Faegre Baker Daniels – HospitalityLawyer.com
https://pre.hospitalitylawyer.com
Worldwide Legal, Safety & Security Solutions
Sun, 12 May 2019 19:19:27 +0000

The Most Aggressive Privacy Law in the U.S.: Tracking the California Consumer Privacy Act of 2018
https://pre.hospitalitylawyer.com/the-most-aggressive-privacy-law-in-the-u-s-tracking-the-california-consumer-privacy-act-of-2018/
Tue, 14 Aug 2018 16:00:23 +0000

Signed into law on June 28, 2018, the California Consumer Privacy Act provides the most comprehensive and aggressive privacy law in the United States — despite being pushed through the legislative process in one week. The California State Legislature will reconvene from Summer Recess on Monday, August 6, and it is expected to reevaluate the Act before the legislative session closes on August 31. Businesses should get acquainted with the main provisions of the Act and its broader implications as legislators fine-tune this significant law — a process that can continue until the Act goes into effect on January 1, 2020.

How We Got Here

California has a unique ballot initiative process that allows citizens to pass laws outside of the traditional legislative process. At a high level, if a citizen drafts an initiative and then secures enough signatures, s/he can put the initiative on the ballot and California citizens can vote it into law. If such an initiative becomes law, it is significantly more difficult to amend than a law passed through the legislative process.

Here, a real estate developer received over 600,000 signatures for a consumer privacy initiative. The developer vowed to put the initiative on the ballot in November unless the Legislature passed a similar law. With polls suggesting that the initiative would pass if put to a vote, the Legislature passed A.B. 375, the California Consumer Privacy Act of 2018.

Will the Act Apply to Your Company?

The Act provides sweeping protections to consumers and their personal information. It generally applies to any for-profit company, and any entity that controls or is controlled by such company, conducting business in California that collects consumers’ personal information and meets at least one of the following criteria:

  1. Generates annual gross revenues over $25 million.
  2. Alone or in combination, receives or shares the personal information of 50,000 or more consumers, households or devices.
  3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The California Consumer Privacy Act – An Overview

The Act will not go into effect until 2020, and the Legislature may continue to make changes up until that point. In its current form, the main provisions of the Act include:

  1. Sweeping Definition of Personal Information. The Act is much broader than other U.S. statutes that focus on specific sensitive data like Social Security numbers. The Act defines “personal information” as any “information that … could be reasonably linked, directly or indirectly, with a particular consumer or household.” An exclusion exists for publicly available information.
  2. Broad Consumer Rights. The Act grants California residents a broad range of new rights with respect to their personal information. Companies are forced to accommodate these new consumer rights, including:
    1. Companies that collect personal information must disclose to consumers the categories of personal information to be collected and for what purpose they use it.
      If a consumer asks, companies must disclose exactly what personal information they collect on the consumer and for what purpose they use it.
    2. If a consumer asks, companies must deliver such personal information to the consumer in a readily useable format, free of charge.
    3. If a consumer asks, companies must delete any of the consumer’s personal information and direct service providers to do the same. Certain exceptions exist if the consumer’s personal information is necessary to provide the consumer a service.
    4. If a consumer opts out, companies are not allowed to sell that consumer’s personal information to third parties. (For consumers under the age of 16, companies can only sell personal information if such consumers affirmatively opt in to such use of their personal information.)
    5. If a consumer asks, companies must disclose the categories of any third parties to which personal information of the consumer was previously sold or disclosed.
    6. Consumers also maintain a private right of action if a company’s lack of reasonable security practices results in a data breach.
  3. Extensive Authority of Attorney General. The California Attorney General has broad authority to promulgate regulations pursuant to the Act. Also, the Attorney General has the authority to prosecute an action against a company that violates the Act. Additionally, the Act prohibits companies from discriminating against consumers who exercise any of their rights under the Act. However, companies can offer consumers financial incentives to collect or sell their personal information.

The Act also establishes a Consumer Privacy Fund in the General Fund and allows any business to seek the Attorney General’s opinion on how to comply with the Act.

Comparisons to the EU’s GDPR

The Act is modeled after the European Union’s General Data Protection Regulation (GDPR) — but there are meaningful differences between the two. Generally, the Act puts more onus on the consumer. Although consumers are granted broad rights, for the most part, they must take affirmative action to seek the protection afforded under the Act. Under the GDPR, however, that burden is inverted; companies must disclose their legal basis and retention plans for specific data at the time of collection, cannot process certain sensitive information (e.g. health data) or automatically profile consumers without receiving explicit consent, and generally must document data activities internally, whether consumers ask about their information or not. Thus, the Act makes less rigorous demands of companies than the GDPR.

Another major difference? The GDPR took around four years to pass. The California Legislature passed the Act in about one week.

For more information on the GDPR, please visit our International Affairs: GDPR resource page.

Implications of the Act

Although the Act is not as expansive as the EU’s GDPR, it is viewed as the most comprehensive, aggressive privacy law in the United States. Reports estimate that the Act will apply to over half a million U.S. companies. To some extent, domestic U.S. companies have been able to isolate the impacts of the GDPR, but they will likely have less luck ducking the regulatory challenges of the Act. Businesses subject to the Act will be forced to reform their privacy data collection, dissemination, and disclosure practices — which will be an expensive and time-sensitive undertaking.

Some positive news for businesses: the version of the bill that was passed is not likely to be the law that ultimately takes effect. Because the Act was passed by the Legislature instead of by California voters, legislators can change the details up until the Act goes into effect, and they have indicated plans to do so.

More immediately, the Legislature has expressed that it may make technical changes to the bill from August 6 to August 31. Most expect these changes will be limited to small tweaks, including correcting typos or changing terminology. Some trade associations plan to advocate for easy changes to the Act this month and wait until 2019 to address bigger issues.

Certainly, over the next 17 months, we expect many changes to the language of the Act. We’ll be tracking to see whether these changes affect the practical implications of the Act on your business.


MEET THE AUTHORS

Paul H. Luehr, Partner
612.766.7195
paul.leuhr@faegrebd.com

Alison F. Watson, Partner
202.312.7454
alison.watson@faegrebd.com

Nicole L. Pelletier, Associate
317.237.1353
nicole.pelletier@faegrebd.com

5 Things All Businesses With Child Guests Should Include in a Child Protection Policy
https://pre.hospitalitylawyer.com/5-things-all-businesses-with-child-guests-should-include-in-a-child-protection-policy/
Fri, 06 Oct 2017 19:18:06 +0000

Children and vulnerable adults (i.e., adults with disabilities who need assistance with self-care) face unique threats because of their inability to recognize and protect themselves from danger. Organizations that have direct or even indirect contact with children or vulnerable adults should create and adopt a child protection policy and related training program to better safeguard these individuals. Such a policy fosters a child-centered culture of awareness and will help prevent instances of abuse and, consequently, liability to the organization. In fact, many insurance companies require child-centered organizations to demonstrate that they’ve critically evaluated and implemented appropriate policies to keep children and vulnerable adults safe.

1. Prevention Through Background Checks

The sad truth is that predators seek out opportunities to have contact with children and can appear to have their best interests at heart. One of the most important and effective ways to protect children and vulnerable adults is to conduct background checks on all employees and volunteers who may have contact with these individuals. Background checks should include searching local and state-run registries that maintain records on sex and violent offenders and recognized national registries, such as Family Watchdog. Additionally, companies must ensure that prospective employees and volunteers have signed written consents to the background check and also been advised of their rights under the Fair Credit Reporting Act. Your policy additionally should address how often these background checks will be updated and ensure that your employees and volunteers are aware of these periodic updates. If your organization has independent contractors or vendors who may have contact with children and vulnerable adults, then require those entities to certify that they have run background checks on their own employees and volunteers.

2. Safe Contact and Supervision

To further create a culture of awareness and prevention, set forth clear expectations for the contact that employees and volunteers have with children and vulnerable adults. This includes policies on, among other things, appropriate physical contact with a child, who may accompany children to the restroom, and who should be present at events and overnights. However, children face many more threats than predatory adults. For example, develop policies and provide training regarding bullying and abuse by other children. You also might need to consider addressing when and what types of food can be given to a child due to concerns about food allergies. Retail stores that offer food samples should require that an adult be with the child and approve of the child receiving a sample.

If employees and volunteers are going to be charged with the care of children, set forth the appropriate child-adult ratio for events, and consider whether it is appropriate to have certain gender ratios. Also, be sure to obtain appropriate releases from participating children’s parents or guardians detailing medical, allergy or dietary concerns and permitting the organization to administer medical attention in the event of an emergency.

3. Reporting and Responding

All child protection policies should outline clear reporting and responding procedures. Most states have laws that require everyone to report instances of suspected child abuse or neglect to a governmental child protective services agency and also require reporting suspected abuse or exploitation of vulnerable adults to an adult protection services agency. In many states, it is a criminal violation to neglect a statutory duty to report. Your policy should clearly define what constitutes abuse, neglect or exploitation triggering the duty to report directly to a governmental agency with minimal to no involvement (which might be dictated by state law) from a designated organization official. Outline the actions personnel should take in the interim to protect the child or vulnerable adult as well as the measures they should take to ensure that the reporting remains confidential and does not interfere with the agency’s investigation. Conduct that does not constitute abuse, neglect, or exploitation may nonetheless violate the organization’s child protection policy. Consequently, it is critical that personnel can differentiate suspected abuse under state law from mere violations of the policy and understand their duties in responding to and reporting both. Companies should develop internal reporting guidelines for suspected violations of the policy and implement procedures for investigating and resolving such allegations. These guidelines should be comprehensive enough to cover reporting and resolution procedures for allegations against every individual affiliated with the organization, including officers and/or high-level managers.

Child protection policies should separately address what constitutes child pornography as defined by relevant law and how employees and volunteers should report and treat suspected child pornography. In general, suspected child pornography never should be shared with or forwarded to others in the organization, even superiors. The person who reasonably believes an image, document or recording constitutes child pornography should immediately report it to a local police department.

4. Training on the Policy

A well-written child protection policy is only useful if it is understood and followed by your personnel. Include training on the policy in your organization’s orientation and host periodic refresher trainings so it is clear that child protection is a central focus of the organization’s culture. Professionally developed, computerized abuse awareness and prevention training modules are available for organizations to include in training programs. As with other important policies, provide a copy to your employees and volunteers and have them sign an acknowledgement of receipt. Consider requiring employees and volunteers to reread and recertify their compliance on a regular interval.

5. Compliance and Updates

Organizations should designate one employee or manager as the compliance officer responsible for ensuring that the child protection policy is implemented and followed. Conducting periodic internal audits to assess whether the policy is being followed and consistent with current law is critical to ensuring that the organization stays on track. This vigilance also will help the organization determine if the policy needs to be updated or revised. State and federal reporting, child abuse and child pornography laws are periodically amended, and best practices may evolve over time. As a result, organizations should have a policy in place specifying how often the child protection policy should be reviewed, reevaluated and updated.

Conclusion

Where children and vulnerable adults are at the heart of an institution’s mission and activities, protection of those constituents susceptible to abuse and mistreatment must be a priority—both as a matter of community commitment and as risk avoidance. Businesses that have child guests also have strong interests in protecting children and minimizing risks inherent in having children on the premises. Each organization needs to assess its unique needs and services and take those into account in designing an appropriate child protection policy to best protect its visitors. Implementing a generic child protection policy, or simply adopting another entity’s policy, is not likely to be effective, achieve desired outcomes or sufficiently minimize risks.


Authors
Kathy L. Osborn – Partner, Faegre Baker Daniels
Sarah Jenkins – Partner, Faegre Baker Daniels

Other Author(s)
Mary Jane Bennett, Vice President of Human Resources and Safety & Security — The Indianapolis Zoological Society


Thomas J. Posey, Partner
Faegre Baker Daniels LLP
311 S. Wacker Drive, Suite 4300
Chicago, IL 60606, USA
Main:  (312) 212-5500
Direct:   (312) 212-2338
Email:  thomas.posey@faegrebd.com

President Trump Sets New Standards for Cybersecurity
https://pre.hospitalitylawyer.com/president-trump-sets-new-standards-for-cybersecurity/
Sun, 21 May 2017 04:15:43 +0000

President Trump has issued a much-anticipated executive order (EO) on cybersecurity. The order requires all federal executive agencies to adhere to a single security framework and is intended to improve the nation’s defenses against pervasive cyberattacks.

In light of this order, clients may ask more pointed questions about the security policies and procedures that a company follows, especially if those clients have contracts or subcontracts with U.S. federal government agencies. This new directive heightens the need for companies, especially those in “critical infrastructure” sectors, to adopt a formal cybersecurity standard like the one published by the National Institute of Standards and Technology (NIST). Corporate managers must ensure that cybersecurity is more than a stack of policy papers and is a living and breathing strategy within the organization.

Issued on May 11, the EO is called “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The order requires every federal agency to adopt immediately “The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology,” often abbreviated as the “NIST CSF.” This standard, developed over the past several years by NIST, contains several dozen specific security rules organized under five general categories of action: Identify, Protect, Detect, Respond and Recover. The Obama administration encouraged private companies to adopt this standard, especially those who formed part of the nation’s infrastructure. The current order goes further and requires federal agencies to adopt the same standard promoted within the private sector.

As a point of emphasis, the order places new duties on individual agency leaders. In particular, the order holds each agency head personally responsible for risk management and requires each agency head to report to OMB within 90 days regarding the agency’s budget and plan to institute the NIST CSF.

The EO notes the danger posed by computers that are old and out-of-date. Consistent with President Trump’s emphasis on infrastructure spending, the order states, “Effective immediately, it is the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture.” Therefore, federal agencies must describe their plans to spend the appropriate amount of money on updated technology and consider ways to share technology “in the cloud.”

Finally, the executive order requires several new studies. One due in 180 days will focus on improving risk management within the nation’s critical infrastructure (e.g., financial services, energy, defense). Other reports will address information sharing, botnets and automated attacks, electricity disruption, supply chains within the defense sector, national cybersecurity and workforce training.

Some have already criticized the order as a hollow “plan to plan.” However, we believe the order will likely have several specific impacts:

  • By assigning agency heads responsibility for cybersecurity, the topic will take on even more importance in coming weeks and months, especially among government contractors, who will likely face new Federal contract terms affirming that their IT systems meet the new standards.
  • By requiring all federal agencies to adopt the NIST CSF, this order could make this framework the default cybersecurity standard for all U.S. businesses, across all sectors.
  • With this executive order, cybersecurity will become a more regular topic for legal compliance review during contract negotiations, mergers and acquisitions, and business transactions in general.

Therefore, managers, particularly in businesses in “critical infrastructure” sectors, would be wise to raise the profile of cybersecurity within their organization. At a practical level, they can learn more about the NIST CSF at the NIST’s online reference guide. Managers can suggest or promote the NIST CSF as the organization’s standard, promote understanding at the board level and assemble a crisis team to practice the company’s response to a real-world cyber scenario.


Authors

Paul H. Luehr – Partner, Faegre Baker Daniels
Frank S. Swain – Partner, Faegre Baker Daniels



What’s on the Menu?
https://pre.hospitalitylawyer.com/whats-on-the-menu/
Thu, 25 Jun 2015 02:24:30 +0000

The U.S. Food and Drug Administration recently released two final rules for menu and vending machine labeling. “Nutrition Labeling of Standard Menu Items in Restaurants and Similar Retail Food Establishments” significantly expands FDA’s regulatory reach into restaurants and beyond. The rule stems from the Affordable Care Act and the compliance date is Dec. 1.

FaegreBD partner and leader of the firm’s food litigation and regulatory practice Sarah Brew, and associate Courtney Lawrence authored an article for Food & Drink explaining the new rules and what will be required to be in compliance.

Read Full Article Here

___________________________________________________

Authors:

Sarah L. Brew: Sarah Brew leads the firm’s food litigation and regulatory practice, which is nationally ranked by Chambers USA, and is a leader of the firm’s food and agriculture industry group. Sarah has a national reputation for effectively defending food industry clients against labeling and class action consumer fraud claims and representing food processors, distributors and retailers in foodborne illness and contamination cases and supply chain disputes.

Courtney A. Lawrence: Courtney Lawrence is a member of the nationally ranked food litigation and regulatory practice and the national food and agriculture industry team. Her diverse practice encompasses litigation, regulatory and transactional matters for food and agribusiness clients.
