CCPA Metrics Disclosure Requirement Takes Effect July 1, 2021

Posted by:

CCPA Metrics Disclosure Requirement Takes Effect July 1, 2021

Effective July 1, 2021, annual public disclosure requirements will start to apply to every business that is required to comply with the California Consumer Privacy Act (“CCPA”), and which knows or should know that (alone or in combination) it  buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10 million or more California residents in a calendar year. This requires these businesses to compile the following metrics for the previous calendar year (January 1, 2020 through December 31, 2020):

  1. The number of requests to know that the business received, complied with in whole or in part, and denied;
  2. The number of requests to delete that the business received, complied with in whole or in part, and denied;
  3. The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
  4. The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

This information must be disclosed in the business’s privacy policy or posted on its website and accessible from a link included in the privacy policy.  The metrics must be updated annually by July 1. In the disclosure, a business may choose to disclose the number of requests that were denied in whole or in part because the request was not verifiable, was not made by a consumer, called for information exempt from disclosure, or was denied on other grounds.

To review, the CCPA, which became effective on January 1, 2020, grants California consumers the right to control the personal information that businesses collect about them. Through the CCPA, California residents have the right to know what personal information is being collected, whether their personal information was sold or disclosed (and to whom), and may request that businesses delete their personal information.  Currently, only for-profit businesses that collect consumers’ personal information and meet one or more of these criteria must comply: (1) the business has an annual gross revenue in excess of $25 million; (2) the business collects, buys, receives, sells, or shares the personal information of 50,000 or more California-resident consumers, household, or devices; or (3) the business derives 50% or more of its annual revenue from selling consumers’ personal information. For more information about the rights afforded to California residents, and businesses’ obligations under the CCPA, see below for some of our previous CCPA blog posts.

Among other requirements, all businesses that are required to comply with the CCPA must maintain records of CCPA consumer requests and how the business responded to the requests for at least 24 months. These businesses are required to implement and maintain reasonable security procedures and practices in maintaining these records. Such records may be maintained in a ticket or log format, provided that the ticket or log includes the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.

In addition, the businesses must establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.

Attorneys at Conkle, Kremer & Engel are staying current with the CCPA and to guide their clients through compliance with this sweeping data privacy law.

30
JUN
0

Banking and Finance, Beauty Industry, California Trade Regulations, Fashion, Food, Craft Beer and Nutrition, Industries Represented, Manufacturing, Privacy, Privacy Rights, Real Estate & Construction, Sales, Technology

, , , , , , , , , , , ,

Can Employers Require Employees to be Vaccinated Against COVID-19?

Posted by:

Can Employers Require Employees to be Vaccinated Against COVID-19?

As we have discussed in previous Coronavirus-related blog posts, employers have a general duty to provide a safe and healthy workplace that is free from serious recognized hazards where possible (meaning that such hazards are either nonexistent, eliminated, or reduced to a safe or acceptable level).  While most regions have tiered or priority programs in which newly-released COVID-19 vaccines will only be made available to certain age groups or industry sectors after higher-risk individuals are vaccinated, as the vaccines are made more widely available, “essential” employers and employers who may be planning to resume or increase the scope of their on-premises operations may see vaccination as an important tool to ensure the maximum level of safety within their workplaces.

These employers likely have many questions about COVID-19 vaccines, such as whether they may be able to require employees to be vaccinated against COVID-19 as a condition to being permitted at the workplace, how a vaccination program implicates disability and other related privacy issues and laws, and whether not requiring such vaccinations (or leaving it up to employees) could open them up to potential liability.

Addressing some of these concerns, the federal Equal Employment Opportunity Commission (EEOC) recently released guidance for employers regarding workplace vaccine mandates (see Section K). While the EEOC guidance does not make any blanket rule regarding the permissibility of mandatory vaccinations, it does give recommendations on how an employer should navigate the various concerns that arise in administering a vaccination program.  (But be aware that state health departments may release guidance or rules different from the EEOC and that union workers in particular may have collective bargaining agreements containing particular rules that must be taken into account.)

Vaccines are not Medical Examinations Under the ADA, but Employers Should be Careful with Inquiries Surrounding a Vaccine

The EEOC guidance initially provides that the administration of Coronavirus vaccines is not considered a “medical examination” under the Americans with Disabilities Act (ADA), but that employers should be careful when posing any pre-screening vaccination questions to their employees that might implicate the ADA’s rules regarding inquiries which are likely to elicit information about an employee disability.  Any pre-screening questions (i.e. to determine whether there is a medical reason that would prevent the employee from receiving the vaccine) must be job-related and consistent with business necessity – an employer must have a reasonable belief, based on objective evidence, that an employee that does not answer pre-screening questions and does not receive the vaccine will pose a direct threat to the health or safety of herself or others.  Though the EEOC has previously stated that “based on the guidance of the CDC and public health authorities […] the COVID-19 pandemic meets the direct threat standard,” this assessment may change moving forward, and an employer’s response to the “direct threat” concern will likely differ depending on industry and other workplace contexts.  In workplaces with significant worker density or customer contact, the threat is generally considered greater than in workplaces with limited interpersonal contact or the ability to work from home.  Under the guidance, these concerns apply equally to requests for an employee to show proof of a COVID-19 vaccine – the request by itself is not a disability-related inquiry, but any questions asking for reasons for not obtaining a vaccine may be.

The guidance identifies two circumstances in which disability-related screening questions can be asked of employees without needing to satisfy the “job-related and consistent with business necessity” requirement.  First, if the vaccination program is voluntary rather than mandatory, an employee’s decision to answer screening questions is also voluntary.  In such case, if an employee declines to answer screening questions an employer can decline to administer the vaccine, but the employer cannot retaliate against that employee in any manner for her decision.  The second circumstance is when employees receive an employer-required vaccination from a third party not under contract with the employer, such as a pharmacy.  However, the guidance cautions that any employee medical information obtained in the course of a vaccination program must be kept confidential by the employer, and that employers should advise employees not to provide medical information to the employer when providing proof of vaccination.

If an Employee Cannot Receive the Vaccine due to Disability or Religious Belief, Employers Must Try to Make Accomodations Where Feasible

Per the guidance, if an employee indicates that she is unable to receive a COVID-19 vaccination because of a disability, employers must conduct an individualized assessment of four factors in determining whether there is a direct threat to the health or safety of others in the workplace – the duration of the risk, the nature and severity of the potential harm, the likelihood that the potential harm will occur, and the imminence of the potential harm.  An employer cannot exclude an unvaccinated employee from the workplace unless there is no way to provide a reasonable accommodation to that employee that will eliminate or satisfactorily reduce the threat without undue hardship to the employer.  If such a threat cannot be reduced to an acceptable level, the employer can forbid the employee’s physical presence at the workplace.  However, this does not mean the employer may automatically terminate the employee – in some cases, the employee may be able to work remotely or may be eligible to take leave under various Coronavirus-related legislation, state law, or the employer’s own policies.  Employers should be sensitive to accommodation requests by employees and should engage in an interactive process that takes into account the nature of the industry, the employee’s role, CDC or other health official guidance regarding the current prevalence and severity of Coronavirus outbreaks, and whether an accommodation poses significant expense or difficulty to the employer.

The same standards and practices apply if an employee’s sincerely held religious belief prevents the employee from receiving the vaccine – while an employer should assume that a professed belief is sincerely held, if there is an objective basis for questioning the claimed belief, the employer may be justified in requesting additional information.

Further, the guidance refers to FDA literature providing that particularly because the COVID-19 vaccine is available under an Emergency Use Authorization (EUA) instead of traditional FDA approval, any person may opt out of receiving the vaccine.  As such, even if it is unclear whether disability or religious concerns motivate an employee’s decision to decline a vaccine, an employer should still likely make whatever reasonable accommodations are possible based on individualized assessments of the four factors described above.

The Genetic Information Nondiscrimination Act (GINA) is not Implicated by Employer Administration of a Coronavirus Vaccine

The guidance provides that because the COVID-19 vaccines, even though they use mRNA technology, do not involve the use of genetic information to make employment decisions or require the employer’s acquisition or the employee’s disclosure of employees’ genetic information.  However, as with disability concerns, employers should be careful to avoid pre-screening questions that specifically seek to obtain “genetic information” about their employees, which can include information about family medical history.

Practical Impacts for Employers Based on the Guidance

Based on the foregoing, employers, depending on the industry and the threat that unvaccinated workers may pose in a particular workplace, may find it easier to encourage but not necessarily require Coronavirus vaccinations, and, if vaccinations are required, employers may find it easier to have employees obtain the vaccines from third parties rather than the employer administering the vaccines.  Employers who do decide to create a vaccination program should create a thoughtful, formal process that both demonstrates reasonable efforts to maintain a workplace free of “direct threats” given the context of the business and takes the various health and privacy-related laws into account.  Protocols should be well-documented, including pre-screening questions and opt-out situations but, again, documentation must be held confidentially and employee inquiries should be narrow.  In some industries (for example, the California health care industry), employers are required to offer certain vaccines to their employees free of charge (and to provide technical information to employees regarding the vaccine itself), though it is unclear whether that requirement would be expanded to all California employers with respect to the COVID-19 vaccine.

An employer with employees who decline to take the vaccine may wish to have those employees sign a statement acknowledging the risks to that employee in making that decision, similar to the declination statement required in health care workplaces in California, and/or a liability waiver.  The employer may also want to post prominent signage or bulletins in its workplace regarding its Coronavirus protocols (which is already required in many instances) that includes some manner of information about the business’ vaccination policy in order to allow customers and others who enter the premises to be informed.  While such documentation may not eliminate liability, it may help to reduce it.

As always, the law surrounding Coronavirus issues in the workplace is constantly evolving.  The foregoing is not intended to be an exhaustive representation of federal, state, and local laws and directives regarding COVID-19, but is rather general information about some of the EEOC’s latest positions and how employers might be able to utilize those positions in the context of the particulars of their own workplaces.  Employers should always consult with the experienced attorneys before taking steps to implement a vaccination policy.  Conkle, Kremer & Engel attorneys stay up to date and are ready to help employers understand and implement practices regarding the Coronavirus vaccine in their  particular workplace circumstances.

23
JAN
0

ADA - Americans with Disabilities Act, Banking and Finance, Beauty Industry, Discrimination, Employment Law, Fashion, Food, Craft Beer and Nutrition, Industries Represented, Manufacturing, Real Estate & Construction, Regulatory Compliance, Sales, Technology

, , , , , , , , , , , , , , , , , , , , , , ,

The California Consumer Privacy Act (“CCPA”) Is Enforceable Beginning July 1, 2020. Is Your Business Ready?

Posted by:

The California Consumer Privacy Act (“CCPA”) Is Enforceable Beginning July 1, 2020. Is Your Business Ready?

You may have noticed a recent influx of personal emails about updates to businesses’ privacy policies and terms and conditions. This may be due, in part, to the California Consumer Privacy Act (“CCPA”) allowing individuals to bring private rights of action against businesses. While the CCPA was effective January 1, 2020, it will be enforceable by the California Attorney General beginning July 1, 2020.

What is the CCPA?

The CCPA grants California consumers the right to control the personal information that businesses collect about them. Through the CCPA, California residents have the right to know what personal information is being collected, whether their personal information was sold or disclosed (and to whom), and may request that businesses delete their personal information. Under the CCPA, personal information is any data that identifies, relates to, or describes a particular person or household. Information such as a person’s name, address, and email address (even a computer IP address) are considered personal information. This applies to information collected online and offline, so the CCPA may apply to businesses even if they do not have a website.

Not all businesses need to comply.

The CCPA applies to for-profit businesses that collect consumers’ personal information and meet one or more of these criteria:

(1) The business has an annual gross
revenue in excess of $25M;

(2) The business collects, buys,
receives, sells, or shares the personal information of 50,000 or more
California-resident consumers, household, or devices; or

(3) The business derives 50% or more of
its annual revenue from selling consumers’ personal information.

Even small consumer-oriented businesses should take particular note of the second criteria: If the business’ website collects what the Act classifies as “personal information,” such as email addresses or the IP Address of the computer accessing the website, it may not take very long to collect that kind of information about 50,000 California-resident devices or consumers and make the business subject to the Act.

Upon receiving a verified consumer request, businesses meeting any of the above-mentioned criteria must give California residents the means to exercise their rights under the CCPA and cannot discriminate against them for exercising these rights. Businesses must complete the consumer’s request within 45 days, although an extension of time may be available, and the process of responding to consumer requests must be supported by reasonable security procedures and practices.

What happens if a business does not comply?

A failure to cure any alleged violation of the CCPA within 30 days of notification of alleged noncompliance will subject businesses to an injunction and civil penalties of no more than $2,500 per violation or $7,500 per intentional violation. And if personal information is improperly disclosed or stolen due to the absence of reasonable security procedures and practices, businesses may be subjected to civil action for injunctive or declaratory relief, damages of $100 to $750 per consumer, per incidentor actual damages (whichever is greater), or any other relief that the court deems proper.

Are you ready to comply with the CCPA? Attorneys at Conkle, Kremer & Engel are staying current with the CCPA to guide their clients through compliance.

26
JUN
0

Banking and Finance, Beauty Industry, California Trade Regulations, Fashion, Food, Craft Beer and Nutrition, Industries Represented, Manufacturing, Real Estate & Construction, Regulatory Compliance, Sales, Technology

, , ,

Employers’ Duties to Maintain Employee Privacy in a COVID-19 Pandemic

Posted by:

Employers’ Duties to Maintain Employee Privacy in a COVID-19 Pandemic

Dealing with illness in the workplace can be challenging under normal circumstances, but it is much more so in the midst of the Coronavirus pandemic. Many questions remain unanswered regarding the precise application of federal, state and local orders and their relationship with employee benefits. As COVID-19 becomes an increasing presence in California workplaces, and employers are forced to comply with government directives, it is just as important as ever for employers to take steps to maintain compliance with employee privacy regulations. Workers who suffer adverse employment decisions, such as pay reductions, furloughs and layoffs, may be particularly attuned to whether all their rights were respected in the process.

How much information may an employer request from an employee who calls in sick, in order to protect the rest of its workforce during the COVID-19 pandemic?

According to Guidance provided by the Equal Employment Opportunity Commission (EEOC) addressing the COVID-19 pandemic, employers covered by the Americans with Disabilities Act (ADA) may ask employees if they are experiencing COVID-19 symptoms such as fever, chills, cough, shortness of breath, or sore throat, but employers must maintain all information about employee illness as a confidential medical record in compliance with the ADA.

Does an employer have a duty to inform employees that one of their colleagues has tested positive for COVID-19?

Employers may be uncertain about whether to tell employees that there has been a reported case of COVID-19 in the workplace. Depending on the particular facts involved, information regarding illness of an employee or family member may be protected under the Health Insurance Portability and Accountability Act (HIPAA), the ADA or both.

A pandemic, on the other hand, likely alters those practices. In light of the rapid spread of COVID-19, employers should promptly inform workers if one of their colleagues tests positive for the virus. However, employers typically need not divulge the identity of an employee or employee’s family member to achieve the objective of maintaining a healthy workplace.

Employers may also choose to notify employees and other relevant parties that contagious illnesses may be present in any workplace and list precautionary steps suggested by medical professionals, such as the CDC. Even when not specifically required by law, it is important for business effectiveness to maintain the privacy of individual employees. These matters are best handled carefully to prevent unnecessary disruption in the workplace.

How should the employer communicate to employees that one of their colleagues has a suspected or confirmed case of COVID-19?

Clear, effective employer communications are critical to providing employees with relevant information, maintain order in the workplace, and reduce employees’ concerns. Employers should keep the following in mind when developing employee communications:

• Inform employees that the company will take any reasonable and necessary steps to ensure a safe and healthy work environment.
• Identify typical symptoms employees should watch out for.
• Include information on how to protect against getting the illness.
• Advise employees of any changes to policies.
• Notify employees of any discontinued travel.
• Ensure HR is available and prepared to address employees’ questions

What Are Employers’ Obligations to Prevent Harassment of Those Suspected of Being Infected?

Employers must take steps to prevent discrimination and harassment against individuals who have a potential claim that they are disabled due to a COVID-19 related reason. Employers should consider reminding employees of anti-harassment and discrimination company policies. Employers must be vigilant about promptly responding to and investigating any complaints of harassment or bullying in the workplace, and be conscious to limit the spread of rumors and speculation amongst the workforce.

Under the ADA, may an employer to require employees to provide a doctors’ notes certifying their fitness for duty when they return to work?

The EEOC says yes. The ADA permits such inquiries either because they would not be disability-related or, are justified under the ADA standards for disability-related inquiries of employees given the COVID-19 outbreak. However, doctors and other health care professionals may be too busy during and immediately after a pandemic outbreak to provide fitness-for-duty documentation. Therefore, new approaches may be necessary, such as reliance on local clinics to provide a form, a stamp, or an e-mail to certify that an individual does not have the pandemic virus.

Conkle, Kremer and Engel’s attorneys follow the legal developments concerning Coronavirus issues at the federal, state and local level. We are available to assist employers navigate their rights and obligations in these difficult times.

1
APR
0

Banking and Finance, Beauty Industry, Coronavirus and COVID-19 Regulations, Discrimination, Employment Law, Fashion, Food, Craft Beer and Nutrition, Industries Represented, Manufacturing, Privacy, Privacy Rights, Real Estate & Construction, Sales, Technology

, , , , , , , , , , , , ,

GDPR is Coming: If Your Business is Online, Beware the New EU Privacy Regulation

Posted by:

GDPR is Coming: If Your Business is Online, Beware the New EU Privacy Regulation

If you sell or offer goods to EU residents, even from the U.S., it is now necessary to re-examine your data processing and privacy procedures. There is a new EU privacy law that will go into effect on May 25, 2018, with significant penalties for violations. The EU General Data Protection Regulation, or “GDPR,” covers any website, including a U.S.-based website, selling to EU residents and processing personal data of those EU residents.  Here are some basic questions and issues to address concerning your online presence:

Do you collect, store, or use Personal Data? You are subject to this regulation if your website collects, organizes, stores, disseminates, uses or otherwise processes personal data of EU residents, regardless of where your website keeps or uses such information.

“Personal Data” will likely be broadly interpreted. The GDPR defines “Personal Data” very broadly to include any information that can be used to identify an individual. This can include all sorts of data, like names, e-mail addresses, office addresses, and even IP addresses.

Can your users easily revoke consent? The GDPR takes consent seriously. The GDPR requires you to demonstrate consent was “freely given, specific, informed and unambiguous” by a “clear affirmative action” on the part of the user for the processing of personal data. When you ask for the user’s consent, you must articulate “specified, explicit, and legitimate purposes” for processing the data. Limit the data you collect to what is necessary to achieve these articulated purposes. Be extra careful if you are collecting sensitive personal data – the GDPR raises the bar for obtaining consent to process “special categories of personal data.” And make sure it is as easy for the user to withdraw consent as it is to give consent.

Can you respond quickly and effectively when the user exercises rights under the GDPR? The GDPR grants users, or “data subjects,” quite a few rights, including but not limited to knowing where and why you are taking the data and anything that happens to it, objecting to its collection or use, obtaining a copy of it, correcting or erasing it, or restricting its use. Make sure you have procedures in place to respond appropriately in the event a user exercises rights under the GDPR.

Penalties for failure to comply can be steep. Failure to comply with the GDPR can expose companies to administrative fines of up to 20 million Euros or 4% of the total worldwide annual turnover of an “undertaking” of the preceding financial year, whichever is greater. Even if you use vendors to process your data, you are still responsible for monitoring compliance. You are required to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”

The EU GDPR is a minefield of regulatory requirements that require a close examination of your data processing and privacy procedures. Some companies, such as Microsoft, are implementing a single system worldwide to comply with the EU’s requirements, effectively granting greater-than-required  rights to non-EU residents.  There will likely be considerable uncertainty and confusion as the GDPR requirements are implemented and enforcement begins.  Contact Conkle, Kremer & Engel to help bring your data processing and privacy procedures into compliance.

23
MAY
0

Advertising and Labeling, Banking and Finance, Beauty Industry, Fashion, Food, Craft Beer and Nutrition, Manufacturing, Privacy Rights, Real Estate & Construction, Regulatory Compliance, Sales, Technology

, , , ,

The Conkle Firm and Social Media Influencers at Beautycon LA 2017

Posted by:

The Conkle Firm and Social Media Influencers at Beautycon LA 2017

On August 13, 2017, Conkle, Kremer & Engel attorneys Amanda Washton, Desiree Ho, Aleen Tomassian, Heather Laird and paralegal Chelsea Clark attended Beautycon in Los Angeles, both to assist clients and to observe first-hand the latest trends in the beauty industry. In addition to the thousands of youthful fans and future beauty marketing gurus in attendance, more than 100 brands and over 70 “creators” were featured at the two-day festival.

An annual gathering, Beautycon serves as a space for beauty industry participants to interact with young fans. As the popular beauty ideal moves away from the conventional toward one that is more inclusive and identity based, with the help of a talented team of influencers Beautycon advocated for authenticity – a sentiment to which all attendees could relate.

Beautycon heavily emphasized the growing trend of using social media influencers and celebrity endorsements to connect with consumers.  In exchange for a prized “like” on Instagram, many vendors gifted product samples or even full product lines.  Beautycon exemplified the partnerships that are possible between beauty businesses and social media influencers.  There were plenty of celebrities, “exclusives” and photo-ready backdrops on hand for influencers’ selfies and videos.  There were a number of forward-thinking panels on social media topics, including using beauty-oriented social media platforms to deliver positive self-esteem and diversity messages.  Beautycon demonstrated that connecting brands with social media influencers is rapidly becoming vital to the success of emerging beauty businesses.

For businesses, working with social media influencers involves a host of practical and legal issues and considerations.  Areas of concern can include contracts, copyrights, trademarks, privacy, rights of publicity, false advertising claims, regulatory issues and even trade libel and defamation, among other issues.  With continually evolving social media platforms and issues, it is essential that cosmetics and personal care products companies fully consider the implications of both their social media activities and those of the influencers they seek to help them promote their brands.  CK&E attorneys are excited to participate in dynamic events like Beautycon to help their beauty industry clients meet their needs in the shifting landscape of social media.  (And as the photos show, it doesn’t hurt to partake in a little of the fun, either.)

20
AUG
0

Beauty Industry, Copyrights, Intellectual Property, Personal Care Products, Trademarks

, , , , , , , ,