job applicant. Instead, the court found that a job applicant is any individual who “submits a formal application or request for a job,” regardless of the applicant’s subjective intent to obtain employment.
Employers in these states may wish to carefully review their existing and future job postings to ensure compliance with state pay transparency laws.
Staying up to date with evolving employment laws is essential for retailers to ensure compliance. As regulations continue to change, particularly in areas such as “stay-or-pay” contracts, firearm policies, and mini-WARN laws, retailers must remain vigilant and proactive. By understanding and adhering to these legal requirements, retailers can mitigate risks, avoid penalties, and maintain a positive reputation with both employees and customers.

NYDFS Cybersecurity Crackdown: New Requirements Now in Force, and “Covered Entities” Include HMOs, CCRCs—Are You Compliant?

As cybersecurity breaches grow more complex and frequent, regulators are increasingly focused on organizational compliance.
Organizations such as CrowdStrike report that in 2025, cyberattacks are increasing in speed, volume, and sophistication—and cybercrime has evolved as a “highly efficient business.” The escalating threat landscape demands robust security frameworks that can withstand evolving risks.
Enter the amendments announced in November 2023 to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500 (“Amended Regulation”), that became effective on November 1. This post explores the breadth of the Amended Regulation, and the steps that covered entities need to take now.
The Amended Regulation applies to “covered entities,” i.e., DFS-regulated entities including partnerships, corporations, branches, agencies, and associations—indeed, “any person”—operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York’s Banking Law, Insurance Law, or Financial Services Laws.
Notably, health maintenance organizations (HMOs) and continuing care retirement communities (CCRCs) are considered covered entities. NYDFS-authorized New York branches, agencies, and representative offices of out-of-country foreign banks are also covered entities subject to the requirements of Part 500.
While some requirements took effect almost immediately in late 2023, others were delayed to 2024 and 2025. The final set of cybersecurity requirements that became effective November 1 require covered entities to:

expand multifactor authentication (MFA) to include all individuals accessing information systems; and
implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of information systems.

Multi-Factor Authentication (MFA)
The amended Section 500.12 requires covered entities to use multi-factor authentication (MFA) for any individual accessing any information system of a covered entity—regardless of location, type of user, and type of information contained on the Information System being accessed (FAQ 18). Internal networks that would require the use of MFA include email, document hosting, and related services, whether on-premises or in the cloud, such as Office 365 and G-Suite (FAQ 19).
Definition
MFA is defined in the regulation as authentication through verification of at least two of the following types of authentication factors:

knowledge factors, such as a password, passphrase, or personal identification number (PIN);
possession factors, such as a hardware token, authentication app, or smartcard; or
inherence factors, such as a biometric characteristic (fingerprints, facial recognition, or other biometric markers).

Artificial Intelligence and Other Risks
Note that while the definitions include passwords and biometric characteristics as verifiers, caution should be taken, as AI deepfakes may now pose a risk to biometric-based systems. Indeed, NYDFS issued a related letter regarding AI cybersecurity risks in October 2024. The October 2024 letter does not impose new requirements with respect to the Amended Regulation, yet states:
While Covered Entities have the flexibility to decide, based on their Risk Assessments, which authentication factors to use, not all forms of authentication are equally effective. Given the risks…Covered Entities should consider using authentication factors that can withstand AI-manipulated deepfakes and other AI-enhanced attacks by avoiding authentication via SMS text, voice, or video, and using forms of authentication that AI deepfakes cannot impersonate, such as digital-based certificates and physical security keys. Similarly, instead of using a traditional fingerprint or other biometric authentication system, Covered Entities should consider using an authentication factor that employs technology with liveness detection or texture analysis to verify that a print or other biometric factor comes from a live person. Another option is to use authentication via more than one biometric modality at the same time, such as a fingerprint in combination with iris recognition, or fingerprint in combination with user keystrokes and navigational patterns. [Footnotes omitted].
The NYDFS July 2025 Guidance on the MFA requirements stresses the need “for organizations to understand the trade-offs associated with each method in order to make informed, risk-based decisions.” The July 2025 Guidance discusses the tradeoffs with respect to SMS Authentication, App-based Authentication (with and without number matching), and Token-based Authentication. Note that a covered entity’s Chief Information Security Officer (CISO) may approve in writing the use of reasonably equivalent or more secure controls, to be reviewed at least annually.
Limited Exemptions
A covered entity may qualify for a limited exemption pursuant to Section 500.19(a), which provides limited exemptions for covered entities with:

fewer than 20 employees;
less than $7,500,000 in gross annual revenue in each of the last three years; or
less than $15,000,000 in year-end total assets.

Where one of the limited exemptions applies, MFA should nevertheless be used for:

remote access to the covered entity’s information system;
remote access to third-party applications, including but not limited to those that are cloud-based, from which nonpublic information is accessible; and
all privileged accounts other than service accounts that prohibit interactive login.

Asset Inventory of Information Systems
Section 500.13(a) requires covered entities—as part of their cybersecurity programs—to implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of their information systems. At a minimum, policies and procedures must include:

a method to track specified key information for each asset, including, as applicable:

the owner;
the location;
classification or sensitivity;
support expiration date;
recovery time objectives; and

the frequency required to update and validate the covered entity’s asset inventory.

Section 500.13(b) also requires covered entities to include policies and procedures for the secure disposal on a periodic basis of any nonpublic information (identified in section 500.1(k)(2)-(3)) that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
Enforcement
The regulation is to be enforced by the superintendent. Section 500.20 states that the failure to act to satisfy an obligation shall constitute a violation, although the superintendent is directed, when assessing penalties, to consider elements including cooperation, good faith, history of prior violations, the number of violations, and the extent of harm to consumers. In a recent example, in August, NYDFS secured a $2 million settlement with a health insurance provider for violations of Part 500.
Takeaways
Implementation
Covered entities must:

implement MFA for any individual accessing any information systems of a covered entity or meet the requirements of a limited exemption (fewer than 20 employees; less than $7,500,000 in gross annual revenue in each of the last three years; or less than $15,000,000 in year-end total assets). Covered entities should understand the various methods of MFA in order to make informed, risk-based decisions regarding their use; and
implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of their information systems, including 1) a method to track key information and 2) the frequency needed to update and validate the asset inventory.
The CISO may approve alternative controls in writing, if these are reasonably equivalent or more secure, and reviewed annually.

Compliance Filing
Covered entities must:

submit to NYDFS an annual notice regarding compliance with Part 500—through a Certification of Material Compliance or an Acknowledgment of Noncompliance—by April 15 (covers compliance during the previous calendar year), unless fully exempt and a Notice of Exemption is submitted (FAQ 29);
file separate annual notifications, if holding more than one license;
keep all data and documentation supporting their annual notifications for 5 years and provide that information to the Department upon request;
notify NYDFS of a cybersecurity incident no later than 72 hours after determining that one has occurred (FAQ 20). Covered entities may have to notify even if the attack is unsuccessful (FAQ 21) or occurs at a third-party service provider (FAQ 23).

Third Parties
Covered entities should ensure compliance with regulations pertaining to third-party service providers, including:

Implementing policies with respect to third-party service providers (Section 500.11).
Undertaking a thorough due diligence process in evaluating the cybersecurity practices of third-party providers; the FAQs state that relying on the latter’s certification of material compliance is insufficient.
Cybersecurity governance: If the CISO is employed by a third-party service provider, the covered entity shall retain responsibility and provide direction and oversight (Section 500.4).
Making a risk assessment regarding appropriate controls for third-party service providers (Section 511(b)).

Note that NYDFS issued “Guidance on Managing Risks Related to Third-Party Service Providers” in October 2025, a Part 500 checklist, an exemption flowchart, and more. Developments are fast-paced in the cybersecurity world and companies have a lot to lose if they pay insufficient attention to all of these new legal requirements, as they set a new floor. While meeting all of these (and other) cyber requirements may not be easy, this remains a space in which an ounce of prevention may well be worth a pound of cure.
EBG will continue to monitor developments in this area. If you have questions or need assistance in implementation of the Amended Regulations within your organization, please reach out to the authors or the EBG attorney with whom you work.
Epstein Becker Green Staff Attorney Ann W. Parks assisted with the preparation of this post.

The State of Employment Law: Rhode Island and Massachusetts Have Special Laws Regarding Work on Holidays

While many of us get most or all federal holidays off work, these days off are generally not mandated by law. Federal law does not require private employers to provide days off for holidays, and many employers are open for business on some or even all holidays. Likewise, there is no federal law that requires holiday premium pay for those who are required to work on a holiday. However, two states have unique laws regarding holiday work.
Rhode Island requires premium pay at a rate of time and a half for most employees if they are required to work on New Year’s Day, Memorial Day, Juneteenth, Independence Day, Victory Day, Labor Day, Indigenous Peoples/Columbus Day, Veterans Day, Thanksgiving, or Christmas. This holiday premium pay requirement does not apply to doctors, dentists, attorneys, accountants, supervisory employees, hotel and restaurant workers, and a few other groups of employees.
Massachusetts does not require premium pay, but its Blue Laws place restrictions on when employees can work on holidays. Retail workers are not allowed to work on Columbus Day (before noon), Veterans Day (before 1 pm), Thanksgiving, or Christmas unless the police have granted their employer a permit. Businesses can operate without a permit on New Year’s Day, Memorial Day, Juneteenth, Independence Day, Labor Day, Columbus Day (after noon), and Veterans Day (after 1 pm), but retail employees have the right to refuse to work on those dates. Businesses may operate without restriction on Martin Luther King Day, President’s Day, Evacuation Day, Patriots’ Day, and Bunker Hill Day. Manufacturers face similar restrictions under the Blue Laws, but their schedule is slightly different. No work without a permit is allowed on Memorial Day, Independence Day, Labor Day, Columbus Day (before noon), Veterans Day (before 1:00), Thanksgiving, and Christmas.

The State of Employment Law: Seven States Give Employees the Right to Sit Down

For people who sit at a desk all day, the right to sit down at work may be taken for granted. However, for many jobs that involve frequent standing or moving around, sitting down can be seen as a luxury. Employee requests to sit often come in the form of disability accommodation requests, and many employers restrict the ability to sit to those with medical restrictions requiring seats. However, there are seven states that require employers to provide seats for a significantly broader group of employees.
Massachusetts law allows practically all employees to sit while working if their jobs allow for it, and allows all employees to sit when they are not performing duties:
Employers shall provide suitable seats for the use of their employees and shall permit such employees to use such seats whenever they are not necessarily engaged in the active duties of their employment, and shall also provide for their use and permit them to use suitable seats while at work, except when the work cannot properly be performed in a sitting position or when such seats may reasonably be expected to result in an unsafe or hazardous working condition. Whoever violates this section shall be punished by a fine of not less than fifty nor more than two hundred dollars.
California law states that “[w]hen the nature of the work reasonably permits the use of seats, suitable seats shall be provided for employees working on or at a machine.” Florida, a state not typically known for its pro-employee laws, requires seats to be provided for employees in stores who are not required to be on their feet for certain duties or are not engaged in active work. Montana, New Jersey, Oregon and Wisconsin have similar seating laws.
Interestingly, significantly more states had seating laws between the 1900s and 1980s. However, those laws applied only to women workers. By the 1980s, many states repealed these laws, and most of the states that maintained their seating laws amended them to be gender-neutral. Utah and the District of Columbia amended their seating laws to be gender-neutral, but subsequently repealed them.

CROWN Act Becomes Law in Pennsylvania: New Protections Against Hair Discrimination

On November 25, 2025, Governor Josh Shapiro signed the Creating a Respectful and Open World for Natural Hair (CROWN) Act into law during a ceremony in Philadelphia, Pennsylvania. With this legislation, Pennsylvania joins twenty-seven other states, including neighboring New Jersey, Delaware, and New York, in prohibiting race-based hair discrimination.

Quick Hits

Governor Josh Shapiro signed the CROWN Act into law on November 25, 2025, making Pennsylvania the twenty-eighth state to prohibit race-based hair discrimination.
The final version of the CROWN Act includes provisions to protect employers’ rights to maintain legitimate workplace safety standards.
The law, effective January 24, 2026, broadens the definition of “race” under the Pennsylvania Human Relations Act to include traits such as hair texture and protective hairstyles.

The milestone follows a previous setback, as an earlier version of the bill stalled in the Pennsylvania Senate at the end of 2024. The final version of the CROWN Act includes specific provisions to protect employers’ rights to maintain legitimate workplace safety standards.
Before the enactment of the CROWN Act, the Pennsylvania Human Relations Commission had already incorporated protections related to the act into its formal guidance. Governor Shapiro noted that in 2022, over 900 complaints of racial discrimination based on hair were filed with the Pennsylvania Human Relations Commission.
The law goes into effect on January 24, 2026.
The CROWN Act broadens the definition of “race” under the Pennsylvania Human Relations Act to include traits historically associated with an individual’s race, such as hair texture and protective hairstyles. As a result, individuals are shielded from discrimination based on natural hairstyles or protective hairstyles commonly linked to their race. The law expressly safeguards a range of protective hairstyles, including locs, braids, twists, coils, Bantu knots, afros, and extensions.

Adding Motions to the Posted Agenda is Once Again Permitted by the Sunshine Act

As Pennsylvania local governments are no doubt well aware, on June 30, 2021, the General Assembly enacted Act 65 of 2021, which amended the Pennsylvania Sunshine Act, 65 Pa.C.S. §§701-716, (Sunshine Act) to require that agencies make their meeting agendas available to the public, and set restrictions on taking official action on any item not listed on the published agenda. The Sunshine Act requires that agencies provide citizens with notice of, and access to, all meeting agendas at which official action and deliberations by a quorum will occur at least 24 hours in advance. The agenda must be posted at the municipal building and on the municipality’s website. There is a process to amend the posted agenda at the meeting, but the Commonwealth Court ruled that the Sunshine Act only permitted such revisions in limited circumstances for emergencies or actions which did not require the expenditure of funds or a contract. On November 24, 2025, the Supreme Court overruled that decision and reinstated the process for amending an agenda for any reason.
Four Exceptions to the Prohibition on Official Action Not Included on Posted Agenda
The legislature included four exceptions to the requirement that items be listed on the agenda before a board can take public action. First, Section 712.1(b) permits the agency to take official action on matters not included in the agenda if they relate to a real or potential emergency involving a clear and present danger to life or property.
Second, Section 712.1(c) permits official action on a matter brought to the attention of the agency within the 24-hour period prior to the meeting, provided the matter is de minimis in nature and does not involve the expenditure of funds or entering into any contract or agreement.
Third, Section 712.1(d) permits business raised by a resident or taxpayer at the meeting to be considered for the purposes of referring it to staff, researching it for inclusion at a later meeting, or for full consideration where it is de minimis and does not involve the expenditure of funds or entering into any contract or agreement.
The fourth and final exception in Section 712.1(e) allows an agency to amend the agenda at the meeting in question. Subsection (e) states that upon a majority vote of the individuals present and voting during the meeting, the agency may add a matter of agency business to the agenda. The agency must announce the reasons for changing the agenda before voting to make those changes. If the vote passes, the agency may then take official action on that matter. If an agency amends its agenda in this manner, it must post the amended agenda on its website no later than the following business day and include the details of the matter added, the vote, and the reasons for the addition in its meeting minutes. Meeting minutes are required to be kept by Section 706 of the Sunshine Act.
The Commonwealth Court Limits the Exceptions
After these four exceptions went into effect with the 2021 amendment, the Commonwealth Court held that Subsection (e) could not be used on its own to amend the agenda at the meeting in question. It could only be utilized in relation to a matter falling under one of the other three exceptions.
However, on November 24, 2025, the Pennsylvania Supreme Court overruled the Commonwealth Court in Coleman v. Parkland School District and found that Section 712.1 of the Sunshine Act unambiguously creates four freestanding exceptions to the general prohibition that an agency cannot take official action on items not listed on the meeting agenda pursuant to the 24-hour notice rule. This includes the majority vote exception as provided by the fourth and final exception in Section 712.1(e). The Supreme Court rejected the Commonwealth Court’s interpretation of Section 712.1(e) and held that “the Commonwealth Court essentially redrafted Section 712.1 to align it with a textually unsustainable view of the ostensible spirit of the Sunshine Act and its 2021 amendment.”
Impact and Considerations
The Pennsylvania Supreme Court’s ruling reinstates the majority vote exception and permits agencies, if they wish, to vote to add matters to the official meeting agenda and then take action on those newly-added agenda items at that public meeting. The ruling also reaffirms the validity of all four exceptions. The reinstatement of this exception in particular will allow for greater efficiency in municipal operations and save money and time on additional advertisements and meetings. However, agencies will need to comply with the specific requirements of Section 712.1 if and when voting to add items to the meeting agenda. And because the Sunshine Act requires an agency to provide an opportunity for public comment before official action is taken, an agency voting to add items to the meeting agenda should allow for public comment as part of the process.