Who Owns Your Business? The Government – and Maybe Litigation Adversaries – Want to Know

UPDATE: On March 1, 2024, Judge Liles C. Burke, a federal court judge in Alabama, effectively invalidated the Corporate Transparency Act (CTA) by finding it unconstitutional: “The Corporate Transparency Act is unconstitutional because it cannot be justified as an exercise of Congress’ enumerated powers.” National Small Business United v. Yellen, Case No. 5.22-cv-1448-LCB (2024-03-01). The decision will almost certainly be appealed, so expect further developments. In the meantime, while the federal CTA is not currently considered in effect, its state counterparts (such as the New York LLC Transparency Act) remain effective.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ORIGINAL POST:

As we usher in the new year, individuals aren’t the only ones making resolutions. Many business entities organized in the United States must also resolve to comply with the Corporate Transparency Act (CTA), a pivotal component of the National Defense Authorization Act for Fiscal Year 2021. This anti-money laundering law, enforced by the Financial Crimes Enforcement Network (FinCEN), aims to illuminate the ownership and control structures of entities operating within the U.S. But there are important exceptions and potential litigation risks to be aware of.

The Beneficial Ownership Interest Rule (BOI Rule) now mandates that most private business entities file a Beneficial Ownership Interest Report. The BOI Report provides personal information about individuals who own or control the entity. “Beneficial ownership” includes anyone who owns or controls 25% or more of the ownership interests, or who directly or indirectly exercises substantial control over a company. The net was cast widely to include almost any imaginable form of agreement that can grant control to someone, including equity, profit sharing agreements, voting trusts, convertible debt, stock options, joint ownership of an undivided interest, and ownership through subsidiaries. There are certain exceptions for minor children, intermediaries, agents, individuals acting solely as employees, creditors, and individuals whose only interest is through inheritance.

“Substantial control” includes individuals who serve as a senior officer of the entity (i.e., president, CEO, CFO, general counsel, or others who perform similar functions); majority or dominant minority directors; and anyone who directs, determines, or has substantial influence over important decisions made by the entity.

The CTA applies to “a corporation, LLC, or other similar entity that is either created by filing a document with a secretary of state or a similar office under the law of a State . . . or formed under the law of a foreign country and registered to do business in the United States. . . .” This includes Limited Liability Companies (LLCs), limited partnerships and business trusts. But it does not apply to sole proprietorships, general partnerships, or non-business trusts, because those entities are not created through a filing with a Secretary of State.

The CTA of course exempts public companies that file securities reports, but it also has a notable exemption for non-public “large operating companies” as well as some specialized entities like insurance companies, accounting firms, utilities, tax exempt entities, as well as inactive entities. “Large operating companies” that do not have to file a BOI Report are those which employ at least 20 full time employees, maintain a physical office in the U.S., and received at least $5 million in gross receipts for the last fiscal year.

The BOI Reports must include the entity’s name and any fictitious names, its address, its jurisdiction of formation, its taxpayer ID number, and elaborate identification of the beneficial owners: Full legal name, date of birth, residential address, and an identification number and digital copy (this may be a driver’s license, passport, or FinCEN ID). Entities created after January 1, 2024 must provide the same information about the company applicant who filed the paperwork to register the entity.

Entities in existence prior to January 1, 2024 must file their BOI Report by January 1, 2025. New entities registered between January 1, 2024, and December 31, 2024, must submit their BOI Report within 90 days of confirmation of formation. Entities formed on or after January 1, 2025 must submit their BOI Report within 30 days of confirmation of formation. Changes concerning beneficial ownership or corrections to previous BOI Reports must be filed within 30 days. The consequences of failure to file a BOI Report may be costly. A daily fine of $500 can be imposed for non-compliance, up to a maximum of $10,000. Individuals who submit false information in a BOI Report also may be subjected to criminal penalties.

BOI Reports are filed electronically with FinCEN, a bureau of the United States Department of the Treasury that collects information to address money laundering, terrorist financing, and other financial crimes. FinCEN’s “Access Rule” generally limits disclosure of BOI Reports to Federal agencies engaged in national security, intelligence, or law enforcement activity, and state, local, and tribal law enforcement agencies with court authorization, certain foreign law enforcement authorities and financial institutions with customer due diligence requirements and regulators supervising them for compliance.

Interestingly, there is no indication yet whether litigants would be able to obtain copies of BOI Reports through discovery processes in litigation such as civil subpoenas and demands for document production. For example, if a litigant alleges in a pleading that an opponent is an “alter ego” of an entity subject to the BOI Rule, will that be sufficient to require disclosure in discovery of the entity’s BOI Report? Until more specific laws are enacted, at present it seems likely that general constitutional and statutory provisions of the individual states that concern confidentiality and privacy would control such disclosures.

Companies and individuals who may be subject to the Beneficial Ownership Interest Rule would be well advised to consult counsel who can address the nuances of their situation.

California Invasion of Privacy Act Lawsuits Challenge Website Live Chats

Does your business use live chats to offer customer service support to your customers?  Throughout the past year, hundreds of nearly identical suits have been filed alleging that the live chat features on businesses’ websites may violate the California Invasion of Privacy Act (CIPA).  Most of the lawsuits have been filed by attorneys at the Newport Beach, California, firm called Pacific Trial Attorneys, but other firms have brought very similar lawsuits.

CIPA is a set of California penal statutes that are directed against unconsented wiretapping or recording of telephone communications. The CIPA complaints allege that some software vendors that facilitate customer service live chats are acting as third-party eavesdroppers or wiretappers who share sensitive customer information with entities such as Meta for purposes of targeted advertising. In order to fit their allegations of internet-based communications into the CIPA wiretapping and eavesdropping prohibitions protecting telephone communications, the lawsuits often allege that the plaintiffs accessed the defendant’s live chat through their smart phone’s web browser.

The Conkle firm attorneys believe the plaintiff law firms’ approach is a flawed legal theory that is an unwarranted attempt to extend the scope of the CIPA statute.  At present, no reported decisions have determined the merits of these types of claims, and it appears that most of the lawsuits are intended primarily to draw settlements from defendants wishing to avoid the expense and risk of defending themselves.

If your business has a web presence that involves a “chat” function, it may be prudent to take proactive measures to reduce the risk of having to defend a CIPA lawsuit.  Such measures include plain disclosures to live chat users about the involvement of a third-party software vendor, a method of documenting consent of the live chat user, and links to an appropriately-phrased privacy policy. Such prophylactic measures will not only help deter plaintiffs’ lawyers from targeting your business for CIPA violations but can also contribute to a transparent and trustworthy customer experience.

It is also important that you respond quickly and appropriately if you receive a warning letter or demand from a law firm claiming that your business is violating CIPA. A swift and appropriate response is an important part of your defense to such claims and may ward off a lawsuit that is otherwise almost sure to follow. Should you receive a demand letter alleging a CIPA violation based on the conduct described above, it is best to promptly contact experienced counsel for guidance and assistance. Conkle, Kremer & Engel attorneys are very familiar with this area of the law and can guide your business to improve website chat features to forestall such claims, respond to demand letters or, if necessary, defend CIPA litigation.

Are You Ready for the New California Employment Privacy Regulations?

You may recall that the California Privacy Rights Act (CPRA) amendments (Cal. Civ. Code § 1798.100 et seq.) went into effect January 1, 2023, but enforcement was delayed until March 29, 2024. Employers with the requisite contacts with California consumers (which is defined in an extremely broad manner) will be required to provide employees with extensive privacy notices, respond to requests to exercise new data rights, limit uses and disclosures of HR data, and obtain contractual commitments from third-party recipients of personal information.

The CPRA amendments apply to any business with worldwide gross annual revenue of $25 million or more that collects personal information from any California consumer, which includes a service provider, an employee, a job applicant or an investor, for example. All entities that share common branding will be subject to the CPRA requirements if even one of those entities meets the requisite standards.

Generally, when the employer is subject to CPRA, its employees (and service providers, job applicants, investors, etc.) have six data rights:
1. The Right to Delete
2. The Right to Correct
3. The Right to Know
4. The Right to Restrict the Use of Sensitive Personal Information
5. The Right to Opt-Out of the Sale or Sharing of their Personal Information
6. The Right to Not Be Retaliated Against for Exercising these Rights

Each of these general rights is subject to detailed requirements and exceptions that must be carefully considered and addressed by employers, who must give appropriate notification to employees. Employers’ data subject to the CPRA includes only information collected on or after January 1, 2022. Given the suspended enforcement, it is presently uncertain whether employers will be expected to be in compliance through a “look back” period that could apply as early as the enactment date of January 1, 2023, or whether employers will be given a pass on compliance until the enforcement stay expires on March 29, 2024. In any event, employers who may be subject to the amended CPRA would be well advised to start their compliance efforts as soon as possible, and should contact qualified counsel to guide their efforts.

CCPA Metrics Disclosure Requirement Takes Effect July 1, 2021

Effective July 1, 2021, annual public disclosure requirements will start to apply to every business that is required to comply with the California Consumer Privacy Act (“CCPA”), and which knows or should know that (alone or in combination) it  buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10 million or more California residents in a calendar year. This requires these businesses to compile the following metrics for the previous calendar year (January 1, 2020 through December 31, 2020):

  1. The number of requests to know that the business received, complied with in whole or in part, and denied;
  2. The number of requests to delete that the business received, complied with in whole or in part, and denied;
  3. The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
  4. The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

This information must be disclosed in the business’s privacy policy or posted on its website and accessible from a link included in the privacy policy.  The metrics must be updated annually by July 1. In the disclosure, a business may choose to disclose the number of requests that were denied in whole or in part because the request was not verifiable, was not made by a consumer, called for information exempt from disclosure, or was denied on other grounds.

To review, the CCPA, which became effective on January 1, 2020, grants California consumers the right to control the personal information that businesses collect about them. Through the CCPA, California residents have the right to know what personal information is being collected, whether their personal information was sold or disclosed (and to whom), and may request that businesses delete their personal information. Currently, only for-profit businesses that collect consumers’ personal information and meet one or more of these criteria must comply: (1) the business has an annual gross revenue in excess of $25 million; (2) the business collects, buys, receives, sells, or shares the personal information of 50,000 or more California-resident consumers, households, or devices; or (3) the business derives 50% or more of its annual revenue from selling consumers’ personal information. For more information about the rights afforded to California residents, and businesses’ obligations under the CCPA, see below for some of our previous CCPA blog posts.

Among other requirements, all businesses that are required to comply with the CCPA must maintain records of CCPA consumer requests and how the business responded to the requests for at least 24 months. These businesses are required to implement and maintain reasonable security procedures and practices in maintaining these records. Such records may be maintained in a ticket or log format, provided that the ticket or log includes the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.

In addition, the businesses must establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.

Attorneys at Conkle, Kremer & Engel are staying current with the CCPA to guide their clients through compliance with this sweeping data privacy law.

Can Employers Require Employees to be Vaccinated Against COVID-19?

As we have discussed in previous Coronavirus-related blog posts, employers have a general duty to provide a safe and healthy workplace that is free from serious recognized hazards where possible (meaning that such hazards are either nonexistent, eliminated, or reduced to a safe or acceptable level).  While most regions have tiered or priority programs in which newly-released COVID-19 vaccines will only be made available to certain age groups or industry sectors after higher-risk individuals are vaccinated, as the vaccines are made more widely available, “essential” employers and employers who may be planning to resume or increase the scope of their on-premises operations may see vaccination as an important tool to ensure the maximum level of safety within their workplaces.

These employers likely have many questions about COVID-19 vaccines, such as whether they may be able to require employees to be vaccinated against COVID-19 as a condition to being permitted at the workplace, how a vaccination program implicates disability and other related privacy issues and laws, and whether not requiring such vaccinations (or leaving it up to employees) could open them up to potential liability.

Addressing some of these concerns, the federal Equal Employment Opportunity Commission (EEOC) recently released guidance for employers regarding workplace vaccine mandates (see Section K). While the EEOC guidance does not make any blanket rule regarding the permissibility of mandatory vaccinations, it does give recommendations on how an employer should navigate the various concerns that arise in administering a vaccination program.  (But be aware that state health departments may release guidance or rules different from the EEOC and that union workers in particular may have collective bargaining agreements containing particular rules that must be taken into account.)

Vaccines are not Medical Examinations Under the ADA, but Employers Should be Careful with Inquiries Surrounding a Vaccine

The EEOC guidance initially provides that the administration of Coronavirus vaccines is not considered a “medical examination” under the Americans with Disabilities Act (ADA), but that employers should be careful when posing any pre-screening vaccination questions to their employees that might implicate the ADA’s rules regarding inquiries which are likely to elicit information about an employee disability.  Any pre-screening questions (i.e. to determine whether there is a medical reason that would prevent the employee from receiving the vaccine) must be job-related and consistent with business necessity – an employer must have a reasonable belief, based on objective evidence, that an employee that does not answer pre-screening questions and does not receive the vaccine will pose a direct threat to the health or safety of herself or others.  Though the EEOC has previously stated that “based on the guidance of the CDC and public health authorities […] the COVID-19 pandemic meets the direct threat standard,” this assessment may change moving forward, and an employer’s response to the “direct threat” concern will likely differ depending on industry and other workplace contexts.  In workplaces with significant worker density or customer contact, the threat is generally considered greater than in workplaces with limited interpersonal contact or the ability to work from home.  Under the guidance, these concerns apply equally to requests for an employee to show proof of a COVID-19 vaccine – the request by itself is not a disability-related inquiry, but any questions asking for reasons for not obtaining a vaccine may be.

The guidance identifies two circumstances in which disability-related screening questions can be asked of employees without needing to satisfy the “job-related and consistent with business necessity” requirement.  First, if the vaccination program is voluntary rather than mandatory, an employee’s decision to answer screening questions is also voluntary.  In such case, if an employee declines to answer screening questions an employer can decline to administer the vaccine, but the employer cannot retaliate against that employee in any manner for her decision.  The second circumstance is when employees receive an employer-required vaccination from a third party not under contract with the employer, such as a pharmacy.  However, the guidance cautions that any employee medical information obtained in the course of a vaccination program must be kept confidential by the employer, and that employers should advise employees not to provide medical information to the employer when providing proof of vaccination.

If an Employee Cannot Receive the Vaccine due to Disability or Religious Belief, Employers Must Try to Make Accommodations Where Feasible

Per the guidance, if an employee indicates that she is unable to receive a COVID-19 vaccination because of a disability, employers must conduct an individualized assessment of four factors in determining whether there is a direct threat to the health or safety of others in the workplace – the duration of the risk, the nature and severity of the potential harm, the likelihood that the potential harm will occur, and the imminence of the potential harm.  An employer cannot exclude an unvaccinated employee from the workplace unless there is no way to provide a reasonable accommodation to that employee that will eliminate or satisfactorily reduce the threat without undue hardship to the employer.  If such a threat cannot be reduced to an acceptable level, the employer can forbid the employee’s physical presence at the workplace.  However, this does not mean the employer may automatically terminate the employee – in some cases, the employee may be able to work remotely or may be eligible to take leave under various Coronavirus-related legislation, state law, or the employer’s own policies.  Employers should be sensitive to accommodation requests by employees and should engage in an interactive process that takes into account the nature of the industry, the employee’s role, CDC or other health official guidance regarding the current prevalence and severity of Coronavirus outbreaks, and whether an accommodation poses significant expense or difficulty to the employer.

The same standards and practices apply if an employee’s sincerely held religious belief prevents the employee from receiving the vaccine – while an employer should assume that a professed belief is sincerely held, if there is an objective basis for questioning the claimed belief, the employer may be justified in requesting additional information.

Further, the guidance refers to FDA literature providing that particularly because the COVID-19 vaccine is available under an Emergency Use Authorization (EUA) instead of traditional FDA approval, any person may opt out of receiving the vaccine.  As such, even if it is unclear whether disability or religious concerns motivate an employee’s decision to decline a vaccine, an employer should still likely make whatever reasonable accommodations are possible based on individualized assessments of the four factors described above.

The Genetic Information Nondiscrimination Act (GINA) is not Implicated by Employer Administration of a Coronavirus Vaccine

The guidance provides that the COVID-19 vaccines, even though they use mRNA technology, do not involve the use of genetic information to make employment decisions or require the employer’s acquisition or the employee’s disclosure of employees’ genetic information. However, as with disability concerns, employers should be careful to avoid pre-screening questions that specifically seek to obtain “genetic information” about their employees, which can include information about family medical history.

Practical Impacts for Employers Based on the Guidance

Based on the foregoing, employers, depending on the industry and the threat that unvaccinated workers may pose in a particular workplace, may find it easier to encourage but not necessarily require Coronavirus vaccinations, and, if vaccinations are required, employers may find it easier to have employees obtain the vaccines from third parties rather than the employer administering the vaccines.  Employers who do decide to create a vaccination program should create a thoughtful, formal process that both demonstrates reasonable efforts to maintain a workplace free of “direct threats” given the context of the business and takes the various health and privacy-related laws into account.  Protocols should be well-documented, including pre-screening questions and opt-out situations but, again, documentation must be held confidentially and employee inquiries should be narrow.  In some industries (for example, the California health care industry), employers are required to offer certain vaccines to their employees free of charge (and to provide technical information to employees regarding the vaccine itself), though it is unclear whether that requirement would be expanded to all California employers with respect to the COVID-19 vaccine.

An employer with employees who decline to take the vaccine may wish to have those employees sign a statement acknowledging the risks to that employee in making that decision, similar to the declination statement required in health care workplaces in California, and/or a liability waiver.  The employer may also want to post prominent signage or bulletins in its workplace regarding its Coronavirus protocols (which is already required in many instances) that includes some manner of information about the business’ vaccination policy in order to allow customers and others who enter the premises to be informed.  While such documentation may not eliminate liability, it may help to reduce it.

As always, the law surrounding Coronavirus issues in the workplace is constantly evolving. The foregoing is not intended to be an exhaustive representation of federal, state, and local laws and directives regarding COVID-19, but is rather general information about some of the EEOC’s latest positions and how employers might be able to utilize those positions in the context of the particulars of their own workplaces. Employers should always consult with experienced attorneys before taking steps to implement a vaccination policy. Conkle, Kremer & Engel attorneys stay up to date and are ready to help employers understand and implement practices regarding the Coronavirus vaccine in their particular workplace circumstances.

The California Consumer Privacy Act (“CCPA”) Is Enforceable Beginning July 1, 2020. Is Your Business Ready?

You may have noticed a recent influx of personal emails about updates to businesses’ privacy policies and terms and conditions. This may be due, in part, to the California Consumer Privacy Act (“CCPA”) allowing individuals to bring private rights of action against businesses. While the CCPA was effective January 1, 2020, it will be enforceable by the California Attorney General beginning July 1, 2020.

What is the CCPA?

The CCPA grants California consumers the right to control the personal information that businesses collect about them. Through the CCPA, California residents have the right to know what personal information is being collected, whether their personal information was sold or disclosed (and to whom), and may request that businesses delete their personal information. Under the CCPA, personal information is any data that identifies, relates to, or describes a particular person or household. Information such as a person’s name, address, and email address (even a computer IP address) are considered personal information. This applies to information collected online and offline, so the CCPA may apply to businesses even if they do not have a website.

Not all businesses need to comply.

The CCPA applies to for-profit businesses that collect consumers’ personal information and meet one or more of these criteria:

(1) The business has an annual gross revenue in excess of $25M;

(2) The business collects, buys, receives, sells, or shares the personal information of 50,000 or more California-resident consumers, households, or devices; or

(3) The business derives 50% or more of its annual revenue from selling consumers’ personal information.

Even small consumer-oriented businesses should take particular note of the second criterion: If the business’ website collects what the Act classifies as “personal information,” such as email addresses or the IP address of the computer accessing the website, it may not take very long to collect that kind of information about 50,000 California-resident devices or consumers and make the business subject to the Act.

Upon receiving a verified consumer request, businesses meeting any of the above-mentioned criteria must give California residents the means to exercise their rights under the CCPA and cannot discriminate against them for exercising these rights. Businesses must complete the consumer’s request within 45 days, although an extension of time may be available, and the process of responding to consumer requests must be supported by reasonable security procedures and practices.

What happens if a business does not comply?

A failure to cure any alleged violation of the CCPA within 30 days of notification of alleged noncompliance will subject businesses to an injunction and civil penalties of no more than $2,500 per violation or $7,500 per intentional violation. And if personal information is improperly disclosed or stolen due to the absence of reasonable security procedures and practices, businesses may be subjected to civil action for injunctive or declaratory relief, damages of $100 to $750 per consumer, per incident or actual damages (whichever is greater), or any other relief that the court deems proper.

Are you ready to comply with the CCPA? Attorneys at Conkle, Kremer & Engel are staying current with the CCPA to guide their clients through compliance.

Employers’ Duties to Maintain Employee Privacy in a COVID-19 Pandemic

Dealing with illness in the workplace can be challenging under normal circumstances, but it is much more so in the midst of the Coronavirus pandemic. Many questions remain unanswered regarding the precise application of federal, state and local orders and their relationship with employee benefits. As COVID-19 becomes an increasing presence in California workplaces, and employers are forced to comply with government directives, it is just as important as ever for employers to take steps to maintain compliance with employee privacy regulations. Workers who suffer adverse employment decisions, such as pay reductions, furloughs and layoffs, may be particularly attuned to whether all their rights were respected in the process.

How much information may an employer request from an employee who calls in sick, in order to protect the rest of its workforce during the COVID-19 pandemic?

According to Guidance provided by the Equal Employment Opportunity Commission (EEOC) addressing the COVID-19 pandemic, employers covered by the Americans with Disabilities Act (ADA) may ask employees if they are experiencing COVID-19 symptoms such as fever, chills, cough, shortness of breath, or sore throat, but employers must maintain all information about employee illness as a confidential medical record in compliance with the ADA.

Does an employer have a duty to inform employees that one of their colleagues has tested positive for COVID-19?

Employers may be uncertain about whether to tell employees that there has been a reported case of COVID-19 in the workplace. Depending on the particular facts involved, information regarding illness of an employee or family member may be protected under the Health Insurance Portability and Accountability Act (HIPAA), the ADA or both.

A pandemic, on the other hand, likely alters those practices. In light of the rapid spread of COVID-19, employers should promptly inform workers if one of their colleagues tests positive for the virus. However, employers typically need not divulge the identity of an employee or employee’s family member to achieve the objective of maintaining a healthy workplace.

Employers may also choose to notify employees and other relevant parties that contagious illnesses may be present in any workplace and list precautionary steps suggested by medical professionals, such as the CDC. Even when not specifically required by law, it is important for business effectiveness to maintain the privacy of individual employees. These matters are best handled carefully to prevent unnecessary disruption in the workplace.

How should the employer communicate to employees that one of their colleagues has a suspected or confirmed case of COVID-19?

Clear, effective employer communications are critical to providing employees with relevant information, maintaining order in the workplace, and reducing employees’ concerns. Employers should keep the following in mind when developing employee communications:

• Inform employees that the company will take any reasonable and necessary steps to ensure a safe and healthy work environment.
• Identify typical symptoms employees should watch out for.
• Include information on how to protect against getting the illness.
• Advise employees of any changes to policies.
• Notify employees of any discontinued travel.
• Ensure HR is available and prepared to address employees’ questions.

What Are Employers’ Obligations to Prevent Harassment of Those Suspected of Being Infected?

Employers must take steps to prevent discrimination and harassment against individuals who have a potential claim that they are disabled due to a COVID-19 related reason. Employers should consider reminding employees of anti-harassment and discrimination company policies. Employers must be vigilant about promptly responding to and investigating any complaints of harassment or bullying in the workplace, and be conscious to limit the spread of rumors and speculation amongst the workforce.

Under the ADA, may an employer require employees to provide doctors’ notes certifying their fitness for duty when they return to work?

The EEOC says yes. The ADA permits such inquiries either because they would not be disability-related or because they are justified under the ADA standards for disability-related inquiries of employees given the COVID-19 outbreak. However, doctors and other health care professionals may be too busy during and immediately after a pandemic outbreak to provide fitness-for-duty documentation. Therefore, new approaches may be necessary, such as reliance on local clinics to provide a form, a stamp, or an e-mail to certify that an individual does not have the pandemic virus.

Conkle, Kremer and Engel’s attorneys follow the legal developments concerning Coronavirus issues at the federal, state and local level. We are available to help employers navigate their rights and obligations in these difficult times.


California Consumer Privacy Act of 2018 – A U.S. Version of EU’s GDPR

Posted by:

The California Consumer Privacy Act of 2018, regarded as the most comprehensive privacy law in the United States, was unanimously passed by the California legislature and signed into law by Governor Jerry Brown on June 29, 2018. The bill (AB 375) was fast-tracked through the State Senate and Assembly in a rush to defeat an even stricter privacy ballot initiative, which was introduced by Californians for Consumer Privacy. After weeks of intense negotiations with technology companies, Californians for Consumer Privacy agreed to withdraw the initiative if AB 375 was signed into law.

The new law, which takes effect January 1, 2020, is a reactive measure to recent privacy and data breaches, including the Cambridge Analytica scandal, and governs the use of California consumers’ data by larger companies. Businesses are required to disclose the categories of information to be collected prior to collection, as well as the identity of third parties that are allowed to access that information. Consumers also have the right to request the data that has been collected on them and may also request that the data be deleted. While consumers over 16 years old may opt out of having their data sold to third parties without being penalized, businesses are prohibited from selling data collected from consumers under 16 years old unless these underage consumers affirmatively opt in. The bill also gives California consumers the right to sue for up to $750 in the event of a data breach involving non-encrypted personal information due to the failure to implement and maintain reasonable security procedures and practices.

While this California law is the strictest in the nation, it is less restrictive than the EU GDPR. For example, the GDPR requires that consumers opt in, or give consent, by “clear affirmative action,” prior to the collection of personal data, whereas the California law only requires disclosure prior to the collection of personal data and allows consumers to opt out of the sale of personal data. Most importantly, the GDPR requires any business that offers goods or services to consumers in the EU and collects any personal data from those EU residents to comply with the GDPR, while the California law only applies to companies that do business in California and satisfy one of the following criteria: (1) have an annual gross revenue exceeding $25 million; (2) in connection with a commercial purpose, annually buy, receive, sell, or share the personal information of 50,000 or more consumers; or (3) derive 50% or more of their annual revenues from selling consumers’ personal information.

The California Consumer Privacy Act may not remain in final form as passed. Tech companies have already expressed their desire to lobby legislators to change certain provisions of the law which they believe will result in unintended consequences. Lawmakers are expected to make amendments to the bill over the course of the next 18 months.

Conkle Kremer & Engel will continue to monitor the status of the California Consumer Privacy Act and will report on changes to the final version of this law, if any. CK&E has many years of experience advising clients about regulatory compliance issues they face, and helping them prepare for foreseeable changes in the law.

 


GDPR is Coming: If Your Business is Online, Beware the New EU Privacy Regulation

Posted by:

If you sell or offer goods to EU residents, even from the U.S., it is now necessary to re-examine your data processing and privacy procedures. There is a new EU privacy law that will go into effect on May 25, 2018, with significant penalties for violations. The EU General Data Protection Regulation, or “GDPR,” covers any website, including a U.S.-based website, selling to EU residents and processing personal data of those EU residents.  Here are some basic questions and issues to address concerning your online presence:

Do you collect, store, or use Personal Data? You are subject to this regulation if your website collects, organizes, stores, disseminates, uses or otherwise processes personal data of EU residents, regardless of where your website keeps or uses such information.

“Personal Data” will likely be broadly interpreted. The GDPR defines “Personal Data” very broadly to include any information that can be used to identify an individual. This can include all sorts of data, like names, e-mail addresses, office addresses, and even IP addresses.

Can your users easily revoke consent? The GDPR takes consent seriously. The GDPR requires you to demonstrate consent was “freely given, specific, informed and unambiguous” by a “clear affirmative action” on the part of the user for the processing of personal data. When you ask for the user’s consent, you must articulate “specified, explicit, and legitimate purposes” for processing the data. Limit the data you collect to what is necessary to achieve these articulated purposes. Be extra careful if you are collecting sensitive personal data – the GDPR raises the bar for obtaining consent to process “special categories of personal data.” And make sure it is as easy for the user to withdraw consent as it is to give consent.

Can you respond quickly and effectively when the user exercises rights under the GDPR? The GDPR grants users, or “data subjects,” quite a few rights, including but not limited to knowing where and why you are taking the data and anything that happens to it, objecting to its collection or use, obtaining a copy of it, correcting or erasing it, or restricting its use. Make sure you have procedures in place to respond appropriately in the event a user exercises rights under the GDPR.

Penalties for failure to comply can be steep. Failure to comply with the GDPR can expose companies to administrative fines of up to 20 million Euros or 4% of the total worldwide annual turnover of an “undertaking” of the preceding financial year, whichever is greater. Even if you use vendors to process your data, you are still responsible for monitoring compliance. You are required to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”

The EU GDPR is a minefield of regulatory requirements that require a close examination of your data processing and privacy procedures. Some companies, such as Microsoft, are implementing a single system worldwide to comply with the EU’s requirements, effectively granting greater-than-required  rights to non-EU residents.  There will likely be considerable uncertainty and confusion as the GDPR requirements are implemented and enforcement begins.  Contact Conkle, Kremer & Engel to help bring your data processing and privacy procedures into compliance.


The Conkle Firm and Social Media Influencers at Beautycon LA 2017

Posted by:

On August 13, 2017, Conkle, Kremer & Engel attorneys Amanda Washton, Desiree Ho, Aleen Tomassian, Heather Laird and paralegal Chelsea Clark attended Beautycon in Los Angeles, both to assist clients and to observe first-hand the latest trends in the beauty industry. In addition to the thousands of youthful fans and future beauty marketing gurus in attendance, more than 100 brands and over 70 “creators” were featured at the two-day festival.

An annual gathering, Beautycon serves as a space for beauty industry participants to interact with young fans. As the popular beauty ideal moves away from the conventional toward one that is more inclusive and identity based, with the help of a talented team of influencers Beautycon advocated for authenticity – a sentiment to which all attendees could relate.

Beautycon heavily emphasized the growing trend of using social media influencers and celebrity endorsements to connect with consumers.  In exchange for a prized “like” on Instagram, many vendors gifted product samples or even full product lines.  Beautycon exemplified the partnerships that are possible between beauty businesses and social media influencers.  There were plenty of celebrities, “exclusives” and photo-ready backdrops on hand for influencers’ selfies and videos.  There were a number of forward-thinking panels on social media topics, including using beauty-oriented social media platforms to deliver positive self-esteem and diversity messages.  Beautycon demonstrated that connecting brands with social media influencers is rapidly becoming vital to the success of emerging beauty businesses.

For businesses, working with social media influencers involves a host of practical and legal issues and considerations.  Areas of concern can include contracts, copyrights, trademarks, privacy, rights of publicity, false advertising claims, regulatory issues and even trade libel and defamation, among other issues.  With continually evolving social media platforms and issues, it is essential that cosmetics and personal care products companies fully consider the implications of both their social media activities and those of the influencers they seek to help them promote their brands.  CK&E attorneys are excited to participate in dynamic events like Beautycon to help their beauty industry clients meet their needs in the shifting landscape of social media.  (And as the photos show, it doesn’t hurt to partake in a little of the fun, either.)
