Data Processing Addendums for California

This post was originally published on this site

Earlier this month, the California Consumer Privacy Act became effective with many companies scrambling to become compliant with the law. While there are many ambiguities in the law and the California Attorney General is still finalizing his draft regulations, companies are continuing to create their legal frameworks to comply with the law nonetheless. Part of this compliance framework is the data processing addendum (“DPA”).

 

The data processing addendum concept was introduced when the General Data Protection Regulation (“GDPR”) was passed into law in Europe in 2016. Since the GDPR became effective in May 2018, the DPA concept has been ingrained in the contractual framework for data processing activities done on behalf of others. While DPAs are generally required under Article 28 of the GDPR, a DPA is not necessarily required by the CCPA, but there is a growing understanding of its benefits for data processing contracts between businesses, service providers, and third-parties.

 

Notably, the contract requirements come from the combination of the definitions of “service provider,” “third party,” and “business purpose.” A “service provider” “processes personal information on behalf of a business…for a business purpose pursuant to a written contract…and the contract prohibits the entity from retaining, using, or disclosing” it for a purpose other than the specified business purpose(s). “Business purpose” means “the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes.” Finally, a “third party” is defined by what it is not. A “third party” is not (1) a business that “collects” personal information from a consumer; or (2) a service provider with the contractual restrictions described above and, in this paragraph, (or any other “person” with the same such contractual restrictions). Additionally, a third party will not be considered a third party if it is included in the written contract between the business and the service provider. Therefore, despite being two separate defined terms, the definitions of service provider and third party should be read together.

 

The written contract required by the CCPA is meant to bring down some of the business’s obligations to its service providers so that it may comply with its obligations to California consumers who exercise their rights as provided by the CCPA. Specifically, a service provider must contractually agree that it is prohibited from (i) “selling” (as defined by the CCPA) the personal information it acquires from the business and (ii) retaining, using or disclosing the personal information outside of the direct business relationship with the business or for any other purpose than what is specified in the contract. Further, the service provider must “certify” that it understands its contractual restrictions and will comply with them.

 

If you are a business or service provider, updating all of your service provider contracts could be cumbersome and costly. Rather, the addition of a DPA to your contract playbook could cut down on time-consuming negotiations while clearly establishing relationships that comply with new data protection regimes.

 

January 10, 2020

 

Written by Stan Sater and Jeff Bekiares

 

*    *    *

If you are a business that has questions about CCPA compliance or applicability issues, contact our Founders Legal team at [email protected] or [email protected]

 

Protecting Your Hemp and CBD Brand Through Trademarks

This post was originally published on this site

The 2018 Farm Bill was passed on December 20, 2018, and, among other things, removed hemp from the definition of marijuana under the Controlled Substances Act (“CSA”). Prior to the passage of this Farm Bill, the U.S. Patent and Trademark Office (“USPTO”) could refuse any cannabis or cannabis-related trademark application, on its face, because the identified goods and/or services were unlawful under the CSA. In other words, because the good or service for which the trademark was being sought was not in lawful use in interstate commerce, the USPTO would not grant federal trademark protection. With the passage of the Farm Bill, the USPTO is having to change its review practices to handle the confusion that the Bill created as to the trademark rights of cannabis or cannabis-related businesses.

On May 2, 2019, the USPTO issued new guidance addressed to its trademark examiners on how to handle trademark applications for cannabis-related products. The guidance reiterates that a product ‘must first be in lawful use’ to receive a federal trademark. As it relates to cannabis or cannabis-related trademarks filed on or after December 20, 2018, a lawful use determination “requires consultation of several different federal laws” including the CSA and the Federal Food Drug and Cosmetic Act (“FDCA”). The FDCA, which is overseen by the Food and Drug Administration (“FDA”), makes it unlawful to introduce hemp-derived foods, beverages, dietary supplements, or pet treats unless approved by the FDA. Additionally, under the FDCA, “any product intended to have a therapeutic or medical use intended to affect the structure or function of the body” is a drug. Drugs cannot be distributed or sold in interstate commerce unless approved by the FDA. At present, other than Epidiolex, a plant-derived CBD product used to treat two pediatric epilepsy disorders, no cannabis-derived drug products have been approved by the FDA. The FDA recently restated its viewpoint on the market for CBD products in a revised consumer update and is carefully monitoring the space, having issued 15 warning letters to cannabis-related companies selling products in violation of the FDCA.

For trademark applications filed before December 20, 2018, the examiners may allow applicants to amend their applications to claim a December 20, 2018 filing date to overcome a refusal based on the CSA. As the trademark can still be denied for the other reasons as discussed above, examiners may also allow applicants to amend the original filing basis to an “intent-to-use” basis. With the date change and the “intent to use” change, the examiner will conduct a new search of conflicting trademarks in the USPTO’s records. If applicants choose not to amend their application, they can abandon the application and re-file or respond to the examiner’s office action with evidence to oppose the examiner’s determination. As it relates to hemp cultivation or production services, the examiners will investigate the applicant’s legal ability to cultivate and produce hemp. Per the 2018 Farm Bill, hemp must be produced “under license or authorization by a state, territory, or tribal government in accordance with a plan approved by the U.S. Department of Agriculture (USDA) for the commercial production of hemp.” However, the USDA has not approved any state, territory, or tribal government hemp production plan. Therefore, hemp cultivation or production services trademark applications could still be denied despite the 2018 Farm Bill.

While there is still uncertainty about the future for granting federal cannabis or cannabis-related trademarks, applicants can seek state trademark registration or protect their rights against copiers at common law. Each trademark strategy must be tailored to the applicant’s business and products.

Written by: Stan Sater and David H. Pierce

 

 


Commentary by Stan Sater & David H. Pierce.  David is a corporate and IP lawyer at Founders Legal. He can be reached at [email protected]