Data Processing Addendums for California

Earlier this month, the California Consumer Privacy Act became effective with many companies scrambling to become compliant with the law. While there are many ambiguities in the law and the California Attorney General is still finalizing his draft regulations, companies are continuing to create their legal frameworks to comply with the law nonetheless. Part of this compliance framework is the data processing addendum (“DPA”).


The data processing addendum concept was introduced when the General Data Protection Regulation (“GDPR”) was passed into law in Europe in 2016. Since the GDPR became effective in May 2018, the DPA concept has been ingrained in the contractual framework for data processing activities done on behalf of others. While DPAs are generally required under Article 28 of the GDPR, a DPA is not necessarily required by the CCPA, but there is a growing understanding of its benefits for data processing contracts between businesses, service providers, and third parties.


Notably, the contract requirements come from the combination of the definitions of “service provider,” “third party,” and “business purpose.” A “service provider” “processes personal information on behalf of a business…for a business purpose pursuant to a written contract…and the contract prohibits the entity from retaining, using, or disclosing” it for a purpose other than the specified business purpose(s). “Business purpose” means “the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes.” Finally, a “third party” is defined by what it is not. A “third party” is not (1) a business that “collects” personal information from a consumer; or (2) a service provider with the contractual restrictions described above and in this paragraph (or any other “person” with the same contractual restrictions). Additionally, a third party will not be considered a third party if it is included in the written contract between the business and the service provider. Therefore, despite being two separate defined terms, the definitions of service provider and third party should be read together.


The written contract required by the CCPA is meant to bring down some of the business’s obligations to its service providers so that it may comply with its obligations to California consumers who exercise their rights as provided by the CCPA. Specifically, a service provider must contractually agree that it is prohibited from (i) “selling” (as defined by the CCPA) the personal information it acquires from the business and (ii) retaining, using or disclosing the personal information outside of the direct business relationship with the business or for any other purpose than what is specified in the contract. Further, the service provider must “certify” that it understands its contractual restrictions and will comply with them.


If you are a business or service provider, updating all of your service provider contracts could be cumbersome and costly. Rather, the addition of a DPA to your contract playbook could cut down on time-consuming negotiations while clearly establishing relationships that comply with new data protection regimes.


January 10, 2020


Written by Stan Sater and Jeff Bekiares


*    *    *

If you are a business that has questions about CCPA compliance or applicability issues, contact our Founders Legal team at [email protected] or [email protected]


Protecting Your Hemp and CBD Brand Through Trademarks

The 2018 Farm Bill was passed on December 20, 2018, and, among other things, removed hemp from the definition of marijuana under the Controlled Substances Act (“CSA”). Prior to the passage of this Farm Bill, the U.S. Patent and Trademark Office (“USPTO”) could refuse any cannabis or cannabis-related trademark application, on its face, because the identified goods and/or services were unlawful under the CSA. In other words, because the good or service for which the trademark was being sought was not in lawful use in interstate commerce, the USPTO would not grant federal trademark protection. With the passage of the Farm Bill, the USPTO is having to change its review practices to handle the confusion that the Bill created as to the trademark rights of cannabis or cannabis-related businesses.

On May 2, 2019, the USPTO issued new guidance addressed to its trademark examiners on how to handle trademark applications for cannabis-related products. The guidance reiterates that a product ‘must first be in lawful use’ to receive a federal trademark. As it relates to cannabis or cannabis-related trademarks filed on or after December 20, 2018, a lawful use determination “requires consultation of several different federal laws” including the CSA and the Federal Food Drug and Cosmetic Act (“FDCA”). The FDCA, which is overseen by the Food and Drug Administration (“FDA”), makes it unlawful to introduce hemp-derived foods, beverages, dietary supplements, or pet treats unless approved by the FDA. Additionally, under the FDCA, “any product intended to have a therapeutic or medical use intended to affect the structure or function of the body” is a drug. Drugs cannot be distributed or sold in interstate commerce unless approved by the FDA. At present, other than Epidiolex, a plant-derived CBD product used to treat two pediatric epilepsy disorders, no cannabis-derived drug products have been approved by the FDA. The FDA recently restated its viewpoint on the market for CBD products in a revised consumer update and is carefully monitoring the space, having issued 15 warning letters to cannabis-related companies selling products in violation of the FDCA.

For trademark applications filed before December 20, 2018, the examiners may allow applicants to amend their applications to claim a December 20, 2018 filing date to overcome a refusal based on the CSA. As the trademark can still be denied for the other reasons as discussed above, examiners may also allow applicants to amend the original filing basis to an “intent-to-use” basis. With the date change and the “intent to use” change, the examiner will conduct a new search of conflicting trademarks in the USPTO’s records. If applicants choose not to amend their application, they can abandon the application and re-file or respond to the examiner’s office action with evidence to oppose the examiner’s determination.

As it relates to hemp cultivation or production services, the examiners will investigate the applicant’s legal ability to cultivate and produce hemp. Per the 2018 Farm Bill, hemp must be produced “under license or authorization by a state, territory, or tribal government in accordance with a plan approved by the U.S. Department of Agriculture (USDA) for the commercial production of hemp.” However, the USDA has not approved any state, territory, or tribal government hemp production plan. Therefore, hemp cultivation or production services trademark applications could still be denied despite the 2018 Farm Bill.

While there is still uncertainty about the future for granting federal cannabis or cannabis-related trademarks, applicants can seek state trademark registration or protect their rights against copiers at common law. Each trademark strategy must be tailored to the applicant’s business and products.

Written by: Stan Sater and David H. Pierce

Commentary by Stan Sater & David H. Pierce.  David is a corporate and IP lawyer at Founders Legal. He can be reached at [email protected]

Dealing with Copyright Trolls

The ease of sharing pictures online has made it both lucrative for legitimate artists to monetize their works and simpler for opportunists (“copyright trolls”) to victimize unprepared websites with extortion schemes disguised as legitimate copyright enforcement practices. To escape being targeted by the latter, websites that host user-generated content can utilize the “safe harbor” provisions (Section 512) of the Digital Millennium Copyright Act (“DMCA”) to shield them from copyright infringement committed by users. In return, the DMCA “safe harbor” requires the website to adopt “notice and takedown” procedures allowing the copyright holder a streamlined way to report infringement and have the infringing content taken down.

Copyright holders who send a copyright notice to a website to remove the copyright-infringing material must include certain information in the notice. The copyright notice must (i) identify the infringing material, (ii) provide the location of the original material, (iii) include the submitter’s contact information, (iv) state that the notice is entered in good faith, (v) confirm that all information in the notice is factual, (vi) state that the person sending the notice, under penalty of perjury, has the authority to act on behalf of the copyright holder, and (vii) be signed. Before sending the notice, the owner must also consider whether the use of the work is protected by fair use.

Copyright trolls abuse the DMCA requirements in search of easy money – big money. Copyright holders with registered U.S. works can seek statutory damages—up to $150,000 per work for willful infringement—for copyright infringement. For U.S. works, the Supreme Court has provided that a copyright owner cannot sue for copyright infringement until they have registered the work with the U.S. Copyright Office. For foreign works, copyright holders may file suit without registration per the Berne Convention (however, foreign works may not be awarded statutory damages or attorneys’ fees unless the foreign work is first registered with the U.S. Copyright Office). While these sometimes substantial damages seem harsh for a website merely hosting content posted by users, full compliance with the “safe harbor” provision of the DMCA can negate liability.

Additionally, the DMCA provides a means to fight back against overly aggressive copyright trolls (albeit through a sparingly used provision). Section 512(f) of the DMCA allows the website owner to file a lawsuit seeking costs and attorneys’ fees against any copyright notice sender who knowingly misrepresents information in a DMCA notice. The caveat is that the website must prove its harm as a result of relying upon the misrepresentation. While Section 512(f) lawsuits are scarce, one hopeful lawsuit on Section 512(f) was filed in August 2019 by YouTube against a copyright troll. Unfortunately, YouTube settled the lawsuit out of court with the copyright troll apologizing for his conduct and admitting to sending dozens of false takedowns. Thus, whether Section 512(f) is an effective means to deter DMCA takedown abuses is not yet a settled issue.

In any case, because of how easy it is for potentially infringing material to end up on a website, copyright trolling will persist. While the settlement fees copyright trolls request might seem reasonable relative to the costs of a potential copyright infringement lawsuit, websites should seek out help to evaluate the claim and strategize the most efficient way to handle the situation.


Written By: Stan Sater and David H. Pierce


Commentary by Stan Sater & David H. Pierce. David is a corporate and IP lawyer at Founders Legal. He can be reached at [email protected]