Photo of Nate Garhart

Nate Garhart’s practice centers on protecting and maximizing the value of various forms of intellectual property, which often represent important assets and major revenue sources for organizations ranging from startups to public companies and nonprofits.

Nate’s work spans the gamut from selecting and registering trademarks, to protecting and enforcing copyrights, to strategic negotiation of licenses of all kinds. He also works with clients to minimize the legal risks related to their branding, advertising, and publicity strategies.

Online, he counsels clients on internet issues and e-commerce topics, drafts website terms of use and privacy policies helping clients comply with Europe’s GDPR and California’s CCPA, and reviews customer communications for compliance with current laws.

Contact: ngarhart@fbm.com

In California Privacy Protection Agency et al. v. The Superior Court of Sacramento County (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection Agency (CPPA) to enforce the regulations promulgated under California’s groundbreaking consumer data privacy law, the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act (CPRA)). 

The California Chamber of Commerce had challenged the CPPA’s timeline for enforcing its newly finalized regulations, arguing that the agency had missed statutory deadlines, which, in their view, should delay the enforcement start date a full year after their promulgation—to March 29, 2024. The regulations in question, which address aspects such as privacy notice requirements and the handling of browser signals for opt-out requests, are part of the broader framework established by the CCPA. The lower court agreed and temporarily stripped the CPPA of its enforcement capabilities.

The appellate court overturned that decision. The court found no explicit mandate in the law that would necessitate delaying enforcement until a year after the finalization of the regulations, as the Chamber had contended. Consequently, the CPPA can now immediately begin enforcing the regulations finalized last March without the previously imposed delay.Continue Reading California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

In today’s rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting it for countless cost-effective purposes. As nonprofit executives, you may wonder how AI intersects with intellectual property and data privacy law and how it

ChatGPT got the early press, and every day we learn of new generative artificial intelligence products that can create new and creative visual and text responses to human input. Following on ChatGPT’s fame, Google’s Bard and Microsoft’s Bing are now grabbing some of the spotlight, but these are merely a few of the hundreds if not thousands of generative artificial intelligence products currently available or in development—there is no question that generative AI is here to stay. Indeed, social media and other platform companies—TikTok (using AI to create or add effects to images), Instacart (to create shopping lists and answer food questions), and Shopify (to generate product descriptions), to name a few—are already integrating AI into their services.

Among all the questions begged by this innovative technology are some critical issues concerning privacy. While only time will tell the extent of the privacy issues, some of the concerns are already clear.
Continue Reading I Always Feel Like AI Is Watching Me: Artificial Intelligence and Privacy

It was my pleasure to join Farella exempt organizations partner and host of the EO Radio Show podcast, Cynthia Rowland, for a discussion on privacy laws and how they affect information collection and online activities by nonprofits.

We begin our conversation with some basic background on when a nonprofit needs a privacy policy on its website and how to think about what should be posted on the website, and where.

The current privacy requirements in California do not currently apply to most nonprofit organizations. But there are a number of reasons a nonprofit might want to think about collecting and protecting the data as if it were subject to such privacy requirements.
Continue Reading Privacy Policy Best Practices for Nonprofits

Since the California Consumer Privacy Act (“CCPA”) was passed in 2018, employers have been watching carefully to see how the law will apply to data collected and maintained about their employees. Up until now, employment data had been exempted from most of the CCPA’s requirements. But the new amendments to the CCPA embodied in the California Privacy Rights Act (“CPRA”) come into effect on January 1, 2023, and that, coupled with the fact that the legislature failed to extend the employer exemptions, means that many categories of human resources data will be subject to the requirements of the law.[1]

The Current CCPA Employer Exemptions Are Expiring

As it stands (and through the end of 2022), covered employers are only obligated to notify employees of the categories of data being collected and the purposes for which the data will be used. In the event of a security breach involving employee data, employers are required to notify affected individuals and could be liable for statutory damages. In response to these requirements, most covered employers developed privacy notices with the required disclosures and reviewed their data security policies and protocols to ensure consistency with best practices.

But starting in 2023, employee data will be treated as any other commercial information, and covered employers will need to add employee and human resources data to their ongoing compliance efforts. Indeed, under the CCPA, “personal information” is defined broadly to include information that “identifies, relates to, describes, is reasonably associated with, or could reasonably be linked, directly or indirectly, with a particular consumer household.” Cal. Civ. Code § 1798.140(o)(1). In the employee or human resources context, personal information could include an employee’s contact information, insurance and benefits elections, bank and direct deposit information, emergency contacts, dependents, resume and employment history, performance evaluations, wage statements, time punch records, stock and equity grants, compensation history, and many other forms of data routinely collected in the context of the employment relationship. Moreover, the CPRA introduces a new concept of “sensitive personal information” (such as financial information, social security numbers, communications content, health information, and biometrics) that must be considered and addressed by the employer.

New Requirements Take Effect in 2023

So what does this mean for employers? First, employers must prepare and provide a privacy notice to an employee (or a job applicant since such applicant is likely providing personal information) at or before the time personal information is collected. This could mean including a privacy policy (and a click-through mechanism) on any online application site, in the employee handbook, and/or on internal websites. The privacy policy is likely to be similar to the online privacy policy the employer includes for consumers, though it will need to be revised to accurately reflect the categories of personal information collected (along with the length of time the employer intends to retain data in each category), as well as the categories of third parties with whom such information will be shared (e.g., payroll service providers, etc.).
Continue Reading Employee Data Under the CCPA: Expiration of Employer Exemptions Requires Compliance as of January 1, 2023

With a little time to consider the finalized California Consumer Privacy Act regulations released by the California Attorney General on August 14, 2020, it is clear that some last-minute negotiations (or perhaps just some thoughtful additional analysis) took place that led to some unexpected changes. The lion’s share of the regulation requirements have been discussed in depth, so let’s just focus on the following noteworthy changes:
Continue Reading Twists in the Plot: California AG Releases Final CCPA Regulations

While far from getting us back to any kind of normal that predated the COVID-19 pandemic, states have begun to relax lockdown requirements and some previously closed “nonessential” businesses are returning to operations. With such openings, governmental entities, trade organizations, and others are wisely recommending protocols, including using wellness screenings, in an effort to lower the risk that such reopenings result in a reversal of trends that have flattened the infection curve. While such protocols focus on ensuring the health and wellbeing of employees, customers, and others physically visiting the businesses and are necessary in any consideration of reopening, businesses implementing new data collection from their employees and customers need to consider the privacy implications of doing so.
Continue Reading Reopening Plans and Recommended Protocols Beg New Privacy Issues

Democratic Senators Richard Blumenthal and Mark Warner have introduced the Public Health Emergency Privacy Act in response to the bill of the same subject released by Senate Republicans (the COVID-19 Consumer Data Protection Act) at the end of last month. As with the CCDPA, the PHEPA regulates the collection of emergency health data. While the respective bills differ in many ways, the most glaring distinctions focus (not surprisingly) on enforcement, preemption, and certain uses of data.
Continue Reading Senate Democrats Release Competing COVID-19 Privacy Bill

Californians for Consumer Privacy has announced that it has secured and submitted enough signatures to qualify its California Privacy Rights Act (“CPRA”) for inclusion on California’s November 2020 ballot.

Alistair Mactaggart, the architect behind the ballot initiative that led to the California legislature’s adoption of the CCPA, pushed forward with the CPRA to amend perceived issues and shortcomings in the CCPA.
Continue Reading Signatures Submitted for Inclusion of New California Privacy Law on November Ballot

A group of Republican senators has proposed a new privacy law to govern the collection and use of certain personal information thought to be both important and at risk during the current coronavirus crisis.

While numerous companies and governments have developed and deployed apps and programs to track individuals and trace contacts between individuals in furtherance of the laudable goal of helping to better understand and address the pandemic, there have been concerns that such data could be collected without proper authorization and/or used for purposes outside of the scope for which the data is willingly provided.
Continue Reading Federal “COVID-19 Consumer Data Protection Act” Proposed