Tag: Privacy

Legal Tech Corner: Developing Laws to Fit the Internet of Things

In typical California fashion, the state is leading the charge toward developing law that would regulate the Internet of Things (“IoT”). IoT devices typically include any device that connects to the internet, such as phones, tablets, Amazon “Alexa” and other similar convenience items, thermostats, baby monitors, and even connected home security systems. California SB-327 has passed the California House and Senate and looks like it may soon be signed into law by the Governor. Although not effective until January 1, 2020, the law requires that manufacturers of IoT devices implement certain reasonable security measures in the devices themselves. It also requires manufacturers to force users to customize the password for their device, among other things.

While the law has recently been criticized for being too broad (i.e., it does not define “reasonable” security measures), lawyers and tech specialists recognize that a law that is too specific in dictating technical measures may not “fit” all devices, and that such measures may be outdated by the time the device enters the market. Thus, a balance between vagueness and specificity in the law must be struck. We expect to see some tweaks to this law prior to the final version going into effect in 2020.

Though no other state has yet passed a law similar to the California bill, Congress has proposed an IoT bill called the SMART IoT Act (H.R. 6032), which would require the Department of Commerce to conduct a study of the IoT industry, providing the precursor to perhaps a federal IoT law.

If you have additional questions about navigating the laws relating to IoT devices, or any other cyber security legal issue, please do not hesitate to contact us at 312-368-0100 or nremien@lgattorneys.com

You Can Run But You Can’t Hide… More On Privacy Regulation, GDPR And California. Who’s Next?

On May 25, 2018, the European General Data Protection Regulation (“GDPR”) went into effect. US-based companies that had offices in the European Union or European Economic Area (collectively, “EU”) or whose target market consisted of persons living in the EU were forced to take both IT and legal measures to ensure compliance, or face heavy fines or potential court damages. However, many US-based companies simply decided to block EU access to their e-commerce websites and discontinue selling products to the EU, as a means of avoiding compliance with the GDPR.

While this strategy of avoidance may allow certain companies to avoid taking the compliance measures required by GDPR, it will not be successful as a long-term strategy as more States (and potentially the federal government) adopt privacy laws similar to the California Consumer Privacy Act of 2018 (“CCPA”).

Passed in June 2018, the CCPA will become effective January 1, 2020. Once effective, US companies will have additional regulations with which to comply regarding the processing of personal information (“PI”) of California residents. PI is defined broadly to include “any information that …relates to … a particular consumer or household”. The law was designed to provide California consumers with a means of controlling their personal information, putting them in a better position to protect their privacy and autonomy. Specifically, the CCPA:

  • Gives California consumers the right to know what PI a business has collected about them or their children;
  • Gives California consumers the right to know if such PI has been sold or disclosed for a business purpose, and if so, to whom;
  • Gives California consumers a right to have their PI deleted;
  • Requires businesses to disclose to California consumers whether any of the consumer’s PI has been sold, and if so, allows California consumers to request that the business cease any sales of the consumer’s PI;
  • Prevents a business from denying, changing, or charging more for a service if a California consumer requests information about the sale of the consumer’s PI, or refuses to allow the business to sell the consumer’s PI; and
  • Requires businesses to safeguard California consumers’ PI and hold them accountable if such PI is compromised as a result of a security breach arising from the business’s failure to take reasonable steps to protect the security of consumers’ sensitive information.

Who Must Comply?

Companies must comply if, in the course of their business, they receive PI from any California residents and if they or their parent or subsidiary either: (1) generate annual gross revenues in excess of $25 million, (2) collect PI of 50,000 or more California residents, households or devices annually, or (3) generate 50% or more of their annual revenue from selling California residents’ PI. Interestingly, parent companies and subsidiaries using the same branding are covered by the definition of “business” even if they themselves do not meet or exceed these parameters. Thus, essentially, almost all US companies whose websites collect PI (even if only by obtaining IP addresses) are subject to the CCPA, unless they can ensure that fewer than 50,000 California residents or fewer than 50,000 of their devices visit the company’s site annually.

What about Companies Who Do Not Do Business in California?

Many US companies may have difficulty showing that they do not do business in California. According to the California Civil Code, only companies whose “commercial conduct takes place wholly outside of California” would be able to avoid the CCPA. Further, a company outside California is deemed to be “doing business” in California if it “actively engages in any transaction for the purpose of financial or pecuniary gain or profit in California”. Companies outside California that are qualified to do business in California may be subject to the CCPA if they enter into “repeated and successive transactions” in California, including online transactions. However, while this currently applies only to California, it is very probable that other states will adopt similar legislation.

Whose Information Is Affected?

The new law defines “consumer” broadly to include not only customers, but also employees, patients, tenants, students, parents and children (Cal. Civ. Code Sec. 1798.140(g)). A “resident” includes natural persons who are in California for anything other than a temporary or transitory purpose, and those natural persons who are domiciled in California but are out of the State for a temporary or transitory purpose.

What Are The Penalties of Non-Compliance?

If a business is not in compliance with the CCPA, the California Attorney General’s Office may bring a civil action against the business. The Office may levy penalties for non-compliance of up to $7,500 per intentional violation of any provision, or $2,500 per violation for unintentional violations that are not cured within 30 days of notification.

What are Companies To Do?

Moving forward, all US companies must engage in data mapping to determine what PI they collect, and then put in place updated privacy notices and other procedures to comply with all relevant regulations. While California is often the ringleader, other states are certainly also developing similar laws aimed at protecting the PI of their residents. Until such time as a federal privacy regulation is put into place, US companies will need to analyze carefully where they do business and comply with a patchwork of state laws.

To learn more about the CCPA and other privacy related matters, please contact the author:

Natalie A. Remien, CIPP/US at:

nremien@lgattorneys.com or (312) 368-0100.

New York Toy Fair Is Approaching. Are You Legally Prepared?

February 17, 2018 is fast approaching.  Anyone who is anyone in the toy industry will be at Javits Convention Center showcasing the latest and greatest in toy innovation.  All businesses in the toy industry are putting the final touches on their displays and their presentations.  Is a meeting with the company’s lawyer on the pre-show checklist?  If not, why not?

Consulting with the Company’s lawyer may save a company tens, even hundreds of thousands of dollars.  The following is a short discussion of some of the items that should be on every toy company’s “To-Do” list prior to attending Day One of the New York Toy Fair.

  1. Intellectual Property.

At the very least, the company should consider applying for a trademark registration for the name of the company and its products. Unfortunately, the number one thing most companies forget or ignore until a legal battle is ensuing is to properly protect the company’s intellectual property, such as its name and the names of its products. Trademarks for product names are fairly inexpensive to search and protect, and yet those names may cost a company dearly if they become the subject of a cease and desist letter and resulting federal court infringement litigation. We defended a toy manufacturer that allegedly infringed a competitor’s trademark in a trademark infringement lawsuit. After two years and in excess of $50,000 in legal fees (pretty inexpensive in trademark dispute litigation) the matter was resolved. Consulting with counsel and filing the appropriate trademark applications could have avoided the huge waste of time and expense.

Another form of legal protection often overlooked is copyright for the toy’s design. If the design meets the requirements of a sculptural work, such as a plush toy design, then copyright can be a powerful tool in locking out your competition from the use of designs that are “substantially similar”. Prior to any trade show, toy companies must identify and protect their intellectual property, or risk the very goodwill of the company. Intellectual property can give a company significant value.

  2. Privacy and Security.

Toy companies, like all companies, must take steps to protect the data of the company, minimize the risk of a breach, and put in place technological and legal measures designed to decrease liability in the event a breach does occur. A comprehensive privacy program, including but not limited to updated privacy notices, terms and conditions, internal policies, incident response plans and insurance coverage, all geared toward reducing the risk of legal liability, is imperative if the company is to survive. If the toys being showcased are “smart” or “connected” toys, privacy and security issues involving the Internet of Things will be at the forefront of manufacturers’, retailers’, and consumers’ minds. Retailers seeking to avoid liability undoubtedly will have questions as to how the software works, what personally identifiable data, if any, is collected, and how it is being stored, retained and destroyed. Additionally, if a third party vendor will be used to provide software for a smart or connected toy, the company must seek counsel knowledgeable in privacy and security in order to reduce the legal risk to the company that may result from the use of such software.

  3. Labeling / Advertising.

Federal law requires product packaging and certain advertisements for toys and games intended for use by children 12 years of age and under to display cautionary statements regarding choking and other hazards. Safety related labeling and advertising requirements for toys generally depend upon the category of toy and the age of the child for which the toy is intended. It is imperative that toy companies be familiar with these laws and engage counsel who is familiar with them.

For more information, please contact:

Natalie A. Remien at:

(312) 368-0100 or nremien@lgattorneys.com.

Is Your Business BIPA Compliant?

In order to increase productivity and efficiency, businesses are increasingly using biometric data to identify employees, customers and other individuals.  For example, some employers use biometric data to identify their employees and track work hours for purposes of compensation.   Biometric information includes fingerprints, retina scans, facial scans, hand scans, or other identifiers that are biologically unique to a particular person.   While convenient, and seemingly secure, such biometric identification methods raise serious privacy concerns.  The Illinois Biometric Information Privacy Act, 740 ILCS 14, et seq. (“BIPA”), imposes many requirements concerning the collection, use, storage, and destruction of biometric information with which businesses, including employers, must comply, or risk liability.

Under BIPA, before an Illinois business collects, stores, or uses biometric identifiers, it must develop a written policy and make the policy available to the public.  The policy must include a retention schedule describing how long such data will be stored, and provide guidelines for its destruction when the reason for the original collection of the data no longer exists, such as when an employee resigns.  Additionally, Illinois businesses must describe and adhere to a destruction schedule for biometric information that it is no longer using.  If no schedule is provided, then BIPA requires that a business destroy such information within three years of the individual’s last interaction with the business.

In addition to the required written policy, Illinois businesses must obtain consent and a written release from an individual prior to collecting biometric information.  BIPA is currently one of the strictest state statutes regarding the collection, retention, storage and use of biometric information.  Before biometric information may be collected, all Illinois private entities must (1) inform the individual in writing that a biometric identifier is being collected or stored, (2) inform the individual in writing of the specific purpose and length of time for which the biometric identifier is being collected, stored and used, and (3) receive a written release executed by the individual assenting to the collection, storage and use of a biometric identifier.  Absent a court order or law enforcement directive, businesses may not share biometric information without express consent from the individual.

Illinois businesses that utilize biometric identifiers but do not comply with BIPA may face severe consequences. BIPA provides that individuals may bring an action against a business that negligently or intentionally violates a provision of BIPA.  If the claim is for negligence, the business may be liable for damages up to $1,000 per violation, and if the claim is for an intentional violation of BIPA, the business may be liable for damages up to $5,000 per violation.  Damages in either category may be higher if actual damages exceed these numbers.  An aggrieved party may also receive attorneys’ fees and costs, an injunction, and other relief.

Recently, privacy-related claims are on the rise as a result of BIPA.  Since mid-2017, over 25 lawsuits have been filed in Illinois alleging violations of BIPA.  The majority of the cases are class action lawsuits by employees claiming violations of BIPA relating to employee time clock technology that uses an employee’s fingerprint as a means of identification.  Time will only tell whether employers will spend the additional resources necessary to comply with BIPA, or choose to avoid the use of biometric identifiers and information altogether.

For more information regarding BIPA compliance and other privacy issues, please contact:

Natalie A. Remien at:

(312) 368-0100 or nremien@lgattorneys.com.

Increased Focus on Employer Policies and Handbooks

With the increasing prevalence of employees’ use of social and other electronic media, crafting appropriately narrow internal policies and employee handbook provisions to address the myriad issues that arise in connection with employees’ use of electronic media is vital.

It is widely accepted that employees should not have reasonable expectations of privacy when working on an employer’s computer since company computer systems are owned and/or provided by the company for the purpose of conducting company business. Many companies monitor employee e-mail and Internet activity, in part because employers are often liable for their employees’ actions. Even so, employers must be careful as they enforce their e-mail communications policies.

Generally speaking, the National Labor Relations Act (NLRA) protects non-governmental employees engaged in activities to influence change in the workplace (so-called “protected concerted activity”), even if those employees are not union members and the activity has no connection to union activity or a labor union. Thus, the NLRA protects the rights of all private sector employees to join together, with or without a union, to improve their wages and working conditions.

Over the past few years, the General Counsel of the NLRB has issued complaints against employers that have discriminatorily enforced otherwise valid communication policies. In one case, the NLRB issued a complaint against a distribution company that had in place a rule prohibiting all non-business e-mail communications. However, the employer failed to consistently enforce the rule, allowing non-business e-mail and only disciplining employees when they used e-mail for union solicitations. More recently, the NLRB found that an employer selectively enforced its electronic communications policy in a case where it terminated an employee who e-mailed a petition to the company’s Board of Directors. The petition sought development of a method for employees to directly submit workplace concerns. The evidence in this case showed, contrary to the policy, that the employer’s e-mail policy permitted reasonable personal use of the company’s e-mail system and that employees frequently used their computers for personal purposes. Thus, the employer’s claim that the employee had improperly used its e-mail proved to be a losing argument.

While these few examples of e-mail policy enforcement issues may appear to only apply to unionized companies, this issue may also affect non-unionized companies.

As many are aware, the NLRB has also dealt several blows to employers in recent years regarding employer social media policies and how such policies violated employees’ rights to “concerted activity.” In June of this year, however, in a ‘win’ for an employer, an administrative law judge (ALJ) considered the legality of a restaurant chain’s social media policy which provided that employees not post information regarding the company, their jobs or other employees which could lead to morale issues in the workplace or detrimentally affect the company’s business. The policy also urged employees to make clear that the views they post were the employee’s personal views and not the company’s and requested that employees put a disclaimer on their social media pages stating that the views expressed were the employee’s alone and not the views of the employer. The policy also stated that no employee could use any words, logos or other marks that would infringe upon the intellectual property rights of the company. The ALJ in this case found that the policy when read in its entirety did not forbid employees from engaging in rights protected by the NLRA, but only urged them to be considerate of and civil toward others when putting such items on the Internet. The ALJ also interpreted provisions of the rule precluding use of the company logo in a manner that infringed on the company’s intellectual property rights as simply protecting the company’s legal rights concerning its logo, and did not implicate the employees’ rights under the NLRA.

Workplace policies regarding non-disparagement and confidentiality have also recently come under attack. For example, an employee of Quicken Loans signed an employment contract with broad confidentiality and non-disparagement provisions wherein she agreed to hold “in the strictest of confidence” any “nonpublic information relating to or regarding the company’s business, personnel, operations or affairs.” She also agreed not to “publicly criticize, ridicule, disparage or defame the company or its products, services, policies, directors, officers, shareholders or employees” in “any written or oral statement or image” including emails or social media posting. After leaving Quicken Loans for a competitor, Quicken Loans sued its former employee for allegedly violating certain provisions of her employment contract. The employee filed charges with the NLRB, and the NLRB upheld an administrative law judge’s ruling that Quicken Loans’ confidentiality clause violated the NLRA by restricting employees from discussing compensation or job conditions with co-workers or union organizers. The NLRB also rescinded the non-disparagement provision finding that “within certain limits, employees are allowed to criticize their employer and its products” as part of their rights under the NLRA. Similarly, employer policies that prohibit employees from complaining to the media or requiring employees to obtain permission from management prior to speaking with reporters are unlikely to withstand legal scrutiny.

The prevalent use of technology in the workplace and increased scrutiny by the NLRB of all employees’ rights to engage in protected concerted activity dictate that every employer have policies in place which set forth appropriate and enforceable rules with respect to employees’ use of the company’s computer systems, e-mail and the Internet. It is important to review technology and communication policies periodically, adapt the policies so they evolve as technology changes, and consistently enforce the policies.

To discuss your business’s internal policies, employee handbook or employment agreements, please contact:

Jonathan M. Weis at: jweis@lgattorneys.com or 312-368-0100

or

Mitchell S. Chaban at: mchaban@lgattorneys.com or 312-368-0100
