Insights & Opinions from McGrath North

I'm looking for help in my industry:
I'm looking for help in a specific practice area:

Updates To The CCPA Proposed Regulations – What Changes Now?


On Friday, February 7, 2020, the California Office of the Attorney General (OAG) released revisions to its proposed implementing regulations to the California Consumer Privacy Act (CCPA). The OAG will accept comments regarding the proposed changes until Monday, February 24, 2020.

While the majority of the changes are made for clarification purposes, there are modifications or additions that likely affect a business’s CCPA compliance plan.

Below is a list of some of the material modifications or clarifications set forth in the revised proposed regulations:

I.  Privacy Policy Updates.

  • Express requirement written into the regulations that a business who must comply with the CCPA must have a privacy policy that complies with the CCPA.
  • A business that operates online need only provide an email for submitting requests to know in lieu of the prior inferred requirement that the business have an interactive webform accessible on the business’s website.

II.  New/Modified Requirements.

  • If personal information is collected from a consumer’s mobile device for a purpose the consumer would not reasonably expect, then a just-in-time notice must be provided.
  • A business registered as a data broker with the OAG does not need to provide a notice at collection to the consumer if it has included a link in its registration submission to its online privacy policy that includes instructions on how a consumer may opt-out.
  • The rules governing additional disclosures of a large quantity of personal information of California consumers for a commercial purpose (i.e. sale, purchase, sharing for commercial purpose) have been adjusted to apply to 10,000,000 or more California consumers affected in any calendar year

III. Procedural Clarifications.

  • The definition of “personal information” has been revised to provide that if the business does not link the IP address to any particular consumer or household, and could not reasonably link the IP address, then the IP address is not “personal information”.
  • Revised examples setting forth appropriate delivery of the initial notice have been provided, specifically for delivery through a mobile application and over the telephone and notice at collection of employment-related information.
  • Clarification has been provided that electronic signatures complying with the Uniform Electronic Transactions Act qualify with respect to obtaining a signed attestation.
  • The two-step process for online requests for deletion has been made optional.
  • Additional clarification has been provided on the required content in a response to a request to know categories.
  • The CCPA accessibility requirements may be satisfied if the business generally follows recognized industry standards, including the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the Worldwide Consortium.
  • Additional details on the “Do Not Sell My Personal Information” link and opt-out button have been provided for clarity.
  • Revised the actions required with respect to back-up or archived data to narrow the scope of when deletion is required.
  • Clarifies certain actions allowed by a service provider, including internal use of personal information to improve the quality of services and the ability of service providers to respond to requests on behalf of a business.

The OAG did us a favor and included a redline to the originally proposed regulation.

To discuss the implications these proposed changes may have on your business’s compliance with the CCPA, please reach out to a member of our Privacy & Cybersecurity Practice Group .

Refer to the Privacy & Cybersecurity Practice Group’s prior publications on the CCPA for additional information on whether the CCPA applies to your business:

Lurking In The Shadows – How The California Consumer Privacy Act May Affect Your Business 

Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act

CCPA Doesn’t Apply To Financial Institutions? Think Again – Big Impacts On Banks Privacy Operations

HIPAA-Covered Entity Exemption To CCPA, Don’t Be Mistaken – You May Still Have To Comply

Calling All California Employers – Are You CCPA Compliant?


The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. Many California employers have improperly ignored its application to their businesses. While most employee rights were carved out of the CCPA’s application until January 2, 2021, there are still key requirements under the CCPA that employers of California residents must abide by starting January 1, 2020.

Does the CCPA Apply to Your Business?

The CCPA generally will apply to any for-profit company that does business in California, collects the personal information of California residents (including employees residing in California) and either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.

If your business satisfies one of the thresholds, then having California employees is enough to trigger compliance requirements under the CCPA.

Compliance Required Today With Respect to California Employees

Effective January 1, 2020, all businesses that satisfy the threshold requirements under the CCPA are required to provide initial privacy notices to their California resident employees.

In addition to the initial notice requirements, California employers should be aware that a data breach of HR data stemming from a lack of reasonable protections could be the trigger for a class action lawsuit. It is important for employers to scrutinize information security policies, properly manage all third party service providers who have access to HR data and update internal and external privacy policies to ensure compliance under the CCPA.

Risks of Noncompliance

The CCPA is enforceable by both the California Attorney General and through limited private rights of action (specific to claims with respect to data breaches). Enforcement of the CCPA will begin by the California Attorney General six months after the publication of final regulations or July 1, 2020, whichever is sooner. Fines can run from $2,500-$7,500 per incident (for example, a violation involving 10,000 California consumers could result in fines of $25 million to $75 million).

Final CFIUS Regulations Significantly Expand Jurisdiction


The US Department of the Treasury issued final regulations (“Final Rules”) last week that expand the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) to review non-controlling foreign investments in certain US businesses and certain real estate transactions. The existing jurisdiction of CFIUS to review any transaction in which a foreign person acquires control of a US business with national security concerns has not changed. The final regulations become effective February 13, 2020.

CFIUS Jurisdiction Expanded to Cover Minority, Non-Controlling Investments in TID US Businesses

Under the final regulations, CFIUS’s jurisdiction is expanded to allow it to review certain minority, non-controlling investments in US businesses that (1) produce or develop critical technologies; (2) own or operate critical infrastructure; or (3) maintain and collect sensitive personal data of US citizens. CFIUS defines such businesses as a “TID US Business”.

A minority, non-controlling investment in a TID US Business will be subject to CFIUS review if it provides a foreign investor with one of the following: (1) access to material nonpublic information of the TID US Business; (2) right to appoint a board member or board observer of the TID US Business; or (3) any involvement (other than the voting of shares) in substantive decision-making of the TID US Business regarding the development of critical technologies, the operation of critical infrastructure or the use of sensitive personal data.

Under this expanded jurisdiction, the CFIUS process and filings largely remain voluntary.

However, as discussed below, a mandatory filing is required in two situations: (1) certain “substantial interest” foreign government-related transactions in TID US Businesses, and (2) certain investments “critical technologies” TID US Businesses.

Mandatory Filings Required for Certain “Substantial Interest” Investments by Foreign Government-Controlled Entities

A mandatory filing is required for transactions resulting in the acquisition of a “substantial interest” in a TID US Business by a foreign person in which a foreign government has a “substantial interest”. Under the Final Rules, the “substantial interest” requirement would be met if a foreign person has a voting interest (direct or indirect) of 25% in a TID US Business and a foreign government has a voting interest (direct or indirect) of 49% or more in that foreign person. With respect to funds and partnerships, a foreign government will be deemed to have a “substantial interest” if it holds at least 49% in the general partner, managing member or equivalent.

Mandatory Filings for Certain Foreign Investments in Critical Technologies

The Pilot Program, which established mandatory filing requirements for foreign investments in certain TID US Businesses involved in “critical technologies”, will expire on February 12, 2020. However, certain key aspects of the Program will remain in effect under the Final Rules. As with the Pilot Program, mandatory filings are required for investments in a TID US Business involving “critical technologies” that give a foreign investor certain substantive rights in that business – either control, board membership or observer rights, access to material nonpublic information, or involvement (other than voting of shares) in substantive decision-making regarding the TID US Business. The term “critical technologies” generally means defense articles, nuclear equipment and materials, select agents and toxins, a broad range of dual-use items subject to export control and certain “emerging and foundational” technologies that will be controlled for export under forthcoming regulations.

Under the Pilot Program, the filing requirement was triggered by a TID US Business producing, designing, testing, manufacturing, fabricating or developing a “critical technology” in one of 27 different enumerated NAICS Code industries. The Final Rules state that separate, additional rules will be issued that will eliminate the association between “critical technologies” and NAICS Codes, and will instead be based upon export control licensing requirements. Therefore, going forward, the mandatory filing requirement would be triggered by a TID US Business producing, designing, testing, manufacturing, fabricating or developing a “critical technology” that is subject to export control licensing requirements, regardless of the self-assigned NAICS Code in which the business operates. Further detail has not yet been provided so the significance of this modification remains to be seen.

In addition, the Final Rules include certain exceptions to these mandatory filing requirements for foreign investors from “excepted foreign states” (as discussed below), investments in a fund managed and ultimately controlled by US nationals, foreign investors who are already subject to mitigation, and investments in a TID US Business that is a TID US Business solely because it is involved in certain non-sensitive encryption technology.

Exemptions for Foreign Investors from Australia, Canada and UK

Certain investors from “excepted foreign states” are exempt from CFIUS’s expanded jurisdiction over TID US Business investments. Under the Final Rules, the “excepted foreign states” are Australia, Canada, and the United Kingdom.

Generally, persons who are nationals exclusively of excepted foreign states (and/or the US) can qualify as “excepted investors”, as can foreign governments of excepted foreign states.

An entity will be deemed an “excepted investor” if, among other requirements: (1) it is organized under the laws of an excepted foreign state or the US; (2) 75% or more of the members and 75% or more of the observers of the board of directors are citizens of either the US or an excepted foreign state; and (3) all investors that hold a 10% or more equity interest are citizens of either the US or an excepted foreign state.

“Excepted investors” are not subject to CFIUS’s expanded jurisdiction for non-controlling investments or covered real estate transactions (discussed below), nor to the mandatory filing requirements for “substantial interest” investments or “critical technologies” investments described above, but they do remain subject to the traditional CFIUS jurisdiction for transactions that would result in their control of a US Business with national security implications.

CFIUS Jurisdiction Expanded to Cover Certain Real Estate Investments

The existing CFIUS jurisdiction covers foreign investments in real estate only if it allows a foreign person to gain control over a US Business. Under the Final Rules, CFIUS has expanded jurisdiction to review purchases, leases and concessions of real estate by foreign persons, including Real Estate Investment Trusts (REITs), involving property with geographic proximity to airports or maritime ports, or sensitive US military and other government sites.

The Final Rules state that CFIUS intends to make a web-based tool available in the near future to assist in the determination of whether a real estate transaction would qualify as a “covered real estate transaction” subject to CFIUS review. Note that while the scope of “covered real estate transactions” subject to CFIUS review has expanded, these transactions are still voluntary filings under the Final Rules.

Remaining Questions

  • Treasury plans to issue separate rules amending the criteria for mandatory filing requirements to be based on export control licensing requirements rather than NAICS Codes. This is a welcome change since it should simplify the classification of such businesses and aid in a more precise determination of whether a US business constitutes a TID US Business.
  • “Emerging and foundational technologies” still have not been defined by the Department of Commerce. This definition will have a major impact on jurisdiction over what constitutes a “critical technology” for purposes of a TID US Business.
  • Filing fees will be determined in later rulemaking. CFIUS is permitted to impose filing fees not to exceed the lesser of 1% of the transaction value or $300,000.

Investors and companies are now faced with a more complicated CFIUS framework and analysis, and CFIUS will continue to be a key issue in future transactions involving foreign investment. In light of the Final Rules, fund managers should also review their fund documents to determine whether existing governance rights and/or access rights could potentially trigger CFIUS’s expanded jurisdiction. If you have questions about this alert and its applicability, please contact Roger Wells, Tom Worthington or Rachel Meyer.

FDA Issues Warning Letters To 15 Companies Selling CBD Products


This week, FDA issued warning letters to 15 companies for selling products containing cannabidiol (CBD) in violation of the Federal Food, Drug, and Cosmetic Act (“FD&C Act”). The covered products include pet products, topicals, dietary supplements, and conventional foods (including peanut butter, water and gummies).

As we have written about [here], 2019 has seen a flurry of enforcement actions against companies marketing CBD-containing products. In this latest batch of warning letters, FDA alleges that these companies marketed CBD products in ways that violate the FD&C Act by making claims that CBD products could prevent or cure diseases in humans and/or animals, and marketing CBD products as a dietary supplement or a food additive. Significantly, this is the first time FDA has clearly stated that CBD cannot be in a dietary supplement because it is a drug.

In surveying these companies’ websites and social media, FDA cited claims such as:

  • CBD product has “anti-inflammatory” properties” and can be “applied topically for temporary relief to treat pain and discomfort from arthritis, muscle strain, bruises, sprains, joint aches and backaches”.
  • “CBD lowers incidence of diabetes”
  • “Little known uses for CBD – CBD for opioid addiction”
  • “Our treats and oil can help your dog and cat with anxiety, skin conditions, arthritis, and more”
  • “What Does Conditions May CBD Be Effective For? [sic] IBS; Migraine headaches; Seizure disorders; MRSA; Cancer; Depression; PTSD; Autism; Parkinson’s; Alzheimer’s”

Some of the products cited by FDA are specifically marketed for infants and children and one product is intended for food-producing animals. These warning letters indicate that FDA remains concerned about products marketed for vulnerable populations, like infants and children, that may be at greater risk for adverse reactions, and that FDA continues to be focused on the safety of human food products.

Earlier this week, FDA also published a Consumer Update detailing its underlying safety concerns about CBD, stating that “CBD has the potential to harm you, and harm can happen even before you become aware of it.” Further, based on the lack of scientific information supporting the safety of CBD, FDA has indicated that it cannot conclude that CBD is generally recognized as safe (GRAS) among qualified experts for its use in human or animal food.  This is significant because without the GRAS designation, CBD would need to be the subject of an approved food additive regulation before it could legally be used in human or animal food.

These warning letters signal that FDA may be taking a more aggressive approach with increased scrutiny of CBD products.  Our food and dietary supplement lawyers regularly advise clients on the status of CBD in FDA-regulated products. If you have any questions about this Alert, or are considering marketing or selling CBD products, contact our Food and Dietary Supplement regulatory team. 




The IRS has released the 2020 cost-of-living adjustments applicable to the dollar limits and thresholds for retirement plans and health and welfare benefit plans. Plan sponsors should update their systems and formulas to include the limits that have been adjusted.

The IRS has released the 2020 cost-of-living adjustments applicable to the dollar limits and thresholds for retirement plans and health and welfare benefit plans. Plan sponsors should update their systems and formulas to include the limits that have been adjusted.

To view the chart, click here.

USDA Releases Proposed Hemp Rules


On October 29, the USDA released  the much-anticipated draft rules for hemp manufacturing (the “Proposed Rules”).  As we have previously written about HERE, the 2018 Farm Bill removed hemp from the Controlled Substances Act and ordered the USDA to establish a Domestic Hemp Production Program and implementing regulations. The Proposed Rules cover the requirements for where hemp can be grown, THC testing standards, the disposal process for “hot hemp” (hemp with THC content in excess of the permitted limit) and licensing protocols.

USDA-Approved State and Tribal Plans; USDA Plan

Under the  Proposed Rules, a State or Indian Tribe that wants to have primary regulatory authority over the production of hemp in that State or Indian Tribe territory may submit a plan for monitoring and regulating hemp to the USDA for approval. States and Indian Tribes may begin submitting production plans once the Proposed Rules are published in the Federal Register (which we expect to happen yet this week).  USDA will have 60 days following receipt to review and rule on the submitted plan.

The Proposed Rules also establish a USDA production plan to regulate production in states or territories where hemp production is legal but not covered by a USDA-approved State or Tribal plan. USDA will begin accepting applications 30 days after the Proposed Rules are published in the Federal Register; however, USDA will not issue licenses to producers located in a State or Indian Tribe territory that has a draft hemp production plan pending for USDA approval.

Regardless of whether a producer is operating under a State, Tribal or USDA Plan, operating under a USDA-approved plan is significant because hemp producers will be eligible for USDA programs, such as loans and crop insurance coverage.

Plan Requirements

There are requirements that all producers must meet, regardless of whether the USDA, State or Indian Tribe is overseeing production, including:

  • Licensing requirements
  • Maintaining information on the land on which hemp is produced
  • Procedures for testing the THC concentration levels for hemp
  • Procedures for disposing of non-compliant plants
  • Compliance provisions, including annual inspections of a random sample of hemp producers to verify compliant hemp is being produced
  • Procedures for handling violations

THC Testing and Violations

All hemp must be sampled and tested for THC levels by a USDA-approved sampling agent or authorized federal, state or local law enforcement within 15 days prior to anticipated harvest.  Because of the potential for labs to handle product testing above the approved 0.3% THC level (which, under the Controlled Substance Act, would be marijuana and a Schedule I controlled substance), testing can only occur in DEA-registered labs.

The Proposed Rules also establish an acceptable hemp THC level distribution range that takes into account uncertainty in cultivation and provides some flexibility for producers.  The Proposed Rules provide the following example: “if a laboratory reports a result as 0.35% with a measurement of uncertainty of +/- 0.06, the distribution or range is 0.29% to 0.41%.  Because 0.3% is within that distribution or range, the sample, and the lot it represents, is considered hemp for the purpose of compliance with the requirements of State, Tribal, or USDA hemp plans.”

If the THC content is found to exceed the permitted THC limit (known as a “hot hemp”), it must be reported by the laboratory to the producer and USDA, and destroyed by someone authorized under the Controlled Substance Act and DEA to handle marijuana, such as a DEA-registered reverse distributor or  federal, state or local law enforcement.

In cases where a negligent violation has occurred, a corrective action plan will be established and the producer must periodically report on compliance with the plan for at least 2 years following such violation.  A producer who negligently violates the Rules three times in a 5-year period will be ineligible to produce hemp for a period of five years from the date of the third violation.  Note that negligent violations are not subject to criminal enforcement by federal, state or local law authorities.  In addition, the Proposed Rules provide that a producer would not negligently violate the Proposed Rules if the plants test between 0.3%-0.5% THC and the producer used “reasonable efforts” to grow compliant hemp.

In cases where an intentional, knowing or reckless violation has occurred, the producer will be reported to the Attorney General, USDA and the chief law enforcement officer of the State or Tribe.

Final Thoughts

The Proposed Rules are an important step in creating a consistent regulatory framework for growing hemp and testing its THC content.  Of note, the Proposed Rules do not address what happens to processed hemp products, such as CBD (which we have written about HERE). In a footnote, the Proposed Rules reiterate the provision in the 2018 Farm Bill preserving FDA’s authority to regulate these products.

The public has 60 days to comment on the Proposed Rules once formally published in the Federal Register.  Thereafter, if USDA makes no changes based on the public comments, USDA will publish a Final Rule. Then implementing regulations still need to be drafted and published.  Those regulations will be focused on the nuts and bolts of implementing the Final Rule.  We are continuing to monitor developments in this area and will provide further updates as necessary.  If you have any questions about this Alert, please contact Rachel Meyer or Sandra Morar.

New “Notice And Access” Safe Harbor Allows Employers To Ditch Paper Disclosures For Retirement Plans


On October 22, 2019, the Department of Labor (“DOL”) released proposed regulations updating the electronic disclosure rules for ERISA notices. Given the significant advances in technology over the last decade, employers have long-awaited a meaningful update to the current, outdated electronic disclosure safe harbor. Although employers may continue to provide paper notices to employees, the DOL anticipates that most employers will migrate to the new, proposed safe harbor for electronic disclosure of ERISA notices. The new safe harbor is expected to create efficiency, increase participant awareness, and result in cost savings for employers. The only downside¾the safe harbor does not apply to health and welfare plans.

What disclosures are impacted by the rule?

The new safe harbor can be used for any ERISA notices required to be distributed to pension benefit plan participants, other than those documents only required to be furnished upon request. In other words, pension benefit statements, Safe Harbor Notices, QDIA Notices, fee disclosures, summary annual reports, and other documents required to be furnished solely because of the passage of time may be disclosed electronically under the new safe harbor. However, disclosures such as the plan document, terminal report, trust agreement, and other documents that only need be to be furnished upon request cannot utilize the new safe harbor for disclosure.

Curiously, the safe harbor only applies to pension benefit plans, as defined in ERISA Section 3(2), including defined contribution (e.g., 401(k) plans) and defined benefit (e.g., pension) plans. The safe harbor does not apply to “employee welfare benefit plans,” which means that group health plans, disability plans, and other health and welfare plans must continue to rely on the old electronic disclosure regulations. The DOL expressed concern about the safe harbor as applied to group health plans, given the special considerations relating to issues such as pre-service claims review, access to emergency health care, and more.

Who can receive retirement plan disclosures electronically?

Participants, beneficiaries, or other individuals (“Covered Individuals”) entitled to ERISA notices can receive the notices electronically if: (1) they provide the employer, as a condition of employment or at the beginning of plan participation, with an e-mail address or smartphone telephone number; (2) they are assigned an e-mail address by the employer; or (3) they are given an internet-based mobile computing device by the employer.

Internet-based mobile computing devices include smartphones with data plans, laptops, tablets, or similar devices. The DOL does not want to specifically limit the regulations to any particular devices, as technology changes quickly over time and they want to avoid ending up with outdated regulations.

What are the notice and access requirements?

The “notice and access” safe harbor requires just that: delivery of a specific notice of internet availability and compliance with certain minimum standards concerning the availability of and access to the notices. A notice of internet availability must comply with certain content requirements and must be furnished electronically to the Covered Individuals no later than the time the notice is available on the internet/website. In other words, if a notice is due to participants on January 1st and is uploaded to the company website on such date, the notice of internet availability must be provided to Covered Individuals on January 1st. For an employer that chooses to provide all notices at the same time each year, the notice of availability must only be provided each plan year, and no more than 14 months following the date the prior plan year’s notice was furnished.

The “access” prong of the safe harbor requires that employers comply with the following requirements: (1) the employer must ensure the existence of an internet website at which a covered individual is able to access covered documents; (2) the notices must be available on the applicable, required dates; (3) each notice must remain available on the website until it is superseded by a subsequent version of the notice; (4) the notice must be presented on the website in a manner calculated to be understood by the average plan participant (must be “readable”); (5) the notice must be presented in a widely-available format or formats that are suitable to be both read online and printed clearly on paper, and must be “searchable”; (6) the notice must be presented on the website in a widely-available format or formats that allow the covered document to be permanently retained in an electronic format; and (7) the website must protect the confidentiality of personal information relating to the Covered Individuals.

Can a Covered Individual opt out?

Yes.  The safe harbor includes a “global” opt out provision. Covered Individuals may elect to opt out of electronic disclosure and receive all notices in paper. Covered Individuals may also maintain electronic disclosures, but request that the employer furnish them, free of charge, a paper copy of a notice (or all of the notices) as soon as reasonably practicable. For individuals that opt out, the employer must establish and maintain reasonable procedures governing requests or elections for paper copies.

The proposed regulations require employers to send an initial notification of default electronic delivery and the right to opt out to ensure that all participants and beneficiaries accustomed to receiving paper notices are aware of the new method for electronic disclosure and have the opportunity to choose to continue to receive paper copies.

Effective Date

Generally, the proposed regulations will be effective 60 days after publication of a final rule in the Federal Register. The DOL has proposed the new safe harbor apply to employee benefit plans as of the first day of the calendar year following the publication of the final rule. The Department has requested comments with regard to providing an earlier effective date.


For more information on the details of the proposed regulations and implementing the safe harbor going forward, including special rules for severance of employment and other circumstances, please contact Caroline Nelsen at 402-633-9575 or e-mail her at

California Attorney General Issues Draft CCPA Regulations – Has The Playing Field Changed?


The California Attorney General (AG) has issued the long-awaited draft regulations for the California Consumer Privacy Act (CCPA), which regulations will be officially filed on October 11, 2019. The AG stated that July 1, 2020 is the expected effective date of final regulations and enforcement. This is not to be interpreted as a safe harbor, but simply an enforcement delay. The public may submit written comments to the proposed regulations prior to December 6, 2019 at 5:00pm. The CCPA is effective on January 1, 2020.

Below are highlights of the key take-aways from the proposed regulations:

Disclosure. The regulations provide a clear emphasis on transparency and set forth format and content requirements for disclosures and privacy notices.

Requests. The regulations include additional parameters on the procedures for receiving and responding to consumer requests, including guidance on timing and reasonings for denying requests. The regulations also provide detailed guidance on how to verify the identity of a requesting consumer.

Training and Record Retention. The regulations reinforce and add guidance to the CCPA-specific training requirements and add new record retention requirements for consumer requests.

To learn more about whether the CCPA applies to your business and how McGrath North attorneys can assist in implementing an efficient and cost-effective compliance plan, contact McGrath North’s data privacy attorneys.

CCPA Amendments – Do The Delays Affect You?


The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. In September, the California legislature passed a handful of amendments that may have large impacts on your business’s overall plan for compliance with the CCPA. The Governor of California has until October 13, 2019 to sign the amendments into law or veto the bills.

The CCPA is a sweeping piece of legislation designed to provide California residents with control over how their personal information is used and shared by businesses “doing business in California”. Businesses who are subject to the CCPA requirements must implement procedures for and facilitate consumer data requests, update their privacy policies and flow-down compliance obligations to their vendors. To determine whether the CCPA applies to you and your business, refer to Tackling the California Market Article.

Employee Data – AB-25. Ultimately, the CCPA will apply to employee data. However, AB 25 has sun-setted the application of most of the CCPA’s key provisions with respect to personal information that is collected about employees. As of January 1, 2020, businesses will have to provide employees notice about what categories of information the business collects and the purpose for collection, but businesses will not need to offer employees opt-out, access, and deletion rights until January 1, 2021. California resident employees will still be entitled to bring a private right of action under the CCPA with respect to a data breach.

Business to Business Data – AB 1355. AB 1355 added new Section 1798.145(l) which provides that certain obligations under the CCPA do not apply to personal information collected during business to business communications until January 1, 2021 when new Section 1798.145(l) would become inoperative. The year-long exemption would apply to “personal information reflecting written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transactions with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.” Effective January 1, 2020, B2B customer personnel will still have the right to opt-out of their information being sold and be entitled to bring a private right of action under the CCPA with respect to a data breach.

To learn more about all of the CCPA amendments and how McGrath North data privacy experts can assist you in preparing a comprehensive, tailored and practical CCPA compliance plan, contact one of our privacy experts.

Ch-Ch-Changes* – Immigration Updates


As we have seen the last two years, there are changes to the U.S. immigration system almost daily. Whether it be a new proposed regulation, case, executive order, blocking of court order, policy, or tweet, immigration has been a moving target. Some policies are proposed, suspended, and some are passed and now in place. Now more than ever it is imperative to keep up to date with the never-ending changes the immigration system is experiencing as increased scrutiny continues.

Social Security “No-Match” Letters

Social Security No-Match Letters are back again. In 1993, The Social Security Administration (SSA) began issuing notices called “Request for Employer Information” soon to be known as “No-Match Letters.” The purpose of the letters was to ensure the accuracy of earning records that are used to determine social security benefits. In 2012, the Obama Administration decided to stop issuing the letters. The No-Match Letters returned in 2019 advising employers that certain employee names and Social Security numbers on a named employee’s W-2 do not match Social Security records. The new notices now impose an affirmative duty to employers to respond to the SSA within 60 days of receipt of the notice. (See sample No-Match Letter at It is important to note that the letter is not, by itself, proof that the employee lacks employment authorization. However, total disregard of the letter combined with other evidence might establish that the employer had “constructive knowledge” that an employee does not have employment authorization. The notice imposes on employers a duty to resolve the question of whether an employee is authorized to work in the U.S. Therefore, employers must notify employees and request that they correct the discrepancy of information and provide evidence it is corrected or resolve the issue with the SSA. No specific penalties have been established on employers from failure to respond to the SSA. In fiscal year 2018, Homeland Security Investigations (HSI) opened 6,848 worksite investigations compared to 1,691 in FY17; initiated 5,981 I-9 audits compared to 1,360; and made 779 criminal and 1,525 administrative worksite-related arrests compared to 139 and 172, respectively. All of these categories surged by 300 to 750 percent over the previous fiscal year. Given the rise in compliance audits and investigations by the SSA, HSI, and ICE, it is essential to establish consistent policies of maintaining records and responding to No-Match Letters.

I-9 Compliance

Last month, USCIS announced that until further notice, employers should continue using the Form I-9 with edition date July 17, 2017, even after the expiration date of August 31, 2019, has passed. We will provide further information regarding the new Form I-9 as it is provided.

USCIS Announces Increase in Fee for H-1B Cap Petitions

In January 2019, Department of Homeland Security (DHS) amended its H-1B regulations, which now requires petitioners (employers) filing H-1B cap-subject petitions to first electronically register with USCIS during a designated registration period, whenever that may be. Only those petitioners whose registrations are selected will be eligible to file an actual H-1B cap-subject petition. Although the rule took effect on April 1, 2019, USCIS suspended the electronic registration requirement for the FY2020 H-1B cap filing season. On September 4, 2019, USCIS proposed a rule that would require petitioners filing H-1B cap-subject petitions to pay a $10.00 fee for each electronic registration they submit to USCIS. Please note that USCIS has not yet announced whether it anticipates utilizing the H-1B registration for the upcoming FY2021 H-1B cap filing season which begins on April 1, 2020, even though it has announced the fee increase.

Form I-539 No Longer Eligible for Premium Processing

In March 2019, USCIS revised Form I-539, Application to Extend/Change Nonimmigrant Status, and published new Form I-539A, Supplemental Information for Application to Extend/Change Nonimmigrant Status. The Form I-539 is used for certain nonimmigrants whom request to extend their stay or change to another nonimmigrant status. The most notable change of the revised Form I-539 is the requirement that every applicant pay an $85.00 biometrics fee and attend a biometrics appointment, regardless of age. Applicants usually receive a biometrics appointment within a few weeks after filing Form I-539. Thereafter, it takes at least another three weeks for biometrics to be completed. Due to this new biometrics requirement, Form I-539 applications are now separated from the primary applicant’s Form I-129 petition and processed on their own. Consequently, USCIS can no longer continue premium processing Form I-539 applications filed concurrently with Form I-129 petitions, such as an H-1B petition. As a result, H-4 spouses and children are now having to wait substantially longer to have their Form I-539 applications adjudicated and approved.

Changes to Immigrant and Nonimmigrant Visa Application Forms

Forms DS-160/DS-156, Nonimmigrant Visa Application are used for nonimmigrant, temporary travel to the United States and for K (fiancé(e)) visas. Form DS-260, Immigrant Visa Application is used for immigrant visa applicants. These forms are filed electronically to the Department of State. On May 31, 2019, new questions were added to the Forms DS-160/DS-156 and Form DS-260. These additional questions require applicants to disclose five years of social media and contact history when applying for a nonimmigrant or immigrant visa. Specifically, applicants are now required to disclose the social media platforms they have used within the previous five years, as well as provide their username for each platform. Please note that passwords for these accounts are not required and should not be provided. In addition, the applications request the applicant’s email addresses and phone numbers used in the past five years. Despite concerns raised by stakeholders, the Forms DS-160/156 and DS-260 have been updated to solicit this information. On September 4, 2019, DHS proposed changes to several immigration and travel forms to also collect social media information from applicants. The forms that would be affected by the new social media questions include USCIS Forms N–400, I–131, I–192, I–485, I–589, and I–751; CBP’s ESTA; and others.

Supreme Court Agreed to Review Three Cases Challenging the End of DACA

On June 28, 2019, the Supreme Court agreed to review three cases challenging the Trump Administration’s decision to end Deferred Action for Childhood Arrivals (DACA or “Dreamers”). In total, four federal appeals courts have heard arguments on whether President Trump went through the proper procedure to end DACA. Both the Ninth Circuit and the Fourth Circuit held that Trump’s decision to end DACA was improper. Decisions are still pending in the Second Circuit and D.C. Circuit. The Supreme Court is expected to issue its decision by June 2020. This means that current DACA recipients can continue to submit their renewal applications until that decision. DACA recipients will continue to receive protection from deportation and work permits, unless and until the Supreme Court issues a decision otherwise.

What are the Numbers for H-1B Petition Denials?

The National Foundation for American Policy analyzed the report from the H-1B Employer Data Hub and found that, “Between FY 2015 and FY 2018 the denial rate for new H-1B petitions quadrupled from 6% to 24%. To put this in perspective, between FY 2010 and FY 2015, the denial rate for initial H-1B petitions never exceeded 8%, while today the rate is 3 to 4 times higher.”  Denial rates for initial H-1B petitions nearly doubled from 13% in FY 2017 to 24% in FY 2018 and climbed to 32% in the first quarter of 2019 due to Trump’s “Buy American, Hire American” Executive Order. H-1B extensions and transfers also had comparable denial increases. Petitions filed for the same workers with the same jobs that were previously approved, are now being denied. In FY 2017 the denial rate for these petitions was 5%. The rate more than doubled in FY 2018 to 13%.

Denial Rate: H-1B Petitions for Initial (New) Employment

FY 2019*33%
FY 201824%
FY 201713%
FY 201610%
FY 20156%
FY 20148%
FY 20137%
FY 20125%
FY 20117%
FY 20108%
FY 200915%

Source: USCIS, National Foundation for American Policy. *FY 2019 data through the second quarter of FY 2019. Percentages are rounded off. Data extracted and analyzed from USCIS H-1B Employer Data Hub.

Denial Rate: H-1B Extension Petitions for Continuing Employment

FY 2019*14%
FY 201812%
FY 20175%
FY 20164%
FY 20153%
FY 20143%
FY 20133%
FY 20123%
FY 20113%
FY 20105%
FY 20096%

Source: USCIS, National Foundation for American Policy. *FY 2019 data through the first two quarters of FY 2019. Percentages are rounded off. Data extracted and analyzed from USCIS H-1B Employer Data Hub.

* “Changes” by David Bowie (1971)

Next Page »
Latest News
  • Jun

    Leadership Class 43 Graduation

    McGrath North congratulates Cody Brookhouser-Sisney on her graduation from Leadership Omaha Class 43!  Leadership Omaha was launched in 1978 to […]

  • Jun

    2021 Class of Summer Associates

    McGrath North welcomes our 2021 class of Summer Associates: Avram Tynes, Katelyn Noah, Nicole Petrow, Samantha Blixt, Jeanne Kelley, Madison […]