California Consumer Privacy Act of 2018

On June 28, 2018 California (“CA”) Governor Jerry Brown signed the California Consumer Privacy Act of 2018 (“Act”) into law. The Act zeroes in on the personal information (“PI”) of CA residents, at once: (i) formalizing consumers’ rights regarding their own PI, and (ii) mandating what certain businesses may and may not do (sans permission) if they collect, disclose, or sell such info. Like the recently effective GDPR—and the Internet itself—the Act reaches far beyond its ostensible borders. Its implications should therefore be tracked by any covered entity dealing in PI, as the Act defines it.

This post summarizes certain key aspects of the Act: namely, its rights, requirements, and the entities beholden to both.

Effective Date

The Act will be effective January 1, 2020. §1798.198(a). Until then, the CA legislature will likely rethink, refine, and amend it. §1798.185(a). While getting a head-start on Act-literacy is wise, keeping an eye on its evolution is key.

Covered Businesses

The Act’s requirements fall primarily upon “businesses,” which are defined as:

For-profit legal entities that,

- collect consumers’ PI (or have PI collected on the business' behalf);

- alone or jointly determine the purposes and means of PI processing;

- do business in CA; and

   o have annual gross revenues over $25M;

   o alone or in combination, annually buy, sell, or share for commercial purposes the PI of 50K or more consumers, households, or devices; or

   o derive 50% or more of their annual revenues from selling PI. §1798.140(c)(1).

The Act's covered businesses also include entities that (i) control or are controlled by, and (ii) share common branding (i.e. name, trademark) with, the above businesses. §1798.140(c)(2).

Covered Data

The key phrase here is “personal information.” The Act defines PI as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” §1798.140(o)(1).

The Act provides a non-exhaustive list of PI examples, including: names, SSNs, biometrics, personal property records, records of products considered or purchased, browsing history, geo data, visual, thermal or olfactory data (Note: if you know what "olfactory data" entails, let us know!), education info, and any inferences drawn from these and the other listed data points. Id. Exception: publicly available info, as defined by the Act, is not PI. §1798.140(o)(2).

Consumers and Rights

The Act grants “consumers”—defined as natural persons who are CA residents, §1798.140(g)—distinct rights pertaining to the handling of their PI, including the following.

(1) The right to know what PI each business collects.

Thanks to this right, when requested by a consumer, a business must disclose to that consumer promptly (i.e. generally within 45 days of receipt of request) and free of charge: (i) the categories of PI collected; (ii) specific pieces of PI collected; (iii) categories of sources from which a business collected such consumer's PI; and (iv) categories of third parties with which businesses share that PI. §1798.100; §1798.110.

Also, at or before the point of collection, a business must inform consumers of: (i) the categories of PI collected, and (ii) how the PI will be used. Additional collection or use is prohibited sans this notification. §1798.110.

Exceptions: Businesses are not required to disclose to consumers any unsold or un-retained PI collected for one-time transactions. Also, re-identifying or otherwise linking data that the business does not (in the ordinary course of business) maintain as PI, for the sake of disclosing that PI, is not required. §1798.100; §1798.110.

(2) The right to request the deletion of their PI.

When requested by a consumer, a business must delete that consumer's PI and direct its service providers (defined at §1798.140(v)) to do the same. §1798.105(c). Exceptions include where the PI is necessary to: (i) perform a contract with the consumer, (ii) detect security incidents, (iii) debug, (iv) exercise a lawful right, (v) comply with certain Penal Code or other legal requirements, (vi) conduct public interest research, or (vii) otherwise use the PI “internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” §1798.105(d).

(3) The right to know whether their PI is sold or disclosed, and to whom.

Upon request by a consumer, businesses who sell PI or otherwise disclose it for a business purpose must disclose to that consumer, essentially, the categories of (i) PI they collected, disclosed for a business purpose, and sold; and (ii) each third party to whom they sold the PI. §1798.115. If a business hasn’t sold the requesting consumer’s PI, such business must disclose that fact. Id.

(4) The right to prohibit—i.e. “opt out” of—the sale of their PI.

A consumer may at any time direct a business that it may not sell that consumer’s PI. §1798.120. Businesses that sell consumer PI must notify consumers that their PI may be sold, and of this opt-out right. Id. Without this notification, a business is prohibited from selling the affected PI. Id. Also, should a business receive a consumer’s opt-out, such business is prohibited from selling that consumer's PI. Id. That is, unless the consumer subsequently opts back in via an express authorization. Id. Stricter rules (e.g. a requirement that consumers “opt in” to allow their PI’s sale in the first place) apply for certain teenagers’ PI. §1798.120(d).

To comply with this requirement, businesses must provide a clear and conspicuous link on their homepage and in their privacy policy, titled “Do Not Sell My Personal Information.” §1798.135. This link must take consumers to an opt-out page; a link to this opt-out page must also appear in the business’s privacy policy, along with a description of consumer rights to prohibit the sale of their PI. Id. Exception: where a business maintains a separate, additional website for its CA consumers, it is permissible for these links to only appear on this CA-centric site, as long as the business “takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.” Id.

Moreover, a business may not require that a consumer creates an account in order to direct the business not to sell the consumer’s PI. Id.

Bonus prohibition: third parties may not sell PI that they bought from a business unless the relevant consumer: (i) has received explicit notice that its PI may be sold; and (ii) has a chance to opt out. §1798.115(d).

(5) The right to equal service and price, even if they exercise their privacy rights under the Act.

A business may not discriminate against consumers because they have exercised any of the above rights, including by denying services to such consumers or charging them different rates. §1798.125. (While the Act provides an exception to this rule, allowing businesses to offer different rates or quality of goods or services to customers “if that price or difference is directly related to the value provided to the consumer by the consumer’s data,” id., the opacity of this exception requires further assessment.)

Finally, businesses may offer financial incentives to consumers in exchange for the collection, sale, or deletion of their PI—as long as: (i) the businesses notify consumers of these incentives; (ii) the relevant consumers opt into this arrangement, which consent is revocable anytime; and (iii) the incentive practices are not unjust, unreasonable, coercive, or usurious. Id.

Penalties and Procedures

If a business fails to implement and maintain reasonable security practices appropriate to the nature of the PI, and this failure results in a consumer’s nonencrypted or nonredacted PI being accessed and exfiltrated, stolen, or disclosed in an unauthorized manner, such consumer/s (individually or as a class) may commence a civil action for: (i) the greater of (a) up to $750 in damages per consumer and incident, and (b) actual damages; (ii) injunctive or declaratory relief; and (iii) any other relief per the court’s discretion. §1798.150. The Act further provides the factors for the court’s consideration in assessing statutory damages. Id.

Consumers have a cause of action for general Act violations—and the statutory damages that may follow—as well, subject to the Act's dispute resolution procedures. Id. A consumer must notify the business 30 days before initiating their action, identifying the allegedly violated provisions of the Act. Id. If the business cures within this period, providing an “express written statement” to this effect (which statement is enforceable), no action may be brought concerning that cured matter. Id. Exception: no notice is required for an action for actual pecuniary damages. Id.

If 30 days pass without cure, a business is in violation of the Act. §1798.155.

A consumer must also notify the Attorney General (“AG”) within 30 days of filing an action for statutory damages under the Act. §1798.150. Within 30 days following receipt of this notice, the AG must either: (i) notify the consumer of the AG’s intent to prosecute, in which case the consumer may not proceed with their action (however, if the AG doesn’t prosecute within 6 months, the consumer may proceed with their action); or (ii) notify the consumer that they may not proceed with their action. Id. If the AG does nothing within these 30 days, the consumer may proceed. Id.

Any person, business, or service provider who intentionally violates the Act may be liable for a civil penalty of up to $7,500 for each violation. §1798.155(b).

Miscellaneous Requirements and Exclusions

- Businesses must provide at least two methods by which consumers may make the requests for info about their PI detailed above, e.g. a phone number and web address. §1798.130.

- The 45-day deadline for a response to a consumer request for info about their PI may be extended once by a business for another 45 days when reasonably necessary, provided the relevant consumer is notified of this extension within the initial 45 days. Id. A 90-day extension is also available based on the complexity and numerosity of requests a business receives, as are exceptions to, and even payment terms concerning, this obligation. §1798.145(g).

- Businesses' PI disclosures must cover the 12-month period preceding the receipt of consumer’s request. §1798.130.

- Businesses must include and update in their privacy policies every 12 months, as necessary: (i) their consumers’ rights; (ii) methods of submitting requests; (iii) the categories of PI they have collected, sold, and disclosed for business purposes in the prior 12 months. Id.

- Businesses must ensure their relevant personnel are adequately informed of the Act’s requirements, and know how to help consumers exercise the rights it provides. Id.

- Businesses are not obligated to provide a consumer with info on the sales or disclosures of that consumer’s PI more than twice in 12 months. Id.

- Businesses must “respect” a consumer’s opt-out for at least 12 months before requesting that the consumer revisit their decision and authorize the business’ sale of the consumer’s PI. §1798.135.

- A consumer may opt-out via a proxy. Id.

- The Act does not apply to:

   o Consumer information that is “deidentified or in the aggregate consumer information.” §1798.145. ("Deidentified" is defined at §1798.140(h) and "aggregate consumer information" is defined at §1798.140(a).)

   o The collection or sale of PI “if every aspect of that commercial conduct takes place wholly outside of California.” §1798.145(a). Meaning, (i) if the business collected PI while the consumer was out of CA, (ii) no part of the PI sale occurred in CA; and (iii) no PI collected while the consumer was in CA is sold. Id. The Act cautions that this exception does not permit a business to store PI (e.g. on a device) while the relevant consumer is in CA, only to collect that PI once the consumer (and their stored PI) leaves CA. Id.

   o Evidentiary privileges. §1798.145(b).

   o Protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act or certain HIPAA rules. §1798.145(c).

   o PI collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, where such law conflicts with the Act. §1798.145(e).

- A business is not liable for violations of the Act by its service providers, if the business didn’t know (or have reason to believe), when it disclosed PI to that service provider, that it intended to commit such a violation. §1798.145(h). A service provider is similarly not liable for the businesses it deals with. Id.

- A business is not considered by the Act to have sold PI when the relevant consumer directs the business to make such disclosure or “uses the business to intentionally interact with a third party.” §1798.140(t)(2)(A).

- Contract provisions that purport to waive or limit consumer rights under the Act are contrary to public policy, void, and unenforceable. §1798.192.

GDPR Overlap

The Act’s implicit intent is “to further the constitutional right of privacy and to supplement existing laws relating to consumers’ personal information.” §1798.175. To this end, where other sweeping PI statutes such as GDPR conflict with the Act, “the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.” Id.

Conclusion

Though lengthy, this synopsis of the Act is not exhaustive. While the Act provides additional—and potentially pivotal—requirements and exceptions for businesses, their service providers, and third parties in relation to consumer PI, this post may serve as a guide to certain highlights of this new law and a primer for the internal discussions the Act should stimulate within entities of all (covered) stripes.

SLG's 50 State Survey Part Four: Illinois

This is the fourth installment of a nationwide survey report we’re working on here at SLG, which will ask the questions listed below of each of the fifty U.S. states. Here’s our New York, California, and Florida coverage, respectively. Next up:

ILLINOIS

I. LIMITS OF LIABILITY

Are contractual caps, ceilings, or limits on direct damages enforceable?

Yes, based on the public policy principle of freedom of contract. Rayner Covering Systems, Inc. v. Danvers Farmers Elevator Co., 226 Ill. App. 3d 507, 512 (1992). However, clauses limiting direct damages are disfavored in Illinois and are strictly construed against a benefitting party. Hicks v. Airborne Express, Inc., 367 Ill. App. 3d 1005, 1011 (2006). All the more so when the benefitting party drafted the limiting clause. Harris v. Walker, 119 Ill. 2d at 542, 548 (1988). As such, to make direct limits of liability stick, drafters “must spell out the intention of the parties with great particularity [as such clauses] will not be construed to defeat a claim which is not explicitly covered by their terms.” Scott & Fetzer Co. v. Montgomery Ward & Co., 112 Ill. 2d 378, 395 (1986).

Are provisions that exclude all consequential damages enforceable?

Yes, unless they are unconscionable. 810 ILCS 5/2-719(3). Limiting consequential damages for someone’s physical injuries arising from a consumer goods contract is prima facie unconscionable, although limiting consequential damages where the loss is merely commercial is not. Id.

Can remedies be limited to those express remedies solely and exclusively provided for in a contract?

Yes, unless:

A. the exclusive remedy fails of its essential purpose; or

B. the exclusion is unconscionable. 810 ILCS 5/2-719(1)-(3).

An exclusive remedy—e.g. the repair and replacement of the contracted goods in question—may fail of its essential purpose if it deprives either party of the substantial value of the bargain. Razor v. Hyundai Motor America, 222 Ill.2d 75 (2006), quoting 810 ILCS Ann. 5/2-719, Uniform Commercial Code Comment 1, at 488 (Smith-Hurd 1993). For example, if the repair or replacement of originally contracted goods doesn’t work either, repeatedly. Id.

II. DAMAGES

Does Illinois cap the amount of (A) consequential damages, or (B) punitive damages that a party may recover?

A. No. Moreover, consequential damages resulting from a seller’s contract breach include those: (i) contemplated by the parties at the time of contracting, which could not reasonably be covered; and (ii) arising from an injury to a person or property proximately resulting from any breach of warranty. 810 ILCS 5/2-715(2)(a)-(b).

B. Yes, generally. 735 ILCS 5/2-1115.05(a). The amount of punitive damages that may be awarded for a civil claim covered by this statute may not exceed three times the amount awarded to the claimant for the related economic damages. Id. Those covered claims: “all cases on account of bodily injury, or physical damage to property based on negligence, or product liability based on any theory or doctrine.” Id.

Are punitive damages recoverable in contract matters? If so, when?

No. Bank of Lincolnwood v. Comdisco, Inc., 111 Ill. App.3d 822, 829 (1982). Exception: punitive damages are available in breach of contract matters where the defendant committed the applicable breach with “malice, wantonness or oppression,” and therefore committed an independent tort. Id. As such, the court must analyze the motive underlying the breach to determine whether it warrants punitive damages.

The Illinois Compiled Statutes offer further guidance, stating that punitive damages in “cases on account of bodily injury, or physical damage to property based on negligence, or product liability based on any theory or doctrine” may be recovered only if:

A. actual damages are awarded; and

B. the plaintiff shows by clear and convincing evidence that the defendant acted “with evil motive or with a reckless and outrageous indifference to a highly unreasonable risk of harm and with a conscious indifference to the rights and safety of others.” 735 ILCS 5/2-1115.05(a)-(b).

Bonus note: punitive damages are prohibited—whether capped or not—in cases of legal or medical malpractice. 735 ILCS 5/2-1115.

III. DISCLAIMERS/LIMITATIONS OF WARRANTY

Are disclaimers of any and all implied warranties enforceable in Illinois?

Yes, subject to drafting requirements for each warranty the drafter seeks to disclaim. 810 ILCS 5/2-316.

To disclaim or modify the implied warranty of merchantability, the applicable provision must:

A. mention merchantability; and

B. be conspicuous. 810 ILCS 5/2-316(2).

To disclaim the implied warranty of fitness the applicable provision must be conspicuously written. Id.

All implied warranties are also excludable via “language which in common understanding calls the buyer's attention to the exclusion of warranties and makes plain that there is no implied warranty.” 810 ILCS 5/2-316(3)(a). This language includes “as is” or “with all faults.” Id.

Finally, implied warranties can also be excluded or modified through the parties’ course of dealing, course of performance, or usage of trade. 810 ILCS 5/2-316(3)(c).

Despite this statutory guidance, drafters should note that Illinois courts have invalidated disclaimers that conformed to the above requirements where “the evidence unequivocally demonstrated that the substantially defective nature of the [contracted good] clearly impaired its value to the plaintiffs and thus revocation of acceptance is appropriate even if the dealer has properly disclaimed all implied warranties.” Blankenship v. Northtown Ford, Inc., 95 Ill.App.3d 303, 306.

IV. STATE DISPUTE RESOLUTION

May claimants sue the State of Illinois for breach of contract? If so, does Illinois mandate any dispute resolution procedures with the State?

Yes, to both. Claimants may sue the State; however, claimants “aggrieved by an administrative action must first pursue all available administrative remedies before resorting to the courts.” Village of South Elgin v. Waste Management of Illinois, Inc., 348 Ill. App. 3d 929, 930 (2004) (citing Rockford Memorial Hospital v. Dep’t of Human Rights, 272 Ill. App. 3d 751, 757 (1995)). Also, contract breach claimants must sue Illinois in the Court of Claims, as the Court of Claims Act grants the Court of Claims exclusive jurisdiction over “[a]ll claims against the State founded upon any contract entered into with the State of Illinois.” 705 ILCS 505/8(b).

SLG's 50 State Survey Part Three: Florida

This is the third installment of a nationwide survey report by SLG, which will ask the questions listed below of each of the fifty U.S. states. Here is our New York and California coverage, respectively. Next up:

FLORIDA

I. LIMITS OF LIABILITY

Are contractual caps on direct damages enforceable in Florida?

Yes, limits of liability clauses are enforceable in Florida. Mt. Hawley Ins. Co. v. Pallet Consultants Corp., No. 06-61763-Civ (S.D. Fla. 2009). However, drafters should “clearly and unequivocally” provide their limits, considering the general “disfavor” of exculpatory provisions among Florida courts. Id.

Are provisions that exclude all consequential damages enforceable in Florida?

Yes, generally. Florida’s Uniform Commercial Code: Sales states that consequential damages may be limited or excluded altogether unless the limitation or exclusion is unconscionable. Fla. Stat. § 672.719(3). However, commercial contract drafters must note that any limitation of consequential damages for injury to a person in the case of consumer goods is prima facie unconscionable, and therefore unenforceable. Id. Still, a limitation of damages where the loss is merely commercial is not automatically unconscionable, and therefore, may be enforceable. Id.

Can remedies be limited to those expressly and exclusively provided in a contract?

Yes. As long as the remedies are expressly provided as—and therefore agreed to be—exclusive, such exclusive remedies are enforceable. Fla. Stat. § 672.719(1)(a)-(b). However, where circumstances cause an exclusive (or limited) remedy to fail of its essential purpose, such remedy may not be exclusive of other applicable statutory remedies. Fla. Stat. § 672.719(2).

II. DAMAGES

Does Florida cap the amount of (a) consequential damages, or (b) punitive damages that a party may recover?

(a) No. Although, drafters should note that consequential damages are statutorily defined to include losses:

(A) stemming from needs that the seller, at the time of contracting, had reason to know of, and;

(B) that could not reasonably be prevented by cover or otherwise. Fla. Stat. § 672.715(2)(a).

Consequential damages also include losses due to injury to a person or property that are proximately caused by the seller’s breach of warranty. Fla. Stat. § 672.715(2)(b).

(b) Yes, generally. Fla. Stat. § 768.73(1)(a). Punitive damages may not exceed the greater of:

(i) three times the compensatory damages awarded to each claimant; and

(ii) $500,000. Id.

However, Florida law raises this cap where the proven wrongful conduct was:

(1) motivated solely by unreasonable financial gain; and

(2) actually known to be unreasonably dangerous, with a high likelihood of resultant injury. This knowledge may be possessed by a managing agent, director, officer, or other person responsible for making policy decisions on behalf of the defendant. Fla. Stat. § 768.73(1)(b).

Here, the punitive damages cap is the greater of:

(y) four times the compensatory damages awarded to each claimant; and

(z) $2 million. Id.

Despite the foregoing, Florida law does not cap punitive damages at all where the defendant had a specific intent to harm the claimant at the time of injury, and such harm-minded conduct succeeded in harming the claimant. Fla. Stat. § 768.73(1)(c).

Are punitive damages recoverable in contract matters? If so, when?

Yes, unless the defendant establishes, before trial, that punitive damages have already been awarded against that defendant for the same act or course of conduct. Fla. Stat. § 768.73(1)(d)(2)(a). Still, even in these doubled-up cases, punitive damages remain available if a court determines by clear and convincing evidence that the prior punitive damages were insufficient to punish the defendant’s behavior. Fla. Stat. § 768.73(1)(d)(2)(b).

III. DISCLAIMERS/LIMITATIONS OF WARRANTY

Are disclaimers of any and all implied warranties enforceable in Florida?

Yes. But it has to be done right. To exclude or modify the implied warranty of merchantability, for example, contract language must:

(i) mention merchantability; and

(ii) be conspicuous. Fla. Stat. § 672.316(2).

To exclude or modify any implied warranty of fitness, a contractual exclusion must be conspicuous. Id. Generally, expressions like “as is” or “with all faults” successfully exclude all implied warranties. Fla. Stat. § 672.316(3)(a).

Fun fact: There is no implied warranty that cattle or hogs are free from sickness or disease—unless the seller knowingly sells the beasts diseased. Fla. Stat. § 672.316(3)(d).

IV. STATE DISPUTE RESOLUTION

May claimants sue the State of Florida for breach of contract? If so, does Florida mandate any dispute resolution procedures with the State?

Yes. While the State of Florida waived its sovereign immunity for torts in 1975, clearing the way for claimants to sue the Sunshine State for everything from personal injury to ministerial fails, Fla. Stat. § 768.28, no statutory provisions waive Florida’s sovereign immunity regarding contracts. Florida courts undertook this matter instead, and have ruled consistently that claimants may sue Florida for contract breach as long as such suits concern “express, written contracts into which the state agency has statutory authority to enter.” Pan–Am Tobacco Corp. v. Dep't of Corr., 471 So.2d 4, 6 (Fla.1984). However, “[w]hen an alleged contract is merely implied, [Florida’s] sovereign immunity protections remain in force.” City of Fort Lauderdale v. Israel, No. 4D15–1008 (FL. Dist. Ct. App. 2015).

Florida requires no particular dispute resolution procedures for contract disputes with the State.

GDPR Versus (Traditional) UX

Often, corporate entities hail user experience (“UX”) as an essential product feature. In fast-evolving tech markets, many believe, it is the Web-tool with the smoothest ride—the most frictionless UX—that absorbs and retains the most users. As a result, many platforms place a heavy premium on minimizing the steps between what the user wants and what the user gets. The fewer pages or options or hoops-to-jump-through in between, the better.

The General Data Protection Regulation (“GDPR”) purposefully disrupts this strategy.

Easily the most significant data privacy regulation in the last 20 years, the GDPR, whose compliance deadline is May 25, revolutionizes the way organizations must handle consumer information. Pivotally, the European Union (“EU”)-generated law requires any entity that collects, monitors, or targets EU residents’ data to provide such data’s subjects with broad access to and control of their information. The GDPR further requires covered entities to report data security breaches to local regulators; no longer is doing so merely a “best practice.” Perhaps the GDPR’s most monumental edict, however, lies in its muscle: entities that violate the GDPR’s strict provisions are liable for fines of up to $20 million or 4% of global turnover—whichever is greater.

The GDPR’s purpose is no secret. It is intended to disrupt monolithic data companies such as Google and Facebook, forcing them to boost their privacy and security practices to a level that EU regulators believe adequately protects the consumers that provide the endless data such companies peddle.

So: with UX on one side and increasingly complex data consent, access, and control requirements on the other, what will mega-data companies do?

On April 18, Facebook invited a host of journalists to its new Building 23 at the social media giant’s Menlo Park HQ. There, Facebook revealed its GDPR compliance plan to the reporters. And the reporters were, reportedly, underwhelmed. Their chief criticisms:

- Facebook’s user consent prompt is placed beneath an “X” in a “big blue button.” This “X” prominently invites users to skip the GDPR bases for requiring legal, personal consent over their information.

- Pages describing Facebook’s control of sensitive information—a crux of financial value, personal privacy, and privileged knowledge such as sexual preference, religious and political views—feature an “Accept And Continue” button in “pretty blue” and an “ugly gray” “Manage Data Settings” button. The former, which defaults to Facebook’s preferences, is selectable whether or not the user scrolls through the rules. This crucial page is “obviously designed to get users to breeze through it by offering no resistance to continue, but friction if you want to make changes.”

- In the U.S., user interactions with political groups and events pages trigger each user’s placement in “overarching personality categories” that Facebook sells to advertisers. The only way to opt out is to “remove any info you’ve shared in these categories.”

- Global facial recognition is enabled by default.

- To reject Facebook’s Terms of Service, users must locate a “see your options” hyperlink that is “tiny” and “isn’t even a button.” (The “I Accept” button, however, is “big.”) This “see your options” link leads to a “scary permanent delete” button and “another tiny ‘I’m ready to delete my account’ hyperlink.” If a user selects this option, but wants to download their data first, this process can take hours. And the downloaded data’s portability has significant holes.

- Users between 13-15 years old are off-limits to Facebook collecting their sexual and political data or serving them ads—unless the child gets parental consent. This consent is obtainable by the child providing Facebook with an email address, and that email subject granting consent via email. No further controls aim to determine whether the email subject is actually the child’s parent or guardian.

In sum: Instead of scaling back on UX to ensure that users—i.e. the providers and, per the GDPR, the proprietors of that data—understand what data Facebook elicits from users, how Facebook uses that data, and how users can adjudicate both of these processes, Facebook squeezed the GDPR’s requirements into its longstanding UX-first template.

GDPR or not, Facebook still “pushes” users “to speed through giving consent…with a design that encourages rapidly hitting the ‘Agree’ button.” Their platform “makes accepting the updates much easier than reviewing or changing them.”

Facebook and companies of its data-caliber made their bones on smooth UX. This methodology founded the bonds between users and these companies’ platforms, underwriting their success. But in an effort to continuously smooth users’ ride, UX-optimizers glossed over some weighty details. By enabling—read: training—users to hit “Agree” without reading the terms and conditions governing the services at play, data propagators obfuscated the true cost-benefit analysis underlying their products. Deprived users of a reasonable opportunity to make an informed decision re: whether they could responsibly press “Post.”

The Cambridge Analytica/Facebook controversy is the latest indicator of this dissonant status quo. On April 10 and 11 Facebook CEO Mark Zuckerberg apologized to the Internet-surfing world for his company’s untrustworthy custodianship of user data. On his watch, political marketers scraped user data, aggregated it, and built a media machine of epic proportions and historical effectiveness.

In the wake of this scandal, Internet searches for “delete Facebook” reached a five-year high. This compounded a troubling trend for Facebook at the close of 2017, when the company lost daily users in the US and Canada for the first time ever. And after the U.S. Federal Trade Commission confirmed its investigation of the company, Facebook’s stock dropped precipitously, shedding over $100 billion in value to match its lowest point since mid-2017.

The Cambridge Analytica revelations spotlighted yet again the reality of social media and many other online platforms: if you use them, your data may be forfeit. From Snowden to Yahoo to Uber to Target, this is not a new lesson for consumers who find themselves increasingly aware of the shady marketability of their data.

Aleksandr Kogan, the psychology professor hired by Cambridge Analytica to scrape millions of Facebook users’ profiles, agrees. He noted recently that users’ awareness that their data is improperly traded was a “core idea” underlying Cambridge Analytica’s practices—with a twist.

“Everybody knows,” Kogan said he and Cambridge Analytica believed, “and nobody cares.”

Now, post-fracas, Kogan believes the latter part of this theory was “wrong.” People not only know how their data is manipulated, but they care, too.

This uptick in user cognizance provides a pivotal impetus for Facebook, Google, and other blue-chip data stores to leave superficial UX, made of bubble letters and candy-colored buttons, behind. To invest in true UX via true transparency. To place a premium on educating their users on the inner workings of the relationship between human and platform. To smooth UX not by shrouding choice, but by building trust.

That is, after all, the new preferred experience.

Otherwise, regardless of Mr. Zuckerberg’s congressional apologies, Prof. Kogan’s revisions, and whether the GDPR’s impending fines are as damning as planned, users now know what happens to their data. Who is misusing it. And, UX or not, what to do about it.

Update: Cambridge Analytica announced on May 2 that it will file for bankruptcy. Its Facebook controversy has "driven away virtually all of the company’s customers."

Centra: Contradictory Tokens, Celebrity Endorsements, and a Florida Class Action

Introduction

2017 closed with a flurry of ICO activity, especially on the legal and regulatory side of the table. Throughout Q4, ICO participants filed a slew of class actions against the organizations running those ICOs, and an ICO by restaurant review platform aspirant Munchee even triggered an SEC Cease and Desist. 

This post spotlights Centra, a Miami startup that promised to build a crypto debit card platform, and its $30 million ICO, questionable credit card company relationships, A-list entertainment proponents, and alleged securities law violations.

Facts

At the time of its ICO, Centra planned to develop a cryptocurrency-focused debit and credit card system that would allow users to spend bitcoin, for example, anywhere that accepted certain major cards. Through the Summer and Fall of 2017, Centra publicized relationships with Visa and Mastercard, leverageable towards facilitating instant crypto-transactions. Centra also published its intentions to create an online crypto marketplace (“cBay”) and Centra-centric blockchain. The startup generated hype for its ICO via celebrity endorsements. In mid-September, boxing champ Floyd Mayweather encouraged his 8 million Twitter followers to “Get yours before they sell out,” referring to Centra’s CTR tokens. Rapper DJ Khaled trumpeted Centra across social media platforms as well. Seemingly overnight, millions knew of Centra, and the startup raised between $30 and $50 million by October 2017.

A Florida Class Action

On December 13, 2017 a Centra ICO participant filed a class action complaint on behalf of fellow Centra ICO participants in the US District Court of Southern Florida, alleging that the Centra ICO was a securities sale illegally unregistered with the SEC. Rensel v. Centra Tech, Inc., 1:17-cv-24500-JLK (“Rensel”). Via this ICO, Centra orchestrated “a flimsy façade” claiming that its tokens were not securities but rather “utility tokens” over which the SEC had no jurisdiction, complains Rensel. Id. at 13.

Rensel also takes aim at the allegedly deceptive nature of Centra’s Mastercard and Visa engagements, Id. at 3, and even its celebrity endorsements. Id. at 13.

Utility Tokens versus Securities

Rensel alleges that Centra dubbed its CTR tokens as “utility tokens”—not because this term accurately described CTR, but because the startup believed this tag alone would shield Centra from SEC jurisdiction. Id. at 14. Centra made contemporaneous, conflicting statements to this effect concerning their offering, asserts Rensel, including:

-          That each CTR was a “utility token” that “will surge in value,” in an online post, Id. at 15;

-          That ICO participants would be able to either use their CTR “or trade them on cryptocurrency exchanges for a profit,” per Centra’s white paper, Id. at 18; and

-          That Centra's ICO participants were “investors,” stated repeatedly, Id. at 2.

These statements—and a multitude of others made on podcasts and online—sent contradictory signals to participants as well as regulators, per Rensel.  A (non-SEC regulated) utility token’s function is to provide a utility, i.e. access or future access to a product or service, not to passively rise in value on the efforts of the offeror, which is the function of a (regulated) security. Centra sought to straddle the line between securities and utility tokens, in effect marketing both ways on a one-way street, in increasing regulatory traffic.  And ended up, according to Rensel, simply offering an unregulated, and therefore illegal, security.

Red Flags – Visa and Mastercard

Rensel isn’t the first to raise red flags around Centra. In October, a New York Times investigation revealed substantial inconsistencies concerning Centra’s touted connection to Visa and Mastercard. These relationships, pivotal to Centra’s pitch towards developing a crypto-credit and -debit system, turned out to be nascent at best, and outright nonexistent at worst.

Centra’s proposed debit and credit capability hinged on its claimed connection with established credit card companies. So, Visa once featured heavily on Centra’s website. The site even displayed mockups of crypto credit cards stamped with the Visa logo. But when the Times asked Visa about the nature of its connection with the exciting new crypto startup, Visa responded that it had never approved Centra to work with the Visa network. In fact, said a Visa spokesperson, Centra never even applied to Visa for this capability.

After the Times contacted Visa, Centra erased Visa’s logos and mentions from the Centra website. Soon after that, per the Times, a Centra founder said in an interview that Centra had refocused on the Mastercard network, which Centra would employ instead of Visa. But, yet again, when the Times reached out to Mastercard, this credit card company also denied any ties to Centra. Rensel folded much of this allegedly deceptive narrative, as well as other press releases and interviews in which Centra claimed relationships with both Visa and Mastercard, into its complaint. Rensel, at 10-15.

As of now, Visa is not mentioned on the Centra website. However, while Centra’s credit card mockups show only the Centra “C,” Centra's white paper still asserts that its "customers can use Centra Card anywhere in the world that accepts Mastercard."

Red Flags – Celebrity Endorsements

The Times also reported certain oddities regarding Centra’s celebrity endorsements. And Rensel, citing the Times, alleges that the defendants paid—in cash—for the high-profile Mayweather and Khaled endorsements, then claimed "partnerships" with the entertainers. Rensel, at 13. Mayweather’s spokesperson, for one, told the Times the boxer was “not involved in any continuing relationship with Centra.” Id.

Although Rensel clarifies that alleged deceptions such as these are not determinative of Rensel’s claims—since “Defendants are strictly liable for the offering and selling of unregistered securities in connection with the Centra ICO,” Id. at 3—these surrounding deceptions are presented rather “to stress the need for judicial immediate intervention given Defendants’ clear manipulation of investors.” Id. at 13.

On December 15, Centra's blog published the company's refutation of Rensel, calling the plaintiff an "alleged purchaser of Centra Tokens" whose suit "attempts to mimic claims and allegations the Securities and Exchange Commission has lodged against other cryptocurrency offerors." 

Conclusion

Centra exhibited other red flags, from a founder’s spotty criminal history to a crew of nonexistent employees—including an executive who apparently existed only on LinkedIn (more on these in the Times).

Yet Centra still lives. In a press release published January 14, Centra announced a revamped executive roster including a new CEO, COO, and CIO. The press release highlights the new execs' legal and regulatory experience, in particular, and mentions that Centra’s new CIO just left Visa, where he served as Senior Information Security and Compliance Officer for Global Service Operations.

Also noted in this press release: Centra just shipped its first batch of Centra Cards. But this time, Centra refers to its card recipients not as “investors,” but as “contributors.”

ICO December in Review: Munchee, the SEC, and a Centra/ATB Tease

December was a great month for ICO guidance. 

On December 11, the Securities and Exchange Commission (“SEC”), the U.S. federal agency at the forefront of ICO regulatory developments, published its Cease and Desist Order against Munchee Inc., purveyors of an iPhone restaurant review app with a $15 million ICO, for selling unregistered securities in violation of Sections 5(a) and 5(c) of the Securities Act of 1933 (“Securities Act”). On December 13, ICO participants in Centra, a crypto-debit card company with proponents like Floyd Mayweather and DJ Khaled, filed a class action in the U.S. District Court of Southern Florida alleging Centra committed the very same SEC violations via its $30 million coin offering. And on December 21, ATB fielded a like-minded class action complaint in the Southern District of New York for its blockchain-based payment system and estimated $24 million ICO. All of this on top of the recent—and compounding—Tezos litigation marks an eventful month for the intersection between ICOs and their regulatory bodies.

This post analyzes the Munchee story; the next will tackle Centra, then ATB.

Munchee

In reaching its conclusion that Munchee violated the Securities Act, the SEC applied the “Howey Test,” the most common test for determining whether ICO tokens, for example, are investment contracts. The Howey Test stems from a seven-decade-old Supreme Court case, SEC v. W. J. Howey Co., 328 U.S. 293 (1946), and its progeny, and essentially analyzes whether a sale involves an:

(1) investment of money (or other consideration)

(2) in a common enterprise, with

(3) profits to come solely or primarily from the efforts of others (i.e. participants in an ICO, for instance, may have a reasonable expectation of profits based on the ICO proprietors’ entrepreneurial or managerial efforts).

Any sale that meets these qualifications—all of them—is a sale of securities. And any offering or sale of securities, per Sections 5(a) and 5(c) of the Securities Act, must be registered with the SEC (or exempted from registration) to be lawfully offered for sale or sold. Following the SEC’s Cease and Desist notice to Munchee, and in anticipation of SEC proceedings, Munchee settled with the SEC, unilaterally terminated every one of its contracts of sale with its ICO participants, and returned all of its $15 million in ICO proceeds.

Since the Howey Test’s applicability to ICOs and the tokens they hawk is relative to the sort of token, business, and sale that occurred, SEC guidance on this subject via a third party such as Munchee may be useful to those planning ICOs of their own.

Facts & Passage

Munchee offered and sold “MUN tokens” (Ethereum based crypto coins) in a general solicitation that included potential U.S. investors—and in doing so, met the first two elements of the Howey Test.  In terms of the third element, the SEC asserted that Munchee instilled a reasonable expectation of future profit (based upon Munchee’s future efforts) in its ICO participants.  In the leadup to its ICO, via its white paper and online posts, Munchee publicized that it would:

(a) continuously revise its app;

(b) use the ICO proceeds to create an “ecosystem” of restaurant reviews and shares that would, in turn, increase the value of the MUN tokens; and

(c) foster a secondary trading market for MUN tokens shortly after the completion of the offering and prior to the creation of the ecosystem.

Finally, these efforts were entirely reliant on Munchee (as opposed to the ICO participants) since, at the time of the ICO, “no other person could make changes to the Munchee App or was working to create an ‘ecosystem’ to create demand for MUN tokens,” per the SEC.

So, said the SEC, Munchee passed the third element of the Howey Test, and the Howey Test itself.

Timeline

A primary key to Munchee’s fact pattern and Howey passage was Munchee’s timeline. Munchee sold MUNs before they were fully functional in the way Munchee’s marketing promised, meaning, before the “ecosystem” that the Munchee squad said would stimulate MUNs’ value was operational. This founded the SEC’s argument that MUNs were securities, whose value hinged solely on the future efforts of Munchee and the future profits those efforts may—or may not—yield.

MUNs

Another key: Munchee’s tokens themselves were also problematic. Certain ICOs seek to fail the Howey Test—namely its third, future profit/future effort prong—and avoid the SEC’s regulatory reach by deeming their ICO token a “utility token,” which, they say, provides future access to a platform, or to another service or product. Munchee went this route, going so far as to assert in its white paper that the company conducted a “Howey analysis” and assure readers that “as currently designed, the sale of MUN utility tokens does not pose a significant risk of implicating federal securities laws,” as cited by the SEC. However, the SEC pointed out, Munchee never published this analysis.

Legitimate utility tokens may well be outside the definition of securities, but not all organizations necessarily sell legitimate utility tokens. Take Munchee, for example. Per the SEC, whether MUNs were utility tokens was unclear. First, “[w]hile Munchee told potential purchasers that they would be able to use MUN tokens to buy goods or services in the future after Munchee created an ‘ecosystem,’ no one was able to buy any good or service with MUN throughout the relevant period.” Indeed, it wasn’t until 2018 and 2019 that Munchee planned to incorporate the token into the Munchee App.

And anyway, continued the SEC, “[e]ven if MUN tokens had a practical use at the time of the offering, it would not preclude the token from being a security.” Labels don’t matter, said the SEC, and dubbing a token as “utility” doesn’t obscure “the economic realities underlying a transaction.” Concludes the SEC: “All of the relevant facts and circumstances are considered in making that determination.”

Initial Lessons

ICO runners of the future can take at least the following pointers from the available details of Munchee’s demise:

1.       Show your work. If you have a great argument why your token is a utility token and not a security or why your ICO failed the Howey Test, deploy it.

2.       Don’t rely on labels. When assessing whether you’re selling a security, consider the entire transaction scenario, including the reasonable expectations, marketing, and economic realities floating around your ICO.

3.       Align your marketing. If your ICO and the purported utility of your tokens pivots on the embrace of a specific marketplace—i.e. the restaurant industry—it may look odd if your organization does not market within that sphere, but instead to typical securities investors and even hedge funds.  Munchee, according to the SEC, “likened MUN to prior ICOs and digital assets that had created profits for investors, and specifically marketed to people interested in those assets – and those profits – rather than to people who, for example, might have wanted MUN tokens to buy advertising or increase their ‘tier’ as a reviewer on the Munchee App.”

Next up: Centra, ATB, perhaps more...

ICO Contracts: Choice of Law, Venue Selection, and How Fraud Upends It All

Intro

ICOs are multiplying. Likely siphoning early stage VC funding, initial coin offerings have raised $4 billion in 2017. Bitcoin, the standard bearer of cryptocurrencies worldwide and the most common ICO currency, hit an all-time high nearing $18,000 in mid-December. With commensurate speed, lawsuits and regulator crackdowns have followed.

In particular, a series of lawsuits surrounding the startup Tezos may provide some guidance on ICO contracts. That is, not the smart contracts that administer the cryptocurrency-for-ICO token exchange at the core of certain ICOs, but the paper contracts which (hopefully!) set forth the terms and conditions of an ICO exchange, including limitations of liability, tax responsibilities, venue selection provisions, and more.

Background

Tezos threw a phenomenally successful ICO: $232 million raised by co-founders and spouses Arthur and Kathleen Breitman, for an incomplete blockchain-based platform, in July 2017. Tezos’ haul shattered records for funds raised in an ICO—especially considering that these funds were ostensibly raised via bitcoin and ether, two currencies whose value continues to trend (substantially) up, lifting the ICO’s ensuing estimated value to $1.3 billion.

Those Suits

Tezos faces at least five lawsuits, all class actions, filed in state and federal courts from Florida to California. One of these suits, captioned Gaviria v. Dynamic Ledger Solutions, Inc., et al., Case No. 6:17-CV-01959-ORL-40-KRS, attached to its complaint the Tezos Contribution and XTZ Allocation Terms and Explanatory Notes (“Tezos Terms”). The Tezos Terms, according to the complaint, memorialize the terms of the Tezos ICO’s fundraising offer—and are “unenforceable for a variety of reasons.” Gaviria, at 14.

Early Guidance

While the Tezos suits have yet to be resolved, and the validity of their arguments yet to be tested, guidance may be gleaned already for the fast-moving ICO space. In particular, the Tezos suits offer a lesson for ICO contract drafters on choice of law and venue selection provisions.

Choice of Law & Venue—Meet Fraud

Tezos, like certain other ICOs, sought to adjudicate litigation concerning their enterprise in a foreign jurisdiction. Via the very last provision of the Tezos Terms, any disputes “arising out of or in connection with” Tezos’ ICO are restricted “exclusively and finally [to] the ordinary courts of Zug, Switzerland.” Gaviria, at Exhibit A. Tezos’ choice of law was Swiss as well. Id.

Organizations running ICOs, like many other enterprises, don’t want to travel far to litigate, produce witnesses, and transport evidence. Hence, venue selection clauses. Also like many other organizations, those running ICOs seek regulatory havens: jurisdictions they think align with the claims they might make (and field) should litigation arise. In fact, Kathleen Breitman told Reuters in June that Tezos chose to incorporate the Tezos Foundation in Zug since Switzerland “has a regulatory authority that had a sufficient amount of oversight but not like anything too crazy.” Each party’s assessment along these lines informs its agreement’s choice of law clause.

Generally, courts afford venue selection clauses significant deference, even when the chosen jurisdiction is a non-U.S. state. After all, the parties assumedly negotiated these clauses prior to signing the agreement. Today, the majority of federal courts (including those of the 2nd, 4th, 7th, 8th, 9th, 10th and 11th circuits—which include New York, Florida, and California) strictly enforce forum-selection clauses. The Supreme Court of the U.S. blessed this trend, ruling that “forum-selection clauses should control except in unusual cases.” Atlantic Marine Construction Co. v. United States District Court for the Western District of Texas, 571 U.S. 488 (2013). The same applies for choice of law clauses. The Restatement (Second) of the Conflicts of Laws provides that choice of law provisions are presumptively enforceable.

That said, how can Tezos be sued—multiple times—in California and Florida, at opposite ends of the country whose laws Tezos sought to avoid altogether?

Because fraud wasn’t part of the agreement.

Fraud features heavily across the Tezos litigation. For example, each in their own way, the Tezos suits allege that the utility tokens (i.e. markers of purchased services or access) that Tezos distributed to its “donors” in exchange for their “donations” during the Tezos ICO were actually unregistered securities, sold in violation of the Securities Act of 1933. Gaviria, at 31. By misleading ICO participants about the unregistered securities status of these tokens—a “material fact” highly relevant to the ICO participants—Tezos “fraudulently induced [the ICO class] to participate in the ICO.” Id., at 34. 

Fraud is kryptonite for forum selection clauses in federal court.  Decades ago the Supreme Court ruled that where enforcement of a forum selection clause would be “unreasonable and unjust, or that the clause was invalid for such reasons as fraud or overreaching,” it should not be enforced. The Bremen v. Zapata Off-Shore Co., 407 U.S. 1 (1972). As for choice of law clauses, fraud can defeat those too. Carnival Cruise Lines, Inc. v. Shute, 499 U.S. 585 (1991).

Therefore, by claiming that the Tezos Terms were “induced by fraud and overreaching” (Gaviria, at 24), the plaintiffs at play may succeed in superimposing their own venue selection—Florida, for instance—over Tezos and its Swiss preferences.

Conclusion

ICOs operate for now in a regulatory gray-space. While crypto-entrepreneurs consider the securities status of their tokens, publish ambitious marketing materials, and hunt for ICO participants, they must also consider the jurisdictional impact their decisions might have on their ICO contracts—regardless of the law and venue they select.

SLG's 50 State Survey Part Two: California

This is the second installment of a nationwide survey report we’re working on here at SLG, which will ask the questions listed below of each of the fifty U.S. states. Here’s our New York coverage. Next up:

CALIFORNIA

I. LIMITS OF LIABILITY

Are contractual caps, ceilings, or limits on direct damages enforceable?

Yes.  Courts in California uphold contractual provisions that limit liability for contract breach damages, including for ordinary negligence.  Health Net of California, Inc. v. Department of Health Services, 113 Cal.App.4th 224, 243 (2003).  Except, that is, when (i) the applicable provision affects the public interest, or (ii) another statute expressly prohibits it.  For example, per the California Civil Code, a contractual limit of liability for fraud, willful injury, or violation of law would be unenforceable, Civ. C. § 1668, as may deals struck between parties of unequal bargaining power (more on this below).  Also, California courts may kill limits of liability that are unconscionable.  Civ. C. § 1670.5(a).

Are agreements that exclude all indirect (i.e. consequential, incidental) damages enforceable?

Yes.  Under the California Commercial Code, consequential damages may be “limited or excluded unless the limitation or exclusion is unconscionable.”  Cal. Com. Code § 2719(3).  However, where consequential damages are limited “for injury to the person in the case of consumer goods,” such limitation is invalid unless proved not unconscionable.  Id.

Can remedies be limited to those express remedies solely and exclusively provided for in a contract?

Yes.  For example, a sales contract may limit liability to the “return of the goods and repayment of the price or to repair and replacement of nonconforming goods or parts.”  Cal. Com. Code § 2719(1)(a).  Also, for a stated remedy to be exclusive and mandatory, its exclusivity must be expressly agreed—otherwise, it’s only “optional.”  Cal. Com. Code § 2719(1)(b).

II. DAMAGES

Does California mandate any blanket limits on the amount of (a) consequential damages, or (b) punitive damages that a party may recover in commercial contracts?

(a) No.  However, recovering consequential (or “special”) damages requires that those damages were “foreseeable by the parties at the time of contracting.”  Martin v. U-Haul Co. of Fresno (1988) 204 Cal. App. 3d 396, 409.  Meaning, the breaching party (i) knew, or (ii) should’ve known his/her breach may instigate these damages.

(b) No.  However, punitive damages must stem from a tort, not a contract breach alone.  Civ. C. § 3294(a).

Are punitive damages recoverable in contract matters? If so, when?

No.  Punitive damages are generally unavailable for breach of contract, even where the defendant was malicious, willful, or fraudulent.  However, if a tort (i.e. fraud) independent of a breach of contract is pled and proven, punitive damages may be available.  Cates Construction, Inc. v. Talbot Partners (1999) 21 Cal.4th 28.

III. DISCLAIMERS/LIMITATIONS OF WARRANTY

Are disclaimers of any and all implied warranties enforceable in California?

Yes.  To disclaim the implied warranty of merchantability, a disclaimer must: (i) mention merchantability, and (ii) when written, be written conspicuously.  Cal. Com. Code § 2316(2).  To disclaim the implied warranty of fitness, a disclaimer must be written conspicuously.  Id.  The following also eliminate or modify implied warranties:

-          Expressions like “as is” or “with all faults,” which spotlight the exclusion of implied warranties.  Cal. Com. Code § 2316(3)(a).

-          The buyer examining the subject goods/sample/model “as fully as he desired,” or refusing to examine the goods—but only regarding defects an examination ought to have “revealed to him.”  Cal. Com. Code § 2316(3)(b).

-          A course of dealing, course of performance, or usage of trade that is counter to the implied warranties.  Cal. Com. Code § 2316(3)(c).

-          Liquidated damages or limits of liability provisions.  Cal. Com. Code § 2316(4).

IV. DISPUTE RESOLUTION

When the State of California is sued over a contract dispute, are there any mandatory dispute resolution procedures such as venue requirements or jury trial requirements?

No, generally.  In most scenarios, when suing a California agency for breach of contract, plaintiff must file an administrative claim within one year of the date of the alleged breach.  The government has 45 days to respond.  If the government agency denies the claim during the 45 days, plaintiff has 6 months to file a lawsuit in court from the date the agency mailed the denial or personally delivered this “right to sue letter” to plaintiff.  California Government Code § 945.6.  If plaintiff does not receive this letter (i.e. the government takes no responsive action to plaintiff’s claim) within 45 days, plaintiff has two years to file a lawsuit from the date of the alleged breach.

Exception: as of late 2016, many California public entities and contractors involved in public works construction must adhere to specific dispute resolution processes, both informal (“meet and confer”) and formal (mediation, an alternative non-binding process, civil action, or arbitration), for disputed claims of payment.  Assembly Bill No. 626.

V. ADDITIONAL NOTES

1. Pertaining to liability caps: A liability cap provision affects the public interest if it exhibits “some or all of the following characteristics.” Tunkl v. Regents of University of California, 60 Cal.2d 92 (1963).  (i) It concerns a business of a type generally thought suitable for public regulation.  (ii) The breaching party performs a service of great importance to the public, which is often a matter of practical necessity for some members of the public.  (iii) The breaching party holds itself out as willing to perform this service for any member of the public who seeks it, or at least for any member coming within certain established standards.  (iv) Due to the essential nature of the service, in the economic setting of the transaction, the breaching party possesses a decisive advantage of bargaining strength against any member of the public who seeks its services.  (v) In exercising a superior bargaining power, the breaching party confronts the public with a standardized adhesion contract of exculpation, and makes no provision whereby a purchaser may pay additional reasonable fees and obtain protection against negligence.  (vi) As a result of the transaction, the person or property of the purchaser is placed under the control of the seller subject to the risk of carelessness by the seller or his agents. So: the less equal the bargaining power, and/or the more publicly important the contract’s subject (i.e. health care services), the less enforceable the applicable limitation clause.

2. Pertaining to liability caps: Regarding contracts for goods (i.e. manufactured goods), the California Commercial Code adds another exception to the enforceability of limits of liability provisions, providing that where “circumstances cause an exclusive or limited remedy to fail of its essential purpose, remedy may be had as provided in this code [i.e. via restitution under Cal. Com. Code § 2718].”  Cal. Com. Code § 2105(2).

3. Pertaining to unconscionability overall: “Unconscionability has generally been recognized to include an absence of meaningful choice on the part of one of the parties together with contract terms which are unreasonably favorable to the other party.”  A & M Produce Co. v. FMC Corp., 135 Cal.App.3d 473 (1982).  Both the substantive and procedural elements inherent to this analysis are necessary for a court to rule a contract unconscionable and so, unenforceable.  Little v. Auto Stiegler, Inc. (2003) 29 Cal.4th 1064.

SLG's 50 State Survey Part One: New York

This post is a preview of a nationwide survey report we’re working on here at SLG, which will ask the questions listed below of each of the fifty U.S. states. Our preview, like the coming survey, discusses the keys to contract disputes: (i) limits of liability, (ii) damages, (iii) warranty disclaimers, and (iv) dispute resolution—and the parameters of each within the subject State.

For now, New York seemed a fine place to start.

 

NEW YORK

I. LIMITS OF LIABILITY

Are contractual caps, ceilings, or limits on direct damages enforceable?

Yes. Unless the damages stem from gross negligence or willful misconduct, as discussed below.

Are agreements that exclude all indirect (i.e. consequential, incidental) damages enforceable?

No. New York courts insert an implicit exception to these blanket caps, even if the applicable agreements explicitly don’t. Where the damages at play arise from gross negligence or willful misconduct, public policy dictates the offenders are limitlessly liable, and the cap fails. So, no matter what, liability for such egregious behavior is unlimited.

Despite this exception, caps on indirect damages are enforceable against other (less egregious) claims.

Additional Notes on Gross Negligence in New York:

1.       Drafters should note that evidencing gross negligence or willful misconduct can be difficult, these standards high. Parties must show that a breaching party’s “egregious intentional misbehavior evince[s] some extreme culpability.” Otherwise, no gross negligence or willful misconduct is present, and the relevant liability remains limited under the contract. Metropolitan Life Ins. Co. v. Noble Lowndes Int'l, Inc., 643 N.E.2d 504, 506-07 (N.Y. 1994) (defendant’s “voluntary and intentional … refusal to perform a contract [to develop and install software] for economic reasons,” without plaintiff proving fraud or other willful intent, fell short of gross negligence and willful misconduct and the limit of liability survived; also, entering a contract intending never to perform is not in itself gross negligence or willful misconduct).

Can remedies be limited to the express remedies solely and exclusively provided for in a contract?

Yes.  Per New York’s adoption of the Uniform Commercial Code ("UCC") § 2-316 (more on this below), remedies for breach of warranty may be limited to liquidation or limitations of damages as captured by a contract, or via a contractual modification of the subject remedies.  However, these routes carry their own rules and limitations.  For example, per UCC § 2-718, liquidated damages must represent “an amount which is reasonable in the light of the anticipated or actual harm caused by the breach, the difficulties of proof of loss, and the inconvenience or nonfeasibility of otherwise obtaining an adequate remedy.”  An unreasonably large liquidation of damages is, therefore, void.

II. DAMAGES

Does New York law mandate any blanket limits on the amount of (a) consequential damages, or (b) punitive damages that a party may recover?

(a) No. Unlimited consequential damages resulting from a breach of contract are generally available to parties under traditional contract principles, so long as these damages were (i) a foreseeable result of the breach; (ii) “within the contemplation of the parties” when contracted; and (iii) not unconscionable. The UCC adds that consequential damages may be limited or excluded—except where those limits or exclusions are unconscionable themselves. UCC § 2-719(3).

(b) No.

Additional notes:

1. Similarly, courts will generally enforce a contractual cap on consequential damages unless the cap is unconscionable, violates public policy, or enforcement causes the contract to fail of its essential purpose. Taylor Inv. Corp. v. Weil, 169 F. Supp. 2d 1046, 1058-59 (D. Minn. 2001). If the provision was reasonable and negotiated as part of an arms-length agreement, however, proving unconscionability may be difficult. Finally, New York does not allow a manufacturer to disclaim liability born of its own gross negligence, willful, wanton or intentional conduct. Kalisch-Jarcho Inc. v. New York, 58 N.Y.2d 377, 448 N.E.2d 413 (N.Y. 1983).

2. In recent years New York made it possible for policyholders to squeeze insurers for unlimited consequential damages for breach of policy. This remedy is available where (i) the insurer’s denial of policy benefits breaches the covenant of good faith and fair dealing; and (ii) the applicable damages were foreseeable at the contracting time.

Are punitive damages recoverable in contract matters? If so, when?

Generally, no, even if a breach is willful and without justification. Campo v. 1st Nationwide Bank, 857 F.Supp. 264, 273 (EDNY 1994).

Additional Notes:

1. Contract claims fused with tort claims may earn punitive damages, meaning where a tort claim stems from a contractual relationship. There, a plaintiff must show: (i) the defendant’s conduct is actionable as an independent tort; (ii) the tortious conduct is egregious; (iii) the egregious conduct is directed at the plaintiff; and (iv) the defendant’s conduct is part of a pattern directed at the public generally. Conocophillips v. 261 E. Merrick Rd. Corp., 428 F.Supp.2d 111, 129 (EDNY 2006).

2. In New York, certain fraudulent conduct may also earn punitive damages, i.e. fraud with “evil and reprehensible motives.” Solutia Inc. v. FMC Corp., 456 F.Supp.2d 429, 453 reconsideration denied (SDNY 2006).

3. Contracts commonly exclude all incidental, indirect, and consequential damages subject to certain exceptions; punitive damages may be expressly excluded.

III. DISCLAIMERS/LIMITATIONS OF WARRANTY

Are disclaimers of any and all implied warranties enforceable in New York?

Yes. Regarding all issues concerning implied warranties, New York adopted UCC § 2-316, which states that all implied warranties may be disclaimed.  However, such disclaimers must use contract language that is commonly understood to call a buyer's attention to the exclusion of warranties.  Expressions like "as is" or "with all faults" suffice, per the UCC, to adequately warn buyers and, thus, establish warranties.

For the two most prevalent implied warranties—those of merchantability and fitness—New York and the UCC permit sellers to disclaim:

(A) the implied warranty of merchantability, as long as the disclaimer is:

(i) conspicuous, and

(ii) explicitly includes the word “merchantability.”

(B) the implied warranty of fitness, as long as the disclaimer is:

(i) “affected by a writing,” and

(ii) “conspicuous.”

Drafters should note, however, that the UCC places a limitation on these disclaimers: they’re valid “unless the circumstances indicate otherwise.” Meaning, if the facts indicate that a warranty did exist—perhaps as a deciding factor in the subject sale of goods—regardless of what the contract purports to disclaim, a warranty may exist. Also noteworthy is UCC § 2-316’s dictate that “an implied warranty can also be excluded or modified by course of dealing or course of performance or usage of trade,” although these are likely tougher to prove than black and white ink on a contract is to read.

IV. DISPUTE RESOLUTION

When the State of New York is sued over a contract dispute, does New York mandate any dispute resolution procedures such as venue requirements or jury trial requirements?

No.  The Court of Claims has jurisdiction over contract dispute claims brought against the State of New York and certain State-related authorities.  Rather, to serve New York with a suit for breach of contract, a claim must be delivered to a New York Assistant Attorney General at an office of the Attorney General within six months after the claim’s accrual.  The claim's venue is determined by the county where the claim accrued.

When Assignment Bars & Termination Rights Fail: Bankruptcy Code §365(f)

Intro

Certain of your termination and anti-assignment clauses might be unenforceable.  Here’s why, when and how, and what you can do about it.

The Scenario

You’re shopping to license hardware or software from a reliable company. Maybe the company you settle on is a household name—let’s call it Tech Company—an industry leader in the service you’re seeking.  After some fruitful internal discussions, you reach out to Tech Company’s sales squad and within a matter of days or weeks money changes hands, new products are installed, and your organization is changed for the better.  Soon your employees learn to deftly handle the upgrade and before you know it, you and your customers rely on its speed and interface.  

A month later a notice arrives in the mail.  It’s from your new partners at Tech Company, but they’re not inviting you to the corporate Labor Day BBQ.  This letter is terser than the communications they’ve sent in the past.  You don’t understand its jargon, but you catch the gist.  Tech Company has filed for Chapter 11 bankruptcy.  Now it is assigning your contract to another company you’ve never heard of, called New Entity.  It seems Tech Company has suddenly washed its hands of you and introduced New Entity in its place without your knowledge—certainly without your consent.

The Roller Coaster

Here’s when you might scramble to your agreement with Tech Company.  Your review of the PDF begets more questions than answers, though; it’s practically a rollercoaster of positive and negative results. 

First, in the assignment section, you see something like this:

“Neither Party may assign this Agreement nor any rights or obligations hereunder...”

Point for the home team.

Then, a couple lines later, you read:

“…except to any entity that acquires the applicable assets of Tech Company as a result of a bankruptcy proceeding…”

Point for the away team.

You lighten back up as you come across a backdoor to the exception:

“…provided that You may, in such an instance, terminate this Agreement for convenience under Section…”

You flip to the termination section, and it’s all there, in slightly pixelated black and white.

“You may terminate this Agreement at any time upon sixty (60) days written notice to Tech Company…”

You breathe a little easier.  You still control some measure of your fate.  Tech Company cannot unilaterally unload you onto one of its competitors that you’ve never so much as spoken to.  If you don’t like what New Entity is selling, you can terminate the agreement for convenience based on Tech Company’s bankruptcy-fueled assignment.  Reassured, having disembarked the rollercoaster with your lunch intact, you ring your attorney to talk it over.

And she straps you right back in.

Apparently, there’s something called the Bankruptcy Code, Ms. Attorney says, and it rejiggers your agreement.  Per the Code’s §365, not only is Tech Company’s assignment permitted, but your right to terminate as a result of this assignment is void.

What?

Via §365(f), anti-assignment clauses are often useless in the face of bankruptcy.  Regardless of any provision that “prohibits, restricts, or conditions [an] assignment,” the Bankruptcy Code permits an assignment by the trustee of a bankrupt entity.  The only prerequisites, per the same section, are that:

(A) the trustee assumes such contract or lease in accordance with the provisions of this section; and

(B) adequate assurance of future performance by the assignee of such contract or lease is provided, whether or not there has been a default in such contract or lease.

Since the Bankruptcy Court has already approved the assignment—a.k.a. sale—of your contract to New Entity, these prerequisites have already been met; otherwise the Court wouldn’t have let the process go this far. According to the Court Order referenced in the letter you received, Ms. Attorney continues, Tech Company’s trustee took control of the contract along with the rest of Tech Company in line with the Code. Thus, (A) above has been met. In terms of (B), whether or not Tech Company provided you with “adequate assurance” of New Entity’s ability to perform your contract in the future, Tech Company has assured the Court that it can and will “promptly take any actions reasonably required to obtain a Bankruptcy Court finding that there has been sufficient evidence of adequate assurance of future performance,” per the Order. Satisfied with this promise and that New Entity’s performance of your contract wouldn’t result in material, economically significant detriment to you, the Court moved forward, and blessed the assignment.

But don’t I have a right to be notified at least? To object to the assignment? you ask.

Ms. Attorney reads from the Court Order: “If any consent is not obtained or notice is not given prior to the assignment’s closing, the closing shall nonetheless take place subject to the terms and conditions herein…”

And what about my termination rights? you follow up.  These rights were expressly provided for in your contract’s assignment section.

§365(f)(3) erases those, Ms. Attorney replies.

Under this subsection of the Code: “Notwithstanding a provision in an executory contract” that grants a termination right “on account of an assignment of such contract,” the subject contract “may not be terminated or modified under such provision because of the assumption or assignment of such contract or lease by the trustee.”

So, bankruptcy and its ensuing assignment cannot be the root of a termination right.  If it is, that right is itself terminated. 

Keep the Code in Mind

§365 intends to help trustees elicit the max value from debtors’ estates.  To do so it allows trustees to assign executory contracts that benefit the estate—no matter what the contract itself might prohibit or permit.  As long as the trustee assures the Bankruptcy Court that the assignee’s future performance will be adequate as compared to the performance promised under the contract, then the non-debtor (in this case, your company) is in a position level to the one it bargained for with the debtor in the first place, business can proceed, and everyone wins.  Though, as here, it might not feel that way. 

This scenario begs the question: Why do anti-assignment and termination rights hinging on bankruptcy persist if they’re rendered meaningless by the Bankruptcy Code?  Why include them at all?

The prevailing guess is that sometimes, folks don’t know the law.

Whatever side of the table a party and its attorney may occupy, anti-assignment and termination rights—along with an unfamiliarity with §365—can underpin a party’s confidence in their agreement. However, this confidence could be false. Through §365, the Bankruptcy Code seeks to right the ship when one party to an executory contract is sinking. Bankruptcy can be tricky, and a working knowledge of the Bankruptcy Code at the negotiation stage is key. When negotiating technology agreements in general—and their assignment and termination clauses in particular—parties and attorneys must keep §365 in mind, or certain rights might be unenforceable after all.