Ping® October 2021 Changes Coming to Non-Compete Agreements in Illinois

EMPLOYMENT (820 ILCS 90/) Illinois Freedom to Work Act.

Illinois passed a law that amends the Illinois Freedom to Work Act. Expands the scope of the Act to apply to all employees (rather than only low-wage employees). Prohibits all covenants not to compete.

Scope

The law goes into effect January 1, 2022 and amends the Freedom to Work Act (the Act), which restricts the use of non-compete agreements for low wage workers. For the first time, Illinois will have statutory requirements for mandatory review periods, definitions of adequate consideration and legitimate business interests, as well as specific salary minimums for employees subject to restrictive covenants. 

Application

The law will apply to non-compete and non-solicit covenants. The law does not apply to contracts covering confidential and proprietary information, protection of trade secrets, or inventions assignment agreements. The law also does not address covenants for independent contractors, and expressly carves out restrictions on a person purchasing or selling the goodwill  or an ownership interest in a business.

Mandatory Review

The law requires that an employer advise the employee in writing to consult with an attorney prior to entering into the covenant and provide the employee with at least 14 calendar days to review the agreement. 

Consideration

Contract lawyers know that to be enforceable a promise must be supported by consideration. Due to the unique nature of restrictive covenants, there is heightened scrutiny of what will constitute sufficient consideration for a restrictive covenant under the Illinois law. The leading Illinois case, 

Fifield v. Premier Dealer Services, Inc., 993 NE 2d 938 (Ill.App.1st 2013), an Illinois court decided that mere employment or continued employment for at-will employees, is not adequate consideration to support a restrictive covenant unless the employee remains employed with the employer for at least two years after signing the agreement. 

Illinois law will now expressly defines “adequate consideration” as either (1) the employee working for the employer for at least two years after signing the non-compete or non-solicitation covenant or (2) other sufficient consideration, such as “a period of employment plus additional professional or financial benefits or merely professional or financial benefits adequate by themselves.”

The law leaves open the definition of “additional professional or financial benefits.” Courts have found signing bonuses, equity grants, and other types of consideration sufficient under current case law. 

Going Forward

While there is time to plan for the effect of the new law, it’s not too soon to begin reviewing current existing “form” contracts and consider changes. One-size-fits-all contracts always need fine-tuning. Change sin the business operating environment require a closer look at non-compete and non-solicitation covenants. 

Ping® – Arts, Entertainment, Media and Advertising Law News – Protecting Furniture Design Keeps Getting Harder

Herman Miller, Inc. – a leading furniture brand and purveyor of the iconic Eames Chair Design – suffered a loss at US Trademark Trial and Appeal Board (TTAB) in its bid to protect as “trade dress” the design of the chair. The case involves a well-known chair design dating from the 1940’s, by designers Ray and Charles Eames. The chair ultimately was recognized by Time Magazine as the Best Design of the 20th Century, and now is in the design collections of numerous museums. Herman Miller sought registration of most of the chair’s configuration as a mark, depicted in more than one view, for “furniture, namely, chairs.”

The court weighed each of the Morton-Norwich factors, concluding that the proposed three-dimensional product configuration as a whole indicates that it is functional. The court found that patent evidence, the advertisements touting utilitarian advantages of the design, and the limited availability of alternative designs that would work equally well, proved functionality.

Key Take Aways:

  1. Beware of patent evidence in trade dress protection due to risk that distinctive design elements be treated as de jure functional. In general, examining attorneys no longer make this distinction in Office actions that refuse registration based on functionality. De facto functionality is not a ground for refusal. In re Ennco Display Sys. Inc., 56 USPQ2d 1279, 1282 (TTAB 2000); In re Parkway Mach. Corp., 52 USPQ2d 1628, 1631 n.4 (TTAB 1999).
  2. Ensure that advertising promotes the nonfunctional design elements, such “look for” advertising. Examples include evidence, including SEO data, that connected the applicant’s efforts to promote the applied-for mark as a trademark and consumers’ ability to conceive of the applied-for mark as such, and examples of unsolicited media coverage

Ping® – Arts, Entertainment, Media & Advertising Law News – “Five Rs” To Remember

“Five Rs” To Remember When Letting Employees Go

It is inevitable in almost every business. You will need to let an employee go. Whether it’s a seasoned designer coming with plug-and-play experience or a fresh face just out of design school, sometimes it just doesn’t work out. Recently, several of my designer clients have had to fire an employee due to the employee’s misconduct. This could be anything from soliciting and directing company clients and prospects, to doing personal consulting work on the company’s dime, to taking property and information. Regardless of the reason, here are five “R”s to keep in mind.

1. Review the contract.

2. Reconcile and pay.

3. Request return of property.

4. Reiterate respectfulness. 

5. Reserve rights.

With those ideas in mind, let’s consider each one. A little more.

1. Review the contract/offer letter. This is always the first step and will provide guidance on termination rights, procedures and remedies, if any.

2. Reconcile and pay what’s owed. See number 1. Ensure that except for payment of contractual and statutory amounts, no other salary, commissions, overtime, bonuses, vacation pay, sick pay, severance pay, additional severance pay or other payments or benefits whatsoever will be paid.

3. Request return of property and information, in whatever form. Request all property any and all property or documents the employee created or received in the course of employment, including, but not limited to e-mails, passwords, documents and other electronic information, hardware such as laptop computers and cellular telephones, calculators, smartphones and other electronic equipment (mobile phone, tablet, etc.), software, keys, company credit cards, calling cards, parking transponder, information technology equipment, client lists, files and other confidential and proprietary documents, in any media or format, including electronic files.

4. Reiterate a professional’s obligation to remain respectful. Specific admonition of non-disparagement such as “refrain from saying, making, writing or causing to be made or written, disparaging or harmful comments about us, our employees and/or our clients.”

5. Reserve rights. Close your termination notice by expressly reserving legal and equitable rights and remedies.

Please note that this is not legal advice and you should consult your own lawyer regarding your rights and obligations in the context of terminating your employee’s employment.

Social Media Advertising Tools And User Consent: What Are The Requirements?

Perhaps you’ve seen them, those television and radio ads that talk about the “creepy” nature of some adverting on the Internet that follows consumers across their social media. According to Pew Research, most Americans believe their online activities are being tracked and monitored. 

The fact is, most companies can and do share data with social media platforms to ensure targeted advertising reaches receptive audiences. As more tools become available and the variety of data sources grows globally, platforms and advertisers are re-examining their rights and obligations when it comes to something as simple as matching customers’ email addresses with their Facebook accounts. 

Facebook’s Customer List Custom Audiences (“Custom Audiences”) tool is one such tool that has the potential to expand an advertiser’s liability for unauthorized use of customer data. For EU customers, a German Data Protection Authority ruling requires a individual’s explicit consent to such sharing.

The Facebook Custom Audiences tool enables advertisers to create targeted advertisements to Facebook users by combining Facebook data with the advertiser’s data such as email addresses and phone numbers. To use marketing tool the advertiser must comply with the consent and privacy expectations of individuals who have provided email addresses.

Consent to Use Email Addresses

While the use and disclosure of email addresses is regulated in some countries, the U.S. does not have a uniform data privacy protection scheme. U.S. privacy rights are protected through a patchwork of laws addressed to specific types of harm, such as unauthorized access and disclosure of financial (Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681) or healthcare-related (Health Insurance Portability and Accountability Act of 1996 (HIPAA) 42 U.S.C. § 1320d–2) data. While the CAN SPAM Act (15. U.S.C. § 7701 et seq.) specifically regulates email, the Act excludes communications based on a previously existing relationship. 

Importantly, for most purposes, permission of the e-mail recipient is not required. However, messages MUST contain a mechanism to request to opt-out of future email messages. If email addresses are acquired from third-party sources, such as marketing databases or social media, ensure users are given reasonable notice and choice about the use of such data.

The Federal Trade Commission endorses a market-style model of ensuring the fair use of information that allows individuals to participate in decisions on the disclosure and use of their personal information. As articulated by the FTC, the elements of this approach are notice, choice, access, security and enforcement.

Contractual Requirements of Facebook Custom Audiences 

In order to use the Custom Audiences tool, the advertiser must agree to additional terms and conditions. Facebook’s Custom Audiences terms require that the advertiser have both “all necessary rights and permissions” as well as a lawful basis to disclose and use the email addresses “in compliance with all applicable laws, regulations, and industry guidelines.” 

Recommendations

Review your Privacy Policy, Website Terms & Conditions, and membership/subscription applications to confirm the existence of a clear mechanism to opt-out of future email messages. If email addresses are acquired from third-party sources, such as marketing databases or social media, review data gathering practices, review scope of permissions granted to the sources of data and ensure users are given reasonable notice and choice about the use of such data.

What Is Cyberlaw?

On November 13, I had the honor of providing a lecture on Cyberlaw to students at the Boston College Law School. Virtually, of course. I had been asked to talk about trends in Cyberlaw with a specific focus on issues related to intellectual property.

So what is Cyberlaw? Simply put, it is the “Rules of the Road” for the “information superhighway.” Cyber law is the law that governs rights, obligations and remedies of people and transactions conducted over global computer networks.

In a year that has seen hyperbolic growth in technology, commerce, and communications, this topic couldn’t be more timely. In order to frame the discussion, the scope featured a discussion of the Three Cs of Cyberlaw: Connections, Content and Commerce.

The first part of the discussion centered around Content, or issues related to Copyright, such as Free Speech/First Amendment CDA Sec. 230, Creative Works, Media and Entertainment, UGC and the DMCA.

The Second part of the discussion centered around Commerce or issues related to Trademarks, marketing and branding, such as: Marketing/Advertising, Domain NamesCyberpiracy prevention, Keyword Advertising and Social Advertising.

The third and final part of the discussion focused on Connections and Communications and issues related to Personal Data, Stalking, Harassment, Surveillance and Sovereignty, issues around Social Media Freedom of Speech v. Freedom of Reach, and the latest developments around Political speech online.

The lecture closed with a Q&A focused primarily on Navigating Law School and Professional Practice.

Is It Necessary To Register A Design Copyright?

A client was asking “is it necessary to fill out all the paperwork to register a design even though the law says you already own it?”

It’s a good question. Technically, under the Copyright Act as amended in 1976, the author (creator) of a work owns the copyright. The 1976 Act states that copyright protection extends to original works that are fixed in a tangible medium of expression. This wording broadens the scope of federal statutory copyright protection from the previous “publication” standard to a “fixation” standard. No further action is necessary. Under previous versions of the law, there were publication requirements to perfect ownership.

Under section 102 of the Act, copyright protection extends to “original works of authorship fixed in any tangible medium of expression, now known or later developed, from which they can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device.”

Until the ’76 statutory revision to U.S. copyright law the Copyright Act of 1909 governed, under which federal copyright protection attached only when those works were 1) published and 2) had a notice of copyright affixed. In addition, state copyright law governed protection for unpublished works creating inconsistencies.

Despite the successful streamlining and efficiency of rights creation and enforcement, some challenges and inconsistencies remained. Most noticeably, there had been spit in the federal courts. Some courts required the certificate to litigate, some courts only required proof that an application had been filed.

Last year, the US Supreme Court ruled that in order for a copyright owner to enforce its rights against infringers, the copyright owner must have a registration certificate for the works that are being infringed.

In Fourth Estate Public Benefit Corp. v. Wall-Street.com, LLC, 586 U.S. ___ (2019) (PDF here) decided March 4, 2019, the US Supreme Court resolved this split among courts around the country by holding that the mere filing of a copyright application is not sufficient to allow a copyright owner to file suit – actual approval of a copyright application by the United States Copyright Office is required before suit can be filed. Approval comes only in the form of a Registration Certificate.

Returning to the client’s question, while it is true that the Copyright Act says  one owns the copyright in a work when it is fixed, it is no longer true that one can ignore the registration requirements. Yes, one does not have to do anything formal to own a copyright in a work one creates. However, one cannot enforce those rights without the registration certificate in hand. For all practical purposes, there is no reason not to register the copyright in any design, pattern or other distinctive element you create. The fees are relatively low ($65.00) and completing/filing the form can be done electronically.

A word to the wise, like all areas of Intellectual Property, there are nuances that are easily overlooked by the uninitiated. You should always consult with an experienced copyright lawyer when evaluating any individual situation.

Does My Business Need A “Button” To Comply With The CCPA’s Do Not Sell Rule?

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 and went into effect in 2020. Among many concerns about the ability of small businesses to comply with obligations imposed by the CCPA is the requirement that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted.  Your clients may be asking you about the CCPA.  While each business should evaluate the law in terms of its own specific situation, here are some general guidelines to start the process.

Does the CCPA Apply to My Business?

If your business satisfies one or more of the following, then the CCPA applies:

(i) annual gross revenue in excess of $25 million?

(ii) buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, (a) for commercial purposes (assume always true), (b) alone or in combination (assume always true), (c) annually, and

(iii) derives fifty percent (50%) or more of its annual revenues from selling consumers’ personal information.

Even if the business does not collect personal information, as long as is collected on behalf of a business (such as through a third party), the business could be covered by the CCPA, assuming the other requirements are satisfied.

What is the Do Not Sell Rule?

The Do Not Sell rule is a key part of the regulation. It states that businesses must give consumers the option to opt-out of the sale of their personal data.

Specifically, the regulation says that businesses must:

  • Have a page on their website titled “Do Not Sell My Personal Information.” On this page, consumers based in California can opt-out of the sale of their personal data.
  • The business must clearly link to the “Do Not Sell My Personal Information” webpage from the homepage.
  • The website must describe the consumer’s rights to opt-out of the sale of personal data and provide a link to the “Do Not Sell My Personal Information” page in its privacy policy.
  • Once a user requests that a business not sell their personal information, the business must respect this decision for a minimum of 12 months.
  • Finally, websites should have a way to prove that they are respecting these customer requests.

Businesses and website owners need to put processes in place that will help them adhere to the above guidelines.

For more information about the impact of the CCPA on your business, please contact the lawyers at Adler Law Group to schedule a consultation.

Privacy Law – How Do You Verify the Identity of a Data Requestor?

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 and will go into effect in 2020. Among many concerns about the ability of small businesses to comply with obligations imposed by the CCPA is the requirement that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted.  Whether or not your practice involves regular questions of Privacy Law, your clients may be asking you about the CCPA.  By keeping data minimization objectives in mind and not over-thinking compliance obligations, verifying the identity of a data requestor may be straight-forward.

 

The ability to control how one’s data is used is a cornerstone of the CCPA. However, this puts a burden on a business to ensure that only a “verified” consumer accesses the requested data and avoid fraudulent requests. To access or delete information, a consumer must submit a “verifiable consumer request.” While the term implies that a business must take steps to “verify” the individual making the request, the CCPA does not specify what steps it considers to be sufficient (or that it considers to be inadequate) to accomplish the verification.

 

With little to go on, a business might be tempted to act over-cautiously and require more information than is actually necessary to verify identity.   With data minimization principles in mind, it is important to recognize privacy risks to avoid.  Don’t over-reach; avoid obtaining more sensitive or potentially harmful information than is necessary to complete the request.  Also, avoid asking for sensitive documents such as a passport.

 

A good rule of thumb is try to use the same method that was used to gather the data in first place. For example, your client operates a consumer website featuring information and users are required to provide a username and password to register with the site. Ask the requestor to provide a username and password to verify. If two-factor authentication was used, then challenge that requestor using the same method. Don’t ask for a driver’s license.

 

If a client is asking for additional resources on how to implement policies and procedures, it is useful to look to industry-standard references, such as  NIST. A good (but technical) explanation Guidelines on verifying identity.  If this is too technical, a client should work with a consultant who can explain the framework. One valuable upside is that if a business is required to respond to a regulator or litigant, the business can point to use of the industry standard as reasonable basis for compliance efforts.

 

Are you tasked with advising a client how to craft a CCPA policy or procedure? There is no requirement that companies create a written policy for processing requests. If a company chooses to create an internal policy or procedure for handling data access and deletion requests, the following four topics are relevant:

 

  1. Data subject verification. Before taking any action, a company should verify that the individual that submitted the request is the individual to whom the data belongs. Verifying identity depends upon the type of data maintained. Remember, if the requestor signed up with a username and password, use this to verify.

 

  1. Communications. A business must respond to a requestor, even if the request is a denial. To streamline a timely response, a company may choose to create template communications and procedures.

 

  1. Evaluating the request. The right to be forgotten is not an absolute right. Some companies choose to include a discussion of when the right does, and does not, have to be granted within their internal policy or procedure. If refused: Reply with a reason and provide options: regulator, court?

 

  1. Completing a Request. Upon verification of the identity of a requestor and a determination that a deletion request should be granted, a business can include instructions for technical steps that should be taken in order to erase an requestor’s information.

 

For clients implementing processes and procedures to respond to individuals who invoke their rights under the CCPA, meeting the requirement to verify the requestor’s identity (and reduce the risk of complying with a fraudulent request) can present a risk. However, with data minimization objectives in mind, using verification methods that make sense in the context of the requestor’s data, may reduce some of the burden of verifying the identity of a data requestor.

 

FOR EDUCATIONAL PURPOSES ONLY. NOT LEGAL ADVICE.

Recent Court Decisions Provide Some Clarity in Ever-changing Techlaw Landscape

As every CIO knows, today all business is digital business.  From the corner mom and pop bodega using Square to process credit cards up to Cisco Systems global network of devices supporting Zetabytes of data over an increasing number of devices.

What began as largely static website e-commerce at the turn of the millennium is now every day operations across multiple devices and the many different brands of platform and content delivery network.  In case you missed it, two recent cases will have a wide impact regardless of industry period

Law Enforcement Access To Cell Phone Location Data Requires Warrant

In the case of Carpenter v. United States, the Supreme Court ruled that law enforcement must obtain a warrant to have access to location and other data contained on a suspect’s cell phone.  In case you’re not familiar with the case, the facts in the Carpenter case are worth mentioning. In 2011, the government, conducting a criminal investigation in Detroit, obtained months’ worth of time-stamped records known as cell-site location information (CSLI) for suspects.  Wireless carriers produced CSLI for petitioner Timothy Carpenter’s phone, and the Government was able to obtain 12,898 location points cataloging Carpenter’s movements over 127 days—an average of 101 data points per day.  Carpenter moved to suppress the data, arguing that the Government’s seizure of the records without obtaining a warrant supported by probable cause violated the Fourth Amendment.  The District Court denied the motion, and prosecutors used the records at trial.  Carpenter was convicted, based in part on the cell-site records, and he appealed. holding that the government’s acquisition of historic cell-site location information (HCSLI) – at least to the extent it includes 7 days or more of cell-site records – was a search and thereby required a warrant.

In reversing the conviction, a majority of the Court has recognized that individuals have a reasonable expectation of privacy in the whole of their physical movements and a warrant is required only in the rare case where the suspect has a legitimate privacy interest in records held by a third party.  The Court downplayed the significance of its ruling, calling its decision “a narrow one” that “does not express views on “real-time CSLI” or question the application to … a range of other information-gathering tools, such as security cameras.”

What this means for business.  While pundits are wisely praising the decision as a victory for privacy, I for one, do not believe it applies that broadly. Even so, there is a tangible benefit for corporate counsel at technology companies, especially those that maintain location information about their customers. Lawyers and compliance pros will feel some relief knowing that they do not have to scramble, prevaricate or litigate with law enforcement when a company receives a subpoena or other demand for location data without a warrant attached.

For additional views on this decision, please see an article from the International Association of Privacy Professionals here, and another from the Electronic Frontier Foundation here.

States Can Now Require That Internet Retailers Collect Sales Tax

The other notable decision to come down from the Supreme Court involves the long-simmering issue of state taxation on internet sales.

The decision, in South Dakota v. Wayfair Inc., was a victory for brick-and-mortar businesses that have long complained they are put at a disadvantage by having to charge sales taxes while many online competitors do not. And it was also a victory for states that have said that they are missing out on tens of billions of dollars in annual revenue.

The South Dakota Legislature enacted a law requiring out-of-state sellers to collect and remit sales tax “as if the seller had a physical presence in the State” to address the erosion of its sales tax base causing a corresponding loss of critical funding for state and local services (“Act”).  The Act covers only sellers that, on an annual basis, deliver more than $100,000 of goods or services into the State or engage in 200 or more separate transactions for the delivery of goods or services into the State.  Top online retailers with no employees or real estate in South Dakota who met the Act’s minimum sales or transactions requirement, but do not collect the State’s sales tax opposed the Act. South Dakota filed suit in state court, seeking a declaration that the Act’s requirements are valid and applicable to respondents and an injunction requiring respondents to register for licenses to collect and remit the sales tax. At trial and on appeal, courts held that the Act is unconstitutional.

The ruling effectively overturned a system that it created.  In 1992, the Supreme Court held that the Constitution bars states from requiring businesses to collect sales tax unless they have a substantial connection to the state. That case was Quill Corporation v. North Dakota.  The Quill decision helped pave the way for the growth of online retail by letting companies sell nationwide without navigating the complex patchwork of state and local tax codes.

South Dakota’s attorney general, called the ruling “a big win for South Dakota and Main Streets across America.”  The case should benefit both rural businesses where local businesses have been hit hard by competition from online retailers and municipal coffers as well, because in some states local sales taxes are collected at the state level.  Owners of brick-and-mortar stores like the decision as a means of leveling the playing field because they feel they often missed out on sales of big-ticket items since sales tax could have had an amplified effect on the price.  For consumers, this could mean paying more for products bought online.  Although most have a “use tax” that works like a state sales tax for online purchases, few if any consumers actually pay it.

Since the beginning of my practice in 1999, I suggested businesses take a state-by-state approach when it comes to issues like sales tax, since it can vary widely by jurisdiction.  No business is entirely virtual. All businesses will need to examine their ecommerce strategy to see whether and to what extent this case affects the business model.

David Adler continues focus on Cyber Security Conferences

Soem prior conferences:

Data at Risk: Regulatory and Privacy Concerns in a Data Breach. – Enfuse Conference 2018, Las Vegas, NV, May 23, 2018.

Trends in Cyber-Law 2017– ISACA CSX North America 2017, Washington, DC October 2-4, 2017

The Human Side of IT Acquisitions– Assoc. of Technology Acquisition Professionals CAUCUS IT Procurement Summit, New Orleans, LA, November 7-8, 2017

My topic, Assessing and Responding to Cyber Legal Risk,was chosen for presentation at the 2018 New York State Cyber Security Conference. 

#nyscyber