Tag Archives: Vancouver startup lawyer

California Consumer Privacy Act comes into Force Jan. 1, 2020

The California Consumer Privacy Act (the “CCPA”) is a new law intended to enhance privacy rights and consumer protections for California residents, which comes into force on January 1, 2020. 

In the lead-up to the CCPA coming into force, this blog post covers three common questions we receive: (1) do I need to comply? (2) when do I need to comply? and (3) what happens if I do not comply?

1.         Do I need to comply? Probably, but not directly.  Most companies that operate from Canada or in states other than California, will not directly have to comply with the CCPA as the territorial scope of the law is fairly limited, especially when compared with the EU’s General Data Protection Regulations (the “GDPR”).  To fall under the territorial scope of the CCPA, you have to be a for-profit business doing business in the State of Californiaand have one of three factors apply: 

(a) gross revenue of over $25,000,000 USD

(b) handle the personal information of more than 50,000 consumers, households or devices (it is unclear in the Act, at this stage, whether this is a California or world-wide number); or 

(c) derive more than 50% of annual revenue from the selling of consumers’ personal information.  

While the CCPA may not apply directly to many companies, as we saw with the GDPR rollout in 2018, the CCPA will likely indirectly apply as major tech companies like Google and Apple will have to comply with this law and as such, they will likely require, as part of their own compliance requirements, that companies they do business with that collect personal information also comply.  The extent of this indirect compliance is currently unclear and may only apply to certain provisions of the CCPA.

2.         When do I need to comply?  The effective date of the CCPA (the date at which the CCPA becomes law), is January 1, 2020, and while enforcement by the California Attorney General’s office may not begin until supporting regulations are finalized (deadline for regulations is June 1, 2020), we recommend that companies that need to comply directly begin compliance work immediately and aim to be fully compliant by January 1.  Companies that only need to comply indirectly may have some time to wait and see how the CCPA will affect contracts and terms with CCPA compliant companies but it won’t hurt to be compliant by early 2020. 

3.         What happens if I do not comply?  Beware of the cost!  There are several penalty clauses in the CCPA, including $2,500 for each non-intentional violation and $7,500 for each intentional violation.  If you have over 50,000 users, these penalties can easily amount to over $125,000,000.  For companies that will have to comply indirectly through contracts or user agreements, beware of indemnification clauses and other liability amendments that may push these penalties onto your company.

For may companies, the CCPA may not directly apply. However, it’s important to monitor CCPA factors, relative to your company’s business, to ensure that you do not miss compliance should a factor be met in the future – this is especially important in rapidly growing startups where it’s easy for a compliance obligation to be missed. Even if the CCPA factors are not met, there may be an obligation to comply as large tech companies will likely be complying and force compliance on everyone else they do business with.

Founder Leaving the Company

While founders embark on the journey of launching a company with an abundance of optimism it may be the case that their relationship does not last as long as the company, leading to the question of how to handle a founder leaving the company? This situation goes one of two ways: (1) the company and its founders entered into agreements that address this situation and the process set forth in these agreements is followed; or (2) no agreements are in place and the company and founder are left to try and work out a resolution (difficult if the departure was not amicable).

In this post we will detail two agreements to put in place early-on in a company’s life that could ease a founder’s departure:

1. Reverse Vesting Agreement. A reverse vesting agreement subjects a founder’s shares to repurchase by the company if the founder leaves/is fired from the company within a particular period of time. Each time shares “vest”, meaning that a particular period of time has elapsed and a certain number of shares cease to be subject to the company’s repurchase right. Typical terms are described as “4 years with a 1 year cliff”. This means that the agreement lasts for 4 years and that 1/4 of the shares vest after 1 year and are no-longer subject to the company’s repurchase right. After the cliff, shares typically vest in monthly or quarterly instalments for the remaining 3 years. The repurchase price is a nominal amount, typically the amount the founder paid for the shares upon incorporation (ex. $0.00001/share).

BENEFITS: If the founder leaves within the vesting period, the company can exercise its repurchase right and repurchase those unvested shares. This is especially useful if a founder leaves early, such as within the first year and allowing the company to repurchase all the founder’s shares. Without this agreement, a founder could leave the company within the first year yet retain all their shares.

COMMON MISTAKES: (1) Too short of a term, for example 2 year vesting term when the founder is needed for at least 3 years in order to complete the product; and (2) setting the repurchase price too high resulting in shares that are too expensive for an early-stage company to repurchase.

2. Shareholders Agreement. A Shareholders Agreement addresses the relationship among the shareholders and the company and may often contain clauses addressing founders specifically. Relevant to a founder’s departure, the Shareholders Agreement may contain a section permitting the company and/or the shareholders (or maybe the other founders) to repurchase the departing founder’s shares. The Shareholders Agreement would contain a mechanism for valuing the shares and a process for completing the repurchase. Additionally, even if the shares were not purchased or no purchase mechanism exists, it may contain a voting trust serving to transfer the votes held by the founder’s shares to a company designee.

BENEFITS: By including a repurchase mechanism, the Shareholders Agreement can kick-in following expiration of a Reverse Vesting Agreement, providing a way to easily repurchase shares of a departing founder once that agreement has expired. Additionally, the voting trust ensures that the founder receives the financial benefit in the future of any shares they retain but by transferring the votes associated with those shares to a company designee it ensures that only people actively involved in the company can vote on company matters.

COMMON MISTAKES: (1) Drafting the Shareholders Agreement to only apply to initial shareholders and not containing provisions whereby the agreement automatically applies to new shareholders; and (2) not creating a clear process for valuing shares and a process for resolving any dispute over share value.

In summary, if you plan for shareholder problems at the start you will be well equipped should those problems arise in the future. While founders may not want to dwell on a divorce when they are optimistic about the future they will be glad they did if things turn for the worse down the road.

Non-Compete Clauses – Common Questions

We are often approached with questions about non-compete clauses in the context of employment agreements and independent contractor agreements and asked whether or not the clause is enforceable in Canada or the US. While the enforceability of a non-compete clause is determined on a case-by-case basis, we thought it beneficial to provide an overview of common questions we receive:

  1. Are non-compete clauses enforceable?  In many jurisdictions, yes, if drafted correctly. However, courts are always on the lookout for reasons to invalidate non-compete clauses. Indeed, in some US states, including California, non-compete clauses are effectively unenforceable.  California courts will even invalidate employment agreements from other states if the employee is now working in California for a competitor.  Elsewhere in the US, you typically need a legitimate business interest to ensure an enforceable non-compete clause.  In Canada, courts will ask a similar question of whether the company has a proprietary interest worthy of protection
  2. What interest is worthy of protection? In both the US and Canada, the analysis is similar.  Courts will ask if a company is protecting trade secrets, confidential information, trade connections or goodwill through the non-compete clause.  If a company is simply trying to prevent competition, the non-compete will likely be unenforceable.
  3. What about independent contractor agreements?  It is possible to apply non-compete clauses to independent contractors but there is a much higher likelihood that such a clause is unenforceable. Additionally, the likelihood that a contractor will agree to a non-compete is significantly lower as contractors are working multiple jobs at the same time and signing a non-compete clause may cause them to lose out on work.  Finally, some courts may interpret the non-compete clause as indicating an employer-employee relationship, which may lead to material labor law issues.
  4. What is a reasonable non-compete?  A company cannot have a non-compete that stops an employee from working entirely except in extreme circumstances, which usually involves a large severance package (for example, applied to a CEO).  Typically, a company needs to limit any non-compete clause by length of time, geographic location and type of work prohibited and to tailor these limits very specifically to the work that a company actually does. 
  5. What about a non-solicit or non-disclosure clause  In Canada, and some other jurisdictions, courts will invalidate a non-compete clause if there are other less restrictive means to enforce company goals.  Often a non-solicitation clause or a confidentiality/non-disclosure clause will operate to accomplish the same objective.

By keeping the above in mind, you should be able to avoid the pitfalls of unenforceable non-competes or avoid them entirely through other clauses.

US and Canada – similar countries, similar privacy laws… right? Wrong.

We are often engaged to review Privacy Policies from a U.S. and Canadian legal perspective.  In many cases these Privacy Policies were drafted by Canadian counsel without considering the laws of the client’s major market, the U.S.  The privacy laws of Canada and the U.S. are quite different and a failure to comply with U.S. privacy law can have enormous financial implications.  Accordingly, it is critical that Canadian companies ensure that their Privacy Policies are compliant on both sides of the border.

Below we detail three common privacy law issues that Canadian companies have when entering the US market.

1. The US is far bigger and more complex than Canada

In Canada, with a couple of exceptions, the Personal Information Protection and Electronic Documents Act (PIPEDA) covers most privacy law issues in the commercial sphere.  Conversely, in the U.S., companies must comply with several different federal privacy laws, as well as state laws, the latter playing a major role in privacy protection.  This means that companies need to worry about complying with the privacy laws of all 50 states as well as several federal laws.

2. Same words, different meanings

Although both countries write their laws in English (In Canada – en Français aussi), words can have varying meanings under the law.  In privacy law in particular, certain key concepts are very different between Canadian and U.S. privacy laws, and companies that ignore these differences open themselves up to huge liability.

For example, the term personal information, at the core of privacy law in both countries, has different meanings in both countries and in the US there is no standard definition from one law to the next, or one state to the next. This means that while you might be compliant in Canada with the current way that you collect data from customers, the exact same data collection practice may be non-compliant in the US.

Other major privacy law concepts that differ in the US include: privacy of children under 13 years old, standards for “consent” and “breach”, rules for third-party access to personal information and jurisdiction issues.

3. Fines are far greater in the US

The price to pay for not complying with US privacy laws is far greater than not complying with Canadian privacy laws. For example, the Office of the Privacy Commissioner of Canada (OPC), the Canadian privacy law enforcement body, does not have the authority to fine companies for most privacy law violations.

In the US, by contrast, recent fines imposed by the Federal Trade Commission (FTC) and sister body, the Federal Communications Commission (FCC), consistently are in the million-dollar range and even up to $25 million in some cases.  Even simple violations such as gathering temporary personal information of children prior to getting parental consent can garner fines of up to a million dollars.  And be aware, the first piece of evidence that the FTC will use to see if a company is complying with US privacy law, is its online privacy policy. If you haven’t changed your privacy policy from a Canadian law compliant privacy policy to a cross-border compliant privacy policy, you are putting your company at huge risk.

Canada’s population is 1/10 that of the U.S.  For business, this means that most Canadian companies are going to look to the U.S. for revenue generation and in the process create exposure to U.S. laws, including privacy laws.  It’s critical that companies stay on top of their exposure to U.S. laws and engage legal counsel to ensure that their operations are fully compliant.