CCPA Metrics Disclosure Requirement Takes Effect July 1, 2021

Effective July 1, 2021, annual public disclosure requirements will start to apply to every business that is required to comply with the California Consumer Privacy Act (“CCPA”) and that knows or should know that (alone or in combination) it buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10 million or more California residents in a calendar year. This requires these businesses to compile the following metrics for the previous calendar year (January 1, 2020 through December 31, 2020):

  1. The number of requests to know that the business received, complied with in whole or in part, and denied;
  2. The number of requests to delete that the business received, complied with in whole or in part, and denied;
  3. The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
  4. The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

This information must be disclosed in the business’s privacy policy or posted on its website and accessible from a link included in the privacy policy.  The metrics must be updated annually by July 1. In the disclosure, a business may choose to disclose the number of requests that were denied in whole or in part because the request was not verifiable, was not made by a consumer, called for information exempt from disclosure, or was denied on other grounds.

To review, the CCPA, which became effective on January 1, 2020, grants California consumers the right to control the personal information that businesses collect about them. Through the CCPA, California residents have the right to know what personal information is being collected and whether their personal information was sold or disclosed (and to whom), and may request that businesses delete their personal information. Currently, only for-profit businesses that collect consumers’ personal information and meet one or more of these criteria must comply: (1) the business has an annual gross revenue in excess of $25 million; (2) the business collects, buys, receives, sells, or shares the personal information of 50,000 or more California-resident consumers, households, or devices; or (3) the business derives 50% or more of its annual revenue from selling consumers’ personal information. For more information about the rights afforded to California residents, and businesses’ obligations under the CCPA, see below for some of our previous CCPA blog posts.

Among other requirements, all businesses that are required to comply with the CCPA must maintain records of CCPA consumer requests and how the business responded to the requests for at least 24 months. These businesses are required to implement and maintain reasonable security procedures and practices in maintaining these records. Such records may be maintained in a ticket or log format, provided that the ticket or log includes the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.

In addition, the businesses must establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.

Attorneys at Conkle, Kremer & Engel are staying current with the CCPA to guide their clients through compliance with this sweeping data privacy law.

The Conkle Firm Helps MANA Evict Domain Name Cybersquatter

What do you do when someone else has taken your trademark and used it in an Internet domain name?  Just accept it, even if they’re offering competing products and services?  Do you have to go to court and file a trademark infringement lawsuit?  Fortunately, these questions all have the same answer: No.   You don’t have to accept it, and there are faster and less expensive ways to force the cybersquatter to give up the infringing domain name.

CK&E recently demonstrated this by helping its client, the Manufacturers’ Agents National Association (commonly known as MANA) defeat a cybersquatter and force the squatter to transfer the “manaonline.com” domain name to MANA.

All domains ending in a generic Top Level Domain (gTLD) – such as .com, .org or .net – are automatically subject to ICANN’s Uniform Domain Name Dispute Resolution Policy, a streamlined arbitration process referred to as UDRP. UDRP provides an efficient method for a trademark owner to resolve its rights to a domain name that uses a substantial part of the trademark or is otherwise confusingly similar to the trademark. Instead of going to court to sue for trademark infringement, the business owner can file a complaint online with one of several authorized arbitration providers, such as the National Arbitration Forum (NAF) or the Arbitration and Mediation Center of the World Intellectual Property Organization (WIPO). Through a process that is conducted entirely online, these arbitration providers are empowered to force a domain name registrar to transfer a domain to its rightful owner. This is especially useful if the cybersquatter is in some remote offshore location and cannot be reached by regular legal process, because the domain name registrars are always available and can be directed to transfer the domain name.

To force the transfer of a domain through UDRP, the business owner must show:  (1) the domain name is confusingly similar to a trademark owned by the business;  (2) the current registrant has no rights or legitimate interests in the domain name; and  (3) the domain name has been registered and is being used in bad faith.

In the case in which CK&E helped MANA, another company called “Dvlpmnt Marketing” based out of Saint Kitts and Nevis, in the Caribbean, had registered the “manaonline.com” domain name – which was essentially identical to MANA’s “manaonline.org”. Dvlpmnt had used the domain name to park a webpage featuring “pay-per-click” links to other websites offering services competing with those offered by MANA. Dvlpmnt owns tens of thousands of domains, and has been the subject of several NAF and WIPO proceedings in the past.

CK&E attorney Zachary Page initiated a Complaint with NAF on behalf of MANA, charging Dvlpmnt with cybersquatting by registering and maintaining in bad faith, and with no legitimate rights, the manaonline.com domain name that was confusingly similar to MANA, whose genuine website is found at manaonline.org.  The different gTLD extensions, .com and .org, are legally insignificant in the UDRP process – effectively, the domain names were regarded as identical.  After the UDRP hearing, the NAF Panel held:

“Considering the totality of the circumstances present here—including the similarity between the disputed domain name and Complainant’s domain name, and the content of the website to which the disputed domain name resolves—the Panel infers that Respondent was aware of Complainant when it registered the domain name and that Respondent is using the domain name in a manner intended to exploit confusion with Complainant’s website and service mark.  These inferences are indicative of bad faith.”

Manufacturers’ Agents National Association v. Domain Administrator / DVLPMNT MARKETING, INC., National Arbitration Forum Claim Number FA1404001553434

A successful UDRP claimant generally has a choice to have the domain registration cancelled or to have the domain name transferred to the claimant.  It is almost always better to have the domain name transferred, so that it cannot be taken by another cybersquatter in the future.  CK&E is proud to have helped its client, MANA, successfully force the cybersquatter to transfer the manaonline.com domain name to MANA.
