Re-Evaluating a Trademark Portfolio for…Privacy Compliance (?!)
Does your company have multiple, distinct brands? If so, there may be a need for trademark clearance, and possibly new applications, well ahead of 2023. The reason for this is the California Privacy Rights Act (CPRA), which takes effect on January 1, 2023. “Wait…what?!?” [I can hear you saying it.] Yes – changes in privacy law are driving a need to re-look at trademarks.
Privacy attorneys are busy advising clients about the ins and outs of this new law, one piece of which is that California customers, employees, and b2b contacts of a business (all together referred to in the law as, “consumers”) will have the right to opt out of “cross-context behavioral advertising.” Cross-context behavioral advertising is defined by the law to include the “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across…distinctly-branded websites, applications, or services….”
In other words, if your company is subject to the CPRA, and your business practice is to have each of your brands interface separately with its consumers, but behind the scenes, you are considering consumers’ personal data from all the brands collectively to determine what advertising those consumers see, you will need to either (a) offer an opt-out from that use of their data, or (b) do some branding updates to make sure that the consumers have a clear understanding that they are dealing with a larger organization.
Privacy attorneys are therefore asking (or should be asking) their multi-branded clients how they want to handle the “distinctly-branded” issue, so as to inform the design and implementation of privacy compliance mechanisms.
But this isn’t simply a privacy compliance-affecting decision. If a company wants to adopt more common branding across its brands in order to avoid offering an opt-out, it needs to at a minimum make sure that updated branding can be used legally in connection with all the brands’ goods and services.
There is no clarity under the CPRA or its [still in draft form] regulations of what “distinctly-branded” means under the CPRA, much less how to avoid being distinctly branded, but some options that multi-branded companies may be considering include:
· Prominently stating that each brand is “part of the XYZ family”
· Adding “an XYZ brand” under/after each of the brand names and/or logos
· Adding XYZ at the beginning of each of the brand names and/or logos
· Fully rebranding all brands to XYZ (not to be undertaken lightly, to be sure)
No matter which of these is chosen, though, if there is a third party using XYZ – or something similar to it – for goods or services that are similar to your brands’, you could be creating a likelihood of confusion by updating the branding approach. In other words, you may solve the privacy “problem” but create an infringement problem.
The only way to know of the risk is to conduct trademark clearance. If a mark is not clear for some of the brands’ goods or services, then the privacy compliance implementation likely needs to change in order to avoid creating trademark infringement liability for the company. Moreover, your privacy compliance team is going to need to know this ASAP – before they start building the compliance mechanisms.
To the extent that the XYZ mark is clear for application to all the brands, you may also want to make sure your XYZ mark is formally protected for the goods and services that the brands offer. Trademark registration provides a variety of benefits such as deterrence of later adopters, refusal of another’s registration if a later adopter isn’t deterred, legal presumptions favoring the registered owner in enforcement proceedings, and access to additional types of enforcement mechanisms.
Note that other privacy laws becoming effective in 2023 have notions of “common branding” as well. The privacy laws of Connecticut, Virginia, and Utah (but not Colorado) define “affiliate” to mean not only the traditional “common ownership or control” type of affiliate, but also companies with “common branding.” This approach allows for easier personal data sharing between a company and its franchisees, distributors, or other licensees. So, be sure to ask yourself whether there are any companies that are not traditional affiliates, but who share common branding with yours. If so, make sure not only that trademark clearance, trademark registration, and trademark licensing agreements are solidified, but also be sure that the data-related provisions in those agreements are present, clear, and up to date.
Take Aways for Multi-Branded Companies and Their Attorneys:
Privacy Attorneys and Compliance Teams:
· If you are even remotely considering adopting some level of common branding as part of your compliance roadmap, go see your trademark attorney. Make sure your potential use of a company mark in a new context will be legal.
· Ask yourself whether there are companies or contractors outside of the corporate family whose trademark licenses need to be updated to cover data sharing and related provisions.
· Have these discussions ASAP to make sure there is sufficient time to implement any changes.
o Branding changes can take a fair amount of time, especially if you have physical locations that need to be considered.
o Working through the business and legal terms of updated contracts takes time too.
Trademark Attorneys:
· Ask your privacy colleagues what they are thinking about doing on the CPRA “distinctly-branded” site/service question.
· Make sure they know that their choice to apply a company mark to additional brands needs to be cleared in order to avoid creating any infringement problems for the company.
· Building privacy compliance mechanisms takes a lot of time. Have these discussions ASAP to make sure that the team has enough time to build an opt-out process if that is what needs to be done.
· Check your trademark licenses to make sure that data sharing is appropriately covered and do so in tandem with your privacy colleagues. Make sure that the trademark licenses are clear about whether personal data may (or must) be shared and under what circumstances, and about any provisions affecting the data sharing, such as fulfillment of consumer data requests.
Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s InsightsHERE.