Why Now is the Time to Buy or Sell a Business

Looking for Business Opportunities Ahead of the Economic Fallout

In this difficult time of staying at home, people may be looking to buy or sell a business. We have all been impacted in different ways, each of which may be a reason to make a change. Traditional reasons people exit a company arise because of changing economic conditions, a tragic family event, a loss of passion, or simply the desire to retire. At the same time, buyers may be seeking to expand in a sector or industry, add talent, enlarge the customer base, or acquire technologies or resources that can provide a competitive advantage. Witness the unprecedented overnight shift to tele-work, tele-health, remote online primary school education, and live-streamed happy hours and family gatherings.

Thinking of Buying or Selling a Business?

If you are thinking of buying or selling a business, here are three key reasons to act now. First, labor is in flux, and available. As retailers, restaurants, travel companies and other service sectors that employ tens of millions of Americans get squeezed, the tech sector, which tends to have relatively few employees, has surged. Many target businesses may have a lower headcount while retaining a leaner operating infrastructure and access to a ready, willing, and trained talent pool.

Second, the federal government will do what it takes to stabilize the economy and accelerate the recovery. Nevertheless, there is a real risk of many “main-street” companies going bankrupt – making them easy acquisition targets. Opposite that, large-scale public companies (consumer-packaged goods, media) are boosting the broader recovery. Companies on either side of this equation may benefit from the changing market dynamics and opportunities for what comes next. As of this writing, nine states have lifted the stay-at-home orders or will let them expire, with many others soon to follow. The window is closing.

Third, one of few benefits of the current crisis is the acceleration of investment and escalation of consumer-facing products, services, and technologies. Reports indicate that 2020 shows a year-over-year (YoY) increase of over 15% in use of contactless payments.  This is a real opportunity for companies to not only “get lean” but also digitize business practices that can improve the customer experience.

Changing consumer behavior will continue to force this along. According to Forbes, U.S. YoY online retail revenue growth is up 68% in April, surpassing the earlier peak of 49% in early January. U.S. & Canadian e-commerce orders grew 129% with 146% growth in all online retail orders. Online conversion rates increased 8.8% in February, an increase of shopping intensity usually seen only during rare events such as Cyber Monday.

Bottom Line

Most people are sitting around waiting for things to shift and change around them, while others are moving through it all and pivoting on their own. Don’t wait for your competitors to invest in the next generation technologies. Working with experienced legal counsel will help you identify the opportunities and act quickly to negotiate and close a deal. If you are interested in learning more about buying or selling a business, please get in touch.

Does My Business Need A “Button” To Comply With The CCPA’s Do Not Sell Rule?

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 and went into effect in 2020. Among many concerns about the ability of small businesses to comply with obligations imposed by the CCPA is the requirement that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted.  Your clients may be asking you about the CCPA.  While each business should evaluate the law in terms of its own specific situation, here are some general guidelines to start the process.

Does the CCPA Apply to My Business?

If your business satisfies one or more of the following, then the CCPA applies:

(i) annual gross revenue in excess of $25 million?

(ii) buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, (a) for commercial purposes (assume always true), (b) alone or in combination (assume always true), (c) annually, and

(iii) derives fifty percent (50%) or more of its annual revenues from selling consumers’ personal information.

Even if the business does not collect personal information, as long as is collected on behalf of a business (such as through a third party), the business could be covered by the CCPA, assuming the other requirements are satisfied.

What is the Do Not Sell Rule?

The Do Not Sell rule is a key part of the regulation. It states that businesses must give consumers the option to opt-out of the sale of their personal data.

Specifically, the regulation says that businesses must:

  • Have a page on their website titled “Do Not Sell My Personal Information.” On this page, consumers based in California can opt-out of the sale of their personal data.
  • The business must clearly link to the “Do Not Sell My Personal Information” webpage from the homepage.
  • The website must describe the consumer’s rights to opt-out of the sale of personal data and provide a link to the “Do Not Sell My Personal Information” page in its privacy policy.
  • Once a user requests that a business not sell their personal information, the business must respect this decision for a minimum of 12 months.
  • Finally, websites should have a way to prove that they are respecting these customer requests.

Businesses and website owners need to put processes in place that will help them adhere to the above guidelines.

For more information about the impact of the CCPA on your business, please contact the lawyers at Adler Law Group to schedule a consultation.

Privacy Law – How Do You Verify the Identity of a Data Requestor?

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 and will go into effect in 2020. Among many concerns about the ability of small businesses to comply with obligations imposed by the CCPA is the requirement that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted.  Whether or not your practice involves regular questions of Privacy Law, your clients may be asking you about the CCPA.  By keeping data minimization objectives in mind and not over-thinking compliance obligations, verifying the identity of a data requestor may be straight-forward.

 

The ability to control how one’s data is used is a cornerstone of the CCPA. However, this puts a burden on a business to ensure that only a “verified” consumer accesses the requested data and avoid fraudulent requests. To access or delete information, a consumer must submit a “verifiable consumer request.” While the term implies that a business must take steps to “verify” the individual making the request, the CCPA does not specify what steps it considers to be sufficient (or that it considers to be inadequate) to accomplish the verification.

 

With little to go on, a business might be tempted to act over-cautiously and require more information than is actually necessary to verify identity.   With data minimization principles in mind, it is important to recognize privacy risks to avoid.  Don’t over-reach; avoid obtaining more sensitive or potentially harmful information than is necessary to complete the request.  Also, avoid asking for sensitive documents such as a passport.

 

A good rule of thumb is try to use the same method that was used to gather the data in first place. For example, your client operates a consumer website featuring information and users are required to provide a username and password to register with the site. Ask the requestor to provide a username and password to verify. If two-factor authentication was used, then challenge that requestor using the same method. Don’t ask for a driver’s license.

 

If a client is asking for additional resources on how to implement policies and procedures, it is useful to look to industry-standard references, such as  NIST. A good (but technical) explanation Guidelines on verifying identity.  If this is too technical, a client should work with a consultant who can explain the framework. One valuable upside is that if a business is required to respond to a regulator or litigant, the business can point to use of the industry standard as reasonable basis for compliance efforts.

 

Are you tasked with advising a client how to craft a CCPA policy or procedure? There is no requirement that companies create a written policy for processing requests. If a company chooses to create an internal policy or procedure for handling data access and deletion requests, the following four topics are relevant:

 

  1. Data subject verification. Before taking any action, a company should verify that the individual that submitted the request is the individual to whom the data belongs. Verifying identity depends upon the type of data maintained. Remember, if the requestor signed up with a username and password, use this to verify.

 

  1. Communications. A business must respond to a requestor, even if the request is a denial. To streamline a timely response, a company may choose to create template communications and procedures.

 

  1. Evaluating the request. The right to be forgotten is not an absolute right. Some companies choose to include a discussion of when the right does, and does not, have to be granted within their internal policy or procedure. If refused: Reply with a reason and provide options: regulator, court?

 

  1. Completing a Request. Upon verification of the identity of a requestor and a determination that a deletion request should be granted, a business can include instructions for technical steps that should be taken in order to erase an requestor’s information.

 

For clients implementing processes and procedures to respond to individuals who invoke their rights under the CCPA, meeting the requirement to verify the requestor’s identity (and reduce the risk of complying with a fraudulent request) can present a risk. However, with data minimization objectives in mind, using verification methods that make sense in the context of the requestor’s data, may reduce some of the burden of verifying the identity of a data requestor.

 

FOR EDUCATIONAL PURPOSES ONLY. NOT LEGAL ADVICE.

Choosing the Right Legal Entity for Your Business – Webinar

Seasoned business owners usually know enough to invest in the protection of some form of business entity. Too often, these individuals fail to engage in the necessary business and tax planning to get the most from their investment.
Whether you are a sole proprietor, partnership, corporation, limited liability company (LLC), limited liability partnership, or hybrid entity, you will gain useful knowledge. This webinar covers why a business owner should consider the benefits and costs of each type of entity, the existence of limited liability for owners, flexibility in terms of governance and ownership structure, and favorable treatment under state and Federal income tax laws. More sophisticated entrepreneurs may find certain advantages in terms of estate and gift planning and flexibility in operations and management.
I want to say thanks to the folks at IVY for giving me the opportunity to present the Ivy Webinar – Choosing the Right Legal Entity for Your Business with David M. Adler. In case you missed it, there is a link to the full webinar details below.
NOTICE AND DISCLAIMER: The webinar content is for informational purposes only. It is not legal advice and does not create a lawyer-client relationship with David M. Adler.
View Webinar Here.

Declaratory Judgment Action for Copyright Infringement

At a time when #media creation & consumption is traveling across a growing number of devices, at increasing speeds, and without care for for borders whether physical, digital, or geographic, licensing, distribution and use of digital content can cause problems.

The case of Fastcase, Inc. v. Lawriter, LLC, Case No. 17-14110 (11th Cir. Oct. 29, 2018) (Tjoflat, J), involved a dispute between two legal publication service companies over the right to re-publish the Georgia Regulations.

The Declaratory Judgment defendant and presumptive rights owner had no enforceable copyright or contract rights in the Regulations. Defendant updated the terms so that unauthorized re-publication of the Regulations would result in liquidated damages of $20,000 per instance, which was relevant to the jurisdictional issues of whether § 411(a) is a jurisdictional bar.

From The National Law Review, source for this story: “Practice Note: A demand letter alleging infringement under the Copyright Act—or even alleging state law claims that would arguably be preempted by the Copyright Act—confers jurisdiction on a federal court to hear the recipient’s declaratory judgment action.”

Illinois Amends the Freedom From Location Surveillance Act

The latest amendments to the Act provide even more privacy positive aspects. The definition of “electronic device” has been clarified to include any device that enables accessto, or useof an electronic communication servicethat provides the ability to send orreceive wire or electronic communications, including wireless communications connecting the device to a telephone network. [Emphasis mine]  Also, “location information” now includes information concerning the location of an electronic device generated by or derived from the possession of the device (rather than onlyoperation of the device). The amendments also remove time-based limits on some law enforcement searches.  No location information – rather than current or future location information – may be obtained without first obtaining a court order based on probable cause. Provides that the Act does not apply to a law enforcement agency obtaining basic subscriber information from a service provider under a valid court order or search warrant (removing prior subpoena requirement). The changes are effective immediately.

The Illinois Freedom From Location Surveillance Act (725 ILCS 168/) can be found here.

Copyright Must Read: SKIDMORE V. LED ZEPPELIN reversed, remanded for prejudicially erroneous Jury Instructions.

Hat tip to Joshua L. Simmons, Copyright Division Council Liaison from KIRKLAND & ELLIS LLP in New York for keeping the #Copyright Bar up to date on important developments.

From this week’s news letter is the decision in Skidmore v. Led Zeppelin involving a claim by Michael Skidmore, a Trustee, alleging Led Zeppelin copied key portions of its timeless hit “Stairway to Heaven” from the song “Taurus.” At trial, the jury found in favor of the Defendants. Skidmore appealed on the grounds of alleged trial errors. He also disputed the district court’s determination that the scope of the copyright for unpublished works under the Copyright Act of 1909 (“1909 Act”) is defined by the deposit copy.

The appellate court made several key holdings. First, the failure to instruct the jury that the “selection and arrangement of unprotectable musical elements are protectable” was prejudicial error.  Second, a jury instruction incorrectly stated that copyright does not protect “chromatic scales, arpeggios or short sequences of three notes.” Third, a jury instruction on originality  incorrectly omitted a statement that “any elements from prior works or the public domain are not considered original parts and not protected by copyright.” “In copyright law, the ‘original’ part of a work need not be new or novel.”  Lastly, the district court must revisit the issue whether as a matter of law, that Skidmore’s “evidence as to proof of access is insufficient to trigger the inverse ratio rule.”

For more more information:

SKIDMORE V. LED ZEPPELIN
No. 16-56057, 16-56287, 2018 WL 4654729 (9th Cir. Sep. 28, 2018)