Governor Signs California Climate Disclosure Requirements: What Companies Need to Know

Andaye Hill-Espinoza, Associate Director ESG Center of Excellence & Sustainable Operations, Business Performance Improvement
Nicholas You, Associate Director Legal Consulting

In September 2023, California legislators passed the first mandatory climate disclosure bills in the United States. Governor Gavin Newsom signed the two climate-impact reporting measures into law on October 7, 2023. The measures are expected to have far-reaching effects not only for the U.S.-based businesses that are required to comply but also for their trading partners around the world.

Timing: The law will require organizations to report on direct GHG emissions (known as Scope 1 and Scope 2) “starting in 2026 on a date to be determined” and to report on indirect GHG emissions (those their suppliers, customers, employees and others incur, known as Scope 3) sometime in 2027.

Assurance: Reporting entities must have their disclosures verified by an emissions registry or a state-approved external auditor with expertise in GHG accounting. Direct emissions reporting will require a limited assurance level starting in 2026, escalating to a reasonable assurance level in 2030. Indirect emissions may require limited assurance starting in 2030, depending on CARB’s review and evaluation in 2026.[1]

Failure to comply could result in penalties and fines up to $500,000 per year, but the bill provides penalty mitigations for Scope 3 disclosures reasonably estimated in good faith between 2027 and 2030.

  • Senate Bill 261 (SB 261), the Climate-Related Financial Risk Act (CRFRA) will require organizations with prior-fiscal-year revenue of $500 million or more to disclose their climate-related financial risks, as well as the measures to reduce and adapt to those risks. Covered entities must submit reports developed in accordance with Task Force on Climate-Related Financial Disclosures (TCFD) standards to CARB and publish the reports on their websites. Notably, even businesses whose own emissions are low must analyze their susceptibility to risks related to climate change. This means that even organizations in less resource-intensive industries, such as financial services, will feel the impacts of the measure.

Timing: Organizations will have to prepare the first report “on or before January 1, 2026, and biennially thereafter.”

Assurance: Covered entities will have to affirm to California’s secretary of state that reports are “filed pursuant to the statute disclose climate-related financial risk.”

Failure to comply could result in penalties or fines up to $50,000 per year.

Who Must Act: Covered Entities and Everyone Else

The bills will affect thousands of businesses directly. Many other businesses — whether public or private, large or small, throughout the world, and even those not doing business in California themselves — will also feel some effects.

  • SB 253 directly affects 5,300 organizations. Reporting entities include public and private U.S. companies “doing business in California” that engage in any transaction for the purpose of financial gain within California, or are organized or commercially domiciled in California or exceed certain sales, property or compensation benchmarks. SB 253’s inclusion of indirect (Scope 3) GHG emissions reporting will compel reporting entities to work with trading partners to develop information related to “indirect upstream and downstream greenhouse gas emissions . . . from sources that the reporting entity does not own or directly control and may include, but are not limited to, purchased goods and services, business travel, employee commutes, and processing and use of sold products.”
  • SB 261 directly affects over 10,000 organizations. Covered entities include any “business entity formed under the laws of the state, the laws of any other state of the United States or the District of Columbia, or under an act of the Congress of the United States” (but excluding insurance businesses) with prior-fiscal-year global annual revenues of $500 million or more, and that conduct business in California.

Within organizations that must comply — and the trading partners who supply them — both SB 253 and SB 261 warrant the attention of financial, legal, sustainability and compliance executives and experts to gather, review, analyze and report climate- and resource-related data. Leaders will want to look at these regulations from the standpoint of their own compliance obligations while also anticipating the information needs of their trading partners.

When to Act and What to Do

Compliance dates for these bills are closer than they first appear.

  • The first required reporting for SB 253 (for direct GHG emissions) comes in 2026. The reports are based on the reporting entity’s fiscal year. Assuming the fiscal year corresponds to the calendar year, the initial report’s lookback period is all of 2025. Lookback periods for some fiscal years might start earlier than January 2025 for a report date in 2026.
  • SB 261 calls for organizations to prepare their first reports “on or before January 1, 2026,” suggesting 2025 calendar-year data and possibly 2024 data to be included in the first report’s scope.

Implementation details clarified so far suggest that now is the time for organizations to develop the teams, processes and tools via which they’ll satisfy reporting requirements. Accountability and data needs should be established. Solutions for data capture, analysis and reporting should be in place and tested before the first reporting period begins.

For companies that do business in California and are required to comply with these landmark bills, following are actions to consider:

  • Study each bill to understand how the organization is affected:
    • What is it required to report? Who are all the organization’s suppliers and suppliers’ other stakeholders, and what is expected of them?
    • Who are the organization’s customers, and what are their data needs?
  • Enlist finance, legal, compliance, sustainability and procurement executives within the organization to engage in a collaborative effort to comply. Establish an executive committee to oversee and develop the resulting reports.
  • Identify data sources already available for sustainability reporting and identify gaps that need to be addressed to meet the new requirements. Undertake the necessary steps to address identified gaps.
  • Update processes related to developing new product or service offerings to ensure that ensuing climate impacts are captured.
  • Consider other climate change–related reporting requirements the organization already satisfies, such as the European Union’s Corporate Sustainability Reporting Directive (CSRD), and harmonize the new requirements with existing processes.

Implementation Details Forthcoming

Protiviti is tracking developments closely, and will report on implementation details and other developments related to both climate disclosure bills as they become known. There are open implementation questions requiring clarification. For example, what does it mean to do business in California? How is the revenue test applied, e.g., is it determined on a gross or net basis; is it based on worldwide revenue or limited to revenue generated in California; and is it limited to affiliate-based revenue or must it factor in consolidated revenues of the parent? As there apparently has not been a comprehensive assessment of the overall financial impact of the enacted legislation on the businesses affected, it is possible that recommendations will emerge to streamline these disclosure requirements.

Most observers expect that before the end of the year the proposal from the U.S. Securities and Exchange Commission (SEC) for climate-related disclosures for listed companies will be finalized as well. Instead of waiting for the SEC, California legislators decided to act. We advise organizations to do the same by beginning their preparations — climate reporting is not going away. Subscribe to this blog to receive updates of this issue in your inbox.

[1] Reasonable assurance is the more robust level of assurance, stating that the information is correct based on an independent review and testing of processes and controls. Limited assurance relies less on testing and more on management information and may be limited to certain components of the report.

Add comment