Tag Archives: compliance

Calling All California Employers – Are You CCPA Compliant?

The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. Many California employers have improperly ignored its application to their businesses. While most employee rights were carved out of the CCPA’s application until January 1, 2021, there are still key requirements under the CCPA that employers of California residents must abide by starting January 1, 2020.

Does the CCPA Apply to Your Business?

The CCPA generally will apply to any for-profit company that does business in California, collects the personal information of California residents (including employees residing in California) and either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.

If your business satisfies one of the thresholds, then having California employees is enough to trigger compliance requirements under the CCPA.

Compliance Required Today With Respect to California Employees

Effective January 1, 2020, all businesses that satisfy the threshold requirements under the CCPA are required to provide initial privacy notices to their California resident employees.

In addition to the initial notice requirements, California employers should be aware that a data breach of HR data stemming from a lack of reasonable security procedures could be the trigger for a class action lawsuit under the CCPA’s private right of action. It is important for employers to scrutinize information security policies, properly manage all third-party service providers who have access to HR data, and update internal and external privacy policies to ensure compliance under the CCPA.

Risks of Noncompliance

The CCPA is enforceable by both the California Attorney General and through a limited private right of action (specific to claims with respect to data breaches). Enforcement by the California Attorney General will begin six months after the publication of final regulations or July 1, 2020, whichever is sooner. Civil penalties can run from $2,500 per violation to $7,500 per intentional violation, and each affected consumer can count as a separate violation (for example, a violation involving 10,000 California consumers could result in penalties of $25 million to $75 million).


Recent FDA Warning Letter Valuable Reminder To CBD Industry – Don’t Ignore Basic Regulatory Compliance

Following similar announcements by CVS and Walgreens, Kroger became the latest retailer to join the CBD craze when it announced plans to sell CBD-infused products. Sales of products containing CBD are expected to top $5 billion this year, a 700% increase from 2018, and could reach nearly $24 billion in sales by 2023, according to analysts. However, a recent warning letter from the FDA contains important reminders for the industry.

Although the 2018 Farm Bill removed hemp (and therefore hemp-derived cannabidiol, or CBD) from the federal Controlled Substances Act, the Bill did not affect the authority of the FDA or the states to regulate CBD and other cannabis or hemp ingredients in FDA-regulated products. To date, the FDA has not approved CBD for use in food or drinks for humans or animals, in dietary supplements, or in topical cosmetics, and it maintains its position that it is illegal to sell a food or dietary supplement containing added CBD in interstate commerce. Historically, however, the FDA has generally taken a passive approach to enforcement against hemp-derived CBD products.

On July 22, 2019, FDA issued a warning letter to one of the largest producers of CBD-based products, Curaleaf, Inc. The FDA reiterated that certain hemp substances, including CBD, have a questionable regulatory and safety status in the eyes of FDA and some state governments despite the 2018 Farm Bill. But the more likely trigger for the action was the marketing claims that were associated with Curaleaf’s products.

The FDA surveyed Curaleaf’s website and social media pages, and found claims like:
• “[S]oothing tincture for chronic pain.”
• “CBD has been demonstrated to have properties that counteract the growth of spread of cancer.”
• “CBD has also been shown to be effective in treating Parkinson’s disease.”
• “CBD oil can be used in a variety of ways to help with chronic anxiety.”
• “CBD is being adopted more and more as a natural alternative to pharmaceutical-grade treatments for depression and anxiety.”

These are clear drug claims related to treating or preventing diseases, and FDA concluded that the products were misbranded and unapproved new drugs.

In response to the warning letter, the company stated that it is removing the statements from its website and social media that the FDA identified as noncompliant. Also of note, following the warning letter, CVS immediately removed all Curaleaf products from its shelves, and Curaleaf’s stock tumbled.

The bottom line is that fundamental regulatory compliance matters. The full list of Curaleaf’s claims reinforces best practices for drafting and substantiating claims appearing on any food or dietary supplement labels (not just those containing CBD). And if the claim appears on a product that is already under regulatory scrutiny and sold only because of enforcement discretion, then compliance is especially important.

In addition to regulatory enforcement action, publicly issued warning letters may also lead to class action lawsuits based on a claim that statements are false and misleading and actionable under state consumer protection laws. While the statute the FDA is tasked with implementing (the Federal Food, Drug, and Cosmetic Act) does not include a private right of action, litigants and courts often use FDA warning letters for guidance as to whether a marketing claim is, or is not, susceptible to challenge under various consumer protection laws.

It is crucial for companies that market or sell CBD products to confirm that their marketing materials and labeling generally comply with FDA requirements and avoid making unapproved human or animal drug claims. If you currently market or are considering marketing CBD products, contact our Food and Dietary Supplement regulatory team to guide you through state and federal labeling and advertising requirements.


Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act (CCPA)

The data privacy regime is starting to look more like the wild west every day. A year after companies had to focus resources on complying with Europe’s onerous requirements under the General Data Protection Regulation (GDPR), companies must once again gear up for the first round of U.S. state efforts to tighten data privacy rules with California’s new California Consumer Privacy Act (CCPA), which comes into effect on January 1, 2020. Whether you were able to ignore GDPR or not, CCPA sets the data privacy bar higher for most U.S.-based companies.

DOES CCPA APPLY TO YOUR COMPANY?

CCPA generally will apply to any for-profit company that does business in California, collects the personal information of California residents, and either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives the personal information of at least 50,000 California consumers, households or devices; or (3) derives at least 50% of its annual revenue from selling California personal information.

COMPLIANCE WITH GDPR DOES NOT EQUAL COMPLIANCE WITH CCPA.

While many aspects of CCPA read similarly to the regulations you may have become familiar with under GDPR, there are clear differences. Like GDPR, CCPA will require companies to carefully craft specific language in their website privacy policy and to provide certain rights to California consumers, such as the right to know what personal information has been collected (and to access a copy of it), the right to request that the information be deleted, and the right not to be discriminated against for exercising those rights.

CCPA also includes specific disclosure requirements with respect to the “sale” of California consumer personal information and specific disclosure requirements with respect to personal information of minors. As part of the “sale” disclosures, many companies will need to add a new website opt-out option labeled “Do Not Sell My Personal Information.”

RISKS OF NONCOMPLIANCE.

CCPA is enforceable by both the California Attorney General and through a limited private right of action (specific to claims with respect to data breaches). Enforcement by the California Attorney General will begin six months after the publication of final regulations or July 1, 2020, whichever is sooner. Civil penalties can run from $2,500 per violation to $7,500 per intentional violation, and each affected consumer can count as a separate violation (for example, a violation involving 10,000 California consumers could result in penalties of $25 million to $75 million).

EXEMPTIONS – GLBA AND HIPAA.

There are specific exemptions with respect to certain types of data under CCPA. If you are a financial institution subject to the Gramm-Leach-Bliley Act (GLBA) or a covered entity subject to HIPAA, certain data you collect will be exempt. However, financial institutions and covered entities are still subject to CCPA with respect to data not covered by GLBA (i.e., data that is not nonpublic personal information, or NPI) or by HIPAA (i.e., data that is not protected health information, or PHI). It is important for companies to understand the interplay between all privacy regulations and to set forth a data privacy compliance program that complies with all applicable laws.

WHERE TO START.

Analyzing the application of data privacy regulations can be daunting. McGrath North recommends companies start with data mapping to determine what information is collected, where the information is collected from, and what the company does with the information (including a list of the third parties with whom the information is later shared). From there, companies can start to formulate well-thought-out compliance programs that allow them to comply with applicable data privacy laws while maintaining efficient and effective operations.

With a heightened national focus on data privacy and security, these burdensome and sometimes difficult-to-manage regulations are not going away. Whether or not you put a compliance program in place to satisfy the requirements of GDPR, CCPA and other U.S. state data privacy laws will impact almost all nationally operating entities.

McGrath North has data privacy experts to help you work through the weeds of the regulations and to partner with you to determine the most practical and efficient way for your company to implement privacy policies and procedures to ensure compliance.


GDPR One Year Later: Has Your Company Sorted Through The Confusion And Risks – What U.S. Companies Need To Remember

It has been more than one year since Europe’s General Data Protection Regulation (GDPR) went into effect, and the data protection regulatory front still remains confusing and difficult to trudge through for many U.S.-based companies. It is clear, however, that there is no slowing down when it comes to increased data privacy regulation. Below is a refresher on the basics of GDPR, as last year we saw many U.S.-based companies put aside the issue of whether they needed to focus dollars and time on complying with it. As the regulatory front continues to grow and there is increasing pressure from consumers, customers and vendors to pay attention to data privacy laws like GDPR, companies that avoided GDPR should review its jurisdictional requirements to confirm their compliance obligations.

WHY CARE – HOW GDPR APPLIES TO U.S. COMPANIES?

Why should a U.S. (or local Midwest-based) company pay attention to a set of regulations providing rights (in general) to individuals in the European Union? The answer is simple: GDPR’s extra-territorial reach allows EU data protection authorities to reach U.S.-based companies that have no physical presence in Europe. A U.S.-based company with no operations (or other establishment) in the EU will be subject to GDPR if the company either (1) offers goods or services to individuals in the EU, or (2) monitors the behavior (e.g., through its website) of individuals in the EU.

PRACTICAL WAYS TO START YOUR COMPLIANCE PLAN.

Companies that want to start formulating a plan for data privacy compliance should start with data mapping. Understanding from whom and where data is collected, what the company does with the data, and with whom and where data is shared will help a company determine which data privacy regimes govern its operations. From there, a company can begin to pull together its data privacy compliance program (whether basic or more sophisticated) to ensure compliance with all applicable data privacy laws.

IMPLEMENTING NECESSARY CHANGES.

Among other things, GDPR requires a company to include specific disclosures in its website’s privacy policy, to have in place consent mechanisms and disclosures with respect to the use of cookies, and to formulate various technical and organizational policies and procedures governing the treatment and use of personal data.

Penalties under GDPR for noncompliance can be hefty: up to €20 million or 4% of a company’s worldwide annual turnover (whichever is greater). Companies may also be subject to criminal penalties under member-state law, corrective orders and suits by supervisory authorities, and private rights of action by individuals. And today, various European supervisory authorities are beginning to investigate compliance among dozens of U.S.-based companies.

GDPR’S NOT FOR YOU – YOUR CUSTOMERS AND VENDORS MIGHT TELL YOU OTHERWISE.

Even if a company determines that GDPR’s jurisdictional reach does not apply to its operations, many U.S.-based companies are seeing their customers and service providers require them to comply with the terms of GDPR (through flow-down contractual obligations and liability). It is important for companies to understand what they are contractually signing up for and what impact agreeing to GDPR compliance will have.

What this means for most U.S.-based companies is that if GDPR is not yet on your radar (or you quietly ignored GDPR over the last few years), today is the day to review its application and take the necessary steps to gain compliance. With the regulatory focus on data privacy and security, even if GDPR does not apply to your company, almost all U.S.-based companies will be impacted by the various state data privacy laws working their way through local legislatures. A GDPR analysis is just the beginning!

LEARN MORE.

As you are evaluating GDPR’s ongoing impact, our experienced privacy team is ready to partner with you in formulating a practical, effective and tailored compliance approach that minimizes disruptions to your company’s business plans.


When Bad Things Happen To Good Plans: IRS Enhances Plan Correction Methods

Corrective Action

The Employee Plans Compliance Resolution System (“EPCRS”) is a program offered by the IRS that allows plan sponsors to correct retirement plan compliance failures on a voluntary basis. Plan sponsors whose plans experience operational errors can avail themselves of EPCRS and pay a sanction that is a fraction of the penalty that would otherwise be assessed if the defect were discovered under an IRS audit. In some cases, if the defect qualifies for self-correction without IRS approval, the sanction can be avoided entirely.

EPCRS continues to improve as a very beneficial tool for plan sponsors who desire to maintain legal compliance in a complex regulatory environment. Most recently, the IRS published two new Revenue Procedures, which serve to further entice plan sponsors to utilize EPCRS by expanding the program and lowering the cost of certain corrections. The opportunity to correct certain defects in accordance with the Revenue Procedures is available immediately. This article provides a brief summary of the more pertinent enhancements to EPCRS offered by the Revenue Procedures.

Employee Elective Deferral (401(k)) Contributions

A common plan error is the failure on the part of the plan sponsor to accurately honor the salary deferral election of eligible employees in a 401(k) plan. Before the issuance of the Revenue Procedures, the permitted corrective measure under EPCRS was for the plan sponsor to contribute 50% of the amount that should have been contributed and the full matching contribution that would have been contributed if the participant’s election had been followed. These corrective contributions were adjusted for earnings.

The IRS’s justification for requiring the 50% contribution in lieu of the elective deferral is that even though the participant received in cash the amount that should have been deferred, the participant was deprived of the tax-deferred savings opportunity. Recognizing that the 50% could be considered a windfall for the participant, the Revenue Procedures provide that if the correct deferrals begin not later than the first payroll after a three-month period following the date the failure first occurred, only the corrective matching contribution is required. If the correction is made after three months, the corrective percentage for missed deferrals is 25% rather than 50%. In order to be eligible for the lower 25% correction percentage, the following conditions apply:

  • The participant election must be followed not later than the first payroll after the second year following the year the failure occurred or, if the plan sponsor is notified by the employee, the first payroll made after the month of the notification;
  • The corrective contribution must be made before the last day of the second plan year after the year of the failure and, in no case, after the plan or plan sponsor is under examination by the IRS; and
  • Corrective contributions for missed matching contributions are made in accordance with existing EPCRS rules and all corrective contributions are adjusted for earnings.

Regardless of whether the correction is made within the first three months or by the end of the second year following the initial failure, notice of the failure must be provided to the affected employee no later than 45 days after the date the correct deferrals begin.

Automatic Enrollment/Contributions

Recognizing that automatic enrollment errors are common, the Revenue Procedures provide significant relief with respect to the available correction method for failure by a plan sponsor to implement a plan’s automatic contribution feature. The Revenue Procedures provide that where the failure to implement a plan’s automatic contribution feature does not extend beyond 9½ months after the end of the plan year during which the failure occurs, no corrective contribution is required to be made by the plan sponsor if:

  • The correct deferrals begin no later than the end of the 9½ month period after the end of the plan year in which the failure first occurred or the first payroll date after the end of the month the plan sponsor is notified of the failure by the affected employee;
  • Notice of the failure is provided to the affected employee no later than 45 days after the date the correct deferral amount begins; and
  • Corrective contributions for missed matching contributions are made in accordance with the existing EPCRS rules and all corrective contributions are adjusted for earnings.

Other Revisions

The Revenue Procedures include several other revisions to the correction methods, including an extended period to correct excess annual additions, reduced sanctions for required minimum distribution and participant loan failures under certain conditions, clarification regarding the plan sponsor’s duty to recoup overpayments from participants, a new permitted method for calculating lost earnings in some situations, and a variety of procedural changes.

Summary

The revisions to EPCRS by the recently released Revenue Procedures provide an impetus to plan sponsors to utilize the IRS voluntary correction program and to make the corrections sooner rather than later. By catching errors within the stated timeframes, plan sponsors can significantly reduce the cost of correction. The regulatory environment surrounding retirement plans is vast and complex; however, when errors occur, prompt correction can serve to significantly reduce and eliminate further costs and financial exposure. If you have questions regarding the IRS plan correction program, please feel free to contact one of our employee benefits lawyers or your McGrath North attorney.


HIPAA Compliance Fines To Increase Next Year

Jerome B. Meites, a chief regional civil rights counsel at HHS, advised a June 12 American Bar Association conference in Chicago that HHS enforcement efforts over the next 12 months regarding privacy breaches and security lapses involving protected health information will likely result in aggregate fines exceeding the more than $10 million assessed since June 2013. Mr. Meites based his remarks on previous statements in which leaders at HHS’ Office for Civil Rights (OCR) have signaled an increasing desire to send strong messages. As part of his remarks, Mr. Meites also noted that portable media accounts for an enormous number of the complaints that OCR handles.

The message here for businesses subject to the HIPAA Privacy, Security and Breach Notification Rules is to perform a comprehensive risk analysis and then address any vulnerabilities the analysis identifies, with a particular focus on mobile devices and portable media. For questions about HIPAA compliance issues, contact a member of the McGrath North Privacy and Data Security Group.