Faegre Baker Daniels – HospitalityLawyer.com

The Most Aggressive Privacy Law in the U.S.: Tracking the California Consumer Privacy Act of 2018

Faegre Baker Daniels — Tue, 14 Aug 2018 16:00:23 +0000

Signed into law on June 28, 2018, the California Consumer Privacy Act provides the most comprehensive and aggressive privacy law in the United States — despite being pushed through the legislative process in one week. The California State Legislature will reconvene from Summer Recess on Monday, August 6, and it is expected to reevaluate the Act before the legislative session closes on August 31. Businesses should get acquainted with the main provisions of the Act and its broader implications as legislators fine-tune this significant law — a process that can continue until the Act goes into effect on January 1, 2020.

How We Got Here

California has a unique ballot initiative process that allows citizens to pass laws outside of the traditional legislative process. At a high level, if a citizen drafts an initiative and then secures enough signatures, s/he can put the initiative on the ballot and California citizens can vote it into law. If such an initiative becomes law, it is significantly more difficult to amend than a law passed through the legislative process.

Here, a real estate developer received over 600,000 signatures for a consumer privacy initiative. The developer vowed to put the initiative on the ballot in November unless the Legislature passed a similar law. With polls suggesting that the initiative would pass if put to a vote, the Legislature passed A.B. 375, the California Consumer Privacy Act of 2018.

Will the Act Apply to Your Company?

The Act provides sweeping protections to consumers and their personal information. It generally applies to any for-profit company, and any entity that controls or is controlled by such company, conducting business in California that collects consumers’ personal information and meets at least one of the following criteria:

Generates annual gross revenues over $25 million.
Alone or in combination, receives or shares the personal information of 50,000 or more consumers, households or devices.
Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The California Consumer Privacy Act – An Overview

The Act will not go into effect until 2020, and the Legislature may continue to make changes up until that point. In its current form, the main provisions of the Act include:

Sweeping Definition of Personal Information. The Act is much broader than other U.S. statutes that focus on specific sensitive data like Social Security numbers. The Act defines “personal information” as any “information that … could be reasonably linked, directly or indirectly, with a particular consumer or household.” An exclusion exists for publicly available information.
Broad Consumer Rights. The Act grants California residents a broad range of new rights with respect to their personal information. Companies are forced to accommodate these new consumer rights, including:
1. Companies that collect personal information must disclose to consumers the categories of personal information to be collected and for what purpose they use it.
  If a consumer asks, companies must disclose exactly what personal information they collect on the consumer and for what purpose they use it.
2. If a consumer asks, companies must deliver such personal information to the consumer in a readily useable format, free of charge.
3. If a consumer asks, companies must delete any of the consumer’s personal information and direct service providers to do the same. Certain exceptions exist if the consumer’s personal information is necessary to provide the consumer a service.
4. If a consumer opts out, companies are not allowed to sell that consumer’s personal information to third parties. (For consumers under the age of 16, companies can only sell personal information if such consumers affirmatively opt in to such use of their personal information.)
5. If a consumer asks, companies must disclose the categories of any third parties to which personal information of the consumer was previously sold or disclosed.
6. Consumers also maintain a private right of action if a company’s lack of reasonable security practices results in a data breach.
Extensive Authority of Attorney General. The California Attorney General has broad authority to promulgate regulations pursuant to the Act. Also, the Attorney General has the authority to prosecute an action against a company that violates the Act. Additionally, the Act prohibits companies from discriminating against consumers who exercise any of their rights under the Act. However, companies can offer consumers financial incentives to collect or sell their personal information.

The Act also establishes a Consumer Privacy Fund in the General Fund and allows any business to seek the Attorney General’s opinion on how to comply with the Act.

Comparisons to the EU’s GDPR

The Act is modeled after the European Union’s General Data Protection Regulation (GDPR) — but there are meaningful differences between the two. Generally, the Act puts more onus on the consumer. Although consumers are granted broad rights, for the most part, they must take affirmative action to seek the protection afforded under the Act. Under the GDPR, however, that burden is inverted; companies must disclose their legal basis and retention plans for specific data at the time of collection, cannot process certain sensitive information (e.g. health data) or automatically profile consumers without receiving explicit consent, and generally must document data activities internally, whether consumers ask about their information or not. Thus, the Act makes less rigorous demands of companies than the GDPR.

Another major difference? The GDPR took around four years to pass. The California Legislature passed the Act in about one week.

For more information on the GDPR, please visit our International Affairs: GDPR resource page.

Implications of the Act

Although the Act is not as expansive as the EU’s GDPR, it is viewed as the most comprehensive, aggressive privacy law in the United States. Reports estimate that the Act will apply to over half a million U.S. companies. To some extent, domestic U.S. companies have been able to isolate the impacts of the GDPR, but they will likely have less luck ducking the regulatory challenges of the Act. Businesses subject to the Act will be forced to reform their privacy data collection, dissemination, and disclosure practices — which will be an expensive and time-sensitive undertaking.

Some positive news for businesses: the version of the bill that was passed is not likely to be the law that ultimately takes effect. Because the Act was passed by the Legislature instead of by California voters, legislators can change the details up until the Act goes into effect, and they have indicated plans to do so.

More immediately, the Legislature has expressed that it may make technical changes to the bill from August 6 to August 31. Most expect these changes will be limited to small tweaks, including correcting typos or changing terminology. Some trade associations plan to advocate for easy changes to the Act this month and wait until 2019 to address bigger issues.

Certainly, over the next 17 months, we expect many changes to the language of the Act. We’ll be tracking to see whether these changes affect the practical implications of the Act on your business.

MEET THE AUTHORS

Paul H. Luehr, Partner
612.766.7195
paul.leuhr@faegrebd.com

Alison F. Watson, Partner
202.312.7454
alison.watson@faegrebd.com

Nicole L. Pelletier, Associate
317.237.1353
nicole.pelletier@faegrebd.com

Big Brother or Big Benefit? Weighing the Option of Microchipping Your Employees

Susan Kline — Mon, 11 Sep 2017 01:43:59 +0000

A Wisconsin tech company made news in August 2017 for implanting microchips into the hands of willing employees. While it’s certainly worth keeping an eye on this technology and its uses, early adopter employers face many technological unknowns, employee wariness and potential liabilities (not to mention the expense).

Benefits for Employers

Enhancing company security and employee safety. Implanted chips can’t easily be lost, stolen or loaned, making facilities more secure from outsiders. If they track location, chips can provide accurate employee location information to help resolve theft or misconduct investigations or to find employees in the event of a weather emergency or other workplace safety incident.

Refining time clock procedures and wellness programs. Chips could help ensure that employees are being paid for all time worked, because they could be more accurate than standard time clock or “badging” payroll approaches. Badging technologies leave open the possibility “tailgating” — entering a facility through a secured door by closely following someone who has “badged in” — which hinders accurate payroll information and attendance tracking. Properly used, the chip could offer employees feedback on health metrics as an enhancement to a company wellness program.

Improving recruiting competitiveness. Offering chip alternatives may enhance companies’ reputations and recruiting opportunities if candidates view them as being on the leading edge. In particular, tech-comfortable millennials may be drawn to the idea of entering facilities, paying for food in a company cafeteria and conducting other transactions without carrying separate badges, credit cards, etc.

Communicating With Employees

Before deciding whether to receive a chip, employers should clearly communicate:

That implantation is voluntary and those who do not participate will have the same employment privileges and conditions
When and how the chip will be implanted
How the chip could be removed (voluntarily) if the employee leaves the company and whether employees can ask for removal at any time, at company expense
Exactly what the chip can monitor and how information will be used
Security measures being taken to prevent outside access to data collected
Any health risks and whether to consult a health care provider first

Privacy Concerns

A chip program would need to address employees’ reasonable expectations of privacy. Employers should be forthright about whether and what monitoring would take place outside of work hours and activities, especially if the chips track location.

Medical information that chips could collect is a key privacy concern. The Americans With Disabilities Act (ADA) prohibits employers from making post-employment medical exams or inquiries without a specific, well-documented and job-related business necessity, so employers should not monitor individual medical information from chips. Even for purposes of employer-sponsored wellness programs, employers may only view employee medical information in aggregate form that does not disclose individuals’ identities. If the wellness program is part of the employer’s group health plan, Health Insurance Portability and Accountability Act (HIPAA) privacy, security and breach notification protections apply.

Other Employer Liabilities

In addition to data privacy concerns, including the possibility of data breaches, employers using such chips face the risk of knowing too much. If the chips collect data that is not relevant to employment decisions, and then actually or allegedly misuse that data, it could lead to discrimination claims. Microchipping could hurt recruiting if potential candidates perceive the company as a “big brother” employer. Employees who consent to implantation may later say they felt pressured to do so against their will or were not properly informed about the risks – and claim coercion.

The chips also present possible medical issues, such as infection or fear of cancer, as well as technological risks. How will an employer deal with chip malfunctions or technological advances that make the chips obsolete?

Alternative Options

Before jumping on the microchipping trend, employers should consider less invasive alternatives such as fingerprint recognition devices, “smart” badges that employees keep with them at work (which could also be used for wellness program activity tracking) and vehicle GPS tracking for field personnel.

Thomas J. Posey, Partner
Faegre Baker Daniels LLP
311 S. Wacker Drive, Suite 4300
Chicago, IL 60606, USA
Main:  (312) 212-5500
Direct:   (312) 212-2338
Email:  thomas.posey@faegrebd.com

What’s on the Menu?

Faegre Baker Daniels — Thu, 25 Jun 2015 02:24:30 +0000

The U.S. Food and Drug Administration recently released two final rules for menu and vending machine labeling. “Nutrition Labeling of Standard Menu Items in Restaurants and Similar Retail Food Establishments” significantly expands FDA’s regulatory reach into restaurants and beyond. The rule stems from the Affordable Care Act and the compliance date is Dec. 1.

FaegreBD partner and leader of the firm’s food litigation and regulatory practice Sarah Brew, and associate Courtney Lawrence authored an article for Food & Drink explaining the new rules and what will be required to be in compliance.

Read Full Article Here

___________________________________________________

Authors:

Sarah L. Brew: Sarah Brew leads the firm’s food litigation and regulatory practice, which is nationally ranked byChambers USA, and is a leader of the firm’s food and agriculture industry group. Sarah has a national reputation for effectively defending food industry clients against labeling and class action consumer fraud claims and representing food processors, distributors and retailers in foodborne illness and contamination cases and supply chain disputes.

Courtney A. Lawrence : Courtney Lawrence is a member of the nationally ranked food litigation and regulatory practice and the national food and agriculture industry team. Her diverse practice encompasses litigation, regulatory and transactional matters for food and agribusiness clients.
41 views at time of republishing