What you need to know about California’s new Consumer Privacy Act
If you recently updated your company’s privacy policies in response to the European Union (“EU”) General Data Privacy Regulation (“GDPR”) in the United States – or, decided you did not have to – you may be suffering from some whiplash in light of the recently approved California Consumer Privacy Act.
On June 28, 2018, Governor Brown signed into law the California Consumer Privacy Act of 2018 (“CCPA”) (AB 375) codified in California Civil Code (“Cal. Civ. C.”) Part 4 of Division 3, relating to privacy. The GDPR reinforced E.U.’s users’ privacy rights, and the CCPA pursues similar goals.
State Senator Bill Dodd (D-Napa), co-sponsor of the bill, says CCPA puts California once again in “the lead in protecting consumers and holding bad actors accountable. My hope is other states will follow, ensuring privacy and safeguarding personal information in a way the federal government has so far been unwilling to do.”
Sen. Dodd added that “[a] lot of time and effort was put into the original bills and the initiative. This is a great example of people working together and getting something done for consumers.”
Before you start rewriting your privacy policies and terms and conditions of use, there are two important caveats. First, the law will not go into effect until January 1, 2020, so you have significant lead time if you need to come into compliance. Second, CCPA only applies to those engaged in business in California that either: (a) have annual gross revenues of $25 million or more; (b) buy, receive, sell, or share the personal information of 50,000 or more consumers (defined in the CCPA as California residents), households or devices on an annual basis; or (c) have 50% or more of its annual revenues coming from the sale of personal information of California residents. Cal. Civ. C. §1798.140(c)(1)(a), (b) and (c). Note, however, that you may already be covered by existing California data privacy laws that do not contain these limitations.
The CCPA also includes a comment period that may result in changes to the law before it goes into effect, so it is possible that there will be additional changes to the requirements discussed below. If you believe you will be adversely affected by the law, you may be able to comment on those provisions. But, as of now, the thresholds to be covered are set so if you are a small business with less than $25 million in revenue, not annually dealing in 50,000 consumers’ data, or not in the business of selling personal information, you are not covered by the CCPA.
The CCPA brings many of the concepts in the GDPR to California. But, the two are not entirely overlapping or harmonious. The CCPA shows more concern over the sale of consumers’ information, but does not address data processing in the extensive way that the GDPR does. Since there has been much discussion of the obligations under the EU’s GDPR already (see our earlier post here), this post summarizes some of the key similarities and differences between the two regulations.
Similarities Between GDPR and CCPA
Among the most noticeable similarities, the two regulations provide consumers with the right to obtain disclosure of the personal information a company has, as well as disclosure of the source of collection, the nature of the information collected, whether the information was disclosed, transferred or sold to third parties and the business purpose justifying the storage of data. Cal. Civ. C. §1798.110(a)(1) through (5); GDPR Art. 14 Sec.1 (b) through (c) and Art. 13 Sec.1(c). The GDPR further provides that a business must disclose the period during which the information is stored. GDPR Art. 13 Sec. 2(a).
Under the GDPR, a user may require at any time and without limitation, disclosure of the personal information held by a company. GDPR Art. 15. The CCPA provides for a similar system, but companies are only required to respond to two requests from any individual consumer in any twelve month period. Cal. Civ. C. §1798.100(d). The CCPA also requires the business to provide the information free of charge, within 45 days of the request. Cal. Civ. C. §1798.130(a)(2).
Both the GDPR and the CCPA provide users with a right of deletion of their personal information. Both also set forth exceptions that enable a company to deny a deletion request. But the CCPA provides more exceptions than the GDPR does. First, both allow a business to refuse to delete someone’s personal information for certain legitimate interests such as third party safety and protection, to satisfy legal requirements, protect third parties’ interests and rights, to guarantee individuals’ freedom of speech and expression and allow use of information for scientific, historical, and statistical research in the public interest. Cal. Civ. C §1798.105 (d)(1) through (9); GDPR Art. 17 Sec. 3(a) through (e). The CCPA, as the GDPR, Art. 17 Sec. 1(a), additionally allows a business to deny a disclosure request if the information held by the company is necessary to complete a transaction for which the information was collected or reasonably expected by the business in the course of its relationship with the consumer (Cal. Civ. C. §1798.105(d)(1)), or if the information is necessary to identify, debug, and repair errors that impair existing intended functionality (id at (3)).
Both regulations provide users with a right to opt-out if a business sells personal information about the consumer to third parties. Cal. Civ. C. §1798.120(a); GDPR Art. 21. The CCPA further authorizes a business, every 12 months, to contact individuals who previously opted out to obtain their consent to sell their information. Cal. Civ. C. §1798.135(a)(2)(B)(5).
Both regulations require businesses to inform a user of the consequences of refusing to disclose his personal information. The CCPA however, specifically prohibits a business from discriminating against a user who refused to provide his personal information or otherwise exercise its rights under CCPA, and the law gives a detailed list of prohibited discriminatory practices. Cal. Civ. C. §1798.125(a)(1)(A) through (D). Among those practices, a business may not refuse to sell goods or services to a consumer, charge different prices or rates, or provide a different level or quality of goods or services to the consumer.
Both regulations also require a business to collect information for proper purposes. The GDPR requires it be “collected for specified, explicit and legitimate purposes” as well as “adequate, relevant and limited to what is necessary.” GDPR Art. 5 Sec. 1(b) and (c). Similarly, the CCPA requires collection by a business be “reasonably necessary and proportionate to achieve its operational business purpose.” The CCPA adds that if a business wishes to collect more than what is strictly relevant to its operational purpose, notice to the data subject must be provided. Cal. Civ. C. §1798.100(b).
The CCPA, as the GDPR, sets special restrictions regarding the use of information from individuals aged 13 to 16. The CCPA prohibits a business in actual knowledge that a consumer is under 16 years of age from selling the individual’s information, unless the child, between 13 and 16 years old, personally consents to the sale, or the child’s parents consent on behalf of a child under 13 years old. Cal. Civ. C. §1798.120(d). The GDPR’s Article 8 precludes the use of such information at all without parental consent, when consent is required for use of the data.
Lastly, the GDPR and the CCPA both create private causes of action for data subjects. However, enforcement mechanisms are distinct. The GDPR creates local “supervisory authorities” where private individuals can file complaints against an entity’s use of their data. It also has a private right of action for damages. The CCPA similarly creates a private cause of action for data subjects, Cal. Civ. C. §1798.150(b)(1), and provides for enforcement of its provisions by the California Attorney General. Cal. Civ. C. §1798.150(b)(1)(A).
It should also be noted that previous California laws already covered some of the concepts included in the GDPR. And those provisions are not limited to the $25 million revenue cap or other limitations on the applicability of the CCPA. Prior laws include the obligation to provide reasonable security of personal information (Cal. Civ. C. §1798.81.5), notification of data breaches (Cal. Civ. C. §1798.82), and disclosure of data sharing for marketing purposes (Cal. Civ. C. §1798.83). (Compare with GDPR Arts. 32, 34, and 13 respectively). Thus, the CCPA adds to an already existing California data privacy regime; it does not replace it.
Obviously, the main difference between the GDPR and the CCPA is their respective applicability. The GDPR applies to E.U. residents’ personal information whereas the CCPA applies to personal information of California residents. But the biggest conceptual difference is the GDPR’s focus on data processing. The GDPR contains far more requirements for data processors, including specific dictates on data protection. It is concerned both with the accuracy of data and its security; and the risk that inaccuracy or misappropriation may negatively impact persons’ fundamental rights.
The CCPA too attests a goal to prevent the misuse of consumer’s data, specifically referencing the Cambridge Analytica data mining situation in its findings. AB 375, Sec. 2(g). It reemphasizes the “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information” in its private cause of action. Cal. Civ. C. §1798.150(a)(1). That duty comes from preexisting California law. Cal. Civ. C. §1798.81.5.
However the CCPA spends more time addressing the purchase and sale of consumers’ data, and the business aspects of dealing in customer data than technical security. This fundamental difference makes the concerns of the CCPA somewhat easier to address from a practical standpoint, as it is less technically intensive than the GDPR. For example, GDPR Chapter IV’s lengthy technical requirements are not reflected in the CCPA. There are no requirements for appointments of Data Protection Officers, codes of conduct, or certification mechanisms.
Another noticeable distinction between the two regulations concerns the duration for which a business may keep users’ data. The GDPR expressly requires that personal information is not stored for more than what is necessary for the business to provide its services or sell its goods. The CCPA does not provide any standard regarding the data retention period. Prior California law requires data be disposed of properly to ensure it is unreadable or undecipherable; but it does not dictate when. Cal. Civ. C. §1798.81.
The GDPR also requires businesses to allow consumers to update or complete their information. The CCPA does not have any equivalent provision, even though certain companies’ systems may allow users to complete or update their information. While the CCPA’s requirements that deletion can be requested may implicitly require businesses to delete inaccurate information, the CCPA does not clearly require a correction mechanism.
The CCPA also expressly authorizes companies to provide financial incentives to users to encourage data disclosure. Among the permitted financial incentives: a company may make payments to consumers as compensation for collection of their data, or offer different prices, rates level or quality of goods or services. The CCPA however indicates that financial incentives a business may offer must be “directly related to the value provided to the consumer by the consumer’s data.” Cal. Civ. C. §1798.125(b)(1). The CCPA also provides that a business shall not offer financial incentives that are “unjust, unreasonable, coercive, or usurious in nature.” Cal. Civ. C. §1798.125(b)(4). This financial incentive provision appears to be in tension with the anti-discriminatory provisions of Cal. Civ. C. §1798.125(a)(1). Thus, any financial incentives offered may need to be closely tied to an actual value provided.
Further, the CCPA requires a business to update their privacy policies at least once every 12 months and provide a list of information subject to the update, such as data subjects’ rights, the categories of information collected or the nature of the information sold to third parties. Cal. Civ. C. §1798.130(a).
As previously mentioned, CCPA does not become effective until January 1, 2020, and reports suggest there are likely to be at least some revisions before that deadline. But until then, companies should consider reviewing their collection and use of consumer personal information and determine if any revisions to their practices and privacy policies are needed.
This blog post is only a summary and provides only general information regarding some notable portions of the CCPA. It is not a complete discussion of obligations under the CCPA, and does not constitute legal advice upon which anyone may, or should rely.
For more information about the CCPA’s requirements and your obligations, please contact Joshua S. Devore or Louise Mercier.
GDPR Is Here – The New European Union Data Protection Regulation Goes Into Force
You’ve probably received a barrage of emails in the past week from a wide variety of websites that you may (or may not) remember having an account with, telling you that they’re updating their privacy policies. The reason: the European Union (“EU”) has reached the official start date of its new General Data Protection Regulation (“GDPR”). It is a wide-ranging regulation that is based on the notion that it “protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”
But I’m not in the European Union?
The GDPR is striking in its breadth and claims to apply in two circumstances. First, it applies to EU entities that handle personal data, even if the entities outsource the handling of the data outside of the EU.
Second, and importantly for this audience, the regulation claims to apply to companies located outside of the EU, but who handle E.U. citizens’ personal data. That’s a pretty broad claim of jurisdiction, and on its face would suggest that a U.S. Company that got data from an EU person either for purposes of a commercial transaction, or to track their behavior in the EU (e.g., website cookies), is subject to the rule. So, for example, a winery that had a single sale to an E.U. person in its wine club database might appear to meet the requirements to comply with the GDPR.
Hold on, how can the European Union tell me what to do in the United States?
The provisions of the GDPR provide limits to these broad jurisdictional assertions by namely providing that it “does not apply to the processing of personal data … in the course of an activity which falls outside the scope of [E.U.] law.” GDPR Art. 2 Sec. 2(a). So, if you simply happen to acquire the data of an E.U. person in your U.S. database while going about the course of your U.S. business, the GDPR does not apply to you. You don’t have to purge your U.S.-based email lists of E.U. persons, or block them from accessing your U.S.-based website, as long as the activities you are engaged in are solely under U.S. law. And, keep in mind that it only applies to actual people: a person means just that, not a “legal person” such as a corporation. The GDPR does not limit your collection or handling of data on E.U. companies – but it does apply to their individual employees. Additional information can be found regarding when the regulation does not apply here. The European Commission has also begun to promulgate some guidance.
Thus, you should review your particular situation carefully to determine whether or not your activities might be under E.U. law.
Should I just follow the GDPR anyway to be safe?
Even if you are not sure whether the GDPR technically applies to you or could be enforced against you, the GDPR contains a set of provisions that could simply be considered good business practices, even if you have a good argument they are not legal obligations. The GDPR is high-minded and based on the notion that protecting personal data is a fundamental right. Its provisions include providing users with additional rights over whether and how companies use their data, to know why and for which purposes their information is gathered and for how long will the Company retains such data.
So, what do I do?
First, if you don’t want to comply with the GDPR but think you might otherwise be subject to it, you could just delete or block EU persons from your system. You would not be alone in doing that, some large and noteworthy organizations have taken this course
Otherwise, if you intend to retain EU citizen information in your system and comply with GDPR provisions, you need to determine if you are a “processor” of data or just a “controller.” The terms are fairly self explanatory: the “processor” of data is the one that actually processes personal data on behalf of the “controller,” who “determines the purposes and means of the processing.”
You also need to determine whether you fall below the threshold of 250 employees that trigger additional record keeping and other obligations (unless processing of personal data is a regular activity of the business).
Even smaller companies have obligations under the GDPR though. Those obligations are subject to a general balancing requirement of weighing the risks created against the level of effort needed to address those risks. For example, the amount of data security needed by your organization should take “into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” GDPR Art. 32, Sec. 1. The European Commission has put out some helpful guidance for how smaller business should approach complying with the GDPR, complete with a reassuring note that: “The less risk your activities pose to personal data, the less you have to do.”
Unlike many complicated statutes, the requirements of the GDPR are fairly easy to read (well, some of them anyway). Most importantly, the rights of the “data subject” (the person whose data you have) are set out in Articles 13-15 of Chapter III of the GDPR in fairly plain language.
Some steps all organizations that are concerned with GDPR compliance should take include:
- Contact your IT staff and request that they review existing data protection measures to prevent any breach of data privacy, and make appropriate updates – but only to the extent reasonable and proportionate to the risk;
- Update your privacy policies and disclosures to be more transparent with users and provide them with additional information regarding the reason why you are retaining their information, how long you will retain their information and let them know of their rights to request deletion or transfer of their data;
- Give thought to the type of information you gather, and collect only useful information; and
- Consider your current retention policies, and do not keep data for longer than needed.
In addition, and particularly important for smaller organizations that outsource their IT functions, if you are a controller you must contact your data processor and enter into a new or revised contract in which a number of items set out in Article 28, Section 3 of the GDPR are detailed. But while much of the technical obligations may fall on the processor, keep in mind that controllers are ultimately responsible for accountability with the GDPR’s principles of processing of personal data. You have the obligation to make sure the data you control is treated appropriately: an obligation that isn’t new at all.
This blog post is only a summary and provides only general information regarding some notable portions of the GDPR. It is not a complete discussion of your obligations and not legal advice upon which anyone may or should rely.
For more information about the GDPR’s requirements and your obligations, please contact Joshua S. Devore.
Steel and Aluminum Tariffs Could Impact U.S. Alcohol Beverage Producers
As has been widely reported, the President of the United States has proposed enacting steep tariffs on U.S. imports of steel and aluminum. These tariffs could both directly impact U.S. alcohol beverage products that use those materials such as beer, and result in retaliatory tariffs targeting U.S. goods nominally unrelated to steel and aluminum, including U.S. wine and spirits.
The direct impacts on the costs of steel and aluminum containers, particularly in canned beer and the growing canned wine segment, could obviously impact the competitiveness of U.S. beer and wine. Major beer manufactures have expressed strong objection to the tariffs and projected job losses throughout the industry. As the Wall St. Journal reported, some industry experts have speculated that this cost increase may push consumers away from beer and towards other alcohol beverages typically packaged in glass.
But Washington Post reporting suggests U.S. wine manufacturers, especially those that export their products, should temper any expectations of a gain from such a shift. Retaliatory tariffs are a distinct possibility, including from some of the U.S.’s historically strongest trade partners. The E.U. has already threatened retaliatory tariffs against Kentucky bourbon. Canada, the largest exporter of steel and aluminum to the U.S. and the second largest export market for U.S. wine behind the European Union, may follow suit. One Canadian trade lawyer, Lawrence Herman, has suggested a tariff on U.S. wine exported to Canada as a first response: “‘Canadian consumers are not going to be prejudiced’ because there are many alternative sources of wine in the world.”
A number of affected alcohol beverage industry groups have already spoken out on their plans to contact the Commerce Department to voice their concerns. It remains to be seen whether the tariffs will actually be implemented, and if so, whether they will apply to all countries, or exclude favored trading partners.
New Study Shows Dramatic Decline in SEC Enforcement Activity
We stray slightly from wine-law specific news here to discuss a recent study of what we think will be interesting not just to the wine industry, but to companies and investors at large. A study released by Cornerstone Research using data from the Securities Enforcement Empirical Database maintained by Cornerstone and the NYU Pollack Center for Law & Business shows a dramatic decline in SEC enforcement activity against public companies following the change in leadership at the nation’s chief securities regulator.
Public companies, those that do business with and invest in public companies, or anyone that buys or sells securities in general should consider the ramifications of what this potentially more-lax SEC enforcement activity might suggest for their future.
The study, available here, reveals a 33% decline in new enforcement action taken by the SEC against public companies and their subsidiaries in fiscal year 2017 as compared to 2016. Even more telling, the study found a significant decline in “several activity measures, including overall filings against public company and subsidiary defendants, in the second half of FY 2017 versus the first half.”
SEC leadership changed in the middle of the 2017 fiscal year, revealing that the decline in enforcement activity under the new administration is even more significant than the one-third drop off from FY 2016. The study found only 17 new enforcement actions against public company-related defendants in the second half of 2017, compared to 45 in the first half of the year. The study noted that for the preceding seven years (2010-2016), activity historically increased in the second half of the year.
Settlement activity also dramatically declined, with the SEC recovering only $196 million in the second half of 2017, compared to $1 billion in the first half of the year. (Through its Fair Funds program, the SEC often returns the funds it recovers to investors that were harmed by the alleged misconduct.)
The study was limited to public companies and their subsidiaries, so its meaning to private companies is not entirely clear. There has not been any formal announcement of full FY 2017 enforcement results by the SEC (the fiscal year ended September 30). It is interesting to note though that shortly after the end of FY 2016, on October 11, 2016, the SEC announced a “new single year high for SEC enforcement actions.” No similar announcement of full year enforcement results has been put out this year.
For questions related to this, please contact Josh Devore.
Supporting Non-Profits through Cause-Related Marketing
The start of 2017 has seen an outpouring of support from the business community for non-profit groups, including marketing campaigns that promise a certain percentage of sales or profits will be donated to particular charities. Such practices are often referred to as “cause-related marketing.” Here’s an example: ABC Winery wants to support a national nonprofit organization, and decides to launch a marketing campaign saying that 50% of profits will be donated to that cause.
While ABC Winery should be applauded for their efforts, they will also need to comply with state laws and regulations aimed at protecting consumers, promote transparency, and ensuring that charities are indeed receiving the funds that are being promised in the cause-related marketing campaign. These laws vary state by state, but typically include reporting, contracting, disclosure, and/or registration requirements for the commercial entity promising to donate a portion of sales (a “commercial co-venturer”).
In California, a commercial co-venturer must (a) have a written contract with a charity prior to making any cause marketing representation, (b) transfer any funds received as a result of the representations every 90 days, and (c) provide a written accounting to the charitable organization sufficient to determine that any cause-related representations made by the co-venturer have been “adhered to accurately and completely” and said accounting must also be sufficient for the charity to prepare its periodic charitable solicitations reports filed with the California Attorney General. Alternatively, if the co-venturer decides not to follow these steps, it must register annually with the California Attorney General’s office, pay an annual fee, and submit annual reports.
In addition, cause-related marketing claims are considered “sales solicitations for charitable purposes” under California law, and are subject to the disclosure requirements under Cal. Bus & Prof. Code Sec. 17510 et. seq. This law requires disclosure of the following information:
- Name and address of the combined campaign, each organization, or fund on behalf of which all or any part of the money collected will be utilized for charitable purposes;
- If there is no organization or fund, the manner in which the money collected will be utilized for charitable purposes;
- The non-tax-exempt status of the organization or fund, if the organization or fund for which the money or funds are being solicited does not have a charitable tax exemption under both federal and state law; and
- The percentage of the total gift or purchase price which may be deducted as a charitable contribution under both federal and state law.
If sales and marketing efforts are made outside of California, then those state laws and regulations regarding cause-based marketing may also apply.
How Do You Buy Wine If Your Name is Steven Diamond?
The Illinois Joint Committee on Administrative Rules has solved the more important question, namely, is a winery responsible for paying sales tax on shipping charges. The Joint Committee has approved amendments to the Illinois law, which will be retroactive back to November 19, 2009, creating unambiguous safe harbors, including clarity that shipping charges are not subject to sales tax for a seller of tangible personal property who offers the purchaser an option to pick up the property and charges the same price for the property, regardless of whether the buyer chooses shipping or pick-up.
While most defendants in the Steven Diamond case were correctly applying the Illinois law, as confirmed by the amendments, it is not yet clear whether defendants who previously settled will have the right to recover money paid to the state and the plaintiff. For more information, see the posting on Lexology or contact the Wine Institute.
As for what happens to Mr. Diamond after he drinks through the stockpile of wine he acquired while running complaints through his printing press, I could care less.
Considerations in Structuring Alternating Proprietorship Agreements
In 2008, TTB published an Industry Circular- Alternating Proprietors at Bonded Wine Premises (http://www.ttb.gov/industry_circulars/archives/2008/08-04.html). The Circular sets the parameters for establishing an alternating proprietor (AP) relationship that will satisfy TTB regulations. The structure, although called an alternating proprietorship, is fundamentally a lease arrangement involving two parties: the AP and the “host” winery. The AP is a fully licensed and bonded wine producer (at both the federal and state levels) who produces wine at facilities of another fully licensed and bonded wine producer (the “host” winery) holding a Federal Basic Permit, on an alternating basis. The AP, as result of its permit status, is responsible for its winemaking activities and all associated reporting and tax obligations. For the AP to control its permitted and licensed activities, it must control the facilities at the host winery in the alternating premises (when the AP is alternating into the alternating premises) and, if applicable, at its designated premises.
From the perspective of the host winery, an AP Agreement that allocates risk and liability similar to a landlord/tenant relationship can offer many benefits. In exchange for offering the host winery’s premises, on an alternating basis, to the AP, the host winery can take a triple-net lease approach that limits the host winery’s potential liabilities and expenses associated with the winery premises. In the event of, let’s say, an earthquake, the AP Agreement could expressly disclaim all warranties with respect to the structure and equipment. The host winery can disclaim responsibility for maintaining insurance that covers damage and destruction and limit the availability of insurance proceeds to the AP.
On January 21, 2015, host wineries got an additional incentive to clearly structure their APs as leases. The Board of Equalization found in favor of an appeal by Terravant Wines reversing a $416,457 tax bill. See http://www.pacbiztimes.com/2015/01/30/wine-firm-wins-crushing-victory-in-tax-case/.
The Board of Equalization originally ruled that the host winery owed a one-time sales tax payment on the purchase of equipment used at the winery. The Board did not accept the argument that the equipment was leased and, therefore, subject to a use tax instead of a sales tax. The Board found that the host winery was performing a service for the AP rather than providing a leased premises for the AP’s independent winemaking operations. In the January 21 ruling, the Board reversed its decision and accepted the argument that the AP structure gave the AP “constructive possession and actual control.” In short, the Board was ultimately persuaded that the AP relationship was a lease relationship.
The takeaway is that an AP Agreement structured in a manner that explicitly and clearly reflects the leasehold nature of the relationship and also takes into account TTB’s concerns set forth in the 2008 industry circular can have regulatory, liability and tax benefits all of which should be considered by parties involved in AP relationships.
Always Read The Contract – They Wrecked Your Wine, But Now Won’t Pay
You send your Chardonnay to a custom crush facility for bottling. A month later the wine in one out of about every ten bottles is brown. It oxidized in the bottle. You are forced to pull all your Chardonnay from the market at significant expense, and you fear your brand has suffered. The evidence suggests that the wine oxidized during bottling. Surely, the custom crush facility will step up and compensate you for your damages? To the surprise of many vintners, the custom crush facility may escape much or all liability based upon language in its contract.
In California, as in most states, companies can dramatically limit their liability to commercial customers. Companies do this by including clauses in their contracts with customers that exclude liability for negligence, for lost profits, or for consequential damages, among other things. These clauses are powerful – if something goes wrong – like oxidized wine – these clauses can shift liability from the company to the customer, or in our example, from the custom crush facility to the vintner. These clauses, if drafted properly, could prevent the custom crush facility from liability for lost profits, any damage to the vintner’s wine brand, consequential damages, and might even limit damages to the value of the wine if sold as bulk wine.
California courts will enforce contractual limitations of liability, but courts interpret those clauses very strictly. Consequently, those clauses should be well written and clear. There are, however, exceptions to the enforceability of these clauses. Parties cannot limit liability for fraud, willful injury to persons or property, or for violations of the law, even if those violations are negligent. While parties can limit liability for negligence, parties cannot limit liability for gross negligence. Courts explain that gross negligence is the “lack of any care or an extreme departure from what a reasonably careful person would do in the same situation to prevent harm to oneself or to others.” (See CACI 425.)
Additionally, contracts can further attempt to limit the amount of damages. For example, the custom crush facility in the above example might include a clause valuing the wine at $5 a gallon. If the wine is then destroyed in the bottling process because of the custom crush facility’s negligence, damages may be limited to $5 a gallon, even if the wine might retail for $25 a bottle.
If you are a winery or a winemaker in California, you need to understand these contractual limitations of liability before signing any contract with a custom crush facility, an alternative proprietor, bottler, or other service provider. You need to read the contract, and you further should understand that you could object to these limitations or negotiate less onerous clauses.
If you provide services to winemakers or wineries, you should also understand the need for contractual limitations of liability. Accidents happen, and they should not cost you your business. These limitations of liability, however, must be carefully drafted, and you should obtain an attorney with knowledge of the wine business to draft these limitations.
Additionally, all parties should understand the need for the right insurance to cover situations when things do go badly. Typically, commercial general liability policies will not cover damage to wine that occurs during the “wine making process,” which may include bottling. Both the vintner and the custom crush facility would do well to have an errors and omission policy.
Launching New Wine Brand Without a Winery
Beverage Trade Network recently published an article “Launching New Wine Brand Without a Winery” by DP&F attorneys John Trinidad and Katja Loeffelholz on insights on how to navigate legal hurdles when entering the wine industry. The article explores some of the key legal and regulatory issues facing “virtual wineries,” including securing the right licenses and permits, and protecting intellectual property. You can access the article using the following link.
The Legal Complexities of Unauthorized Dealers, Grey Market and Parallel Importation
Chris Passarelli recently presented a continuing legal education (CLE) program at the State Bar of California 87th Annual Meeting in San Diego on behalf of the Business Law Section. Attached are the written materials for that program.
Contact Chris Passarelli for any inquiries related to strategic enforcement in the online auction, distribution and supply chain integrity, grey market, parallel importation and counterfeiting context.
Prop 65 Lawsuit – Where Are We, How Did We Get Here And Where To Now?
You have seen the signs all over California; they exist on parking garages, gas stations, office buildings and convenience stores: “Warning, this area contains a chemical known to cause cancer or birth defects.” These signs exist because of Prop 65, which California voters enacted in 1986. It was originally presented as a way to prevent contamination of drinking water, but Prop 65 warnings have come to apply to thousands of products throughout the state, including alcoholic beverages.
The settlement of a recent Prop 65 lawsuit in Southern California has raised significant attention among the alcoholic beverage industry. The Wine Institute worked in tandem with the named defendants in that action to help settle the suit in such a way that producers not named in the suit can benefit from the settlement at a modest, albeit distasteful, cost. The Wine Institute recently notified its members about that suit and the settlement, and that notification has sparked considerable on line debate.
How did we get here?
The Wine Institute bulletin letter to its members describes the background of this issue as follows:
“Background: Proposition 65 is a California law that requires companies producing designated products containing chemicals that the State believes cause cancer, birth defects or other reproductive harm, to inform California citizens about exposure to such chemicals. Alcohol is one of the designated products, which means you may not sell alcohol in California without providing this warning to customers before they make a purchase:
‘WARNING: Drinking Distilled Spirits, Beer, Coolers, Wine and Other Alcoholic Beverages May Increase Cancer Risk, and, During Pregnancy, Can Cause Birth Defects.’
Many companies that are subject to Prop 65 warning requirements put the requisite warning on their product, but alcohol warnings are different. When Prop 65 first went into effect, the State agreed that in lieu of putting that warning on bottles, cans or packaging, the beverage alcohol industry could provide free Prop 65 signs for California retailers to post. For the last 29 years, the beverage alcohol industry has spent considerable sums providing Prop 65 alcohol warning signs to retailers, and many of you have contributed to Sign Management Company to pay for your fair share of the program costs. Unfortunately, the law as written says that the producer, not the retailer, has the legal responsibility to make sure there is a warning sign actually posted for customers to see, and some retailers do not like posting the signs.”
(A full copy of the Wine Institute member bulletin can be found on line here.)
Are wine producers really responsible for retailer signage?
We have heard that some winery owners—who are understandably reluctant to pay the fees and annual contributions required to opt in to the settlement—are under the belief that if they place a Prop 65 warning label on their bottles, they will avoid liability if a retailer fails or refuses to post the required warning signs. Unfortunately, even if producers place warning labels on their bottles, they may still be liable, particularly in cases where retailers are selling wine for on premises consumption (which was the case in the recently settled lawsuit).
The statute and regulations require that Prop 65 warnings must be “clear and reasonable” and “likely to be read and understood by an ordinary individual under customary conditions of purchase or use.” (Cal. Health & Saf. Code § 25249.6; Cal. Code Regs. tit. 27, § 25603.1.) The regulations implementing the Prop 65 statutory scheme require that where alcoholic beverages are sold by retailers for consumption on or off premises, signage, not bottle labels, of a specific size and type must be posted in one or another described location at the retail outlet, such as on tables, menus, or at the retail entrance. (Cal. Code Regs. Tit. 27, § 25603.3(e).) The responsibility for ensuring compliance with this signage requirement rests with the producer or its distributor, not the retailer:
“7. For alcoholic beverages, the placement and maintenance of the warning shall be the responsibility of the manufacturer or its distributor at no cost to the retailer, and any consequences for failure to do the same shall rest solely with the manufacturer or its distributor, provided that the retailer does not remove, deface, or obscure the requisite signs or notices, or obstruct, interfere with, or otherwise frustrate the manufacturer’s reasonable efforts to post, maintain, or periodically replace said materials.” (Cal. Code Regs. Tit. 27, § 25603.3(e)(7).)
In 2012, two plaintiff’s attorneys in Southern California (often referred to as “Bounty Hunters”) located restaurants in Southern California that did not have Prop 65 signs posted, so those attorneys pursued Prop 65 actions against them.
As a result of the outcry resulting from those actions, last October, the Governor signed AB 227 to protect certain businesses, like restaurants, that had not complied with Prop. 65. Under the new amendment to the Prop 65 laws, restaurants can protect themselves from lawsuits if they take corrective action within 14 days from receiving a notice of violation (i.e. post an appropriate warning sign), pay a $500 fine, and notify the complaining party that they fixed the problem. This was much better than in the past in where restaurants that received a Prop 65 notice were faced with the Hobson’s choice of either going to court or settling the case.
AB 227 was the first legislative effort to amend Prop 65 in 15 years and the second time since its inception 25 years ago. However, in enacting this reform, the legislature overlooked the need to protect producers and the corrective safe harbor provisions were not extended for the benefit of producers. As a result, plaintiffs’ attorneys commenced a new enforcement action against producers earlier this year.
Where do we go from here?
As noted above, the Wine Institute helped negotiate a settlement agreement that allows producers to “opt-in” to a consent judgment entered into by the parties and approved by the court. By doing so, producers would not need to ensure that every retailer, who provides that producer’s wines, posts and maintains their Prop 65 signs at their retail establishment.
While we certainly understand and appreciate the reluctance most producers will have to succumb to the demands of the plaintiff’s attorneys and a state bureaucracy that requires these signs, each producer ultimately has to decide whether he or she wants to run the risk that they might in the future be subjected to enforcement actions by enterprising plaintiff’s attorneys or whether they want protection from that risk by opting in to the pending settlement and thus avoid incurring unknown defense expenses and potential liabilities that can be as high as $2,500 per day. To opt in, contact Wine Institute VP & General Counsel Wendell Lee.
It should be noted, however, that producers that operate with less than 10 employees are exempt from the requirements of Prop 65. As a result, these smaller producers (who intend to stay small producers) should not have to worry about whether or not to opt-in to the consent judgment.
Five Key Points for Alcohol Beverage Distribution Agreements
Recently, Bahaneh Hobel, Senior Alcohol Beverage Attorney from Dickenson, Peatman & Fogarty, provided the Beverage Trade Network with some insights on the “5 Key Points You Must Cover in Your Distribution Agreements.” To review her article and learn more about important issues to consider in drafting distribution agreements. View Article
For more information or assistance on any alcoholic beverage law matters, contact Bahaneh Hobel
Legal Highlights from CalPoly’s New Wine & Viticulture Program
Dickenson, Peatman & Fogarty attorneys Carol Kingery Ritter and Katja Loeffelholz were recently guest lecturers at Cal Poly San Luis Obispo’s new Wine and Viticulture program. The class was led by Professor William H. Amspacher who is promoting the interdisciplinary major of Wine and Viticulture. All students in the interdisciplinary major are educated about all aspects of the wine industry, with a curriculum that combines an understanding of vineyards, winemaking and wine business.
Ms. Kingery Ritter presented “Planning Your Entry Into and Exit from the Wine Industry” and discussed business planning, business structures and the acquisition of assets. Ms. Loeffelholz, a registered attorney with the United States Patent and Trademark Office presented “Protecting Your Intellectual Property Assets in the Wine Industry” which reviewed the various aspects of wine labels and packaging that can be trademarked, copyrighted and patented. Ms. Loeffelholz also presented detailed information on protecting trademarks abroad, focusing on protecting wine brands in China. Ms. Loeffelholz’s presentations can be accessed at the following links:
To learn more about the Wine and Viticulture program at Cal Poly San Luis Obispo please contact Dr. Jim Cooper at email@example.com. For more information on how you can structure your wine business and plan for your wine business, please contact Carol Kingery Ritter at firstname.lastname@example.org. To obtain more information about protecting all aspects of intellectual property in your wine label and packaging in the United States and abroad please contact Katja Loeffelholz at email@example.com.
How to Deal with License Transfer Issues in the Sale of a Winery
Vineyard Purchases: Avoid Attorney Fees, Get a Survey
Avoiding Tax Reassessment in Transfer of Vineyard or Winery Properties
California real property is reassessed upon certain transfers causing higher (or lower) property taxes. Generally, a reassessment will occur when ownership of the property is transferred. Exclusions from reassessment are available for transfers of real property between spouses and between a parent and a child. Therefore, family owned vineyards and winery property may have been transferred down through generations without being reassessed and without a significant increase in property taxes.
Winery Deals 2011: MacRostie Wines Sold to Lion Nathan USA
MacRostie Wines was represented at all stages of the transaction by Dickenson, Peatman & Fogarty, including in the negotiation and drafting of the letter of intent, asset purchase agreement, consulting agreement and related documents, as well as in advising on intellectual property and alcoholic beverage licensing issues involved in the deal.
For more information or assistance on winery sale or acquisition issues, please contact Jim Terry at firstname.lastname@example.org.
Preliminary 2010 California Grape Crush Report Released – Used as Pricing Measure in Grape Purchase Contracts
The preliminary 2010 California Grape Crush Report was released today, February 10, 2011. The report shows that 3.58 million tons of wine grapes were crushed in 2010, down 3% from the 4.095 million tons crushed in 2009. Red wine varietals were down only 1% from 2009 while crushed white wine grapes were down 6% from 2009. Overall, 2010 grape prices decreased by 5% from 2009. Average prices for red wine grapes were $625.19, down 7 percent from 2009.
The Grape Crush Report is not only an indicator of the strength and activity of the industry for a given harvest year, but due to its break down of grape pricing by varietal and regional district, the report is also used in many cases to determine per ton grape prices for future harvests pursuant to the terms of many grape purchase agreements. Depending on the specific pricing mechanisms incorporated into the grape purchase agreement, prices as reported for one harvest year can have cumulative impacts on future harvest prices.
The preliminary 2010 California Grape Crush Report may be found at the following link: