Uncategorized

Brooke Penrose


Brooke Penrose

Nearly two years since many professionals gathered in-person and on-site, the prospect of return-to-office en mass is picking up pace.

The U.S. Bureau of Labor Statistics reports that the percentage of people telecommuting due to the pandemic dropped from 23.2% in January of 2021 to 13.4% in August of 2021. While this trend is met with mixed emotions by some, there is broad consensus that in-person gatherings, including return-to-office initiatives, are planned with the safety of all individuals in mind.

Given the rapidly evolving landscape surrounding COVID, a popular safeguard employers consider is requiring employees to provide proof of vaccination status before physically returning to the office. Any request for employee health records rightfully raises concerns about privacy and the legality – to request.

In most cases, businesses requesting an employee provide proof of vaccination will not violate the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but requiring the employer-provided insurance policy to confirm status may-. In general, HIPAA only applies to a patient’s healthcare providers, healthcare clearinghouse, and insurance companies (called “covered entities”) and the businesses that process patient health information on behalf of covered entities (called “business associate”). If an employee directly provides their health … Keep reading

Brooke Penrose and Deb Peckham


Brooke Penrose and Deb Peckham

In a recent decision, the Trademark Trial and Appeal Board (TTAB or Board) considered whether an application based upon an “intent to use” a mark in commerce may be predicated on proposed use with currently unlawful goods that may become lawful in the future.

In In re Joy Tea Inc., the applicant proposed to use its mark with, among other items, “tea-based beverages also containing CBD.” The Examiner refused to register the mark on the grounds that applicant’s claim of proposed use of a mark “in lawful commerce” was invalid due to not complying with the Food, Drug and Cosmetic Act at the time the application was filed.

On appeal to the Board, the narrow question became: “[D]oes a trademark applicant’s belief that the cannabis goods specified in its trademark application will become federally lawful in the future provide a sufficient basis upon which to predicate its claimed ‘intent to use’ the mark in lawful U.S. commerce?”

The TTAB’s answer was “no.”

The TTAB upheld the Examiner’s refusal to register the applicant’s mark based on the longstanding prohibition against attempting to reserve a right in a mark, rather than having the ability to use the mark in commerce.… Keep reading

Navigating the New Standard Contractual Clauses


The European Commission published its implementing decision for the new Standard Contractual Clauses (“SCCs”) in June of 2021.  On September 27, 2021, the old SCCs that had been adopted prior to the General Data Protection Regulation (“GDPR”) going into effect were officially repealed and all new data transfers relying on the SCCs as its cross-border transfer safeguard mechanism under the GDPR will need to adopt the “new” SCCs.  (For more on SCCs generally, see our post here.)

Unlike the old SCCs, the new SCCs require the parties to engage in some thought about the nature of their cross-border data transfer relationship and customize the SCCs to fit such.  Specifically, the new SCCs outline four categories of relationships that may be covered by the new SCCs under different “modules” within the SCCs:

  • Module 1: controller to controller
  • Module 2: controller to processor
  • Module 3: processor to processor
  • Module 4: processor to controller

Once the parties understand the nature of their relationship, the new SCCs can be pulled together following the modular format put forth by the European Commission, with about half the new SCC provisions containing unmodifiable language applicable to all relationships and half of the new SCC provisions … Keep reading

State of US State Comprehensive Privacy Laws


Following the lead of California and then Virginia, Colorado recently became the third U.S. state to pass a comprehensive law providing its residents with personal data privacy rights. While there is significant overlap between how each of these state laws defines who it applies to and what consumer rights are granted, there are several key differences, including the scope of consumers’ opt-out rights:

These states make up a combined 16% of the U.S. population, making it increasingly difficult for even strictly U.S.-focused organizations to fall out of scope of comprehensive data security and privacy laws requiring, for example, the use of data protection assessments.

The U.S. regulatory landscape continues to evolve on a nearly weekly basis. Indeed, similar comprehensive bills have already been introduced in Massachusetts, New York, and Illinois. As more states pass legislation related to collecting personal information, it remains imperative for businesses to stay updated on how each state regulates this activity.… Keep reading

IP & Cybersecurity: Critical Points on Data Misuse


What strategies should businesses employ to circumvent “insider” cyber threats? Attorneys Howard Susser and Brooke Penrose will discuss the best practices to manage and prevent data misuse and the claims to consider when threats arise. Learn about the Computer Fraud and Abuse Act, trade secrets and other intellectual property claims, and breaches of agreements.

Click here to view the full webinar.… Keep reading

Don’t Crumble Under Cookie Restrictions


Nearly half of all websites use cookies – small text files stored on internet users’ computers and mobile devices so web servers can track that user. Cookies come in a variety of flavors in terms of their purpose, the party placing the cookie, and the duration they last on a user’s device. For example, a cookie may have a functional (ex. cookies that remember visitors’ preferred language), analytical (ex. cookies that report site usage statistics), or advertising/marketing purpose (ex. cookies used to retarget advertising to visitors). “First-party cookies” are placed directly by the website being visited while “third-party cookies” are set by another party other than the website’s owner. “Session cookies” are deleted after the user’s session on the website ends while “persistent cookies” can last from days to years after the end of the user’s session.

Proceed with Caution – Cookies May Create Legal Exposure for Site Operators

Cookies can be incredibly useful to website operators as they can enable the operator to gather helpful information about how visitors use its website and thereby target its advertising efforts without disrupting the user experience.  However, as web visitor privacy control continues to be … Keep reading

COVID Stimulus Act Impacts U.S. Intellectual Property Laws


With the President’s signing of the Consolidated Appropriations Act for 2021 on December 27, 2020, several important updates to U.S. intellectual property law have been adopted.

Trademark Act Amended

The Trademark Modernization Act (“TMA”) makes significant amendments to the Lanham Act, which will become effective December 27, 2021. The TMA generally aims to reduce deadwood on the register of trademarks by providing for summary expungement. But the Act also made some noteworthy amendments to trademark prosecution and enforcement procedures.  A summary of some of the highlights include:

  • New Ex Parte Expungement Proceeding. A third party, or the Trademark Office, may petition to expunge a registration on the basis that the mark has never been used in commerce on or in connection with some or all of the goods or services recited in the registration. The proceeding is only available for registrations that have been registered for more than three years but less than 10 years.
  • Response Deadlines for Trademark Office Actions May be Shortened. The current response time for all Office Actions is six months. The TMA allows the response period to be shortened to a period that is at least sixty days, provided extensions of
Keep reading
Brazil Adopts Comprehensive Privacy Law


Highlights of Brazil’s LGPD

Brazil became the latest country to draw inspiration from Europe’s General Data Protection Regulation (“GDPR”) and adopt its own national comprehensive legal framework for personal data regulation, called the Lei Geral de Proteção de Dados (“LGPD”). A comparison of some of the key topics covered by the GDPR and LGPD are summarized below:

  GDPR LGPD
Effective Date May 25, 2018 August 15, 2020 (but enforcement will not begin until August 1, 2021)
Fines Up to the higher of €10 M or 2% of  global annual revenue from preceding financial year Up to the lesser of 50 M reals or 2% of Brazilian sourced revenue from preceding financial year
Territorial Scope Personal data processing activities when:

1.     Controller or processor is established in the EU, regardless of whether the processing takes place in the EU or not;

2.     the data refers to individuals located in the EU when offering goods or services to such data subjects or monitoring their behavior;

3.     carried out by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.

 Personal data processing activities when:

1.     carried out

Keep reading
Consumer Rights and an Organization’s Responsibilities Under the CCPA


As we’ve previously blogged about, the California Consumer Privacy Act (“CCPA”) is an exhaustive piece of legislation requiring organizations to heed and defend consumer rights relating to access to, sharing of, and deletion of personal information that is collected by businesses. In particular, the CCPA requires organizations to notify California consumers of the rights newly afforded to them under the CCPA. These rights are summarized in the graphic below.

Summary of Consumer Rights and Organization’s Related Responsibilities:

In addition to notifying California residents of their consumer rights, organizations need to provide at least two methods– including a toll-free phone number—for consumers to submit requests to exercise their rights.  If the organization maintains a website, one of those methods needs to be a website address.  If an organization operates exclusively online and has a direct relationship with the consumer, it does not need to provide a toll-free number and only needs to provide an email address as a designated method for submitting requests.

Response Requirements When Consumer Exercises a CCPA Right

Once an organization obligated to comply with the CCPA receives a California consumer request to exercise a CCPA right, it must disclose and deliver the information free of charge … Keep reading

CCPA Enforcement Begins July 1, 2020: Do You Need to Comply?


Prior to the unique data security and privacy challenges unexpectedly presented as a result of a mass movement to remote working earlier this year, the California Consumer Privacy Act (“CCPA”) was one of the most highly anticipated regulation organizations were (or, should have been) preparing to comply with.  Despite industry pressure to delay enforcement of the CCPA so organizations could continue to focus on mitigating further disruptions and damage to their operations caused by the COVID-19 pandemic, the California Attorney General has maintained his commitment to begin enforcement of the CCPA on July 1, 2020.

In preparation for the enforcement date, Burns & Levinson will be doing a series detailing some of the highlights of the CCPA, which technically went into effect on January 1, 2020.  If the CCPA applies to your organization and you had not previously taken steps to bring your organization into compliance with Europe’s General Data Protection Regulation (“GDPR”), you may have significant work to do in order to bring your organization into compliance with the CCPA.  If your organization has previously engaged in GDPR compliance, you may still have work to do.  While there is some overlap between the regulatory and statutory requirements of … Keep reading