Avoiding the Dreaded Link under CCPA: “Do Not Sell My Personal Information”

Many companies that do substantial business in California may fall under the scope of the CCPA. If they do, and they don’t take action beforehand, they are required to put a link, in a clear and conspicuous manner, on the company’s homepage (as well as in the privacy policy), that reads “Do Not Sell My Personal Information”. If this link is clicked, it must provide a mechanism (that must work) by which the consumer can opt out of having their personal information “sold”, and the company must refrain from soliciting the sale of the opted-out individual’s data for 12 months after the opt-out. It should be noted that the CCPA allows the link to not appear on the company’s main web page if the company creates a web page for CA residents only (because of the technology infrastructure needed to do this, it’s likely most companies subject to CCPA will not be able to do so, at least not right away).

When the company’s legal department or outside counsel tells the marketing department that the link has to be put on the main website of the company by January 1, 2020, the reaction is “We can’t do that. How do we avoid it?” Anyone involved in sales or business development understands that a link of that nature will not help revenue generation and the PR issues associated with it are not favorable.

By way of background, the CCPA applies to any business (of a certain size or that generates over a threshold amount of revenue from CA) that “sells” personal information about California consumers to third parties. CCPA Section 1798.120(a). “Sell” under the CCPA is defined broadly, meaning sharing the personal information for any value at all.

The answer to the marketing department’s question of how the company gets out of putting the link on the company’s homepage is that the company has to take action to ensure that it is not subject to the requirements of the CCPA, specifically that the company does not “sell” personal information. Each company likely has multiple vendors, subcontractors, service providers and other parties it has contracted with. A number of those agreements likely involve the sharing, making available, or outright sale of personal information to the third party. Usually the agreement includes more than simply the personal information. What the company should do is go through all of its agreements and amend any that involve the sharing or making available of personal information so that it is clear that any consideration provided by the third party under the agreement is not in exchange for personal information (i.e. that no consideration is changing hands related to the personal information). This assumes that the company’s business operations do not generally involve sale of this data (if they do, the CCPA will apply, absent a fundamental change in the company’s business model), and this course of action may not be available for all companies.

New York’s Cybersecurity Requirements for Financial Service Companies

New York was concerned that sensitive data held by companies, such as people’s banking information, social security numbers and other financial records, could be unlawfully accessed by hackers (other nations, individuals, companies). The New York Department of Financial Services (“DFS”) has promulgated regulations entitled the “Cybersecurity Requirements for Financial Services Companies”, which can be found at 23 NYCRR 500.

The regulation applies to “Covered Entities” which means any person or individual holding a permit or license or otherwise authorized to operate under the New York Banking Law, the Insurance Law or the Financial Services Law. Subject to certain exemptions, discussed briefly below, Covered Entities have to have a Cybersecurity Program, based on a risk assessment that the Covered Entity has to perform, that fulfills the following:

(1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;

(2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;

(3) detect Cybersecurity Events;

(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;

(5) recover from Cybersecurity Events and restore normal operations and services; and

(6) fulfill applicable regulatory reporting obligations.

Additionally, each Covered Entity, unless exempt, has to appoint a Chief Information Security Officer, and adopt a Cybersecurity Policy, addressing the following:

(a) information security;

(b) data governance and classification;

(c) asset inventory and device management;

(d) access controls and identity management;

(e) business continuity and disaster recovery planning and resources;

(f) systems operations and availability concerns;

(g) systems and network security;

(h) systems and network monitoring;

(i) systems and application development and quality assurance;

(j) physical security and environmental controls;

(k) customer data privacy;

(l) vendor and Third Party Service Provider management;

(m) risk assessment; and

(n) incident response.

The regulation also requires other items, such as regular reporting to the DFS, training, confidentiality, encryption and other items.

A Covered Entity may be exempt from some but not all of the requirements of the regulation. Notably, those with fewer than 10 employees (or contractors), or less than $5,000,000 in gross annual revenue in the last three years, or less than $10,000,000 in year-end total assets (calculated as per GAAP) are exempt from some of the onerous items. Similarly, those that don’t hold any important information and those that are only related, subsidiary or affiliated persons or entities (that are Covered Entities themselves) that are part of or connected to a Covered Entity that is fulfilling its obligations under the regulation are exempt from other portions of the regulation. New York State DFS provided helpful charts in its FAQ for the regulation available here.

The Opportunity in Opportunity Zones

One of the more interesting and useful items to come out of the Tax Cuts and Jobs Act of 2018 is the creation of so-called Opportunity Zones. An Opportunity Zone is a particular census tract which the government has designated as a distressed community, and investments in same are entitled to certain benefits vis-à-vis the investor’s capital gains taxes from such investment. The goal is to stimulate investments into such areas which would not otherwise have occurred.

The benefits that Opportunity Zones provide are related solely to the timing and possible reduction of an investor’s capital gains taxes. The program won’t apply to ordinary income tax issues, and there are no credits or other types of incentives provided for in the program (it’s less exciting than some folks originally thought but still a large benefit to the right investors/projects/companies though). The Opportunity Zones program provides for a delay, reduction or elimination of capital gains taxes in three ways as set forth below:

  • First is a temporary tax deferral for any taxpayer who has capital gains but re-invests same, within a 180-day time period, into a Qualified Opportunity Fund (discussed below). The gain is deferred but must be recognized on the earlier of the date on which the opportunity zone investment is sold or December 31, 2026 (there is some grey area with respect to holding the investment past December 31, 2026 and hopefully the IRS clears it up). You do not have to live or work in an opportunity zone, you just have to invest in it (in a company located in one or property located in one). IRS came out with this form for these re-investments – Form 8949
  • Second is a step-up in basis for any capital gains that were invested (i.e. re-invested) in a Qualified Opportunity Fund. The basis of the original investment is increased by 10% if the investment in the Qualified Opportunity Zone Fund is held by the taxpayer for at least 5 years, and by an additional 5% if held for at least 7 years, excluding up to 15% of the original gain from taxation.
  • Third is a total exclusion (i.e. the investor’s basis is increased to FMV) from taxable income of capital gains from the sale or exchange of an investment (but not the original capital gain which is handled by the second point above) in a Qualified Opportunity Zone Fund if held for more than 10 years.

The Opportunity Zone program allows funds to be set up, called Qualified Opportunity Zone Funds, which funds pool investor money (as a partnership or corporation) for investing in eligible property located in a Qualified Opportunity Zone (a list of such Qualified Opportunity Zones is set out in IRS Notice 2018-48 – https://www.irs.gov/pub/irs-drop/n-18-48.pdf).

To become a Qualified Opportunity Zone Fund, an eligible corporation or partnership self-certifies by filing Form 8996, Qualified Opportunity Fund, with its federal income tax return. Early-release drafts of the form and instructions are posted, with final versions expected in December. The return with Form 8996 must be filed timely, taking extensions into account.

Ricardian Contracts

Ricardian Contracts are really a stepping stone to Smart Contracts. They are a way to link a contract to another system, typically an accounting system. Ian Grigg came up with Ricardian Contracts some time ago. He first published about it in Financial Cryptography in 7 Layers in 1998. Ricardian Contracts were initially used for Ricardo (hence their name), a bond platform.

They are a melding of a traditional contract with a contract that can be read and executed by machines. A Ricardian Contract can be defined as a single document that:

  1. is a contract offered by an issuer of some item of value (think of a bond, coin, token, currency, etc.) to a holder of such item;
  2. for a valuable right held by the holder, to be managed by the issuer;
  3. can be read in plain language by humans (so like a normal contract);
  4. can be read by programs (and is parsable like a database);
  5. is digitally signed;
  6. carries the keys and server information; and
  7. is allied with a unique and secure identifier.

Considerations When Buying a Website or Blog

If you have some disposable funds and are looking to get into the online world, buying a content-based website and/or blog that throws off a revenue stream may be something that could interest you. There are a number of sites that act as clearinghouses for domain names, websites and blogs, but probably the most well-known one is Flippa. No matter where you are looking, when purchasing a website or blog, the following are important considerations.

Funding Portal Rules for Regulation Crowdfunding a/k/a Equity Crowdfunding

The JOBS Act from way back in 2012 set forth the Crowdfunding exemption to the securities laws, and required that any Funding Portal that engaged in Crowdfunding register with the SEC and become a member of FINRA. In late 2015, the SEC came out with the Regulation Crowdfunding Final Rules and forms to permit companies to offer and sell securities through Crowdfunding and to regulate the intermediaries which can sell the crowdfunded securities. The latest Funding Portal rules have been finalized by the SEC and FINRA.

Using “Tested” or “Market” Contract Language

This is a response to a post by Ken Adams of Adams on Drafting. In one of my earlier posts about the desires of certain clients to have as short a contract as possible, I stated that it was beneficial to draft an agreement a certain way, including certain terms and language, because judges have seen similar items before. Ken identified this and he reiterated his position that a contract drafter should not rely on what he deems “tested” contract language.

SEC Releases Proposed Equity Crowdfunding Rules

Yesterday the SEC released its long-awaited crowdfunding rules. The Proposed Rules are available here (and SEC’s press release here), and at 585 pages will make labored reading. I’ve seen plenty of press coverage on the topic and most stories have taken the premise that equity crowdfunding (which the SEC is calling “Regulation Crowdfunding”) is something that the SEC is “considering” allowing. I want to dispel that notion, and as I’ve discussed before (and here), the JOBS Act passed by Congress directs the SEC to promulgate regulations to allow equity crowdfunding. The SEC has no choice in the matter, although it did take its time (these proposed rules were supposed to be issued by the end of last year – 2012). And unfortunately the SEC can make compliance with the Regulation Crowdfunding rules so difficult that very few issuers will choose to use them to raise capital.