Tag: California

Preparing Corporate Messaging in the Wake of Dobbs

The United States Supreme Court (“SCOTUS”), in Dobbs v. Jackson Women’s Health Organization, has held that there is no constitutional right to abortion, overruling Roe v. Wade and Casey v. Planned Parenthood.

Employers, who increasingly are finding themselves on the front lines of many societal issues, will need to decide quickly whether and how they might address the Dobbs decision, as public reaction has been and is likely to remain strong. Board members, employees, and shareholders may advocate for corporations to take a visible stand on the issue of abortion and reproductive rights. And employees may want to speak up themselves (possibly via employer social media accounts).

It is important to remember that company communication decisions and actions regarding the Dobbs ruling, as well as other political and social issues, can have practical and legal implications.

The first question is whether your company will comment on Dobbs. If you decide to comment, there are many factors to consider. Your message is an important starting point. Who is your intended audience? Will your employees consider it an opportunity to join in the conversation? What will you say? Even if your message is internal, keep in mind that it may not stay that way, given the nature of social media. And before you think, “I’ll just stay out of it,” remember that some will view silence or neutrality as a statement in and of itself. If you choose not to speak, are you prepared to deal with any potential reaction from customers, employees, or shareholders?

Internally, employees may have questions about health benefits or other terms and conditions of employment because of Dobbs. It will be important to arm all key stakeholders, including leadership, corporate communications, and human resources, with tools to consistently manage these communications and responses.

Whether it’s internal or external communications, expect feedback! How that feedback is handled is as important as the initial communication (or lack thereof).

Certain industries, like healthcare and insurance, may also feel compelled to make an affirmative statement if the Dobbs decision has a direct impact on services and/or products. In those cases, the need to consider all implications is even more pressing.

In thinking through these decisions, employers should also consider who may need to approve any messaging. The board of directors, senior executives, legal, and marketing and communications teams are among the key stakeholders who may need to be consulted. And don’t forget that your public-facing employees may bear the brunt of your response. Are they prepared?

Employers should also keep in mind various laws that may govern their reaction, including those they might otherwise not consider. For example, the National Labor Relations Act protects employees’ rights to collectively discuss terms and conditions of employment at work and off duty – and that applies to employers with and without a unionized workforce. The current Biden-appointed General Counsel of the National Labor Relations Board has taken an expanded view of topics that are connected to the workplace. Moreover, some states, including California and New York, have enacted off-duty conduct laws that prohibit employers from disciplining employees for lawful conduct outside of work, which may include political advocacy. There may also be anti-discrimination laws and potential civil and criminal liability associated with your statements, depending on their wording.

Reactions to the Dobbs decision may vary. Some reaction may be comparable to what we’ve seen with respect to other recent political and/or social justice movements, such as Black Lives Matter and #MeToo; others may react differently, or not at all. In these rapidly changing times, companies — particularly publicly traded and consumer-facing ones — need to be make informed decisions. Clear, consistent messaging is key to establishing confident and consistent responses to potential concerns by employees and other stakeholders.

Article By M. Carter DeLorme, Frank C. Morris, JR, Susan Gross Sholinsky, Jennifer Barna, and Erin E. Schaefer of Epstein Becker & Green, P.C.

For more civil rights legal news, click here to visit the National Law Review.

©2022 Epstein Becker & Green, P.C. All rights reserved.

Governor Rolls Back California COVID-19 Executive Orders & Cal/OSHA Releases Draft Permanent COVID-19 Standard

On June 17, 2022, Governor Newsom issued an executive order terminating certain provisions of prior executive orders related to Cal/OSHA’s COVID-19 Emergency Temporary Standards (ETS). Some of the terminated orders were no longer necessary due to changes in the ETS. For example, previously the Governor had issued an executive order stating exclusion periods could not be longer than California Department of Public Health (CDPH) guidelines or local ordinances. However, since the ETS now defers to CDPH guidance on isolation and quarantine, the Governor has rescinded his prior executive order on this issue. Moreover, Cal/OSHA has issued guidance for employers on COVID-19 Isolation and Quarantine that aligns with CDPH requirements.

The current version of the ETS remains in effect until the end of 2022. However, Cal/OSHA won’t be done with COVID-19 regulations in 2023. The agency is currently working on a permanent COVID-19 Standard. Recently, the draft of the proposed regulation was released.

The draft regulation carries over many of the employer obligations from the current ETS. The following are some of the proposed requirements:

  • COVID-19 procedures, either included in their Injury and Illness Prevention Program (IIPP) or a separate document.
  • Exclusion and prevention requirements for positive employees and close contacts.
  • Employers would continue to be required to provide testing to employees who have a close contact in the workplace.
  • Employers would continue to have notice requirements for COVID-19 exposure.
  • Employers would continue to have to provide face coverings to employees.
  • Employers would continue to have reporting and recordkeeping requirements for COVID-19 cases and outbreaks in the workplace.

Currently, no public hearing has been set for the proposed permanent COVID-19 Standard, so it is uncertain how soon the regulations may be implemented.

Article By Sean Paisan of Jackson Lewis P.C.

For more coronavirus legal news, click here to visit the National Law Review.

Jackson Lewis P.C. © 2022

By Law, Everything Is Possible In California

The California Civil Code includes a number of decidedly gnomic provisions.  Section 1597 is one of these.  It purports to answer the question of what is possible:

Everything is deemed possible except that which is impossible in the nature of things.

The problem with the statute is that it doesn’t fully answer the question because to know what is possible, one must know what is impossible and the statute doesn’t provide a definition of impossibility.  In this regard, I am reminded of the following lines from James Joyce’s Ulysses: 

But can those have been possible seeing that they never were?  Or was that only possible which came to pass?

But why define what is possible?  The reason is that Civil Code requires that the object of a contract must, among other things, be possible by the time that it is to be performed.  Cal. Civ. Code § 1596.  When a contract that has a single object that is impossible of performance, the entire contract is void.  Cal. Civ. Code § 1598.

Happy Bloomsday!

Today is Bloomsday.  Joyce chose June 16, 1904 as the day on which most (but not all) of the action in Ulysses takes place.  It is called Bloomsday because the hero of the novel is Leopold Bloom.  It was on June 16, 1904 that Joyce and his future wife, Nora Barnacle, had their first date (and intimate contact).

1C8E1253-FA65-4ED3-B026-ABF4D9098AAC

Finn’s Hotel in Dublin, where Nora worked in 1904

Article By Keith Paul Bishop of Allen Matkins Leck Gamble Mallory & Natsis LLP

For more legislative legal news, click here to visit the National Law Review.

© 2010-2022 Allen Matkins Leck Gamble Mallory & Natsis LLP

BREAKING: Supreme Court Reverses California Court of Appeal in Viking River Cruises v. Moriana

On June 15, 2022, the U.S. Supreme Court issued its decision on Viking River Cruises, Inc. v. Moriana (Case No. 20-1573) reversing the California Court of Appeal’s decision to affirm the denial of Viking’s motion to compel arbitration Moriana’s “individual” PAGA claim and to dismiss her other PAGA claims.

As previously reported, the question presented in Viking River Cruises involved whether the Federal Arbitration Act (“FAA”) preempts the California Supreme Court’s decision in Iskanian v. CLS Transp. Los Angeles, LLC, 58 Cal.4th 380 (2014), which invalidates contractual waivers of representative claims under California’s Labor Code Private Attorneys General Act (“PAGA”).

In a majority opinion authored by Justice Alito, the Court held that while Iskanian’s prohibition on “wholesale waivers” of PAGA claims is not preempted by the FAA, Iskanian’s rule that PAGA actions cannot be divided into “individual” and “non-individual claims” is preempted.

Applying this holding to the parties, the Court held that Viking was entitled to enforce the parties’ arbitration agreement insofar as it mandated arbitration of Moriana’s individual PAGA claim.  As for Moriana’s non-individual PAGA claims,  because PAGA itself “provides no mechanism to enable a court to adjudicate non-individual PAGA claims once an individual claim has been committed to a separate proceeding,” Moriana lacks “statutory standing” under PAGA to litigate her “non-individual” claims separately in state court.  Accordingly, “the correct course is to dismiss her remaining claims.”

Article By Timothy Kim and Michele J. Beilke of Hunton Andrews Kurth

For more litigation legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Comparing and Contrasting the State Laws: Does Pseudonymized Data Exempt Organizations from Complying with Privacy Rights?

Some organizations are confused as to the impact that pseudonymization has (or does not have) on a privacy compliance program. That confusion largely stems from ambiguity concerning how the term fits into the larger scheme of modern data privacy statutes. For example, aside from the definition, the CCPA only refers to “pseudonymized” on one occasion – within the definition of “research” the CCPA implies that personal information collected by a business should be “pseudonymized and deidentified” or “deidentified and in the aggregate.”[1] The conjunctive reference to research being both pseudonymized “and” deidentified raises the question whether the CCPA lends any independent meaning to the term “pseudonymized.” Specifically, the CCPA assigns a higher threshold of anonymization to the term “deidentified.” As a result, if data is already deidentified it is not clear what additional processing or set of operations is expected to pseudonymize the data. The net result is that while the CCPA introduced the term “pseudonymization” into the American legal lexicon, it did not give it any significant legal effect or status.

Unlike the CCPA, the pseudonymization of data does impact compliance obligations under the data privacy statutes of Virginia, Colorado, and Utah. As the chart below indicates, those statutes do not require that organizations apply access or deletion rights to pseudonymized data, but do imply that other rights (e.g., opt out of sale) do apply to such data. Ambiguity remains as to what impact pseudonymized data has on rights that are not exempted, such as the right to opt out of the sale of personal information. For example, while Virginia does not require an organization to re-identify pseudonymized data, it is unclear how an organization could opt a consumer out of having their pseudonymized data sold without reidentification.

ENDNOTES

[1] Cal. Civ. Code § 1798.140(ab)(2) (West 2021). It should be noted that the reference to pseudonymizing and deidentifying personal information is found within the definition of the word “Research,” as such it is unclear whether the CCPA was attempting to indicate that personal information will not be considered research unless it has been pseudonymized and deidentified, or whether the CCPA is mandating that companies that conduct research must pseudonymize and deidentify. Given that the reference is found within the definition section of the CCPA, the former interpretation seems the most likely intent of the legislature.

[2] The GDPR does not expressly define the term “sale,” nor does it ascribe particular obligations to companies that sell personal information. Selling, however, is implicitly governed by the GDPR as any transfer of personal information from one controller to a second controller would be considered a processing activity for which a lawful purpose would be required pursuant to GDPR Article 6.

[3] Va. Code 59.1-577(B) (2022).

[4] Utah Code Ann. 13-61-303(1)(a) (2022).

[5] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[6] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[7] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[8] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[9] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[10] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[11] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[12] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[13] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

[14] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

Article By David A. Zetoony of Greenberg Traurig, LLP

For more data privacy and cybersecurity legal news, click here to visit the National Law Review.

©2022 Greenberg Traurig, LLP. All rights reserved.

SCOTUS Cert Recap: Copyright Act’s Fair Use Defense, ‘Dormant’ Commerce Clause, And Independent And Adequate State Ground Doctrine

On March 28, the Supreme Court agreed to consider the following three questions:

Is a work of art that copies from a prior work but that conveys a different meaning than the prior work necessarily “transformative” for the purpose of the Copyright Act’s fair use defense?

Does California’s Proposition 12 – which requires all pork sold in California to come from pigs housed in compliance with the state’s animal-confinement rules, even pigs raised entirely in other states – violate the Constitution’s Commerce Clause?

Is Arizona Rule of Criminal Procedure 32.1(g), which requires a state prisoner seeking post-conviction relief to identify a “significant change in the law” that would probably have produced a different result in the prisoner’s case, an adequate and independent state-law ground to support a state-court judgment denying post-conviction relief?

 

On March 28, the U.S. Supreme Court added three cases to its docket for next term: one about when a work of art “transforms” a prior work for the purpose of the Copyright Act’s fair use defense, another involving a “dormant” Commerce Clause challenge to a California law that prohibits selling any pork in the state unless the pork comes from pigs housed in compliance with California’s animal-confinement rules, and a third concerning whether the independent and adequate state ground doctrine bars the Court from reviewing an Arizona state-court decision denying a request for post-conviction relief.

The copyright and Commerce Clause cases – which drew four and five cert-stage amicus briefs, respectively – will capture significant attention from businesses and civil litigators and could each produce landmark decisions in their respective areas of law. The case concerning the independent and adequate state ground doctrine will be of greater interest to those who practice in the post-conviction area – where such issues arise with some frequency – but all lawyers who practice before the Supreme Court should watch that case carefully as well, as the doctrine applies to all state-court decisions whatever the subject matter.

When Works Are ‘Transformative’ Under the Copyright Act’s Fair Use Defense

In Andy Warhol Foundation for the Visual Arts v. Goldsmith, the Court will return to a question it confronted last year in Google v. Oracle: When does copying a portion of a copyrighted work constitute protected “fair use” under the Copyright Act?

The notion of “fair use” in the copyright context initially developed as a common-law doctrine to allow borrowing in some situations in order to further the Copyright Act’s general purpose of fostering creativity and innovation. Congress codified that doctrine in 1976, and the Copyright Act now expressly recognizes fair use as a defense and lists four non-exclusive factors courts should consider in determining whether a use is “fair”: 1) the purpose and character of the use, 2) the nature of the copyrighted work, 3) the amount used in relation to the copyrighted work as a whole, and 4) the effect of the use upon the potential market for the copyrighted work.

As the Court explained in Google, the first of these factors – the purpose and character of the use – asks “whether the copier’s use adds something new … altering the copyrighted work with new expression, meaning or message,” and the Court has “used the word ‘transformative’ to describe a copying use that adds something new and important.” This case offers the Court an opportunity to provide further detail on what it means for a work of art to be “transformative” in this sense. It concerns a series of silkscreen prints and pencil illustrations created by Andy Warhol – whose foundation is the petitioner here – based on a 1981 portrait photograph of Prince taken by the respondent, Lynn Goldsmith. The foundation argues that the works are necessarily transformative because they convey a new meaning: namely, that they portray Prince as an “iconic” figure rather than the “vulnerable human being” depicted in Goldsmith’s photograph.

In its decision below, however, the Second Circuit rejected the notion that imbuing a work with a new meaning is necessarily “transformative.” It observed that such a rule would seem to expand fair use to make copyright licensing unnecessary in the “paradigmatically derivative” context of film adaptations – since many movies transform the message of the underlying literary work – and it noted that ascertaining the meaning of artistic works is a subjective endeavor to which judges are typically unsuited. Instead, it held that Warhol’s work is not transformative on the ground that it is “both recognizably deriving from, and retaining the essential elements of, its source material.”

The Supreme Court is now set to review this decision and thereby give litigants and lower courts further guidance on what makes a work that borrows from another sufficiently “transformative.” Copyright practitioners around the country will be closely following what the Court says.

Commerce Clause Limits on States’ Authority to Regulate Commerce

In National Pork Producers Council v. Ross, the Court will consider a challenge to California’s Proposition 12, a law that sets minimum size requirements for pig pens – and that extends those requirements to farmers across the country by making compliance with them a condition of selling pork in California.

The challengers contend that the out-of-state application of these pen-size rules violates the Commerce Clause. They note that, while the Commerce Clause is expressly framed as a grant of authority to Congress, the Supreme Court has long read the Commerce Clause to also implicitly limit states’ regulatory authority. This doctrine, often called the “dormant” Commerce Clause, has a handful of different components, and two are at issue in this case.

The first, known as the extraterritoriality doctrine, has been invoked in a number of Supreme Court decisions but is most prominently associated with the 1980s decisions Brown-Foreman Distillers Corp. v. New York State Liquor Authority and Healy v. Beer Institute. The challengers here argue that under these decisions, a state law per se violates the Commerce Clause if its practical effect is to control conduct beyond the state’s boundaries, and they contend Proposition 12 does so by effectively requiring out-of-state farmers to follow California’s pen-size rules on pain of exclusion from the California market. And California responds that Proposition 12 merely regulates in-state sales, and that any indirect, upstream effects it has on farmers is insufficient to run afoul of the extraterritoriality doctrine.

The second issue concerns the balancing test the Supreme Court articulated in Pike v. Bruce Church, which bars state laws that impose a burden on interstate commerce that “is clearly excessive in relation to the putative local benefits.” Here the parties dispute the significance of Proposition 12’s economic effects and the strength of the interests underlying the law – issues that could become complicated by the motion-to-dismiss posture of the case.

The Court has now agreed to address both of these issues, and whatever the Court decides, its decision will carry implications for the validity of state commercial regulations in a wide variety of industries across the country.

The Scope of the Independent and Adequate State Ground Doctrine

In Cruz v. Arizona, the Court will take up a criminal-law case that presents a recurring issue that arises in both criminal and civil cases alike: When does a state-court decision rest on an independent and adequate state ground such that the U.S. Supreme Court lacks jurisdiction to review the decision?

The case arises from the Supreme Court’s 1994 decision in Simmons v. South Carolina, which held that where a capital defendant’s “future dangerousness is at issue, and state law prohibits the defendant’s release on parole, due process requires that the sentencing jury be informed that the defendant is parole ineligible.” The Arizona Supreme Court later concluded that Simmons was inapplicable in Arizona – on the theory that Arizona law did not universally prohibit capital defendants’ release on parole – but the U.S. Supreme Court overturned that conclusion in Lynch v. Arizona.

Shortly thereafter, Cruz – a capital defendant whose trial and sentencing occurred after Simmons but before Lynch – filed a petition for post-conviction relief in Arizona state court. Because this was not Cruz’s first petition, he sought relief under Arizona Rule of Criminal Procedure 32.1(g), which at the time provided that relief would be available even for successive petitions where there “has been a significant change in the law that if determined to apply to defendant’s case would probably overturn the defendant’s conviction or sentence.”

Cruz argued that Lynch constituted a significant change in the law and that it applied retroactively to render his sentence unlawful. And after the Arizona Supreme Court rejected his claim, he filed a cert. petition arguing that federal law requires applying Lynch retroactively in state post-conviction proceedings. Arizona, meanwhile, countered that the Court would lack jurisdiction under the independent and adequate state ground doctrine: The Arizona Supreme Court’s decision, the state argued, simply concluded that Cruz failed to meet the state-law requirements of Rule 32.1(g).

While the U.S. Supreme Court granted Cruz’s cert. petition, it has limited its consideration to only the question concerning the independent and adequate state ground doctrine. And because its answer to that question could affect jurisdictional rulings in all manner of cases, the case will be of interest to anyone who practices before the Court.

Article By Kian Hudson of Barnes & Thornburg LLP

For more litigation legal news, click here to visit the National Law Review.

© 2022 BARNES & THORNBURG LLP

Four Indicted for $16 Million Money Laundering Scheme

Four Indicted for $16 Million Money Laundering Scheme

On March 23, 2022, an indictment was unsealed in the Western District of Arkansas, charging four men for their involvement in wire fraud and money laundering schemes involving fake investment offerings amounting to an alleged $16 million.

According to court documents, the four men allegedly engaged in an investment fraud scheme between 2013 and 2021 in which they falsely represented the nature of their investment offerings and promised large returns, which they could not and did not yield. The indictment also alleges that two of the defendants encouraged victims to send their funds to bank accounts controlled by the other two defendants, and then transferred the money through a complex series of accounts worldwide.

The defendants were charged with wire fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. One defendant was further charged with money laundering. If convicted, the men will face up to 20 years in prison for each count. The additional count of money laundering carries an additional sentence of up to 10 years.

The DOJ press release can be found here.

California Man Pleads Guilty To Stealing Government COVID-19 Relief Funds

On March 18, 2022, a California man pleaded guilty in the Central District of California to misappropriating COVID-19 relief funds obtained through the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

Under the CARES Act Provider Relief Fund, CARES Act health care providers who were financially harmed by the impact of the COVID-19 pandemic are granted federal funds to provide care to patients suffering from COVID-19. According to court documents, the defendant admitted he owned a hospice agency in North Hollywood that was never operational during the COVID-19 pandemic, yet he received approximately $89,162 designated for the medical treatment and care of COVID-19 patients. The defendant admitted he misappropriated the CARES Act funds by spending them for his personal use and then transferring the funds to family members, including one family member in Armenia, rather than using the funds in any way related to the pandemic relief efforts as required.

As part of his guilty plea, the defendant further admitted that he submitted five Economic Injury Disaster Loan (EIDL) applications to the Small Business Administration (SBA) on behalf of his hospice agency and four other entities he controlled. As a result of his fraudulent applications, the SBA disbursed approximately $428,100 in EIDL funds to the man, which he used for his benefit against EIDL requirements.

The man pleaded guilty to three counts of theft of government property and is scheduled to be sentenced on June 13, facing up to 10 years in prison for each count.

The DOJ press release can be found here.

New Jersey Man Convicted for Fraudulently Obtaining US Visas for Chinese Government Employees

On March 23, 2022, a New Jersey man was convicted by a federal jury of one count of conspiracy to defraud the United States and to commit visa fraud for his participation in a conspiracy to fraudulently obtain United States visas for Chinese government employees.

According to court documents, the defendant was involved in a scheme to fraudulently obtain J-1 research scholar visas for employees of the government of the People’s Republic of China (PRC) to allow them to covertly work for the PRC government while in the United States. The defendant operated an office of the China Association for the International Exchange of Personnel (CAIEP), an agency of the PRC government, in New Jersey that seeks to recruit US scientists, academics, engineers, and other experts for the PRC.

The J-1 research scholar program allows foreign nationals to visit the United States to conduct research at a corporate research facility, library, museum, university, or other research institution. The defendant allegedly worked to obtain a J-1 research scholar visa for a prospective employee based on the false representation that the employee would conduct research at a United States university, to conceal unlawful work of another employee who was present in the United States on a J-1 visa sponsored by a US university. The two employees represented to the US government that they were entering the US for the primary purpose of conducting research at US universities, but their actual purpose consisted of working for the CAIEP. The defendant reported the employee’s arrival to the United States to the US universities, procured a local driver’s license for her and disguised her CAIEP salary as a subsidy for research scholar living expenses to make her presence as a research scholar appear legitimate.

As a result of his conviction, the defendant faces a maximum sentence of five years; he is scheduled to be sentenced on July 11.

The Department of Justice (DOJ) press release can be found here.

UPS To Pay $5.3 Million for False Claims Act Allegations

On March 21, 2022, the DOJ announced that United Parcel Service Inc. (UPS) agreed to pay approximately $5.3 million to settle allegations that the company falsely reported information about the transfer of U.S. mail to foreign posts or other intended recipients under contracts with the U.S. Postal Service (USPS), in violation of the False Claims Act (FCA).

UPS was engaged by USPS to pick up U.S. mail at various locations and deliver it to its international and domestic destinations. As a condition of payment, UPS was required to submit electronic scans to USPS to report when the mail was delivered, and there were specified penalties for mail that was delivered late or to the wrong location. The settlement resolves allegations that scans submitted by UPS were falsified times and that UPS, in fact, transferred possession of the mail.

According to DOJ, this is the fifth civil settlement involving air carrier liability for false delivery scans under the USPS International Commercial Air Contracts, pursuant to which the United States has recovered more than $70 million.

The DOJ press release can be found here.

Article By D. Jacques Smith, Randall A. Brater, Mattie Bowden, and Rebecca W. Foreman of ArentFox Schiff LLP

For more white collar crime legal news, click here to visit the National Law Review.

© 2022 ArentFox Schiff LLP

Utah Becomes Fourth U.S. State to Enact Consumer Privacy Law

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

The UCPA applies to a controller or processor that (1) conducts business in Utah or produces a product or service targeted to Utah residents; (2) has annual revenue of $25,000,000 or more; and (3) satisfies at least one of the following thresholds: (a) during a calendar year, controls or processes the personal data of 100,000 or more Utah residents, or (b) derives over 50% of its gross revenue from the sale of personal data, and controls or processes the personal data of 25,000 or more consumers.

As with the CPA and VCDPA, the UCPA’s protections apply only to Utah residents acting solely within their individual or household context, with an express exemption for individuals acting in an employment or commercial (B2B) context. Similar to the CPA and VCDPA, the UCPA contains exemptions for covered entities, business associates and protected health information subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and financial institutions or personal data subject to the Gramm-Leach-Bliley Act (“GLB”). As with the CCPA/CPRA and VCDPA, the UCPA also exempts from its application non-profit entities.

In line with the CCPA/CPRA, CPA and VCDPA, the UCPA provides Utah consumers with certain rights, including the right to access their personal data, delete their personal data, obtain a copy of their personal data in a portable manner, opt out of the “sale” of their personal data, and opt out of “targeted advertising” (as each term is defined under the law). Notably, the UCPA adopts the VCDPA’s more narrow definition of “sale,” which is limited to the exchange of personal data for monetary consideration by a controller to a third party. Unlike the CCPA/CPRA, CPA and VCDPA, the UCPA will not provide Utah consumers with the ability to correct inaccuracies in their personal data. Also unlike the CPA and VCDPA, the UCPA will not require controllers to obtain prior opt-in consent to process “sensitive data” (i.e., racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical or health information, genetic or biometric data, or geolocation data). It will, however, require controllers to first provide consumers with clear notice and an opportunity to opt out of the processing of his or her sensitive data. With respect to the processing of personal data “concerning a known child” (under age 13), controllers must process such data in accordance with the Children’s Online Privacy Protection Act. The UCPA will prohibit controllers from discriminating against consumers for exercising their rights.

In addition, the UCPA will require controllers to implement reasonable and appropriate data security measures, provide certain content in their privacy notices, and include specific language in contracts with processors.

Unlike the CCPA/CPRA, VCDPA and CPA, the UCPA will not require controllers to conduct data protection assessments prior to engaging in data processing activities that present a heightened risk of harm to consumers, or to conduct cybersecurity audits or risk assessments.

In line with existing U.S. state privacy laws, the UCPA does not provide for a private right of action. The law will be enforced by the Utah Attorney General.

Article By the Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

For more cybersecurity and data privacy legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

California Considers Unclaimed Property Voluntary Disclosure, Interest Forgiveness Legislation

The California State Assembly is considering Assembly Bill 2280, which would launch a much-anticipated opportunity for businesses to report unclaimed property to California – interest-free – under an amnesty program.

Unclaimed property is a regulatory challenge for businesses in every industry and commonly results when company financial obligations remain unsatisfied or inactive for a legally defined period.

The unclaimed property is often owed to vendors, employees, customers, or shareholders stemming from ordinary business transactions, including:

  • accounts receivable credits
  • bank and investment accounts
  • gift cards
  • royalties
  • securities and dividends
  • uncashed payroll and vendor payments
  • virtual currencies

California has tried passing voluntary compliance legislation since its amnesty program expired several years ago, but has been unsuccessful. The sleeping giant has again awakened.

Any company with operations in California, with California-formed entities, or with customers, vendors, or employees in California should proactively evaluate its unclaimed property compliance and monitor this legislation carefully.

Every state’s law requires companies to report unclaimed property to the state annually, yet compliance rates are low nationwide. AB 2280 estimates that 1.3 million California tax-filing businesses did not correctly report unclaimed property in 2020. To close this compliance gap, California and most other states regularly audit companies to identify unreported unclaimed property. Such audits often involve detailed reviews of company accounting records for 10 or more years by third-party auditors on behalf of numerous states.

Currently, California imposes 12 percent annual interest on any past-due unclaimed property identified, which likely deters annual compliance, with companies electing to wait for the state to authorize an audit rather than pay the interest assessment. The new bill aims to fix that.

Under AB 2280, California’s Controller is authorized to establish a voluntary disclosure agreement (VDA) or voluntary compliance program for any company that:

  • is not currently under examination by California
  • is not involved in a civil or criminal action involving unclaimed property compliance
  • has not been notified of an unclaimed property interest assessment or negotiated a waiver of interest in the last five years

The proposed law would allow the state to forgive the interest if the company:

  • participates in an educational training program
  • reviews accounting records for unclaimed property for 10 years
  • makes sufficient efforts to reunite property with owners
  • timely files initial reports and remits all identified unclaimed property for the 10 years

The bill may be heard in committee March 19 and it is unclear whether this legislation will become a reality. AB 2280 is not California’s first voluntary disclosure effort. California had a temporary unclaimed property amnesty program in the early 2000s, and the State Assembly declined to advance voluntary disclosure program legislation in February 2018.

Notably, even if AB 2280 successfully becomes law, the voluntary compliance program is contingent upon the legislature appropriating funds in the Budget Act.

Beyond AB 2280, California is ramping up other efforts to drive unclaimed property compliance:

  • In the 2019 California Budget Act, the State Controller’s Office was tasked with increasing unclaimed property compliance, including through adopting an unclaimed property amnesty program; it’s unclear whether this particular bill satisfies that task or if there is more to come
  • In July 2021, California’s governor approved and signed into law Assembly Bill 466, which authorizes the Franchise Tax Board to share information with the Controller’s

Office regarding the taxpayer’s revenue and previous unclaimed property compliance (or lack thereof). This development is notable because revenue and reporting history detail is often used by states to identify companies for unclaimed property enforcement initiatives.

Voluntary compliance programs and VDAs that include an interest abatement are a common-sense incentive for voluntary compliance for states, and the advantages for companies merit thoughtful consideration.

© 2022 BARNES & THORNBURG LLP
For more articles about California legislation, visit the NLR California law section.

As the California Attorney General Focuses on Loyalty Programs, What Do Companies Need to Remember?

The California attorney general (AG) celebrated data privacy day by doing an “investigative sweep” of the loyalty programs of retailers, supermarkets, home improvement stores, travel companies, and food service companies, and sending out notices of non-compliance to businesses that the AG’s office believes might not be fully compliant with the CCPA. As the AG focuses its attention on loyalty programs, the following provides a reminder of the requirements under the CCPA.

What is a loyalty program?

Loyalty programs are structured in a variety of different ways. Some programs track dollars spent by consumers; others track products purchased. Some programs are free to participate in; others require consumers to purchase membership. Some programs offer consumers additional products; other programs offer prizes, money, or products from third parties. Although neither the CCPA nor the regulations implementing the CCPA define a “loyalty program,” as a practical matter most, if not all, loyalty programs have two things in common: (1) they collect information about consumers, and (2) they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.[1]

What are the general obligations under the CCPA?

Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, then its loyalty program will also be subject to the CCPA. In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:

Right Applicability to Loyalty Program
Notice at collection A loyalty program that collects personal information from its members should provide a notice at the point where information is being collected regarding the categories of personal information that will be collected and how that information will be used.[2]
Privacy notice A loyalty program that collects personal information of its members should make a privacy notice available to its members.[3]
Access to information A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.[5]
Deletion of information A member of a loyalty program may request that a business delete the personal information collected about them. That said, a company may be able to deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten.
Opt-out of sale A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt-out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner) it would not be considered a “sale” of information.
Notice of financial incentive To the extent that a loyalty program qualifies as a “financial incentive” under the regulations implementing the CCPA (discussed below), a business should provide a “notice of financial incentive.”[4]

Are loyalty programs always financial incentive programs?

Whether a loyalty program constitutes a “financial incentive” program as that term is defined by the regulations implementing the CCPA depends on the extent to which the loyalty program’s benefits “relate to” the collection, retention, or sale of personal information.”[6] While the California Attorney General has implied that all loyalty programs “however defined, should receive the same treatment as other financial incentives,” a strong argument may exist that for many loyalty programs the benefits provided are directly related to consumer purchasing patterns (i.e., repeat or volume purchases) and are not “related” to the collection of personal information.[7] If a particular loyalty program qualifies as a financial incentive program, a business should consider the following steps (in addition to the compliance obligations identified above):

  • Notify the consumer of the financial incentive.[8] The regulations implementing the CCPA specify that the financial incentive notice should contain the following information:
    • A summary of the financial incentive offered.[11] In the context of a loyalty program a description of the benefits that the consumer will receive as part of the program would likely provide a sufficient summary of the financial incentive.
    • A description of the material terms of the financial incentive. [12] The regulation specifies that the description should include the categories of personal information that are implicated by the financial incentive program and the “value of the consumer’s data.”[13]
    • How the consumer can opt-in to the financial incentive.[14] Information about how a consumer can opt-in (or join) a financial incentive program is typically conveyed when a consumer reviews an application to join or sign-up with the program.
    • How the consumer can opt-out, or withdraw, from the program. [15] This is an explanation as to how the consumer can invoke their right to withdraw from the program.[16]
    • An explanation of how the financial incentive is “reasonably related” to the value of the consumer’s data.[17] While the regulations state that a notice of financial incentive should provide an explanation as to how the financial incentive “reasonably relates” to the value of the consumer’s data, the CCPA requires only that a reasonable relationship exists if a business intends to discriminate against a consumer “because the consumer exercised any of the consumer’s rights” under the Act.[18] Where a business does not intend to use its loyalty program to discriminate against consumers that exercise CCPA-conferred privacy rights, it’s not clear whether this requirement applies. In the event that a reasonable relationship must be shown, however, the regulations require that a company provide a “good-faith estimate of the value of the consumer’s data that forms the basis” for the financial incentive and that the business provide a “description of the method” used to calculate that value.[19]
  • Obtain the consumer’s “opt in consent” to the “material terms” of the financial incentive,[9] and
  • Permit the consumer to revoke their consent “at any time.”[10]

FOOTNOTES

[1] FSOR Appendix A at 273 (Response 814) (including recognition from the AG that “loyalty programs” are not defined under the CCPA, and declining invitations to provide a definition through regulation).

[2] Cal. Civ. Code § 1798.100(a) (West 2021); Cal. Code Regs. tit. 11, 999.304(b), 305(a)(1) (2021).

[3] Cal. Code Regs. tit. 11, 999.304(a) (2021).

[5] Cal. Civ. Code § 1798.100(a).

[4] CAL. CODE REGS. tit. 11, 999.301(n); 304(d); 307(a), (b).

[6] CAL. CODE REGS. tit. 11, 999.301(j) (2021).

[7] FSOR Appendix A at 75 (Response 254).

[8] Cal. Civ. Code § 1798.125(b)(2) (West 2021).

[11] CAL. CODE REGS. tit. 11, 999.307(b)(1) (2021).

[12] CAL. CODE REGS. tit. 11, 999.307(b)(2) (2021).

[13] CAL. CODE REGS. tit. 11, 999.307(b)(2) (2021).

[14] CAL. CODE REGS. tit. 11, 999.307(b)(3) (2021).

[15] CAL. CODE REGS. tit. 11, 999.307(b)(4) (2021).

[16] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

[17] CAL. CODE REGS. tit. 11, 999.307(b)(5) (2021).

[18] Cal. Civ. Code § 1798.125(a)(1), (2) (West 2021).

[19] CAL. CODE REGS. tit. 11, 999.307(b)(5)(a), (b) (2021).

[9] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

[10] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

©2022 Greenberg Traurig, LLP. All rights reserved.
For more articles about data privacy, visit the NLR Cybersecurity, Media & FCC section.