California's Legislature has passed two new climate disclosure bills, SB 253, the Climate Corporate Data Accountability Act (CCDAA), and SB 261, the Climate-Related Financial Risk Act (CRFRA), which together will require a wide array of entities doing business in the state to calculate and disclose their carbon footprint and climate risk. The Governor has announced his intention to sign both SB 253 and SB 261. These new legal requirements, which will go into effect beginning in 2025 if not challenged successfully in court, will add to and, in some ways surpass, a growing array of disclosure requirements and could, as we have seen many times, expose entities to a new set of consumer class action risks. These laws, which govern both public and private entities with revenues exceeding certain thresholds (enumerated below), are expected to impact over 5,000 businesses.

SB 253, Climate Corporate Data Accountability Act

CCDAA applies to US entities "doing business in California" with annual revenues exceeding $1 billion (calculated on a global basis, based on the prior fiscal year). The law will require covered entities annually to disclose Scopes 1, 2 and 3 greenhouse gas (GHG) emissions for the prior fiscal year in conformance with the Greenhouse Gas Protocol standards and guidance. The reporting obligations begin in 2026 for Scope 1 and 2 and in 2027 for Scope 3.

What is truly unique about this requirement is that entities will for the first time have mandatory requirements in the United States to estimate and report on so-called "Scope 3 emissions," which include emissions from the company's "full value chain," including from entities that the company does not own or directly control, such as customers who buy and use the company's products. Considering that a successful company seeks to sell more products to more consumers, these emissions may appear to grow over time, creating tension between corporate commitments to "net zero," for example, and reports that this law will require. Considering that the science and implementation of measuring Scope 3 emissions is lacking at present, covered entities will have to estimate such emissions at first, and likely refine their methods over time. Estimating Scope 3 emissions is likely by definition to be inexact, so plaintiffs' attorneys may seek to exploit these reports in litigation. Moreover, entities subject to these requirements also will have to solicit data from suppliers and vendors in order to meet their own reporting obligations.

The law will require entities to obtain third-party assurance for their emissions reporting at a so-called "limited assurance level," beginning in 2026 for Scopes 1 and 2 emissions, and at a more stringent, "reasonable assurance level" in 2030. The third-party assurance for Scope 3 emissions shall be performed at a limited assurance level beginning in 2030. Practically speaking, many entities may choose to engage consultants for this work as early as 2024, leading to a GHG consulting firm bonanza. If these laws remain in effect, some private entities that do not have disclosure obligations right now will have to start disclosing their emissions in the near future.

Entities will be allowed to submit reports prepared to meet other national and international reporting requirements, including any reports required by the federal government, as long as those reports satisfy all of the requirements of this law.

These requirements are to be overseen by the California Air Resources Board (CARB), which is expected to publish implementing regulations.

SB 261, Climate-Related Financial Risk Act

CRFRA also applies to US public and private entities (other than insurance businesses) "doing business in California" but covers those with annual revenues exceeding $500 million (calculated on a global basis based on revenue for the prior fiscal year). Covered entities will have to publish on its own website a biannual climate-related financial risk reports that disclose (i) their "climate-related financial risk" in accordance with the recommended framework and disclosures of the Task Force on Climate-Related Financial Disclosures; and (ii) measures adopted to mitigate and adapt to that climate-related financial risk.

"Climate-related financial risk," as defined in the bill, includes all material risk of harm to immediate and long-term financial outcomes due to physical and transitional risks, such as risks to operations, provision of goods and services, supply chains, employee health and safety, capital and financial investments, institutional investments, financial standing of loan recipients and borrowers, shareholder value, consumer demand, and financial markets and economic health. The bill provides that entities may satisfy this biannual reporting requirement by complying with a comparable climate-related financial risk reporting framework, such as the International Sustainability Standards Board (ISSB) scheme. Thus, even if the company's own emissions are low, the law will require a probing analysis of the susceptibility of the business to climate-change driven risk. As such, this law could impact a wide variety of entities, including, for example, financial institutions.

Relationship to other laws

There is a possibility that these new California requirements will leapfrog the Securities and Exchange Commission's (SEC) climate rule, which, if adopted in 2023, will probably have a long phase-in period. The California requirements would likely impact more entities, as it covers both private and public entities exceeding certain revenue thresholds.

Many of these same entities will also be required to comply with the Corporate Sustainability Reporting Directive (CSRD), which was adopted by the EU. The CSRD imposes reporting obligations on non-EU parent entities and subsidiaries doing business in Europe, even if the parent entities are not listed on a European exchange. The CSRD has far lower revenue thresholds and is expected to cover many more entities. It is possible, subject to CARB's implementing rules, that entities complying with CSRD will be able automatically to satisfy the California laws.

Implications

As noted above, these laws pose imminent data challenges to covered entities. While many large entities have evaluated their GHG emissions, this will require public disclosure. The laws also will create new legal risks for private and public entities.

This will likely be the first legal requirement for many entities to gather and report on Scope 3 emissions, which includes emissions from third-parties such as vendors, suppliers and customers. The potential enormity of the data gathering exercise suggests that retaining a good consultant and advance planning will be required.

Finally, the litigation that could ensue must be considered. There, of course, may be cases brought against entities that do not comply, and civil penalties for noncompliance will be steep. However, there also could be litigation filed against entities that comply with the laws perfectly but publish previously confidential emissions information deemed to be at odds with their own prior advertisements and public GHG commitments. Moreover, activists and plaintiffs will almost certainly be reviewing initial and subsequent reports for evidence of backsliding. All of this increases legal risk.