USCIS Expands Premium Processing

Beginning January 30, 2023, U.S. Citizenship and Immigration Services (USCIS) will expand premium processing to all pending and initial EB-1 multinational executive and manager and EB-2 national interest waiver petitions. In these categories, premium processing will provide for 45 calendar day initial processing for an additional $2500 premium processing fee. The premium processing timeline for other eligible categories remains 15 calendar days. 

If you have questions about whether you qualify to file premium processing for any pending applications, please contact your Varnum immigration attorney.

Cannabis Growers and Processors Must Be Aware of Applicable Environmental Laws

In a potentially under-appreciated risk for cannabis growers and processors in Michigan, there are important environmental laws and permits that must be complied with in order to avoid jeopardizing business operations and state-issued licenses.

There are several environmental laws that apply to growers and processors, along with the various environmental permits that are needed. A prudent cannabis business should presume that the Department of Environment, Great Lakes, and Energy will notify CRA of any enforcement activities for violations of environmental laws. Such violations will be taken into account by CRA for licensing decisions.

Unbeknownst to some applicants, a license from the CRA is not a certification that the grower or processor is in compliance with environmental laws as enforced by EGLE. Even with an active license from CRA, the grower or processor may still need certain permits from EGLE, such as a permit to withdraw water, to use or build on certain lands (such as wetlands), to discharge wastewater (with pollutants such as those from fertilizer) or for waste management purposes. If the grower or processor is unaware that they need a permit, they could find themselves in violation of various laws even if they are operating with a valid license. In fact, EGLE representatives have expressed concern about the large discrepancy between licenses given by CRA and the number of environmental permits given by EGLE.

EGLE seems intent on notifying CRA of any violations they discover. If CRA is notified of a violation, it is clear the violation will be taken into account for licensing purposes. Growers and processors should ensure compliance with all environmental laws to avoid drastic consequences down the road. 

Varnum has successfully represented cannabis clients in environmental matters such as wetlands and air quality violations. Please contact a member of our Cannabis Team if you have environmental compliance concerns or questions.

This advisory was originally posted on February 11, 2020, and was updated on January 10, 2023.

Record-breaking Fine: Epic Games, Inc. and FTC Agree to Settlements Totaling $520 Million for U.S. Privacy Law Violations

On December 19, 2022, Epic Games, Inc., one of America’s largest video game and software companies, announced that it reached a settlement with the U.S. Federal Trade Commission (FTC) that will require it to pay a total of $520 million to resolve allegations that Epic Games violated federal privacy law and engaged in other unfair and deceptive privacy practices related to its popular video game known as Fortnite. The settlement involves two separate record-breaking amounts related to FTC enforcement actions.

First, Epic Games is required to pay a $275 million monetary penalty for allegedly violating the Children’s Online Privacy Protection Act (COPPA), which is the largest penalty the FTC has ever imposed for an alleged violation of a privacy-related rule. Under COPPA, companies are required to obtain verifiable parental consent before collecting personal information from children under the age of 13.  According to the FTC’s allegations against Epic Games[1], Epic Games was aware that many children under the age of 13 were playing its popular Fortnite video game and yet, Epic Games collected personal information from such children without first obtaining parents’ verifiable consent. Moreover, the FTC alleged that Epic Games also instituted unfair default settings in its voice-chat and text chat communication features that resulted in harm to children and teens, including threats and sexual harassment. After learning of the allegations, Epic Games initially resisted calls to remove the voice-chat function from its default features and once the option to turn off the feature was implemented, it remained difficult to locate within the game. In addition to the monetary penalty, the FTC’s consent order will prohibit Epic Games from enabling voice and text chat communications for children and teens unless parents provide affirmative consent, require Epic Games to establish a comprehensive privacy program addressing the issues identified in the FTC’s complaint and require Epic Games to obtain regular, independent audits, among other things.

Second, Epic Games is required to pay $245 million as a refund to individual consumers for the illegal dark patterns[2] and billing practices Epic Games allegedly engaged in with its popular Fortnite video game. The FTC filed a separate administrative complaint alleging that Epic Games used dark patterns to trick players into making unwanted purchases and, more specifically, allowed children to incur substantial unauthorized charges without any parental involvement.[3] In particular, the FTC found that Fortnite’s configurations allowed children (and other users) to incur charges simply by pressing buttons to wake the game up from sleep mode or pressing adjacent buttons in trying to preview certain items. Moreover, the FTC’s complaint states that until 2018, Epic Games permitted children to make in-game purchases by simply pressing buttons with no parental or card holder action or consent required before the purchases would be valid. The FTC also alleged that Epic Games subsequently ignored more than one million complaints it received from Fortnite users as well as repeated internal concerns about incorrect or unauthorized charges, and that if any Fortnite user disputed such charges with their credit card companies, Epic Games would then lock the user’s entire account, resulting in lost access to all prior in-game purchases.

The FTC’s enforcement action against Epic Games for the above-described practices serves as a reminder to all companies doing business in the U.S. that the privacy of their consumers, including children, is a serious matter. In fact, FTC Chair Lina Khan reiterated that “[p]rotecting the public, and especially children, from online privacy invasions and dark patterns is a top priority” for the FTC and the enforcement actions brought against Epic Games “make clear to businesses that the FTC is cracking down on these unlawful practices.”[4]

If you are concerned about your company’s privacy practices as they relate to the laws or practices referenced above, or would like to have a Varnum Data Privacy & Mobility attorney review them, please contact a member of Varnum’s Data Privacy Team.


[1] Complaint, Case No. 5:22-CV-00518, U.S. Federal Court of the Eastern District of North Carolina, available at https://www.ftc.gov/system/files/ftc_gov/pdf/2223087EpicGamesComplaint.pdf.

[2] See here for a discussion by Varnum Attorneys of “dark patterns”: https://www.varnumlaw.com/insights/trends-in-data-privacy-regulation-dark-patterns/.

[3] Complaint, Case No. 192-3203, FTC Commission, available at https://www.ftc.gov/system/files/ftc_gov/pdf/1923203EpicGamesComplaint.pdf.

[4] Federal Trade Commission, Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges, (December 19, 2022) available at https://www.ftc.gov/news-events/news/press-releases/2022/12/fortnite-video-game-maker-epic-games-pay-more-half-billion-dollars-over-ftc-allegations.

Michigan Appeals Court Debates Adopt and Amend Strategy Impacting Minimum Wage and Paid Medical Leave

On December 13, 2022, the Michigan Court of Appeals heard arguments regarding the constitutionality of the legislative adopt and amend process that modified ballot proposals impacting Michigan’s minimum hourly wage rate and the Paid Medical Leave Act (“PMLA”) in the case of Mother Justice v. Nessel.  A decision was not expected and an opinion was not issued from the Bench. For now, nothing has changed, and the status of the law remains in a holding pattern presumably through February 19, 2023, pursuant to a stay entered earlier this year by the Court of Claims.  Regardless of which way the Court of Appeals rules, further challenges are expected. 

At the direction of the Court, the oral arguments focused on the constitutionality of the legislative action, not the potential impact on Michigan businesses in the event that the Court of Claims decision, which held that adopting a proposal and amending the proposal during the same legislative term is unconstitutional, is upheld. If upheld, the decision reinstates the minimum hourly wage rate increases and the Earned Sick Time Act (“ESTA”) as originally adopted. Both parties asked the Appellate panel to issue an opinion on this important topic by February 1, 2023.

Varnum’s Labor & Employment team is closely monitoring the proceedings and is prepared to assist clients with preparing for compliance and with complying when a final decision is issued. Please contact your Varnum Labor & Employment attorney with any questions.

First year associate Rebecca Fadler contributed to this advisory.

Starting a U.S. Business as an International Student

Many schools encourage students to innovate and create, so it isn’t surprising that a lot of entrepreneurial ideas spring from students. However, for international students, starting a business can be intimidating because of their intertwined immigration status. This overview is intended to help international students follow their dream of starting their own businesses in the U.S.

Immigration Status

Most international students enter the U.S. with an F-1 nonimmigrant visa, which means the visa holder must possess nonimmigrant intent to reside in the U.S. temporarily. The visa holder is only permitted to work off-campus if Curricular Practical Training (CPT) or Optional Practical Training (OPT) is specifically authorized by the educational institution.

This is not an issue for an international student intending to only passively own a business in the U.S. However, this is a hurdle for an international student wanting to engage in the actual operation of a business. Operating or working for a startup business (even if it does not generate revenue) could be deemed “working off campus” in violation of certain conditions of an F-1 visa.

There are ways to overcome this issue. Depending on the international student’s relationship with the school, one or more of the following methods would allow a student to operate or work for his or her own business.

Working on Campus

One option for an international student is to work with his or her education institution for the operation of or work for the startup. Essentially, the student’s startup would enter into an agreement with the institution under which the institution acts as an agent, independent contractor or a joint-venture partner to the startup. The startup owns all of the business intellectual property rights, and the institution performs all the substantive work for the startup (i.e., research and development, production, testing, etc.). At the same time, the institution employs the international student as an employee to do such work on the institution’s behalf.

While this strategy assists F-1 visa holders, this option may not be a complete solution for an international student if there is any residual work the startup requires that cannot or is not performed by the institution on-campus. For example, administrative work for the startup holding the intellectual property may still be deemed “work off campus.”

This option also requires that the international student have a very close relationship with the institution, which may or may not be the case depending on the institution and the student’s program.

Practical Training

A second option for international students involves F-1 visa holders’ eligibility for two types of “practical training” periods, which could also avoid violation of the F-1 requirements.

There are two types of practical training as referenced above: 1) CPT and 2) OPT. CPT requires that a student has an employer and requires the employment to be clearly related to the student’s program of study, but is not available for self-employment opportunities. This leaves OPT as the only viable option under F-1 Practical Training.

OPT is a program that temporarily allows international students with F-1 visas in the U.S. to work up to 12 months in relation to their program of study. Such students are eligible for OPT after completing their first academic year. OPT may be used both before and after the program end date, but generally, it only authorizes 12 months of employment for the applicant.

An exception to the 12-month time limit applies to students who have completed degrees in the areas of science, technology, engineering and mathematics (STEM). Such students are eligible for a 24-month extension for post-graduation completion of OPT employment, making the post-graduation work authorization eligibility a total of 36 months.

However, international students face additional challenges in securing the 24-month STEM extension because an OPT STEM employer has to be “E-Verified.” This requires the employer to have other employees. Unless the startup is mature enough to have hired other employees already, this could be a potential hurdle.

H-1B

In anticipation of the expiration of an F-1 visa, including upon conclusion of OPT work authorization, international students wishing to continue to operate or work for their startup in the U.S. often consider the H-1B dual intent visa for workers in specialty occupations. To obtain an H-1B visa, an H-1B applicant must have an employer sponsor and demonstrate a valid employer-employee relationship.

Demonstrating the valid employer-employee relationship can often be a hurdle for an international student working for and owning his or her own startup. Generally, the employer sponsoring the H-1B employment must be able to exert the authority to hire, pay, supervise and fire the international student as an employee independent of the student’s control. As such, to qualify for an H-1B visa, an international student’s ownership and control of his or her own startup needs to be structured in a manner to generally ensure that someone other than the student has the requisite authority over the student’s employment. Additionally, in terms of owning or investing in a startup, H-1B visa holders may only serve as passive investors or owners. That is, for example, the H-1B visa holder could not invest or own the startup unless it was truly passive and the holder cannot otherwise partake in day-to-day management of the startup.

International students who choose to apply for an H-1B visa will also face the mandated cap hurdle during the process. Every year, H-1B visa applicants go through a “lottery system” where only 85,000 of the applicants are granted the opportunity to be approved for the visa (i.e., a 65,000 regular cap and 20,000 special cap for individuals with an advanced degree). Applicants who were not selected must wait to be considered the following year.

Because the H-1B application may be submitted without affecting an international student’s ongoing OPT status under an F-1 visa, an applicant who is excluded from consideration for an H-1B visa because of the mandated cap may continue to work under his or her remaining OPT period and re-apply next year.

There are some exceptions to the H-1B visa mandated cap, including if the employer sponsoring the international student’s H-1B visa is a higher-education institution or non-profit organization that meets the definition for a cap-exempt employer.

One of the major advantages of utilizing an H-1B visa is that it is considered a dual-intent visa. While working under an H-1B visa, the student is eligible to apply for permanent residency in the U.S., which ultimately lifts several of the restrictions imposed on the student.

Access to Capital

Accessing capital for a startup company as an international student can also be difficult. Many U.S. angel investors and venture capital firms may be hesitant to invest in a startup that has an international student as one of the lead founders. The potential immigration issues for the founder add another layer of risk to the investment.

A number of technology startups may, instead, consider seeking funding from federally supported programs like the Small Business Innovation Research and Small Business Technology Transfer; however, these programs typically require that a majority (more than 50 percent) of the business’s equity (e.g., stock or membership interest) be directly owned and controlled by a U.S. citizen or an entity whose majority equity is owned and controlled by a U.S. citizen. For international entrepreneurs considering these programs, there may be a balancing act between retaining control over the startup and receiving funding through these federally sponsored programs.

Conclusion

Although the legal work involved in starting a business as an international student may seem overwhelming, it is certainly possible. If you are thinking about starting your own business as an international student, seize the idea, do the research and ask for professional advice. There is always assistance available along the way to help you meet and clear your hurdles. Please contact a Varnum attorney for assistance navigating this process.

NCAA Releases Updated NIL Guidance to Member Schools

On October 26, 2022, the NCAA Division I Board of Directors published new guidance clarifying how schools can be involved with the name, image, and likeness (NIL) activities of enrolled student-athletes. Since the NCAA’s initial release of their NIL Policy on July 1, 2021, the Board has issued additional guidance in May 2022 and two Q&As in November 2021 and July 2022. The recent guidance provides a non-exhaustive list of permissible and impermissible conduct and divides involvement by schools into four categories: (1) Institutional Education and Monitoring, (2) Institutional Support for Student-Athlete NIL Activity, (3) Institutional Support for NIL Entity/Collective and (4) Negotiating, Revenue Sharing and Compensating.

Institutional Education and Monitoring

With respect to education and monitoring, the NCAA stated that schools can and should provide educational resources—specifically as it pertains to financial literacy, taxes, entrepreneurship and social media—to enrolled and prospective student-athletes as well as to collectives and boosters. Additionally, the NCAA noted that schools should require that student-athletes report their NIL activities to the athletic department, if permitted by state law. The NCAA did not explicitly identify any impermissible conduct as it pertains to educational and monitoring activities.

Institutional Support for Student-Athlete NIL Activity

The NCAA addresses what schools can and cannot do as it pertains to supporting student-athlete NIL activity. The guidance makes clear that, while a school can notify student-athletes of NIL opportunities, it cannot develop, execute or implement a student-athlete’s NIL activity unless the same benefit is made available to all students. The guidance includes a non-exhaustive list of permissible activities, including administering a “marketplace” that matches student-athletes with NIL opportunities, providing NIL entities the contact information of student-athletes and introducing student-athletes to NIL representatives. Impermissible activities include providing student-athletes services (e.g., tax preparation, contract review, etc.) or access to equipment (e.g., cameras, computers, etc.) to support NIL activity, unless the benefit is available to all students. Further, schools are prohibited from communicating with NIL entities regarding a student-athlete’s compensation or encouraging an NIL entity to fulfill a student-athlete’s request.

Institutional Support for NIL Entity/Collective

Under the new guidance, school staff can support NIL entities by providing them with donor contact information and assets (e.g., tickets, suites), facilitating meetings with donors and even assisting with raising money. However, schools are prohibited from donating cash to NIL entities, incentivizing donors to fund an NIL entity or allowing athletic department staff to be employed by an NIL entity.

Negotiating, Revenue Sharing and Compensating

The NCAA’s guidance makes clear that schools, staff and staff-owned companies cannot be involved with negotiating or compensating student-athletes for NIL activities. This includes representing student-athletes in NIL deals, entering into contracts with student-athletes for the sale of NIL-related products and compensating student-athletes for promoting an athletic competition. Additionally, coaches may not compensate a student-athlete for promoting a coach’s camp.

Independent Contractor Today, Employee Tomorrow?

UPDATE – On October 25, 2022, the Department of Labor extended the comment period by 15 days, so individuals and entities wanting to comment on the proposal now have until December 13, 2022 to submit comments.

On October 11, 2022, the U.S. Department of Labor (“DOL”) proposed a new rule which, if passed, would redefine which workers are considered “employees” and which workers qualify as “independent contractors” under the Fair Labor Standards Act (FLSA).

The FLSA requires that employees receive at least the minimum wage for all time worked and overtime pay for hours over 40 in a workweek unless they qualify as an exempt employee. Independent contractors, on the other hand, are not “employees” under the FLSA, and thus are not legally required to receive at least the minimum wage or overtime under that statute. However, independent contractors typically enjoy more freedom – they may work for multiple employers at once, they have more control over their work schedules and they often negotiate their own terms of pay.

In January 2021, the DOL published employer-friendly guidance that redefined who was considered an employee and who was considered an independent contractor. That provision, which is still in effect, makes it easier to define a worker as an independent contractor than prior approaches. It uses five factors that focus on “economic reality.”[1] Two of the five factors are considered the “core factors” and are the most crucial in making the decision. Those two core factors are: (1) the nature of the work and (2) the worker’s opportunity for profit or loss.[2] The remaining three factors are: (3) the amount of skill required for the position, (4) the permanence of the working relationship and (5) whether the work is an “integrated unit of production.”[3]

The DOL’s October 11, 2022 proposal would use a “totality-of-the-circumstances” test to determine who is an independent contractor.[4] The bottom line of the test would be to determine “whether a worker is in business for themself or is instead economically dependent on the employer for work.”[5] Under this test, similar economic reality factors are considered, but they “are not assigned a predetermined weight, and each factor is given full consideration.”[6] Thus, the factors that would be considered if the proposed rule passes are as follows:

  1. The Opportunity for Profit or Loss Depending on Managerial Skill.[7] A worker may be an independent contractor if the worker can (a) exercise initiative or (b) manage their investment or capital on helpers, equipment or material.[8]
  2. Investments by the Worker and the Employer.[9] Investments are treated as a “standalone factor” under the proposed rule.[10] If the worker makes “capital or entrepreneurial” investments, they may be considered an independent contractor. The worker’s investments that are based on regular performance of a job, such as tools and equipment, do not apply.[11]
  3. Degree of Permanence of the Work Relationship.[12] The worker may be an independent contractor if they are not hired indefinitely but are hired for a fixed period of time.[13]
  4. Nature and Degree of Control.[14] The worker may be an independent contractor if the worker has their own business.[15]
  5. Extent to Which the Work Performed is an Integral Part of the Employer’s Business.[16] The worker may be an independent contractor if their work is not an “integral part” of the employer’s business.[17]
  6. Skill and Initiative.[18] A worker may be an independent contractor if the work requires “specialized training or skill that the potential employer does not provide.”[19]

This proposed rule would likely reclassify many independent contractors as employees. U.S. Labor Secretary Marty Walsh argued that this reclassification is important because “Misclassification deprives workers of their federal labor protections, including their right to be paid their full, legally earned wages.”[20] According to the DOL, the proposed rule would also align more closely with historical case law.[21]

The proposed rule is currently in a 45-day public comment period.[22] The final rule, if passed, would be implemented mid-2023, at the earliest, and court challenges to it are likely.[23] In fact, there is a possibility that this proposed rule will be blocked in court and may never come to fruition.

Please contact your Varnum attorney, or any member of the firm’s labor and employment practice team, with questions about how this proposed change may affect your workforce.


[1] 2021 IC Rule.
[2] Id.
[3] Id. at 1247 (§ 795.105(d)(2)).
[4] 87 Fed. Reg. 197 (Oct. 13, 2022).
[5] Id. at 62236, (citing Cornerstone Am., 545 F.3d at 343; Flint Eng’g, 137 F.3d at 1440; Superior Care, 840 F.2d at 1059).
[6] Id. at 62220.
[7] Id. at 62237.
[8] Id.
[9] Id. at 62240. 
[10] Id.
[11] Id.  
[12] Id. at 62243.
[13] Id.
[14] Id. at 62246.
[15] Id.  
[16] Id. at 62253.
[17] Id.
[18] Id. at 62254.
[19] Id.
[20] Daniel Wiessner, Nadita Bose, David Shepardson, Biden labor proposal shakes up gig economy that relies on contractors, Reuters (Oct 11, 2022).
[21] US Department of Labor Announces Proposed Rule on Classifying Employees, Independent Contractors; Seeks to Return Longstanding Interpretation, U.S. Dep’t of Labor; https://www.dol.gov/newsroom/releases/WHD/WHD20221011-0.
[22] Wiessner, supra note 20.
[23] Id.

Learning From the Sephora Settlement: How to Mitigate the Risk of CCPA Public Enforcement

Sephora, Inc. recently became the target of California’s first public enforcement of the California Consumer Privacy Act (CCPA), and Attorney General Rob Bonta is signaling that more will follow. Companies doing business in California should learn from Sephora’s consumer data privacy missteps to avoid becoming the next focus of CCPA public enforcement.

On Aug. 24, 2022, Sephora settled with the Attorney General’s office after allowing third-party companies to create consumer profiles for targeted marketing, despite the fact that consumers were not given the right to opt out of this sale—a violation of the CCPA. To resolve these claims, the cosmetics chain agreed to pay $1.2 million, inform consumers that it sells their personal data, and honor consumers’ requests to opt out of such sales.

The investigation into Sephora began when the Attorney General’s office initiated an “enforcement sweep” in June 2021. By spot-checking more than one hundred online retailers’ compliance with CCPA’s opt-out rules, the Attorney General determined whether online retailers offered (and honored) consumers’ rights to opt out of the sale of their personal data. Sephora received notice that it was not compliant with the CCPA, but the company failed to fix the alleged violations after its thirty-day grace period, prompting further investigation.

According to Attorney General Bonta, this settlement should be considered a warning to all CCPA-covered businesses. “Today’s settlement with Sephora makes clear we will not hesitate to enforce the law,” he said. “It’s time for companies to get the memo, protect consumer data, honor their privacy rights.” Companies doing business in California should heed Bonta’s warning and get their privacy house in order. As they work to comply with the CCPA and the California Privacy Rights Act (CPRA)—which becomes effective January 1, 2023—businesses should learn from Sephora’s settlement to avoid becoming California enforcers’ next target.

Utilize—But Do Not Rely On—a Grace Period to Cure Noncompliance

Businesses should immediately cure their noncompliance when the Attorney General notifies them of law violations—but they should no longer rely on such a grace period. Whereas the CCPA required the Attorney General to provide businesses with 30 days to cure the violation before enforcing the law, the CPRA eliminates this requirement on January 1, 2023 and instead gives enforcers discretion on whether to provide a grace period.[1]

In this case, the Attorney General notified a number of businesses that they failed to honor consumers’ opt-out requests and provided them with thirty days to cure their noncompliance. Sephora disregarded the warning—a $1.2 million mistake.

Since businesses may no longer expect a grace period to cure any shortcomings before the Attorney General brings an enforcement action, businesses should enter 2023 fully compliant with CPRA. Those that are fortunate enough to still receive notice of their noncompliance before being penalized should take full advantage of the opportunity, immediately curing their CPRA violations.

Know Whether You “Sell” or “Share” Personal Data

The CCPA and CPRA require businesses that “sell” or “share” personal information to give consumers the opportunity to opt out of this transaction.[2] However, both terms are afforded somewhat nuanced definitions. “Selling” means transferring a consumer’s personal information to a third party for monetary or other valuable consideration.[3] “Sharing” means transferring a consumer’s personal information to a third party for cross-context behavioral advertising, whether or not for valuable consideration.[4] Significant exceptions are baked into these definitions, allowing businesses that would otherwise “sell” or “share” personal data to do so without offering consumers the right to opt out.

The term “valuable consideration” has given many stakeholders pause, since this undefined term can determine a business’s legal liability. This action against Sephora demonstrates one such application. In the complaint, Attorney General Bonta alleged that Sephora installed third-party trackers in the form of cookies, pixels, software development kits and other technologies that automatically sent data about consumers’ online behavior to third parties. Sephora allegedly “sold” consumer data when it gave companies access to this data in exchange for free analytics and advertising benefits, without providing consumers the opportunity to opt out of the sale. Therefore, the term “valuable consideration” includes receiving information about a consumer’s activities and preferences.

Notably, this transaction between Sephora and the third parties would likely have been permitted if Sephora had a compliant service provider contract with each third party (under a common exception to a “sale”). However, Sephora failed to establish this relationship. Perhaps misapprehending the law’s requirements, the cosmetics company found itself without legal cover.

Businesses should learn from Sephora’s oversight and scrupulously examine the CPRA’s precise language and subsequent applications of these laws—particularly regarding “selling” and “sharing.” Many of the CPRA’s mandates include legal terms of art and exceptions, which include other terms of art and exceptions. As they enter 2023, businesses must fully grasp the law’s detailed requirements and comprehend how their current practices map onto these obligations.

Honor Opt-Out Requests via Global Privacy Controls

Businesses should review and test their technical procedures to ensure that Global Privacy Control (GPC) signals are honored. Initially, there was some uncertainty about whether the CCPA requires businesses to honor consumer opt-outs received via GPCs—plug-ins that allow consumers to universally opt out of the sale of their data across all websites. Subsequent CCPA regulations put the issue to rest: businesses must now treat user-enabled GPCs as a valid consumer request to opt out of the sale.[5] However, Sephora’s website was not configured to detect or process any GPC signals and entirely disregarded these requests, in clear violation of this regulation. The Sephora settlement underscores the California regulators’ consistent emphasis not just on honoring GPC mechanisms, but also on consumers’ efficient management of their CCPA-established rights.

Businesses should learn from Sephora’s counterexample and, at the very least, test their technical capabilities to process GPC signals. Taking it a step further, businesses should embrace the spirit of the settlement and empower their consumers to easily exercise their data rights. By ensuring that privacy disclosures are candid and clear, opt-out mechanisms are conspicuous, and links are fully operative, businesses can help mitigate the risk of public enforcement.

Sephora’s $1.2 million settlement should serve as a cautionary tale to businesses still honing their CCPA and CPRA compliance. Businesses should utilize a grace period if they are provided time to cure (although soon this will no longer be mandated), know how their data practices apply to the laws’ detailed requirements, and consistently honor consumer opt-out requests—including those made via GPCs. In so doing, businesses can minimize the odds of becoming the industry’s next source of “lessons learned” for CCPA and CPRA compliance.


[1] Cal. Civ. Code § 1798.155.

[2] Cal. Civ. Code § 1798.120.

[3] Cal. Civ. Code § 1798.140(ad).

[4] Cal. Civ. Code § 1798.140(ah).

[5] Cal. Code Regs. Tit. 11 § 7026(c).