Photo of Nate Garhart

Nate Garhart’s practice centers on protecting and maximizing the value of various forms of intellectual property, which often represent important assets and major revenue sources for organizations ranging from startups to public companies and nonprofits.

Nate’s work spans the gamut from selecting and registering trademarks, to protecting and enforcing copyrights, to strategic negotiation of licenses of all kinds. He also works with clients to minimize the legal risks related to their branding, advertising, and publicity strategies.

Online, he counsels clients on internet issues and e-commerce topics, drafts website terms of use and privacy policies helping clients comply with Europe’s GDPR and California’s CCPA, and reviews customer communications for compliance with current laws.

Contact: ngarhart@fbm.com

As we are all well aware by now, the California Consumer Privacy Act (CCPA) (Cal. Civ. Code Sections 1798.100 et seq.) went into effect on Jan. 1. Through its amendments and regulations (the latter of which have yet to be finalized as of this article’s publication), one aspect of the act has stayed largely consistent: the CCPA grants a private right of action only in limited situations. While the California Attorney General has the ability to impose fines for any CCPA violation, the private right of action is specifically limited (over significant debate and a proposed amendment that failed to pass) to data breach. Moreover, in creating that private right of action, the act specifically notes that violations “shall not be interpreted to serve as the basis for a private right of action under any other law.”

Does that mean there will not be significant litigation concerning the CCPA outside of the data breach realm? The answer is clearly a resounding “no.” Indeed, we have already seen multiple lawsuits filed taking direct aim at the CCPA’s claimed limitations on private enforcement. In those cases, in direct contravention of the stated limitation on private rights of action, plaintiffs have claimed (among other things) that the failure to provide proper notice required by the CCPA predicates a violation of California’s Unfair Competition Law (Cal Civ. Code. Section 17200) (the UCL). See, e.g., Burke v. Clearview AI, Case No. 3:20-cv-00370 (S.D. Cal., filed Feb. 27, 2020); Sheth v. Ring, Case No. 2:20-cv-01538 (C.D. Cal., filed Feb. 18, 2020). Whether such claims will fail as expressly barred by the act remains to be seen.
Continue Reading Private Rights of Action and the CCPA—Unlimited Limitation?

With all of the business interruption caused by the COVID-19 pandemic, many worldwide trademark offices have taken steps to recognize the issues caused by the crisis. The offices in which applicants from the U.S. most commonly file – the United States Patent and Trademark Office (USPTO), the European Union Intellectual Property Office (EUIPO), and the Canadian Intellectual Property Office (CIPO) – have provided some relief.
Continue Reading Trademark Office Deadlines and Coronavirus-Related Delays

With the explosion of COVID-19 cases worldwide, companies and governments have expanded their interest in the use of the vast stores of consumer data. Even where such collection and use of personal data is ostensibly for the public good, the privacy rights and legal requirements applicable to such data must be considered carefully.[i]
Continue Reading Public Ends From Private Means: Privacy Rights and Benevolent Use of Personal Data

On March 11, 2020, California Attorney General Xavier Barrera released a second revision to the draft California Consumer Privacy Act (CCPA) regulations. The new draft contains a number of important changes to the regulatory landscape under the CCPA. One very specific change—concerning data scraping—caught my eye. Since the CCPA has been discussed and, indeed, even earlier in connection with the GDPR, there has been an open question of whether entities that pull personal data from public sources (e.g., from the publicly available LinkedIn pages) were required to provide notice to the individuals whose data had been collected. The new regulations answer the question, at least in part.
Continue Reading Data Scraping Under the Revised CCPA Regulations

Various state laws require data breach notification and different state laws have different triggers for when notification is required and who must be notified. In California, for example, a breached company must give notice to each affected California resident, but the California AG need be notified only if the breach affected 500 or more individuals in California. In New York, on the other hand, AG notification is required if any NY residents were affected by the breach.

While all such laws generally address notification of affected parties, the AG, credit reporting agencies, other holders of the data, and certain other constituents, they are not the only word in disclosure requirements.
Continue Reading Data Breach Disclosure Requirements Implicate More Than Privacy Law

It was recently discovered that a certain software product, in this case used by numerous cannabis companies around the country, was not secure and allowed access to consumer data of companies using the software. You can read more about it in this linked article. This isn’t the first time a security vulnerability was introduced by the use of third-party software, and it won’t be the last. The CCPA requires “reasonable security measures” be taken to protect consumer data. It is likely that employing vulnerable software will be seen to violate this standard (it has yet to be tested), but will it lead to liability of the company employing the software?  I think it will.

So what is a company to do when purchasing third-party software that will store or otherwise have access to consumer data?
Continue Reading Data Security: Are you looking at your third party software?