The Corporate Transparency Act & Startups

The Corporate Transparency Act (CTA) became effective on January 1, 2024, and will undoubtedly cause difficulties for many startup companies.

The upshot is that almost all newly formed companies will have to file beneficial ownership reports with FinCEN (the Financial Crimes Enforcement Network, which is a bureau of the US Treasury Department).

There are exemptions, such as (a) entities registered with the SEC, (b) large operating companies with (i) more than $5M in top line revenue, (ii) more than 20 full-time employees, and (iii) a US office, (c) tax exempt entities, (d) certain participants in the investment funds industry, (e) subsidiaries of certain exempt entities, and (f) inactive companies, among others. See a list of 23 exemptions here: https://www.fincen.gov/boi-faqs#C_2. Unfortunately, these exemptions likely will not apply to new tech startup companies.

So, what do you have to do?

If you formed your company before 2024, you must file your first beneficial ownership report with FinCEN by January 1, 2025.

What do you have to file with the FinCEN database? Some basic information about the company and, for each “beneficial owner,” the following information:

  1. full legal name,
  2. residential address,
  3. date of birth,
  4. number from an unexpired passport, state ID or driver’s license, and
  5. a photocopy of the above instrument.

A “beneficial owner” is any individual who exercises substantial control over the company (e.g., a director, a senior officer), or who owns or controls 25% or more of the company’s ownership interest (including such owner’s spouse if they live in a community property state).

For companies formed during 2024, there is a 90-day window from the formation date to file the initial report. For companies formed on or after January 1, 2025, the window reduces to 30 days. In addition to the basic information about the company and each “beneficial owner,” the initial report for such a new company must include the FinCEN number or FinCEN information for the filing agent and the individual who signed the charter document (e.g., Certificate of Incorporation). Such individual may be referred to as the “incorporator” or “organizer” on such charter document.

What are your ongoing obligations?

After filing the initial report, companies will have to update the FinCEN database within 30 days of any information becoming outdated.

So, for example, you will have to update the database if any of the following events occur:

  1. the company issues shares to someone who, as a result of such issuance, owns 25% or more of the company’s ownership interest,
  2. the company appoints a director or senior officer, or
  3. a director or senior officer resigns.

Companies need to adopt technology tools or practices that confirm the continued accuracy of the information in the FinCEN database every 30 days and ensure continued compliance with the CTA.

A practical note: If your company was formed before 2024, consider delaying the initial report until later in the year (e.g., Q4) to avoid an early start to the 30-day update cycle. There is no reason to start that sooner rather than later as doing so will require you to adopt a reminder system to ensure continued compliance.

Looking for more information?

Here are some helpful resources for your reference:

Regulations: 31 CFR 1010.380 (excerpt from Beneficial Ownership Information Reporting Requirements Final Rule)

BOI Small Entity Compliance Guide: https://www.fincen.gov/sites/default/files/shared/BOI_Small_Compliance_Guide.v1.1-FINAL.pdf

FinCEN BOI E-Filing System: https://www.fincen.gov/boi

Everything An Angel Investor Should Know About The Corporate Transparency Act: https://www.angelcapitalassociation.org/blog/corporate-transparency-act/

Do not hesitate to contact us if you have any questions.

CTA Beneficial Ownership Reporting Challenges in Community Property States

This post was co-authored by Joe Wallin, a partner in the Seattle, Washington office of Carney Badley Spellman, and Jonathan Wilson with the FinCEN Report.


The Corporate Transparency Act (CTA) took effect January 1, 2024.  This new federal law will require non-exempt reporting companies to report personally identifiable information for each beneficial owner (each, a “BOI report”) to FinCEN. Each BOI report will need to identify each beneficial owner of the reporting company by applying the definition of “beneficial owner” found in the Reporting Rule.  For reporting companies with beneficial owners residing in one of nine U.S. states that have adopted community property laws (Arizona, California, Idaho, Louisiana, Nevada, New Mexico, Texas, Washington and Wisconsin) this will prove especially challenging. This article explores those challenges and proposes some strategies to resolve them.

Identifying Beneficial Owners

The Reporting Rule defines “beneficial owner” as “any individual who, directly or indirectly, either exercises substantial control over such reporting company or owns or controls at least 25 percent of the ownership interests of such reporting company.”  The Reporting Rule also defines “substantial control” and “ownership interest” as they relate to the determination of a beneficial owner.

Importantly, each beneficial owner must be an “individual,” meaning a natural person.  The Reporting Rule provides rules for attributing ownership to an individual when an ownership interest in a reporting company is held by a non-individual.

For example, if a trust holds title to an ownership interest, the beneficial owner will be either the trustee, the grantor/settlor or the beneficiary of the trust, depending on which of them has the power to dispose of all or nearly all of the trust’s assets.  31 CFR §1010.380(d)(ii)(C).

Because the CTA is aimed at preventing money laundering by eliminating the anonymity of beneficial ownership, the drafters of the Reporting Rule made it intentionally broad, hoping to prevent bad actors from circumventing its requirements. Consequently, the Reporting Rule contains provisions that compel reporting companies to attribute beneficial ownership to individuals notwithstanding intermediary arrangements.

For example, the Reporting Rule provides that “an individual may directly or indirectly own or control an ownership interest of a reporting company through any contract, arrangement, understanding, relationship, or otherwise, including joint ownership with one or more other persons of an undivided interest in such ownership interest.”  31 CFR §1010.380(d)(ii)(A) (emphasis added).

It is here that the problem of ownership in a community property state arises.  In those nine states that have adopted a rule of community property, the concept provides that two spouses (and sometimes two domestic partners) that own property have a “joint ownership . . . of an undivided interest” in the community property asset. 

Joint Ownership in Community Property States

The rules of joint ownership in the nine community property states are generally consistent in that two spouses (and sometimes two domestic partners) are deemed to own jointly all the assets of each other with an equal right and power to keep or dispose of the jointly owned property.

The State of Washington, for example, provides that:

“[Excluding certain property types] property acquired after marriage or after registration of a state registered domestic partnership by either domestic partner or either husband or wife or both, is community property. Either spouse or either domestic partner, acting alone, may manage and control community property, with a like power of disposition as the acting spouse or domestic partner has over his or her separate property . . .” R.C.W. 26.16.030

The Washington code provides exceptions to the general rule that either spouse may manage and control community property, including prohibitions on transfers without spousal consent for (1) testamentary gifts of more than one-half of the community property, (2) inter-vivos transfers, and (3) encumbrances or liens.  The Washington code also provides that “where only one spouse or one domestic partner participates in [management of a company] the participating spouse or participating domestic partner may, in the ordinary course of such business, acquire, purchase, sell, convey or encumber the assets, including real estate, or the good will of the business without the consent of the nonparticipating spouse or nonparticipating domestic partner.”

The community property laws of the other eight community property states are generally similar, but unique provisions of state laws may require further inquiry in some situations.

For example, the community property law in Texas provides that “during marriage, each spouse has the sole management, control, and disposition of the community property that the spouse would have owned if single.”  Texas Family Law Sec. 3.102(a). Subject to that general rule, however, community property is subject to the “joint management, control and disposition of the spouses, unless the spouses provide otherwise by power of attorney in writing or other agreement.”  Texas Family Law Sec. 3.102(c).  As a consequence, determining whether a spouse should be designated as a beneficial owner because of a community property ownership in Texas may require counsel to inquire whether the ownership interest in the reporting company was acquired before or during the marriage.

Most community property states have exceptions for property that is acquired by one spouse during the marriage by gift, devise or descent.  See, e.g., Arizona Code Sec. 25-211.A.2., Texas Family Law Sec. 3.001(2), RCW 26.16.010 (excluding from community property any property acquired by gift, bequest, devise, descent, or inheritance).  Where applicable, counsel may need to inquire whether an ownership interest in a reporting company was acquired by gift, devise or descent as part of a determination of beneficial ownership in a community property estate.

Including Spouses in the Identification of Beneficial Owners

Following the guidance in Section 380(d)(ii)(A) of the Reporting Rule, which requires the identification of each beneficial owner who has an “undivided interest in [an] ownership interest” that is more than 25% of the entire ownership interest, reporting companies should include both spouses if either spouse would be a beneficial owner and if that spouse is married and resides in one of the nine community property states and if the applicable community property law does not exclude the ownership interest from the community property of the marriage.

Importantly, this rule of including community property would not impact the reporting company’s identification of beneficial owners who have substantial control by virtue of circumstances that do not involve an ownership interest.  For example, if an individual is a beneficial owner because that individual is a senior officer of the reporting company, the fact that the individual has a spouse and resides in a community property state would be irrelevant.  The non-senior officer spouse would not have any control or influence over the reporting company.

In contrast, an individual might be a beneficial owner (even if their ownership percentage was less than 25%) if their ownership interest gave them substantial influence over major decisions of the reporting company.  For example, an investor might have an ownership interest tied to a veto right over major decisions.  Such an investor would be a beneficial owner because of the substantial control that comes from the veto right (even if the investor’s percentage interest was below 25%).  If that investor were married in a community property state, absent some agreement to the contrary, the investor’s spouse would have a power to vote the investor’s interest and should also be designated as a beneficial owner by the reporting company.

Reporting companies should, consequently, question their beneficial owners regarding their marital status and state of residence.  That inquiry may also need to focus on the means by which the beneficial owner acquired the ownership interest in the reporting company. The reporting company should consider, for each beneficial owner who is married in a community property state, whether that beneficial owner’s spouse should also be designated and reported as a beneficial owner.

In addition, if any spouses are designated as beneficial owners as a result of the community property rule, the reporting company should incorporate those spouses into whatever tracking and reporting mechanism the reporting company utilizes to track changes in beneficial ownership and changes in beneficial owner BOI.

Alternative Approaches

Many reporting companies are implementing changes in corporate governance to account for the information flows required by the CTA.  Reporting companies can adopt a compliance policy and amend their constituent documents so that investors are required, as a matter of contract, to provide the reporting company with BOI information for their beneficial owners.

Such compliance policies can also involve reporting mechanisms and tracking systems, so that any change in beneficial ownership, or any change in a beneficial owner’s reported data, is brought to the attention of the reporting company’s management.  Such a system makes it possible for management to ensure that the reporting company files an amendment to a prior BOI report when such a change occurs.

With respect to the community property rule, it might be possible to avoid having to report the BOI of a spouse who is not involved in the business by having the two spouses enter into a separate property agreement through which one spouse might renounce or transfer to the other spouse that spouse’s community property interest in shares. Of course, the parties should consult the applicable state law to determine the enforceability of such agreements, especially in the context of a dissolution proceeding. Counsel should also consider the prudence of such an approach in view of the policy reflected in the Reporting Rule that tends to include as a beneficial owner all close cases.  Because of the potential criminal penalties that could attach to an effort to exclude a beneficial owner who ought to have been included, it might be prudent to seek a no-action letter from FinCEN before relying on any side agreement that would exclude an individual from beneficial owner status. 

Conclusion

The CTA is going to usher in a new regime of corporate governance, requiring corporations, LLCs, and limited partnerships to impose data reporting obligations on their investors and their affiliates.  Investors that are not natural persons will need to provide information about their beneficial owners.  Beneficial owners who are natural persons will need to disclose their residential address and marital status, among other data points. This new regime will require reporting companies to consider aspects of beneficial ownership that were previously outside the scope of their concern.  A beneficial owner’s marital status and whether that beneficial owner lives in a community property state is a key example.  Reporting companies and the counsel who advise them should consider community property ownership when analyzing beneficial ownership disclosures.

Washington State House Bill 1155 – My Health My Data Act

By Amy Weston

Washington State is on track to pass a far-reaching new piece of legislation in the upcoming weeks. The “My Health My Data” Act (House Bill 1155), if signed into law, will take effect starting on March 31, 2024. The title of the law implies that it will only apply to health care related industries, when in fact the law applies to any entity that conducts business or targets customers in Washington State. As a result, many companies are racing to understand the implications of the new law. Here are the highlights.

At a high level, the law protects consumer health data collected by all entities and not only by health care providers that are subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Consumers often mistakenly believe that HIPAA protects the privacy of their health data on any and all apps and websites when in fact the party collecting the data is not subject to the HIPAA rules.

The My Health My Data Act will require additional disclosures and consumer consent regarding the collection, sharing and use of consumer health information and will give consumers the right to have their health data deleted. Additionally, the law will prohibit the selling of consumer health data without valid authorization signed by the consumer and will make it unlawful to track a consumer’s location around a facility that provides health care services (the law refers to this practice as “geofencing”). Notably, the law extends to consumers the right to pursue a private right of action against companies who do not comply. This means that any individual whose data is not protected in compliance with the proposed My Health My Data Act may file a claim against any company not in compliance.

Who does My Health My Data apply to?

The law applies to any “regulated entity,” which it broadly defines as any entity that (a) conducts business in Washington or provides or produces products or services that are targeted to consumers in Washington, and (b) determines the purpose and means of collecting, processing, sharing or selling consumer health data. (For readers familiar with GDPR and similar legislation, this definition borrows from the “data controller” concept.) Excluded from the definition of “regulated entity” are government agencies, tribes, or service providers working on behalf of government agencies.

What Data is Covered?

The law defines “consumer health data” as any personal information linked to or reasonably linkable to a consumer that identifies a consumer’s past, present or future physical or mental health status. This expressly includes 12 categories of data:

  1. individual health conditions, treatment, diseases, or diagnoses;
  2. social, psychological, behavioral, and medical interventions;
  3. health-related surgeries or procedures;
  4. use or purchase of prescribed medication;
  5. diagnoses or diagnostic testing, treatment or medication;
  6. gender-affirming care information;
  7. reproductive or sexual health information;
  8. biometric data;
  9. genetic data;
  10. precise location data that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
  11. data that identifies a consumer seeking health services or supplies; or
  12. any information that a regulated entity or small business (or their processor) processes to associate or identify a consumer with the above-listed categories of data, even where derived or extrapolated from nonhealth information (such as data derived or inferred by any means, including algorithms or machine learning).

What are the Requirements?

  1. Consumer Health Data Privacy Policy

The first requirement is that companies maintain a “consumer health data privacy policy.”  The policy must clearly and conspicuously disclose: (a) the categories of consumer health data collected and the purpose for which it is collected, including how it will be used; (b) the categories of sources from which the consumer health data is collected; (c) the categories of consumer health data that are shared; (d) a list of the categories of third parties and specific affiliates with whom the regulated entity shares the consumer health data; and (e) how a consumer can exercise its rights under the law.

Any consumer health data not covered in the privacy policy may not be collected, used or shared without first getting the applicable consumer’s affirmative consent. Similarly, an entity may not use the consumer health data for purposes not disclosed without getting the individual’s consent, nor may the entity contract with a third-party processor to collect, use or share the data in a manner inconsistent with the privacy policy.

  2. Consent to Collect; Consent to Share

In addition to maintaining a privacy policy, a regulated entity must obtain consent from the consumer prior to collection of consumer health data, except to the extent the collection of the data is necessary to provide a product or service that was requested by the consumer.

From there, the regulated entity must obtain consent from the consumer prior to sharing the consumer’s health data, except to the extent necessary to provide a product or service requested by the consumer. This consent must be separate and distinct from the consent required at time of collection.

In both cases, the request for consent must clearly and conspicuously disclose: (a) the categories of consumer health data collected or shared, (b) the purpose of the collection or sharing, including the specific ways it will be used, (c) the categories of entities with whom the consumer health data is shared, and (d) how the consumer can withdraw consent from future collection or sharing of the consumer’s health data. Consent cannot be obtained by accepting or agreeing to general or broad terms of use that combine descriptions of processing of personal data along with other unrelated information. Similarly, the law prohibits using “dark patterns” to obtain consent, such as hovering over, muting, pausing or closing a piece of content or using deceptive designs.

  3. Opt-in Requirement for Sale of Consumer Health Data

One of the more unique aspects of the new law is the high bar the law requires for sales of consumer health data, making it unlawful to sell or offer to sell consumer health data without first obtaining valid authorization from the consumer. To qualify as “valid authorization,” a document must be written in plain language and must contain all of the following:

  1. specific consumer health data that the person intends to sell;
  2. the name and contact info of the person collecting and selling the consumer health data;
  3. name and contact information of the person purchasing the consumer health data;
  4. a description of the purpose of the sale, including how the info will be gathered and how it will be used by the purchaser;
  5. a statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
  6. a statement that the consumer has a right to revoke the valid authorization at any time (and a description of how to submit a revocation);
  7. a statement that the consumer health data sold per the valid authorization may be subject to redisclosure by the purchaser and no longer protected;
  8. a one-year expiration (meaning, the consent is only valid for one year); and
  9. the consumer’s signature and date.

Without all of the above, the authorization is not valid. The seller and purchaser must retain copies of all authorizations for six years.

  4. Access and Control

Following the path of many other states in the new patchwork of state privacy laws, the Washington law grants consumers broad rights to access and control their consumer health data collected by the regulated entity. This includes confirming whether the information is actually being collected, a list of all third parties it has been shared with, and an email address or other online mechanism that the consumer can use to contact these third parties. The consumer may withdraw his or her consent to the processing of the data anytime and can ask for the data to be deleted.

Consumers can exercise these rights by submitting a request, at any time, by a secure and reliable means established by the regulated entity and described in its consumer health data privacy policy. The method used to exercise consumer rights must take into account the ways in which consumers normally interact with the company, together with the need for secure and reliable communication of such requests and the ability of the company to authenticate the identity of the consumer making the request. The information requested by the consumer must be provided up to twice a year free of charge, and the company must respond to the request no later than 45 days from the request.

  5. Data Minimization; Appropriate Administrative, Technical and Physical Controls

Similar to other state privacy laws, the Washington law will require that access to the consumer health data be restricted within the company to only those necessary to further the processes specified. The law further requires that the company establish, implement and maintain appropriate administrative, technical and physical data security practices.

  6. No Geofencing

As one of the first of its kind, the law prohibits “geofencing” when used to track consumers, collect consumer health data from them, or target ads at them.  This requirement would go into effect within 90 days of the bill’s passage, whereas most of the remaining provisions will not take effect until March 31, 2024. Geofencing is defined as technology that uses GPS, cell tower connectivity, cellular data or Wi-Fi data or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary (2,000 feet or less from the perimeter of the physical location). A clear response to the Supreme Court’s Dobbs decision, this provision is intended to ensure an individual’s choice to access reproductive health in Washington State will remain private and not be shared.

Conclusions

As noted above, the bill contains a private right of action, giving individual consumers the right to pursue claims of violations. This, combined with the breadth of the definition of “consumer health data” and other definitions, leaves open many questions around what kinds of companies the law will apply to in practice. Many companies may find themselves struggling to comply with the privacy policy notice and consent requirements even if they do not collect data they consider to be health-related personal data. Despite the law’s stated purpose of promoting consumer protection, there is a real risk of consumers becoming even more confused by the law’s requirements, especially when taken together with the patchwork of other state laws, making privacy compliance all but impossible for companies with a presence across multiple states. The call for uniform federal privacy legislation grows stronger.

Overbroad Nondisclosure, Confidentiality, and Nondisparagement Agreements Violate the National Labor Relations Act

By Lucinda Luke

March 2023

A new case recently decided by the National Labor Relations Board held that “an employer violates Section 8(a)(1) of the [National Labor Relations] Act when it proffers a severance agreement with provisions that would restrict employees’ exercise of their NLRA rights.” McLaren Macomb, 372 NLRB No. 58, slip op. at 7 (2023). “Such an agreement,” reasoned the NLRB, tends “to restrain, coerce, or interfere with the exercise of Section 7 rights by employees…” Id.

This decision covers almost all private sector employers, not just unionized workplaces.  However, the decision applies only to agreements between employers and current or former nonsupervisory employees (managers, independent contractors, or those who qualify as a supervisor under the National Labor Relations Act (“NLRA”) are not implicated). 

The following severance agreement language was at issue in the McLaren Macomb case:

Confidentiality Agreement. “The Employee acknowledges that the terms of this Agreement are confidential and agrees not to disclose them to any third person, other than [a] spouse, or as necessary to professional advisors.”

Nondisclosure. “At all times hereafter, the Employee promises and agrees not to disclose information, knowledge, or materials of a confidential, privileged, or proprietary nature of which the Employee has or had knowledge of, or involvement with, by reason of the Employee’s employment. At all times hereafter, the Employee agrees not to make statements to Employer’s employees or to the general public which could disparage or harm the image of Employer, its parent and affiliated entities and their officers, directors, employees, agents[,] and representatives.”

The NLRB found this language overly broad and determined that it would have a chilling effect on an employee’s Section 7 rights under the NLRA.

Nondisparagement.  The NLRB also addressed the severance agreement’s nondisparagement clause.  Under prior NLRB case law, employees have a right to criticize an employer’s policy so long as the communication is not “so disloyal, reckless, or maliciously untrue as to lose the Act’s protection.” Emarco, Inc., 284 NLRB 832, 833 (1987).

The NLRB took issue with the nondisparagement provision’s breadth and the fact that it did not define disparagement or meaningfully limit whom the employees were prohibited from discussing.  The provision protected not only the employer but also “its parents and affiliated entities and their officers, directors, employees, agents, and representatives”.  The provision also had no expiration.  The NLRB determined that this nondisparagement provision prevented employees from saying virtually anything regarding anyone connected to the employer for all time.  As such, the NLRB found that this provision, as drafted, was impermissible.

The NLRB’s decision is also notable because it holds that an employer violates the NLRA when it offers an employee a severance agreement with offending provisions like those described above. It does not matter whether the employee accepts the agreement; simply offering an agreement with illegal provisions violates the law.

Although this decision may be appealed, for the present, employers should review any severance agreements, offer letters, proprietary information and invention assignment agreements, and other employment agreements to ensure the nondisparagement, nondisclosure, and confidentiality provisions are narrowly drafted and comply with the NLRB’s McLaren Macomb decision.

Amendments to Washington’s Equal Pay and Opportunity Act

by Lucinda J. Luke 12/28/22

Amendments to Washington’s Equal Pay and Opportunity Act (EPOA) go into effect January 1, 2023 (with no grace period) and require most employers who engage in business in Washington state to include pay ranges and benefits information in their job postings.

The Washington Department of Labor and Industries has recently released its administrative guidance on the amendments. The following are a few of L&I’s guidance points:

  • Definition of “Employer” and “Applicant”. The law covers any employer that “engages in any business, industry, profession, or activity” in Washington. The salary disclosure requirements apply to employers who have 15 or more employees (only 1 needs to be a Washington-based employee). Employers are covered if they (1) engage in business in Washington or (2) recruit for jobs that could be filled by a Washington-based employee. An applicant is anyone, including a current employee, who applies for a posted position.
  • “Posting” defined. A posting is defined as “any solicitation intended to recruit job applicants for a specific available position, including recruitment done directly by an employer or indirectly through a third party, and includes any postings done electronically, or with a printed hard copy, that includes qualifications for desired applicants.”
  • Wage scale or salary range. The salary range should be clear and without open-ended phrases such as “$10,000/per month and up.” L&I’s guidance also clarifies that “wage scale or salary range” is the “reasonable and genuinely expected range of compensation.” Job listings that can be filled with varying job titles should list a range for each job title.
  • Commissions or piece rate jobs. Jobs that pay commissions or piece rate “should include the rate or rate range that would be offered to the hired applicant.”
  • “Benefits” defined. L&I’s guidance lists the benefits that should ordinarily be listed: healthcare benefits, retirement benefits, any benefits permitting paid days off, and any other benefits that must be reported for federal tax purposes, such as fringe benefits. Employers need not assign a monetary value to their benefits.
  • Other compensation. Employers need not assign a value to compensation that is not a wage or salary such as stock options or bonuses. L&I suggests that a compliant reference to bonuses and stock could be: “Hired applicant will be able to purchase company stock, receive annual bonuses, and can participate in profit-sharing.”

Time to Update Your Severance Agreements: New Washington State Law and National Labor Relations Board Decision Place Additional Requirements

Authored by: Joshua D. Brittingham 
March 2023

Severance agreements have traditionally included confidentiality clauses that allow employers to keep the terms of the agreement, including the amount paid, confidential. This is particularly true when an employee has asserted claims that are waived as part of the severance agreement. However, recent legislation in Washington, known as the Silenced No More Act (RCW 49.44.211), and a National Labor Relations Board (NLRB) decision in McLaren Macomb, 372 NLRB No. 58 (2023), place new restrictions on such confidentiality clauses, requiring changes to many employers’ current severance practices.

Washington State Silenced No More Act

The Silenced No More Act, effective June 9, 2022, was passed in response to the #MeToo movement and seeks to prevent nondisclosure or non-disparagement clauses in any agreement between an employer and employee that would prevent an employee from disclosing conduct they reasonably believe to be illegal. This includes illegal discrimination, harassment, retaliation, wage and hour violations, sexual assault, and violations of a clear public policy mandate. Under the new law, employers cannot prevent employees from disclosing the existence of a settlement agreement related to such conduct, but they can still prevent disclosure of the settlement amount.

National Labor Relations Board Decision

On February 21, 2023, the NLRB went further, holding that severance agreements containing broad confidentiality and non-disparagement clauses violate Section 7 of the National Labor Relations Act. The NLRB held that even offering an employee a severance agreement containing an overly broad non-disparagement and confidentiality clause could violate the NLRA. Section 7 of the NLRA allows employees to collectively work together to improve working conditions, freely discuss the terms of their employment with current and former employees, file NLRB claims, and assist and cooperate with NLRB investigations. Under the decision, a non-disparagement clause may still prohibit statements that are “disloyal, reckless, or maliciously untrue.”

Potential Penalties

Employers in violation may be subject to severe penalties. Employers that violate the Silenced No More nondisclosure rules may be liable for a minimum of $10,000 in statutory damages, plus the employee’s reasonable attorneys’ fees and costs. Employers who violate Section 7 of the NLRA may be liable for up to $50,000 in civil penalties.

Compliance

Employers can comply with both the Silenced No More Act and NLRB decision by including specific language that carves out any non-disclosure or non-disparagement obligations. We recommend that employers review their form severance agreements and any other employment-related agreements to ensure compliance with the new requirements and are happy to answer any questions.

Resources:

RCW 49.44.211 

https://www.nlrb.gov/case/07-CA-254640

https://www.nlrb.gov/news-outreach/news-story/board-rules-that-employers-may-not-offer-severance-agreements-requiring

5 Things You Should Know about the New Washington State Capital Gains Tax

Authored by: Lauren Fricke

In 2021, the Washington State legislature enacted a new tax on the sale of long-term capital assets. In March 2022, the Douglas County Superior Court ruled the new tax is invalid because it violates the state constitution. That decision has been appealed to the Washington State Supreme Court, but while we await its decision, taxpayers have been uncertain about whether and when they may need to file and pay the tax. However, on November 30, 2022, the Washington State Supreme Court granted a stay on the lower court’s ruling. The effect of this stay is that the Department of Revenue can begin collecting the capital gains tax for capital gains generated since January 1, 2022.

The question is, what does this mean for you? Here are five things you should know.

  1. How much is the tax?
    • 7% on the sale and exchange of all assets occurring on or after January 1, 2022, with gains exceeding a standard deduction of $250,000 in 2022. 
  2. When do I need to file and pay the tax?
    • Filings and payment to the Department of Revenue are due April 18, 2023.
  3. Are there any exclusions or deductions?
    • Yes. There are several important exclusions and deductions such as the sale or exchange of real estate, assets held in retirement accounts, timber and timberland, certain agricultural products, and qualified family-owned small businesses. In order to qualify as a family-owned business, the business must be one in which the taxpayer held a qualifying interest for at least five years immediately preceding the sale; the taxpayer and/or members of the taxpayer’s family materially participated in operating the business for at least five of the ten years immediately preceding the sale or transfer; and the worldwide gross revenue is less than or equal to $10,000,000.
  4. Will the tax remain in effect?
    • We do not know yet. While the stay on the lower court’s opinion allows the Department of Revenue to begin collecting the new tax, the case itself has not been decided. The Washington State Supreme Court heard oral argument on the issue on January 26, 2023. However, we may not get a final decision until after the filing deadline in April.
  5. What should I be doing now?
    • Be proactive and do not wait for the decision. Consult a tax professional in order to begin preparing your filing for the April deadline. With the tax reinstated pending the decision, the Department of Revenue can collect the tax starting in April without waiting for a decision to be issued.

Resources:

Washington Supreme Court Order: https://www.courts.wa.gov/content/publicUpload/Supreme%20Court%20Orders/1007698%20Public%20Order%20Motion%20113022.pdf

Link to the Washington State Statute: https://app.leg.wa.gov/RCW/default.aspx?cite=82.87

Department of Revenue Information page: https://dor.wa.gov/taxes-rates/other-taxes/capital-gains-tax

GDPR Update – Step 3: Time to Update your Standard Contractual Clauses!

Welcome back to the Carney Law Privacy team’s blog on all things privacy-related.  This post follows up on the steps needed to update Standard Contractual Clauses.  As you have likely heard, in response to the Schrems II decision invalidating the Privacy Shield and to reflect Europe’s General Data Protection Regulation (GDPR), on June 4, 2021, the European Commission released the updated Standard Contractual Clauses (SCCs).   As a reminder, the SCCs (old and new) are the mechanism permitting the transfer of personal data about data subjects located in the EU to entities located in most countries outside the EU. 

How are the new SCCs different from the old ones? 

The new SCCs are more flexible than the old versions, better reflecting the realities of how companies process data in today’s world.  For one, they come in four modular versions: 

  • Controller-to-controller 
  • Controller-to-processor 
  • Processor-to-controller  
  • Processor-to-processor 

The idea is that companies assess which of the four scenarios above applies to their transaction and implement the appropriate module into their definitive agreement or addendum, as needed.   

Second, the new SCCs are not as rigid as the last versions, which companies were not permitted to adjust in any way to reflect their unique arrangement. For example, companies can now include the relevant clauses of the SCCs directly in a definitive agreement, rather than execute them separately, and supplement them with additional terms that do not contradict the requisite clauses or infringe upon data subjects’ rights. They are also deemed to meet the requirements of GDPR so that there is no need for a separate DPA with additional or supplementary terms.

How and when should you update your SCCs? 

If you currently have your SCCs cross-referenced in a Data Processing Agreement (DPA), consider updating the reference in the DPA to reflect the new SCCs.  This will include specifying who the data exporter and data importer are, and which of the above-referenced modules will apply.  You may also choose to specify whether some of the optional clauses in the new SCCs should apply.  These include specifying whether third parties can “join” the SCCs via a new docking clause, whether certain types of “onward transfers” are permitted (including to subcontractors), and whether the parties choose to use an independent dispute resolution body, among other things.  You will also need to specify what law applies and in what jurisdiction disputes will be resolved.  Finally, as was the case with the old SCCs, you are required to include details about the importer and exporter and must describe the processing activity taking place.  Unlike the old SCCs, the new versions require the data importer (i.e., the entity in the US) to include in as much detail as possible a description of the technical and organizational measures implemented to ensure an appropriate level of security.   

If you do not have a form DPA or are relying on a form of DPA that is now outdated, consider swapping out the DPA in its entirety with the new standard contractual clauses, or, for certain types of transactions, consider folding the SCCs directly into your definitive transaction agreement.   

If you are entering into a new contract that involves the type of transfer discussed in this blog, you should be using the new SCCs as of September 27, 2021. If your contract is already in place and relies upon the old SCCs, then you have until December 27, 2022, to replace those with the new SCCs. This leaves you plenty of time to create a plan, review existing contracts and determine what needs to be updated between now and then.

Which module should you pick?   

Which of the four above modules you pick will depend upon whether you are the exporter (the entity sending data outside the EU) or the importer (the entity receiving the data from the EU).  Most importantly, do you control the nature and means of the processing of information?  Meaning, do you decide what to do with it, how to access and store it, with whom to share it, and how long you hold on to it?  If so, you are likely the controller of the information.   

Alternatively, are you acting upon the directions of your contractual partner and only using the information as needed to perform your commitments under the contract?  If so, you are likely the processor.  This can be a complicated exercise and can also depend heavily on the context of the processing, meaning that your entity might be a controller for certain purposes and a processor for others.  It is never a bad idea to consult with legal counsel if you are not sure. 

What else should you be thinking about? 

Don’t forget the impact the updated SCCs may have on your internal infrastructure.  For example, if you currently use subcontractors or other service providers to process personal data, then you will also need to update your agreements with them to ensure you are adequately meeting your obligations in the new SCCs.  You may also be required to disclose their names in the new SCCs. 

In some cases, the new SCCs may not be the most appropriate or best approach to the transfer at hand. In these cases, an alternative transfer mechanism might be preferable, such as binding corporate rules or reliance on one of the derogations available under Article 49 of the GDPR (i.e., explicit consent).

A final word on data transfer impact assessments  

One of the issues in the Schrems II case was the conflict between individual privacy and a foreign government’s ability to step in and access the personal data being transferred. The new standard contractual clauses include a risk-based method for assessing the likelihood of a government requesting or demanding access to this kind of data, with the idea being that if the risk of foreign government access is too great, the transfer may not occur.  As part of this exercise, companies are documenting their risk analysis in Transfer Impact Assessments (TIAs).  In our next post, we will take a closer look at these TIAs and provide you with some key takeaways, including whether you need one and what it should include. 

As always, if you have any questions about the new SCCs, how to update your DPA or other agreements, or other privacy-related questions, please reach out to our privacy team!  We routinely help clients make sense of these challenges and are happy to help you strategize best practices for your business model.   


About Carney Badley Spellman, P.S.

Carney Badley Spellman is about Advocacy, Strategy, Results. Located in Seattle, we are a full-service law firm committed to exceptional client service and professional excellence. Our firm serves individuals and businesses of all types and sizes. Our attorneys work with clients ranging from closely held companies to Fortune 500 corporations in the Pacific Northwest and across the United States. Although Carney Badley Spellman’s location is in Seattle, Washington, we are proud to be a part of the Washington state community and communities across the nation.

For more articles like this please visit our websites: Privacy Blog, The Startup Law Blog, and Carney Law.

Catching up on Privacy News!

Welcome back to Shhhh…(a Privacy Blog). A lot has happened in the privacy world in the past few months, and we thought we’d catch our readers up on the biggest headlines.

Updated Standard Contractual Clauses

As a quick reminder, the SCCs continue to be the most common and, for many US-based companies, the most feasible transfer mechanism for transfers of personal data from Europe to the United States and to any other country without an adequacy decision from the European Commission. The updated SCCs are designed to reflect a broader range of data transfer scenarios, including processor-to-subprocessor and processor-to-controller transfers, and scenarios where the data exporter (the entity transferring data outside of the EU) is itself established outside of the EU. However, there is a lot to unpack about how to implement the new SCCs. For example, according to the European Data Protection Board’s recommendations addressing cross-border data transfers, a company seeking to transfer data outside the EU must verify on a case-by-case basis whether the law or practice of the third-country importer might compromise the effectiveness of the SCCs. This verification process is lengthy and will be particularly impactful on smaller companies with limited resources to carry out the risk analysis, documentation, and monitoring it requires. Still, the additional guidance is a step forward. Could it eventually propel the US and Europe to reach a political solution? We will follow up on this topic with a separate post, in which we take a closer look at the transfer tools available for transferring data outside the EU and into the US, in particular the updated SCCs and the supplementary measures that must accompany them.

California Introduces New Privacy Tools

State-side, the California Attorney General’s office recently announced two newsworthy tools that may impact readers.  The first is the Global Privacy Control (“GPC”), a universal widget that companies subject to the “Do Not Track” requirements can incorporate on their website to automate the process.  This opt-out tool, developed by an independent group of stakeholders, allows users to automatically signal their privacy preferences to participating websites.  Companies and businesses that have implemented a California Consumer Privacy Act (“CCPA”) “Do Not Sell My Personal Information” opt-out mechanism may want to consider taking advantage of the GPC.  Will big tech companies lead the charge in adopting this tool?  We shall see.

           

California also introduced the Consumer Privacy Tool, an interactive Q&A form on the Attorney General’s (“AG’s”) website designed to help consumers draft notices of non-compliance and send them to businesses directly, rather than relying on the AG’s office to do it.  This notice, if properly sent, could in theory start the CCPA’s 30-day cure period during which a business must bring itself into compliance with the CCPA or face fines from the AG’s office.  The tool is currently limited to failures to post “Do Not Sell” links on a business website, but could eventually be used to track other types of CCPA violations.

Colorado Joins the Privacy Pack


As you have probably heard by now, Colorado became the third state to pass a comprehensive data privacy law with the Colorado Privacy Act, scheduled to take effect on July 1, 2023.  Colorado joins Virginia, where the Virginia Consumer Data Protection Act takes effect on January 1, 2023, and California, where the CCPA became operative on July 1, 2020, and where most provisions of the California Privacy Rights Act will take effect on July 1, 2023.  Stay tuned as we unpack the main similarities and differences between each state’s approach to privacy and track movements in other states.


Pressure Mounts for a Uniform Federal Approach to Data Privacy

Finally, we want to share two pieces of news on the push for a uniform federal approach to data privacy. The Uniform Law Commission (the agency responsible for drafting laws that many states implement in all subject areas) has drafted and released an initial draft Uniform Personal Data Protection Act (“UPDPA”). The stated goal of the UPDPA is to provide a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with regimes like California, Virginia and now Colorado. Designed for states to adopt as written or use as a model in creating their own legislation, the law would apply to controllers and processors conducting business in a state and maintaining personal data of more than 50,000 residents during a calendar year or earning more than 50% of gross annual revenue from maintaining personal data. Importantly, while the law would provide individuals with limited rights to access and correct personal data, it would not include a private right of action. We will be watching closely to see what happens next with the UPDPA.

Lastly, just last week U.S. lawmakers introduced a draft federal privacy bill, entitled “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act.” If approved, the bill would require companies to post privacy notices and appoint a designated privacy officer, would give consumers subject access rights similar to those currently found in California, Virginia, and Colorado, and would require businesses to conduct a privacy impact assessment for risky data processing activities. The bill would also give enhanced powers to the Federal Trade Commission.

Stay tuned for more privacy news from the Carney Badley Spellman team of privacy attorneys.

Have questions? Please contact us at privacygroup@carneylaw.com for more assistance! Or visit us at Carneylaw.com

Disclaimer: this post is for informational/educational purposes only. It is not intended to provide any legal advice. 

Copyright © 2021 Carney Badley Spellman, P.S.

The GDPR Update – Step 2 for Updating Your SCCs

Readers of the first post in our GDPR update series have already worked through Step 1: Transfer Mapping. Part of that step was determining what countries you’re exporting data to. Now, we move on to Step 2: Transfer Tools. Truth be told, Step 2 is really two parts. So, go grab your country list from your transfer mapping project and get ready to review!

Step 2.a – Determining Whether the Countries You Export Data to Have Adequate Protections in Place

The first part of Step 2 involves taking the country list from Step 1 and determining whether the European Commission has found the privacy protections of those countries adequate under GDPR.  Remember: this is for data exports outside of the European Economic Area (the EU plus Iceland, Liechtenstein, and Norway).  If all of the countries on your list are in the EEA, your work here is done.  (In other words, if you were compliant before the SCC changes, you’re still in the clear.)

What if I transfer data to countries outside the EEA? 

If you transfer data outside the EEA, you’re in good standing if the European Commission has issued an adequacy decision in favor of that country.  Careful though, as sometimes the adequacy decisions pertain to only part of a country. 

The European Commission maintains its list of adequacy decisions here.  As of the writing of this post, the European Commission has stated the following countries have adequate protection: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. 

If you’ve reviewed your list and have found that all of your countries are either EEA countries or have adequacy decisions in their favor, you’re done! But what about all the other countries? Like (gulp) the US? If you’ve got one or more of them on the list, keep reading.

Step 2.b – Do Your Transfer Tools Provide Appropriate Safeguards?

Let’s start by answering the obvious question: what is a transfer tool?  A transfer tool is a written safeguard (e.g., a contract) that governs how the data is moved from country to country. 

If you’re exporting data to a country that’s not in the EEA or hasn’t received a positive adequacy decision, you’ll need to make sure you’ve got these safeguards in place.  Per Article 46 of the GDPR, these safeguards include: 

  • A legally binding and enforceable instrument between public authorities or bodies; 
  • Binding corporate rules; 
  • The standard data protection clauses; 
  • An approved code of conduct; or 
  • An approved certification mechanism. 

The idea is that these transfer tools will help level the data protection playing field.  The data subjects will essentially get the same protection outside the EEA as they will inside the EEA. 

Ready to find out if your transfer tools are adequate?  Check back in soon for our post on Step 3: Transfer Tool Assessment, and feel free to contact me with any questions.

By: Ashley Long