Patchwork of State Privacy Laws

Earlier this year, we wrote about the European Union’s General Data Protection Regulation (GDPR) and how California was following suit by passing the California Consumer Privacy Act (CCPA). This law will come into effect on January 1, 2020. 

The CCPA protects California residents by providing heightened privacy rights and consumer protection regarding the collection of their personal data online.  While California residents are the protected class, businesses nationwide will be affected by the CCPA.  Any company whose website is accessed by California residents is subject to the requirements of the CCPA.  Potential damages for violation of the CCPA include statutory or actual damages, as well as fines for intentional and unintentional violations; therefore, it is imperative that businesses ensure their websites, privacy policies, and data collection procedures are compliant with the CCPA as soon as possible.

Additionally, a patchwork of states have started drafting and passing privacy laws in the CCPA’s wake. The infographic above shows which states are proposing and passing new legislation.

One of the two states that has officially passed a data privacy law is Nevada.  Although only passed in May of this year, it will be effective a full three months earlier than the CCPA, October 1, 2019.  This law appears narrower than the CCPA, as it specifically addresses a consumer’s right to opt out of the sale of their personal information, while the CCPA covers the whole gamut of an individual’s rights to data.  Additionally, this bill does not include a private right of action, but rather relies on the Attorney General to enforce it. We are not at all shocked that Nevada would be one of the earliest adopters of additional privacy legislation, however. What happens in Vegas, stays in Vegas.

The other early actor is Maine, whose governor signed one of the strictest internet privacy protection bills into law just this month. Maine’s new privacy law, which goes into effect on July 1, 2020, will require internet service providers to seek consent from their consumers before selling or sharing their personal information with any third party.  Critics have attacked this law on various grounds, arguing that the law conflicts with federal laws, the U.S. Constitution’s Interstate Commerce Clause, and even the right of free speech.  Yikes.  We’re interested to see how these challenges will play out in the courts.

Five additional states have proposed legislation.  All of these proposed bills have pros and cons, but we will look into them in more depth as they progress.

  • New York has proposed a broadly worded bill regarding privacy that includes imposing an obligation on companies as a “data fiduciary” and allows for a private right of action. We expect such an aggressive bill to get some pushback, as a fiduciary duty is a very high obligation.
  • Maryland’s proposal incorporates the CCPA’s prohibition on discriminating against those who exercise their individual rights to data access or deletion (which was one of the big changes from the GDPR to the CCPA) and shares many characteristics with the CCPA. This bill does not allow for a private right of action.
  • Massachusetts’ proposed bill allows for a private right of action for consumers who have had their personal information “improperly collected.” It also prohibits discrimination where consumers have exercised their associated privacy rights.
  • Hawaii’s proposed legislation currently has no definition for “business,” which will hopefully be remedied before its passage. It also does not include a private right of action . . . or any penalties for violations.
  • New Mexico’s proposed bill includes many key individual rights addressed in the CCPA, such as the right to access and deletion of personal information.

Additionally, Mississippi, Washington, and Texas all attempted to pass legislation this year that addressed consumer privacy.  While these bills did not make it through the legislatures, these states are participating in active discussions, which is just more inspiration for the remaining states.

A federal law may soon address this developing patchwork of state laws.  As early as November 2018, various House and Senate Committees held hearings and drafted federal legislation regarding consumer data protection. We expect to hear more from Washington D.C. by August 2019, but again, we’ll keep you posted.

– Kat Gavin, Esq.

Pam Visits Israel

Last month, Pam took some time out of the office to visit the Holy Land.  Pam made the pilgrimage to Israel along with fellow worshipers from Hope Church.  On her trip, she visited Bethlehem and the birthplace of Christ, was baptized in the Jordan River, went to Nazareth and saw Armageddon, and sailed the Sea of Galilee.  She shared some of the photos from her life-changing experience.

Kat Promoted to Partner

Gavin Law Offices, PLC is proud to announce that after her hard work and dedication, Kat Gavin has been promoted to Partner. We are looking forward to all we can accomplish as a team with Kat in this position. Congratulations, Kat!

Canadian Trademark Law Changes

On June 17, 2019, Canada will enact new regulations aimed at bringing Canadian trademark law in line with other countries like the United States.  Below are pertinent changes that will affect how you file and/or maintain your Canadian trademark registrations.

Nice Agreement and Filing Fees:

The Nice Classification, established by the Nice Agreement (1957), is an international classification of goods and services for identifying and registering trademarks.  The Nice Classification system is updated every five years, and the latest version includes 45 classes, with classes 1-34 representing goods and classes 35-45 representing services.  An applicant seeking to register a trademark can choose from these classes as appropriate for its goods/services.  Since the system is recognized in numerous countries, this helps to streamline applying for trademarks internationally.

Under Canada’s previous trademark laws, goods and services descriptions did not require Nice Classifications — applicants needed only to pay a single $250 CAD fee and to describe their goods/services in “ordinary commercial terms.”  One of the significant advantages of the previous Canadian regime was the ability to file with respect to an unlimited range of goods and services, and still only pay a single application fee.  Under the new law, the initial application fee will be $330 CAD for one class and $100 for each additional class in which an applicant wishes to file.

Additionally, for existing Canadian registrations, after June 17, 2019, registrants will need to pay per class for renewed marks as well.  The current renewal fee is $350 CAD, but will increase to $400 CAD, plus $125 for each additional class.

Overall, these changes will make filing for trademark protection in Canada more expensive moving forward.  In order to avoid paying additional fees per class, you may choose to file any new marks and/or renew any existing marks now.

The above changes bring Canadian trademark law in line with many other jurisdictions, including the United States, where applicants are required to separate the descriptions of goods and services according to the Nice Classification system, and to pay a fee for each class claimed in connection with any particular mark.

Shorter Renewal Period:

Previously, registrants were required to renew trademark registrations every 15 years in Canada.  The new revisions will reduce the renewal period to only 10 years.  You may choose to renew your marks in Canada before June 17, 2019 for an additional 15 years of protection.  If you renew a mark in Canada after June 17, 2019, your trademark will be valid for only 10 additional years, after which you must file an additional renewal (essentially losing 5 years of protection for the same cost).

Removal of “Use” as a Requirement for Registration:

Under prior Canadian law, no registration could be issued for a mark until the applicant officially declared use of the trademark in Canada.  Applications based on use in Canada had to contain a date of first use, and applications based on proposed use could not proceed to registration until a Declaration of Use was provided.  The new law removes the use requirement.  After June 17, 2019, an applicant will be able to file and obtain a registration for a mark without ever having used the mark in Canada.  This is similar to intent-to-use applications in the U.S. Under the new system, being the first to file an application will be extremely important, and you may wish to prioritize your Canadian applications in the future.

Madrid Protocol:

Canada’s new law adopts the Madrid Protocol which allows applicants to file an international application within a centrally-administered trademark system.  The applicant may select the member states in which they wish to obtain national protection.  These international applications must be based on a domestic registration or pending application for an identical trademark.  After June 17, 2019, applicants may designate Canada in new International Applications, or as a Subsequent Designation in existing registrations.  We recommend seeking legal counsel prior to filing under the Madrid Protocol, as there are additional considerations and requirements to be taken into account.  Please contact our offices with any questions you may have regarding filing under the Madrid Protocol.

Distinctiveness:

The new Canadian law empowers Canadian trademark examiners to object to a trademark application on the basis that the applied-for mark is not distinctive.  Previously, examiners’ review process was more limited.  After June 17, 2019, new applications may be rejected if an examiner’s “preliminary view is that the trademark is not inherently distinctive,” which will likely lead to more substantive objections during the examination process than in the past.

You May Wish to Consider:

  • Filing new applications, particularly Multi-Class Applications, before June 17, 2019
    • Canada’s filing fee is $250 now, but will increase to $330 (plus $100 for each additional class) on June 17.
  • Renewing Canadian registrations before June 17, 2019
    • You may want to renew before June 17, 2019 regardless of when renewal is due to reduce costs — the current renewal fee is $350, but it will increase to $400 on or after June 17 (plus $125 for each additional class).
  • Filing immediately to protect key brands in Canada. Trolls will be active and may try to acquire rights in your marks due to the lack of a use requirement in pending and new applications as of June 17, 2019.
    • Employing watch services for key brands in Canada.
  • Designating Canada in new Madrid Protocol international applications, or in existing registrations as a Subsequent Designation, starting June 17, 2019.
  • The impact of the new law on any pending Canadian applications you may have.

Please feel free to contact us with any questions.  – Rina Van Orden, Esq.

GDPR update: 1 Year Later

One of the most significant data privacy laws enacted, the European Union’s General Data Protection Regulation (GDPR), brought substantial changes for organizations which are located in the EU or process the personal data of individuals residing in the EU.  In light of the one-year “anniversary” of the GDPR, which came into force a year ago on May 25, 2018, here is a short overview of the current global data privacy law climate, along with some upcoming changes and trends that may impact businesses internationally.

1) Europe – The General Data Protection Regulation (GDPR):

  • The GDPR was designed to harmonize data privacy laws across Europe and give greater rights to individuals residing in the EU in terms of their personal data.  Last year, businesses around the world scrambled to comply with the GDPR, in part due to fines for non-compliance.  While the expected fines have generally yet to materialize (the largest fine for violating the GDPR was issued by France’s regulatory agency against Google for 50 million Euros earlier this year), industry experts note that enforcement of the GDPR is just getting started.  The process of investigating violations and issuing fines can take time, and many EU member states are reportedly struggling to staff their regulatory offices.
  • The GDPR requires certain businesses to appoint a data protection officer, a role new to many organizations, and includes data breach reporting guidelines.  As a result, the International Association of Privacy Professionals (IAPP) reports that over 500,000 organizations have registered data privacy officers in the past year, shedding light on the rapid growth of the privacy profession due in large part to the GDPR.  Additionally, according to the European Data Protection Board, over 65,000 data breach notifications have been initiated by businesses as a result of the GDPR.  Businesses generally appear to be using the GDPR’s framework to update their data privacy policies and procedures, and to be cooperating with regulators.
  • The GDPR launched a dialogue about data privacy laws around the world, causing countries such as Brazil, China, India, Japan, South Korea, Thailand, and Australia to pass or propose new legislation, or consider changes to existing laws, that would bring their privacy regulations into closer alignment with the GDPR.

2) The United States – The California Consumer Privacy Act (CCPA) & Other State Laws:

  • Currently, the United States has no federal data privacy law as large in scope as the GDPR, but rather a patchwork of state data privacy laws.  Many businesses that were required to comply with the GDPR will also need to comply with the CCPA, California’s new data privacy law, which will come into effect on January 1, 2020.
    • The CCPA applies to businesses that receive personal data from California residents and exceed one of these three thresholds: (1) annual gross revenues of $25 million; (2) obtains personal information of 50,000 or more California residents, households, or devices annually; or (3) makes 50% or more of its annual revenue from selling California residents’ personal information.
  • The CCPA is a broad privacy law that expands the definition of “personal information,” and grants additional rights and protections to California residents regarding the use of their personal information by covered businesses.  California residents will be able to request that businesses provide them with information about how their individual personal information is being used, and may request that businesses stop selling their personal information.
  • Covered businesses should ensure that their websites and privacy policies are compliant with the new requirements of the CCPA.  It is important to note that a business being GDPR compliant does not mean it will be CCPA compliant.
  • Other states in the U.S. are considering legislation that closely mirrors the CCPA and the GDPR, showing a trend for laws which expand the privacy rights of consumers.  Changes to the CCPA are still occurring – for example, a California bill that would have added a sweeping and unrestricted private right of action for any violation of the CCPA died in an appropriations committee earlier this month.  Also, lobbyists across various industries have been asking Congress to pass a federal data privacy law, which would preempt the new law in California and other states that are trying to follow suit, stating that the patchwork of laws in the U.S. will be too difficult for businesses to follow.

Based on the above, we anticipate that new data privacy laws and changes to existing data privacy laws will continue to emerge.  Frequently, countries’ motivation for passing or updating legislation is to enjoy the privileges of transferring personal information between themselves and the EU under the GDPR.  While many believe the GDPR has not been enforced as zealously as they anticipated, the law has clearly impacted privacy laws on a global scale in its first year.

– Courtney Reigel, Esq.