The Startup Law Blog

Inset:  This post was co-authored by Joe Wallin, a partner in the Seattle, Washington office of Carney Badley Spellman and Jonathan Wilson with the FinCEN Report. 

Original post found here.

The Corporate Transparency Act (CTA) took effect January 1, 2024.  This new federal law will require non-exempt reporting companies to report personally identifiable information for each beneficial owner (each, a “BOI report”) to FinCEN. Each BOI report will need to identify each beneficial owner of the reporting company by applying the definition of “beneficial owner” found in the Reporting Rule.  For reporting companies with beneficial owners residing in one of nine U.S. states that have adopted community property laws (Arizona, California, Idaho, Louisiana, Nevada, New Mexico, Texas, Washington and Wisconsin) this will prove especially challenging. This article explores those challenges and proposes some strategies to resolve them.

Identifying Beneficial Owners

The Reporting Rule defines “beneficial owner” as “any individual who, directly or indirectly, either exercises substantial control over such reporting company or owns or controls at least 25 percent of the ownership interests of such reporting company.”  The Reporting Rule also defines “substantial control” and “ownership interest” as they relate to the determination of a beneficial owner.

Importantly, each beneficial owner must be an “individual,” meaning a natural person.  The Reporting Rule provides rules for attributing ownership to an individual when an ownership interest in a reporting company is held by a non-individual.

For example, if a trust holds title to an ownership interest, the beneficial owner will be either the trustee, the grantor/settler or the beneficiary of the trust, depending on which of them has the power to dispose of all or nearly all of the trust’s assets.  31 CFR §1010.380(d)(ii)(C).

Because the CTA is aimed at preventing money laundering by eliminating the anonymity of beneficial ownership, the drafters of the Reporting Rule made it intentionally broad, hoping to prevent bad actors from circumventing its requirements. Consequently, the Reporting Rule contains provisions that compel reporting companies to attribute beneficial ownership to individuals notwithstanding intermediary arrangements.

For example, the Reporting Rule provides that “an individual may directly or indirectly own or control an ownership interest of a reporting company through any contract, arrangement, understanding, relationship, or otherwise, including joint ownership with one or more other persons of an undivided interest in such ownership interest.”  31 CFR §1010.380(d)(ii)(A) (emphasis added).

It is here that the problem of ownership in a community property state arises.  In those nine states that have adopted a rule of community property, the concept provides that two spouses (and sometimes two domestic partners) that own property have a “joint ownership . . . of an undivided interest” in the community property asset. 

Joint Ownership in Community Property States

The rules of joint ownership in the nine community property states are generally consistent in that two spouses (and sometimes two domestic partners) are deemed to own jointly all the assets of each other with an equal right and power to keep or dispose of the jointly owned property.

The State of Washington, for example, provides that:

“[Excluding certain property types] property acquired after marriage or after registration of a state registered domestic partnership by either domestic partner or either husband or wife or both, is community property. Either spouse or either domestic partner, acting alone, may manage and control community property, with a like power of disposition as the acting spouse or domestic partner has over his or her separate property . . .” R.C.W. 26.16.030. 

The Washington code provides exceptions to the general rule that either spouse may manage and control community, including on prohibitions on transfers without spousal consent for (1) testamentary gifts of more than one-half of the community property, (2) inter-vivos transfers, (3) encumbrances or liens.  The Washington code also provides that “where only one spouse or one domestic partner participates in [management of a company] the participating spouse or participating domestic partner may, in the ordinary course of such business, acquire, purchase, sell, convey or encumber the assets, including real estate, or the good will of the business without the consent of the nonparticipating spouse or nonparticipating domestic partner.”

The community property laws of the other eight community property states are generally similar, but unique provisions of state laws may require further inquiry in some situations.

For example, the community property law in Texas provides that “during marriage, each spouse has the sole management, control, and disposition of the community property that the spouse would have owned if single.”  Texas Family Law Sec. 3.102(a). Subject to that general rule, however, community property is subject to the “joint management, control and disposition of the spouses, unless the spouses provide otherwise by power of attorney in writing or other agreement.”  Texas Family Law Sec. 3.102(c).  As a consequence, determining whether a spouse should be designated as a beneficial owner because of a community property ownership in Texas may require counsel to inquire whether the ownership interest in the reporting company was acquired before or during the marriage.

Most community property states have exceptions for property that is acquired by one spouse during the marriage by gift, devise or descent.  See, e.g. Arizona Code Sec. 25-211.A.2., Texas Family Law Sec. 3.001(2), RCW 26.16.010 (excluding from community property acquired by gift, bequest, devise, descent, or inheritance).  Where applicable, counsel may need to inquire whether an ownership interest in a reporting company was acquired by gift, devise or descent as part of a determination of beneficial ownership in a community property estate.   

Including Spouses in the Identification of Beneficial Owners

Following the guidance in Section 380(d)(ii)(A) of the Reporting Rule, which requires the identification of each beneficial who has an “undivided interest in [an] ownership interest” that is more than 25% of the entire ownership interest, reporting companies should include both spouses if either spouse would be a beneficial owner and if that spouse is married and resides in one of the nine community property states and if the applicable community property law does not exclude the ownership interest from the community property of the marriage.

Importantly, this rule of including community property would not impact the reporting company’s identification of beneficial owners who have substantial control by virtue of circumstances that do not involve an ownership interest.  For example, if an individual is a beneficial owner because that individual is a senior officer of the reporting company, the fact that the individual has a spouse and resides in a community property state would be irrelevant.  The non-senior officer spouse would not have any control or influence over the reporting company.

In contrast, an individual might be a beneficial owner (even if their ownership percentage was less than 25%) if their ownership interest gave them substantial influence over major decisions of the reporting company.  For example, an investor might have an ownership interest tied to a veto right over major decisions.  Such an investor would be a beneficial owner because of the substantial control that comes from the veto right (even if the investor’s percentage interest was below 25%).  If that investor were married in a community property state, absent some agreement to the contrary, the investor’s spouse would have a power to vote the investor’s interest and should also be designated as a beneficial owner by the reporting company.

Reporting companies should, consequently, question their beneficial owners regarding their marital status and state of residence.  That inquiry may also need to focus on the means by which the beneficial owner acquired the ownership interest in the reporting company. The reporting company should consider, for each beneficial owner who is married in a community property state, whether that beneficial owner’s spouse should also be designated and reported as a beneficial owner.

In addition, if any spouses are designated as beneficial owners are a result of the community property rule, the reporting company should incorporate those spouses into whatever tracking and reporting mechanism the reporting company utilizes to track changes in beneficial ownership and changes in beneficial owner BOI.

Alternative Approaches

Many reporting companies are implementing changes in corporate governance to account for the information flows required by the CTA.  Reporting companies can adopt a compliance policy and amend their constituent documents so that investors are required, as a matter of contract, to provide the reporting company with BOI information for their beneficial owners.

Such compliance policies can also involve reporting mechanisms and tracking systems, so that any change in beneficial ownership, or any change in a beneficial owner’s reported data, is brought to the attention of the reporting company’s management.  Such a system makes it possible for management to ensure that the reporting company files an amendment to a prior BOI report when it does.

With respect to the community property rule, it might be possible to avoid having to report the BOI of a spouse who is not involved in the business by having the two spouses enter into a separate property agreement through which one spouse might renounce or transfer to the other spouse that spouse’s community property interest in shares. Of course, the parties should consult the applicable state law to determine the enforceability of such agreements, especially in the context of a dissolution proceeding. Counsel should also consider the prudence of such an approach in view of the policy reflected in the Reporting Rule that tends to include as a beneficial owner all close cases.  Because of the potential criminal penalties that could attach to an effort to exclude a beneficial owner who ought to have been included, it might be prudent to seek a no-action letter from FinCEN before relying on any side agreement that would exclude an individual from beneficial owner status. 

Conclusion

The CTA is going to usher in a new regime of corporate governance, requiring corporations, LLCs, and limited partnerships to impose data reporting obligations on their investors and their affiliates.  Investors that are not natural persons will need to provide information about their beneficial owners.  Beneficial owners who are natural persons will need to disclose their residential address and marital status, among other data points. This new regime will require reporting companies to consider aspects of beneficial ownership that were previously outside the scope of their concern.  A beneficial owner’s marital status and whether that beneficial owner lives in a community property state is a key example.  Reporting companies and the counsel who advise them should consider community property ownership when analyzing beneficial ownership disclosures.

By Amy Weston

Washington State is on track to pass a far-reaching new piece of legislation in the upcoming weeks. The “My Health My Data” Act (House Bill 1155), if signed into law, will take effect starting on March 31, 2024. The title of the law implies that it will only apply to health care related industries, when in fact the law applies to any entity that conducts business or targets customers in Washington State. As a result, many companies are racing to understand the implications of the new law. Here are the highlights.

At a high level, the law protects consumer health data collected by all entities and not only by health care providers that are subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Consumers often mistakenly believe that HIPAA protects the privacy of their health data on any and all apps and websites when in fact the party collecting the data is not subject to the HIPAA rules.

The My Health My Data Act will require additional disclosures and consumer consent regarding the collection, sharing and use of consumer health information and will give consumers the right to have their health data deleted. Additionally, the law will prohibit the selling of consumer health data without valid authorization signed by the consumer and will make it unlawful to track a consumer’s location around a facility that provides health care services (the law refers to this practice as “geofencing”). Notably, the law extends to consumers the right to pursue a private right of action against companies who do not comply. This means that any individual whose data is not protected in compliance with the proposed My Health My Data Act may file a claim against any company not in compliance.

Who does My Health My Data apply to?

The law applies to any “regulated entity,” which it broadly defines as any entity that (a) conducts business in Washington or provides or produces products or services that are targeted to consumers in Washington, and (b) determines the purpose and means of collecting, processing, sharing or selling consumer health data. (For readers familiar with GDPR and similar legislation, this definition borrows from the “data controller” concept.) Excluded from the definition of “regulated entity” are government agencies, tribes, or services providers working on behalf of government agencies.

What Data is Covered?

The law defines “consumer health data” as any personal information linked to or reasonably linkable to a consumer that identifies a consumer’s past, present or future physical or mental health status. This expressly includes 12 categories of data:

1. individual health conditions, treatment, diseases, or diagnoses;
2. social, psychological, behavioral, and medical interventions;
3. health-related surgeries or procedures;
4. use or purchase of prescribed medication;
5. diagnoses or diagnostic testing, treatment or medication;
6. gender-affirming care information;
7. reproductive or sexual health information;
8. biometric data;
9. genetic data;
10. precise location data that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
11. data that identifies a consumer seeking health services or supplies; or
12. any information that a regulated entity or small business (or their processor) processes to associate or identify a consumer with the above-listed categories of data, even where derived or extrapolated from nonhealth information (such as data derived or inferred by any means, including algorithms or machine learning).

What are the Requirements?

1. Consumer Health Data Privacy Policy

The first requirement is that companies maintain a “consumer health data privacy policy.”  The policy must clearly and conspicuously disclose: (a) the categories or consumer health data collected and the purpose for which it is collected, including how it will be used; (b) the categories of sources from which the consumer health data is collected; (c) the categories of consumer health data that is shared; (d) a list of the categories or third parties and specific affiliates with whom the regulated entity shares the consumer health data; and (e) how a consumer can exercise its rights under the law.

Any consumer health data not covered in the privacy policy may not be collected, used or shared without first getting the applicable consumer’s affirmative consent. Similarly, an entity may not use the consumer health data for purposes not disclosed without getting the individual’s consent, nor may the entity contract with a third-party processor to collect, use or share the data in a manner inconsistent with the privacy policy.

1. Consent to Collect; Consent to Share

In addition to maintaining a privacy policy, a regulated entity must obtain consent from the consumer prior to collection of consumer health data, except to the extent the collection of the data is necessary to provide a product or service that was requested by the consumer.

From there, the regulated entity must obtain consent from the consumer prior to sharing the consumer’s health data, except to the extent necessary to provide a product or service requested by the consumer. This consent must be separate and distinct from the consent required at time of collection.

In both cases, the request for consent must clearly and conspicuously disclose: (a) the categories of consumer health data collected or shared, (b) the purpose of the collection or sharing, including the specific ways it will be used, (c) the categories of entities with who the consumer health data is shared, and (d) how the consumer can withdraw consent from future collection of sharing of the consumer’s health data. Consent cannot be obtained by accepting or agreeing to general or broad terms of use that combine descriptions of processing of personal data along with other unrelated information. Similarly, the law prohibits using “dark patterns” to obtain consent, such as hovering over, muting, pausing or closing a piece of content or using deceptive designs.

1. Opt-in Requirement for Sale of Consumer Health Data

One of the more unique aspects of the new law is the high bar the law requires for sales of consumer health data, making it unlawful to sell or offer to sell consumer health data without first obtaining valid authorization from the consumer. To qualify as “valid authorization,” a document must be written in plain language and must contain all of the following:

1. specific consumer health data that the person intends to sell;
2. the name and contact info of the person collecting and selling the consumer health data;
3. name and contact information of the person purchasing the consumer health data;
4. a description of the purpose of the sale, including how the info will be gathered and how it will be used by the purchaser;
5. a statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
6. a statement that the consumer has a right to revoke the valid authorization at any time (and a description of how to submit a revocation);
7. a statement that the consumer health data sold per the valid authorization may be subject to redisclosure by the purchaser and no longer protected;
8. a one-year expiration (meaning, the consent is only valid for one year); and
9. the consumer’s signature and date.

Without all of the above, the authorization is not valid. The seller and purchaser must retain copies of all authorizations for six years.

1. Access and Control

Following the path of many other states in the new patchwork of state privacy laws, the Washington law grants consumers broad rights to access and control their consumer health data collected by the regulated entity. This includes confirming whether the information is actually being collected, a list of all third parties it has been shared with, and an email address or other online mechanism that the consumer can use to contact these third parties. The consumer may withdraw his or her consent to the processing of the data anytime and can ask for the data to be deleted.

Consumers can exercise these rights by submitting a request, at any time, by a secure and reliable means established by the regulated entity and described in its consumer health data privacy policy. The method used to exercise consumer rights must take into account the ways in which consumers normally interact with the company, together with the need for secure and reliable communication of such requests and the ability of the company to authenticate the identity of the consumer making the request. The information requested by the consumer must be provided up to twice a year free of charge, and the company must respond to the request no later than 45 days from the request.

1. Data Minimization; Appropriate Administrative, Technical and Physical Controls

Similar to other state privacy laws, the Washington law will require that access to the consumer health data be restricted within the company to only to those necessary to further the processes specified. The law further requires that the company establish, implement and maintain appropriate administrative, technical and physical data security practices.

1. No Geofencing

As one of the first of its kind, the law prohibits “geofencing” when used to track, collect consumer health from or target ads at consumers.  This requirement would go into effect within 90 days of the bill’s passage, whereas most of the remaining provisions will not take effect until March 31, 2024. Geofencing is defined as technology that uses GPS, cell tower connectivity, cellular data or Wi-Fi data or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary (2,000 feet or less from the perimeter of the physical location). A clear response to the Supreme Court’s Dobbs decision, this provision is intended to ensure an individual’s choice to access reproductive health in Washington State will remain private and not be shared.

Conclusions

As noted above, the bill contains a private right of action, permitting individual consumers with the right to pursue claims of violations. This, combined with the breadth of the definition of “consumer health data” and other definitions, leave open many questions around what kinds of companies the law will apply to in practice. Many companies may find themselves struggling to comply with the privacy policy notice and consent requirements even if they do not collect data they consider to be health-related personal data. Despite the law’s stated purpose of promoting consumer protection, there is a real risk of consumers becoming even more confused by the law’s requirements, especially when taken together with the patchwork of other state laws, making privacy compliance all but impossible for companies with a presence across multiple states. The call for uniform federal privacy legislation grows stronger.