Can You Display Some Online Reviews But Hide Others?

If you receive online reviews for your Amazon or Ebay business, local business with a Yelp or Google Maps profile, or e-commerce store outside the big platforms (e.g. hosted on Shopify or BigCommerce), this post is for you.

Let’s say you run a Shopify store and collect customer reviews through an app such as Yotpo. You receive 1,000 reviews. Yotpo (and other review apps) let you choose whether or not to display each individual review on your website. Let’s say that some of the bad reviews are irrelevant, contain gibberish or profanity, are exaggerated, or are truthful but describe something that happens to 1 out of every 1,000 customers (a “black swan” event). You also have good reason to believe that some of the bad reviews were fraudulently written by your competitors. Can you hide these reviews?

You want a “yes” or “no” answer. Unfortunately, the answer is “maybe”, “it depends”, and “what’s your risk tolerance?”

In an earlier post “Beauty is Truth”, my colleague Elizabeth Ragavanis discussed what businesses generally cannot do with the customer reviews they receive. To summarize: it’s illegal to write fake reviews or hire someone else to do that; it’s also illegal to review your own products (even if you bought them) without disclosing that fact; and - many people don’t know this - it’s illegal to give free product, discounts, or other benefits to someone in exchange for writing reviews, unless you make it very clear to the reviewer that they received such benefits from you in their review. The FTC has recently cracked down on online sellers (e.g. Amazon sellers and mattress companies) for precisely these tactics.

Even where you give someone a free or discounted product without asking the person to write a review, or where you ask the person to write an honest review, you must nevertheless require that person to disclose the fact that he/she has received the product for free or at a discount. The FTC’s reasoning is that while someone who receives a product for free or at a discount can write an honest review, receiving something for free or at a discount colors their perception of the value or quality of the product. Thus, while these reviews might be honest, they may not accurately reflect the general customer experience.

But, to go back to the beginning of this post, what about honest reviews you collect without any inducement or fraud? Can you display some but not others? The FTC notes:

Using Testimonials That Don’t Reflect the Typical Consumer Experience
We want to run ads featuring endorsements from consumers who achieved the best results with our company’s product. Can we do that?
Testimonials claiming specific results usually will be interpreted to mean that the endorser’s experience reflects what others can also expect. Statements like “Results not typical” or “Individual results may vary” won’t change that interpretation. That leaves advertisers with two choices:

1. Have adequate proof to back up the claim that the results shown in the ad are typical, or

2. Clearly and conspicuously disclose the generally expected performance in the circumstances shown in the ad.

How would this principle about testimonialists who achieved exceptional results apply in a real ad?
The Guides include several examples with practical advice on this topic. One example is about an ad in which a woman says, “I lost 50 pounds in 6 months with WeightAway.” If consumers can’t generally expect to get those results, the ad should say how much weight consumers can expect to lose in similar circumstances – for example, “Most women who use WeightAway for six months lose at least 15 pounds.”
___________

So, the answer appears to be that it is okay to hide certain customer reviews, so long as the reviews that remain, viewed as a whole, accurately reflect the typical customer experience.

Under this rationale, it is probably okay to hide reviews that are clearly not good-faith attempts at reviewing a product - e.g. reviews that are trolling, irrelevant, contain gibberish or profanity, are exaggerated, are in poor taste, etc.

It is unclear whether it is okay to hide reviews that reflect “black swan” incidents (e.g. a customer receiving a defective product, which, let’s say, happens to your business once in every 1,000 orders).

Obviously, if your product is mediocre, and your customer base honestly rates it a 3/5 on average, it’s illegal to massage the reviews to make it a 4/5. Improve your product.

Lastly, as with any article written by a lawyer, this article is for general information only. What’s written here may not apply to your particular situation. If you are unsure about what you can and cannot do while “curating” customer reviews, talk to your lawyer.

CARES Act: The Basics

The COVID Business Loan Program: What You Need to Know

Starting today, your business may be eligible to apply for a loan under the Paycheck Protection Program of the COVID economic stimulus plan from Congress. The program is meant to help support small businesses that need help getting through the next few months while maintaining payroll and other benefits for their employees.  Below is some basic information about your potential eligibility and how the program will work for you.


Eligibility

With some exceptions noted below, any company with fewer than 500 employees that has been operational since February 15, 2020 will be eligible for a loan under the CARES Act.

Traditionally, for purposes of the Small Business Administration (the “SBA”), private equity-owned companies are considered "affiliated" with all of the private equity firm's other portfolio companies. In practical terms this means that if you have 100 employees but are owned by a private equity firm whose portfolio companies employ a total of 2,000 people, your business may not qualify. The same goes for companies controlled by VC firms. However, this week House GOP Leader Kevin McCarthy stated that, based on conversations with Treasury Secretary Mnuchin, this affiliation rule would be waived for companies with fewer than 500 employees that don’t have an outside controlling shareholder. McCarthy also advised that formal guidance on this matter would follow in the next few days.

Cannabis-related companies will also be ineligible, as they've historically been blocked from participating in SBA programs due to marijuana’s status as an illicit substance under Federal law.

If you have any questions about the details of the size requirements of the SBA, please also see this info page from the SBA.

Loan Amounts, Interest Rates and Use of Proceeds

The amount of the loan you may be eligible for will be the lesser of:
a)     $10 million, and

b)     2.5 times the average total monthly payments by the applicant for payroll costs (only payroll costs, not the other costs the loan proceeds may cover) incurred during the one-year period before the date of the loan.

The SBA has set an interest rate of 1% on the loans and will not require any personal guarantees or collateral.

The proceeds of the loan can be generally used to:

a)     pay employees*,

b)    maintain your company’s group health-care benefits,

c)     pay rent and utilities and

d)    pay mortgage interest or interest on other debt obligations that were incurred prior to receipt of the loan.

*Note that these costs do not include compensation of any individual employee in excess of an annual salary of $100,000 (prorated for the period). For example, if you generally pay an employee $12,000 per month, you may count only $8,333.33 of that per month toward payroll costs when determining the potential loan amount.

Repayment

Certain portions of the loan will be eligible for forgiveness by the SBA. The forgivable amount may consist of the following costs incurred during the eight-week period beginning on the date your loan is originated:

a)     payroll costs (recall, this does not include payments in excess of $100,000 in salary per annum),

b)    mortgage interest, and

c)     rent or utility payments.

However, the SBA has stated that at least 75% of the forgiven amount must have been used for payroll. Furthermore, the loan forgiveness amount will be reduced if the number of your full-time employees decreases or if you cut the wages of employees earning less than $100,000 by more than 25%.

After deducting the loan forgiveness amount, the remaining amount will have a maturity date of two years from the date on which you applied for forgiveness.

Each Loan will also have automatic deferment terms (covering both principal and interest) of at least 6 months. The deferments may be extended for up to a maximum of 12 months. Interest will continue to accrue during deferment.

Other Issues to Consider

You should consider the effect borrowing money under this program could have under any current debt obligations you may be party to. As noted above, you will not be required to put up collateral for these loans, but it still will be considered additional debt and could potentially trigger payment provisions under your current debt obligations.

Additionally, if you do decide to take out this kind of loan, keep in mind that you will have to document and carefully track how you use the funds, to ensure they are allocated only to approved expenditures.

How to Apply

The SBA will be guaranteeing the loans, so you will need to apply for them through banks, credit unions and other lenders. The best way to begin is to approach your lender of choice and inquire about applying for a 7(a) small business loan. Ideally this would be a bank you have an existing relationship with and one that already has an SBA program in place, as this may help speed up the process. Note that there are reports that applications will take at least three (3) weeks to process; so, if your business is in desperate need of capital, you may want to apply as soon as possible. As of today, certain banks, most notably JPMorgan Chase, have advised that they are not yet prepared to begin accepting applications.

As part of this process, you will need to present documentation that verifies the number of full-time employees you have, your payroll records and tax filings, insurance filings, and documentation verifying rent, mortgage, utility and other debt instrument payments. The loan application form is now available here.

Going forward we expect the SBA to issue more guidance regarding criteria for receiving loans and also have better estimates on how long it will take for your business to receive the loans once you’ve applied. As we get more information we will keep you updated, but as always, please feel free to reach out to us if you have any questions on how this program could help your business.


How Soon Is Now?


When should you call your lawyer? That’s an easy one.

Recently, a client came to us with a new consumer product design that they’d commissioned; they thought it looked similar to another product already in market. They were concerned it might infringe the other company’s rights. They did the obvious thing and called their lawyer. But in this case, they could have called even sooner. That’s because the client hadn’t reached out when they engaged with the designer. So the client had much less recourse to remedy the infringing deliverable they’d received than if the client had negotiated a simple, effective service agreement that required the designer to create something that didn’t obviously resemble a competitor.

Usually, these issues arise because a client perceives an activity as bearing minimal risk. But a good lawyer is able to quickly assess whether that’s accurate or whether there is some hidden exposure. For instance, a different client sought to obtain shipping insurance for their direct-to-consumer products. Because they pay a fixed monthly fee for their day-to-day work, they send us what might otherwise seem like mundane activity. When we reviewed the policy, its standard terms excluded the type of goods the client was sending, so the client would have been paying for coverage that didn’t insure a single shipment they made.

We strive to create smart billing solutions to allow our clients to feel comfortable reaching out early and often. It helps our clients become more successful and enables us to provide more valuable counsel.

Thoughts on Public and Private Blockchain Technology for Enterprise

In advance of moderating tonight’s Counterpoints discussion hosted by the WSBA, I’m sharing some foundational thoughts on Public and Private Blockchain Technology for Enterprise.

Introduction

Enterprise is increasingly looking to blockchain technology to solve problems and drive efficiency.  Success or failure can be driven by manifold business, technological and relationship issues. One of the most fundamental decisions these organizations face is whether to base their solution on a private blockchain or a public one, and the choice has implications for all of those types of considerations.  Given that Gartner estimates blockchain technology will contribute over $3 trillion in business value in ten years, a broad understanding in the community of key issues will enable faster, more successful adoption and the benefits that can be achieved from it.

Private and public blockchains used by enterprise all restrict access to their networks, but are distinguished by the source of the software that enables participation in the related network.   Private blockchain projects are those like Corda and Symbiont (a client of my firm), and public projects include those like Monax and Besu.  Because enterprise deployments require a level of security and counterparty identification that isn’t relevant to non-permissioned blockchain uses like the Bitcoin network, even public blockchains will involve permissioning of users.  So for purposes of this piece, we will assume that public blockchain technology being deployed uses an application layer that requires permissioned users who are identifiable to other users for purposes of reading, writing and access roles.

What’s on and off the chain?

One of the main distinguishing characteristics of private and public blockchains for enterprise is what can be deployed on the blockchain itself (also known as “Layer 1”).  For privacy and efficiency reasons, public enterprise solutions often keep a portion, and in some cases almost all, transaction data off the blockchain. Sensitive data like party identities and transaction amounts written to a public ledger is, or can become (as the name implies), viewable by anyone with access to the ledger, and that access is unrestricted.  Some companies are working to overcome this limitation by creating solutions that work with the Layer 1 protocol to obscure activity on-chain (MedRec, Kaleido and Zagg Protocol, which are in various stages of development). A further evolution of this is a system like ZeroCash, which uses “zero-knowledge” proofs that allow one party to prove to another that a statement is true without revealing anything beyond the fact that it is true, and mixing services, like ShuffleCoin, that blend the inputs of many users to obscure the source of each.

For this and other reasons, public-network enterprise solutions will generally put only a portion of the data set relating to a particular transaction on Layer 1, relegating the remainder to an off-chain application/database layer that is either centralized (similar to a SaaS solution) or on a secondary chain, like a “child chain” (either is referred to as “Layer 2”).  While this application layer, being permissioned, restricts the information there to select participants, the underlying platform that provides the timestamping and immutability features, as noted above, is not restricted. Even when every sensitive field is kept off-chain, the existence, timing and frequency of the commitments written to Layer 1 remain visible to anyone. For a significant number of critical enterprise activities (like trading), the mere presence of that activity needs to be strictly private, for both regulatory and business reasons.  The efforts of the companies trying to solve these concerns (like those listed above) amount to features added on to a system of protocols and are still in various stages of development. For the most sensitive use cases, a solution that doesn’t include integrated privacy for all transaction data may not suffice.  

Another reason for this bifurcation of data is that public blockchains (proof-of-work networks in particular) currently, and for the foreseeable future, require a tremendous amount of computing power.  Moving part of the process off-chain can provide efficiencies for a public-network solution. This efficiency issue is likely to diminish as transaction processing speeds increase.  Projects like Hyperledger and Falcon have reported faster transaction speeds, which, if realized, would greatly influence the utility of public blockchains for enterprise.  
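The on-chain/off-chain split described above can be shown in a few dozen lines. The following is an added example written for this article, not code from any of the projects it names: the full trade record and a random nonce stay in a permissioned off-chain store, and only a commitment (a hash) is published to the public ledger, which is enough for a counterparty or regulator who is later handed the record to verify that it was timestamped unchanged. It also goes one step beyond the text by showing why a bare hash does not hide a low-entropy field such as a transaction amount: an observer who knows the record layout and the parties can enumerate the amount until the hash matches, which is why the commitment needs a random nonce. The `Layer1` list, the `OffChainStore` dict and `SAMPLE_TRADE` are constructed stand-ins, not real ledger or database APIs.

```python
"""Added example: anchoring an off-chain record on a public ledger with a
hiding commitment. Illustrative code, not from any project named in the
article. Layer1 and OffChainStore are assumed stand-ins for a public chain
and a permissioned Layer 2 database; SAMPLE_TRADE is constructed data."""

import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample trade; parties, amount and currency are made up.
SAMPLE_TRADE: Dict[str, object] = {
    "buyer": "Alice Corp",
    "seller": "Bob Ltd",
    "amount": 4200,  # low-entropy field: only a few thousand plausible values
    "currency": "USD",
}


def canonical(record: Dict[str, object]) -> bytes:
    """Deterministic serialisation so key order and whitespace never change the hash."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def naive_commit(record: Dict[str, object]) -> str:
    """Bare SHA-256 of the record: binds the data but hides nothing a guesser can enumerate."""
    return hashlib.sha256(canonical(record)).hexdigest()


def commit(record: Dict[str, object], nonce: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Hiding commitment: 32 random bytes are prefixed to the record before hashing.
    The nonce stays off-chain next to the record; only the digest is published."""
    if nonce is None:
        nonce = secrets.token_bytes(32)
    return nonce, hashlib.sha256(nonce + canonical(record)).hexdigest()


class Layer1:
    """Stand-in for the public chain: append-only and readable by anyone."""

    def __init__(self) -> None:
        self.blocks: List[Dict[str, object]] = []

    def publish(self, digest: str) -> int:
        self.blocks.append({"height": len(self.blocks), "commitment": digest})
        return len(self.blocks) - 1

    def read(self, height: int) -> str:
        return str(self.blocks[height]["commitment"])


class OffChainStore:
    """Stand-in for the permissioned Layer 2 database holding the full record and nonce."""

    def __init__(self) -> None:
        self._rows: Dict[int, Tuple[Dict[str, object], bytes]] = {}

    def put(self, height: int, record: Dict[str, object], nonce: bytes) -> None:
        self._rows[height] = (record, nonce)

    def get(self, height: int) -> Tuple[Dict[str, object], bytes]:
        return self._rows[height]


def anchor(record: Dict[str, object], nonce: Optional[bytes], ledger: Layer1, store: OffChainStore) -> int:
    """Publish the commitment on Layer 1, keep the record and nonce off-chain; return the block height."""
    nonce, digest = commit(record, nonce)
    height = ledger.publish(digest)
    store.put(height, record, nonce)
    return height


def verify(record: Dict[str, object], nonce: bytes, ledger: Layer1, height: int) -> bool:
    """Anyone handed (record, nonce) recomputes the digest and compares it with
    what was published at that height; any change to the record fails the check."""
    expected = hashlib.sha256(nonce + canonical(record)).hexdigest()
    return hmac.compare_digest(expected, ledger.read(height))


def guess_amount(digest: str, template: Dict[str, object], max_amount: int) -> Optional[int]:
    """Attack on the naive scheme: with the layout and parties known, enumerate
    the amount field until the bare hash matches. Returns the amount or None."""
    for amount in range(max_amount + 1):
        if naive_commit(dict(template, amount=amount)) == digest:
            return amount
    return None


def demo() -> Dict[str, object]:
    ledger, store = Layer1(), OffChainStore()
    fixed_nonce = bytes(range(32))  # fixed only so the result is reproducible
    height = anchor(SAMPLE_TRADE, fixed_nonce, ledger, store)
    record, nonce = store.get(height)
    tampered = dict(record, amount=4201)
    observed = {k: v for k, v in SAMPLE_TRADE.items() if k != "amount"}
    return {
        "height": height,
        "verifies": verify(record, nonce, ledger, height),
        "tamper_detected": not verify(tampered, nonce, ledger, height),
        "naive_leaks": guess_amount(naive_commit(SAMPLE_TRADE), observed, 10_000),
        "salted_leaks": guess_amount(ledger.read(height), observed, 10_000),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice: the serialisation must be canonical, or an honest record re-encoded with different key order will fail verification; and the nonce is part of the secret, so losing it makes the published commitment unverifiable, while leaking it gives the observer everything the hash was meant to hide. Note that the ledger still exposes when and how often commitments were made, which is the "presence of activity" concern raised above.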

Governance/Consensus Protocol

Because both public and private enterprise blockchain solutions rely on permissioning of the users, at the Layer 2 level, they share the same attributes relating to the decision-making amongst participants, like the timing for protocol updates and whether to add new participants into their permissioned ecosystem.  These considerations are important, but not particularly distinguishing between the two types of networks.

However, the underlying network technology does present an added consideration for enterprise solutions running on a public network.  Because the underlying network is not under the control of the participants, the benefits of using a public blockchain to underpin an enterprise, like decentralization, should be balanced against the impact of network events such as reorgs and forks.  While some reorg activity is a normal part of Nakamoto consensus (the protocol Bitcoin uses) and doesn’t necessarily affect the overall finality of network transactions, in other cases reorgs can result in more uncertainty and disruption to the network’s history, as in the case of a 51% attack.  While Layer 2 solutions like side or child chains remove almost all activity from the Layer 1 “mainnet,” the second layer must maintain a nexus with the first that relies on periodic interaction to prove the validity of the second layer, so a deep reorg on Layer 1 is not something the second layer can simply ignore.

Consensus on a private network is determined by a known, accountable set of validators that propose and validate the order of transactions.  When a quorum (the number agreed by the group to be the minimum required) signs a block to declare it valid, that block is added to the chain with no possibility of a reorg or fork.  Consensus is maintained even where some nodes fail or misbehave by means of a Byzantine Fault Tolerant protocol, which keeps the network running as long as the faulty nodes stay below the protocol’s threshold (typically fewer than one third of the validators); this is what provides stability.  

Cost

Although comparison data isn’t available, it seems logical that a private system would be more costly to develop: it’s more difficult and time-consuming to develop an entire ecosystem.  Smart contracts built in a more widely-known language may be easier to develop because the engineer pool is broadened by wider access to the language, especially  where such languages have been open-sourced (like Solidity and DAML), which spreads the cost of development.  

But we also need to consider the transaction costs associated with public blockchains - they change.  So the ability of an enterprise organization to budget for a particular use case will come with some level of variability that may be difficult to build into the budgeting process.

Without a cryptocurrency element, enterprise’s incentive to participate in a private blockchain solution shifts to the efficiencies and other business reasons to justify the cost of implementing and maintaining a private system.  For many larger institutional players, this will be a cost worth taking on, but until private systems mature and become more widely available, proprietary technology used in closed consortia may not be a cost-effective solution for a broader range of small to medium-sized enterprise customers.

Regulatory oversight

A private blockchain is a closed ecosystem that, if designed to allow regulatory oversight, will allow relevant agencies to access the records necessary to the audit function of their roles.  A public blockchain can allow this in the second layer, but the dictates of a public chain’s protocol will override regulatory review if the two are incompatible.

For example, a public blockchain will necessarily contain other parties’ activity that cannot be known by a regulator.  In certain cases, like entities subject to the ’40 Act, this is a relevant consideration, and makes the use of a public blockchain for these regulated entities a challenge, if not impossible.  In addition, the compensation paid to miners on a public blockchain in exchange for the services they provide in settling transactions as of now must still be viewed as compensatory to a transaction. Others have written extensively on the question of whether this constitutes a broker fee or other regulated compensation; for our purposes, it remains a possible complication for some deployments of public blockchain technology.


Legally Marketing Your CBD Products

If you are marketing a CBD product online, beware of the regulatory pitfalls.  

There is a rapidly growing market for products containing CBD: tinctures, creams, body products, edibles, and pet treats. The Agriculture Improvement Act of 2018 (also known as the 2018 Farm Bill) broadened the business possibilities for these products by removing hemp from the definition of marijuana, and specifically defining hemp as cannabis or a cannabis-derived product containing no more than 0.3 percent THC on a dry weight basis. As long as CBD meets this definition, it is no longer illegal as a controlled substance.

However, the Farm Bill also specifically preserved the FDA’s ability to regulate products containing hemp and hemp-derived compounds, including CBD products.  So while CBD itself is not a controlled substance, products containing CBD may still be regulated in other ways. Specifically, the US Food and Drug Administration (the “FDA”) regulates the safety and efficacy of food, drugs and cosmetics, and the Federal Trade Commission (the “FTC”) protects consumers from fraudulent, deceptive, and untruthful business practices.  As a result, the FDA is reviewing the sale of CBD products and the FTC is keeping an eye on how those products are marketed.

Recently the FTC & the FDA jointly issued warning letters to companies marketing CBD products as a treatment or cure for serious diseases like cancer, Alzheimer’s, and epilepsy. The FTC Act makes it unlawful to say in your advertising or marketing that a product can prevent, treat, or cure human disease unless you have “competent and reliable scientific evidence substantiating that the claims are true.” Competent and reliable evidence must be research-based, rigorous, and objective, such as “tests, analyses, research, studies, or other evidence based on the expertise of professionals in the relevant area, that has been conducted and evaluated in an objective manner by persons qualified to do so, using procedures generally accepted in the profession to yield accurate and reliable results.”[1]

In addition, a product that is meant to diagnose, treat, cure, or prevent a disease or affect a function of the body is, in the view of the FDA, being marketed as a drug and therefore subject to regulation as a drug. Furthermore, the Food, Drug and Cosmetic Act currently makes it unlawful to sell food (or other consumables, including animal feed or pet treats) containing CBD. The FDA also has specific requirements before you can call something a “dietary supplement,” and it specifically excludes CBD products from the definition of a dietary supplement.

In combination, these regulations make it very difficult to market and sell CBD products in compliance with law, and nearly impossible if those CBD products are for consumption.

But these regulations are likely to change in the near future, as the FDA continues to research the uses, benefits, and side effects of CBD, taking proactive steps to develop a path for the lawful marketing and sale of CBD products. Currently, both agencies are being selective in their enforcement, since they recognize that there is a market for and a benefit of CBD products.

In an October 10, 2019 Warning Letter to Rooted Apothecary, LLC, the FDA said “while we recognize the potential opportunities and significant interest in drug products containing cannabis and cannabis-derived compounds like CBD, protecting and promoting public health remains our top priority.” In the meantime, the FDA has indicated that it will direct its resources at companies that go “over the line.” Specifically, the FDA is more likely to take action against companies that market products to children or other especially vulnerable people, and companies that promise treatment or cure for serious diseases, when those promises are not supported by valid, accepted, scientific research.

If you are marketing a CBD product, be careful and appreciate the risks when describing the features and benefits of a CBD product. Don’t suggest that your product treats serious conditions like autism, Alzheimer’s, or anxiety. In addition, don’t market products to children. Wherever possible, cite reliable scientific evidence to support any statements you make about your products. Even suggesting that the product “relieves pain” would require supporting scientific research. Until the FDA issues specific guidance and updates its regulations, the marketing and sale of CBD products will be scrutinized, but keeping these guidelines in mind will greatly reduce the risk of receiving a warning letter, fine, or other regulatory action.


[1] https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-industry-substantiation-dietary-supplement-claims-made-under-section-403r-6-federal-food#ftn7


BEAUTY IS TRUTH

 The Federal Trade Commission recently settled with skincare startup Sunday Riley Skincare and its CEO Sunday Riley over allegations that Sunday Riley (both the person and the company) instructed employees to create fake identities and submit fake reviews of Sunday Riley products. The fake reviews violated the FTC Act in at least two ways: 1) making false or misleading claims that the fake reviews reflected the opinions of ordinary users of the products; and 2) deceptively failing to disclose that the reviews were written by Ms. Riley or her employees.

For those of you who weren’t English majors, the title of this post comes from English Romantic poet, John Keats, who wrote “Beauty is truth, truth beauty”. I honestly don’t remember most of the poem,[1] or what it meant, or why it was significant (sorry, Mrs. Uhl), but what I do know is that the English Romantics had great branding and marketing, albeit 19th century style. We remember them as brilliant and doomed, and revere their work, but the truth is that most of them were privileged, creative, restless young people with too much money and time (Byron was a titled Lord, Shelley was a trust fund kid, and though Keats wasn’t wealthy, he had it way better than most 19th century English residents.) The opportunity to romanticize and revise your story is a byproduct of fame and success, even today (*cough cough*Mark Zuckerberg*), but going too far from the truth in your marketing strategy will get you in trouble.

 Even if you aren’t instructing your employees to create fake accounts and use VPNs to mask their identities, you may be creating risk if your employees enthusiastically review your products without disclosing that they are employees. That’s because a consumer review is supposed to be an honest, unbiased opinion so that your average person reading it can rely on it as a real, truthful review.[2] Similarly, if you provide free products, a paycheck, or any other benefit to a social media marketer in exchange for a review, you must require that marketer disclose clearly that they received something in exchange for their review. When an influencer fails to disclose the relationship with the advertiser, the advertiser is subject to FTC sanctions.

 Today’s creative entrepreneurs market their reputations and promote their products through online advertising, word-of-mouth, and social media, but they would still do well to remember the advice “Beauty is truth, truth beauty.” While it’s less likely that tuberculosis will tank your business, running afoul of the Federal Trade Commission’s regulations preventing “deceptive practices” might. The FTC’s website is actually a great resource for information and guidelines about what you can and can’t do when advertising and marketing online. And a simple thing to keep in mind when promoting your company or product “Beauty is truth, truth beauty,—that is all ye know on earth, and all ye need to know."


[1] “Ode on a Grecian Urn” (I googled it.)

[2] See Example 8 in the linked document as well as the “General considerations” section.

CCPA: the New GDPR? (Part III)

The California Consumer Privacy Act, effective January 2020, means that many businesses will have to update their practices and their communications with consumers about data. If the CCPA applies to your business, updating your privacy policy will not be enough. Complying with the CCPA will likely require a change in your data privacy practices as well as an update to your privacy policy, even if you are already compliant with the GDPR.

If you are complying with the GDPR, you’ve already done much of the required foundational work. A GDPR-compliant business has:

  • A process for responding to requests from individuals who want to opt-out, delete, correct, or otherwise exercise control over their personal data.

  • Records of such requests and how the business responded.

  • An inventory of the personal data you collect, and what the business does with it, including any transfers or sales of personal data.

  • An updated privacy policy that tells consumers what information you collect, what you do with it, and how to contact the business to exercise the consumer’s rights over their data.

  • Agreements in place with vendors and third-parties to ensure that they are handling personal data in a way that complies with the law.

If your business was not required to comply with the GDPR, you will want to get all of the above in place in order to comply with the CCPA.

Even if you are GDPR-compliant, the CCPA has different and additional obligations:

  • You must provide a “Do Not Sell My Info” link on your website or mobile app so that consumers can opt-out.

  • You may not sell personal information belonging to anyone who is at least 13 and under 16 years old unless they expressly consent. It’s not enough that a consumer in that age range didn’t opt out; you must collect an express opt-in. (Data on kids under 13 is protected under US Federal law, COPPA, which requires parental consent and establishes other significant protections.)

  • You must disclose any financial incentives that your business provides to individuals in exchange for their personal data, and you must disclose how you have determined the value of that personal information.

  • If you are a data broker, you must register with the State of California.

Keep in mind that the CCPA and the GDPR share a foundation, but have significant differences. It is entirely possible to be compliant with both, but the fact that you are compliant with one does not automatically mean you are compliant with the other.  Conversely, if you have determined that you aren’t required to comply with either, you should still consider what practices and notifications will best protect your business from data breach, legal action, and a loss of consumer confidence going forward.

Please note that the above is a high-level overview for your information, and is not intended to be legal advice for your specific situation.


CCPA: the new GDPR? (Part II)

The California Consumer Privacy Act is often described as similar to, or following in the footsteps of, the EU regulation known as the GDPR (General Data Protection Regulation). The enactment of the GDPR caused much hand-wringing because it substantially changed the way businesses could collect, store, and use personal information of EU residents. The CCPA is not nearly as broad as the GDPR, but it is, like the GDPR, changing the way businesses handle personal data, this time within the US.

The CCPA and the GDPR share similar goals. The idea is to give consumers the right to control the use of their personal information, and to put the burden on businesses to respect individuals’ rights over their personal data. Both laws give individuals the right to bring legal action against a business if the business violates the law. Both laws allow regulators to impose significant financial penalties against a business that violates the law.

Here are some ways they differ and some ways they are the same:


When does the law apply? 

The CCPA applies to for-profit businesses that meet certain thresholds (see Part I) and that collect the personal information of California residents.

The GDPR applies any time personal information from EU residents is processed in any way. (“Processed” means collected, stored, transferred, accessed; pretty much anything you can do to data is “processing.”)


How is “personal information” defined?

CCPA: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

GDPR: “any information relating to an identified or identifiable natural person … such as a name, an identification number, location data, an online identifier …”


Is anonymized, aggregated, and/or de-identified data also personal information?

CCPA: Data that is “reasonably capable of being associated with” an individual or household is personal information. If you could, without too much difficulty, connect that data to a person or household, it is personal information.

GDPR: Data that can be combined with other information to identify an individual is personal information. Data that is truly anonymized is not personal information.


What rights do individuals have over their data?

Right to access – An individual has the right to know what personal data a business has about that individual (this right is more limited under the CCPA)

Right to delete – An individual can request that a business delete and remove all of that individual’s personal data (with some exceptions)

Right to correct – Under the GDPR, a business must correct errors in an individual’s personal data if requested. (The CCPA does not include this obligation.)

Right to portability – An individual has a right to obtain a copy from the business of all personal information that business has regarding that individual

Right to opt-out – Under the GDPR, an individual can refuse consent, or withdraw consent previously given, for processing of that individual’s data that relies on consent, and can object to certain other processing. Under the CCPA, a consumer can opt-out of any sale of their personal data to a third-party.

Non-discrimination – The CCPA explicitly says that a business can’t discriminate by refusing service or charging a higher price to a consumer who exercises their rights.


Except in the case of a parent exercising rights over a child’s data, these individual rights can only be exercised by the individual themselves, and not by a third-party seeking access to an individual’s data. It’s important, therefore, to be able to verify the identity of an individual who makes a data access request. 

Note too that both laws have additional obligations for the protection of children’s and special categories of data, like health, financial, or biometric data. Children’s data and special category data are also protected under various Federal laws.

For more information about how to comply with the CCPA, see Part III.


Please note that the above is a high-level overview for your information, and is not intended to be legal advice for your specific situation.


CCPA: the new GDPR?

The dust had just started to settle on the EU’s game-changing new privacy law known as the GDPR (the General Data Protection Regulation), when California led the way to comprehensive changes in US privacy law, too. Even if you’ve done the work to become GDPR compliant, you may need to do more to keep up with the new California law.

The California legislature passed the CCPA (California Consumer Privacy Act) in 2018, which goes into effect in January of 2020 and puts new requirements on certain businesses who collect personal information from California residents.

If you are a business with an online presence, there’s a good chance that you collect at least some information from California residents. Is that enough to put you under the CCPA’s oversight?

The CCPA applies to for-profit businesses that collect personal information from California residents if at least one of the following is true of the business:

  • It has gross annual revenues in excess of $25 million;

  • It buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;

  • It derives 50 percent or more of annual revenues from selling consumers’ personal information

Many small businesses don’t meet these thresholds, and the CCPA will not apply. It’s still smart to think about your data collection practices though, since other privacy laws may apply now or in the future. Other US states are working on their own data privacy laws, which will likely have different thresholds and obligations.

So what does the CCPA require, and how is it different from the GDPR? Check out Part II to learn more.


Please note that the above is a high-level overview for your information, and is not intended to be legal advice for your specific situation.


Office Action: on Churn

It’s a rainy Wednesday afternoon here, and from our conversation emerged an anecdote about churning fees. It’s something clients fear can happen, but have little ability to detect. I imagine that it’s kind of like how I have felt taking my car to a mechanic: unless you can get under the hood yourself, you may never know you’re being overcharged. In this instance, a lawyer made a mistake in a trademark filing and was told about it in a friendly call by the examining attorney at the U.S. Patent and Trademark Office. Resolution should have been simple - the attorney at the PTO can file an examiner’s amendment and continue the filing undisturbed. But the client attorney said, “why don’t you just give me an office action instead?” Which means the PTO formally rejects the application, allowing that lawyer to bill for additional work rather than resolve the issue in a couple minutes. It also delays the client’s application process. But who would know this, beyond the two people on the phone? That’s why it’s important to have a strong relationship with your lawyer. While they may feel the need to ‘make it rain’, it does make it harder for them to soak you. Stay dry out there!

Client Advisory: NY Anti-Harassment Law Deadline

Last year, New York State passed a law requiring employers of any size to implement training and policies regarding sexual harassment and discrimination.  The deadline to comply with all of the law's mandates was extended to October 9, 2019.  

If this hasn't been on your radar, read on.

The new law has two main requirements.  First, every New York State employer must have an anti-discrimination and harassment policy implemented that meets or exceeds specified standards.  These standards require that the policy, at a minimum:

  • prohibit sexual harassment consistent with guidance issued by the Department of Labor in consultation with the Division of Human Rights

  • provide examples of prohibited conduct that would constitute unlawful sexual harassment

  • include information concerning the federal and state statutory provisions concerning sexual harassment, remedies available to victims of sexual harassment, and a statement that there may be applicable local laws

  • include a complaint form

  • include a procedure for the timely and confidential investigation of complaints that ensures due process for all parties

  • inform employees of their rights of redress and all available forums for adjudicating sexual harassment complaints administratively and judicially

  • clearly state that sexual harassment is considered a form of employee misconduct and that sanctions will be enforced against individuals engaging in sexual harassment and against supervisory and managerial personnel who knowingly allow such behavior to continue

  • clearly state that retaliation against individuals who complain of sexual harassment or who testify or assist in any investigation or proceeding involving sexual harassment is unlawful

Employers may provide the policy to employees electronically, but if they do, employees must be able to access the policy on a computer provided by the employer during work time and be able to print a copy for their records. 

One important element of the policy is that employers are forbidden from including non-disclosure requirements in the settlement of an employee claim based on sexual harassment, unless the complainant requests it.  In that case, additional requirements must be met for the settlement agreement to be effective.  

A model policy and complaint form are provided, in multiple languages (which is another of the law's requirements), here.

The second part of the law requires that every employee based in New York State, or who spends part of their working time in the state, undergo interactive training that meets minimum standards, and that managers receive additional training. This covers not only full-time workers but also part-time, temporary, and seasonal workers. All current employees must complete the training by the October 9th deadline, and thereafter new employees' training must be completed promptly after they start.

The training must:

  • be interactive

  • include an explanation of sexual harassment consistent with guidance issued by the Department of Labor in consultation with the Division of Human Rights

  • include examples of conduct that would constitute unlawful sexual harassment

  • include information concerning the federal and state statutory provisions concerning sexual harassment and remedies available to victims of sexual harassment

  • include information concerning employees’ rights of redress and all available forums for adjudicating complaints

  • include information addressing conduct by supervisors and any additional responsibilities for such supervisors

Find more information on the law's requirement here, or call one of our attorneys for assistance.

P.S. California employers, watch this space: you have similar obligations with a deadline of January 1, 2021.