Employee Non-Compete Agreements: What Every Association Needs to Know in a Rapidly Evolving Legal and Regulatory Landscape

The Federal Trade Commission’s (FTC) new proposed rule that would prohibit many employers nationwide—including trade and professional associations but not including charities and other nonprofits—from entering into any non-compete agreements with all workers (including independent contractors and not excluding senior executives) has gotten the attention of the association community. What the final rule will look like and whether it will be challenged in court and survive such challenges is unclear. Meanwhile, at the state level, approximately fifteen states and Washington, DC, have enacted laws that impose some form of limitation on the use of employee non-compete agreements. In DC, a new law took effect last October that significantly restricts employers’ use of non-compete agreements, but in a much-scaled-back version compared to the original law. On the other side of the country, California has for many years had the nation’s most sweeping statutory ban against employee non-compete agreements. Overlaid on top of all of this is every state’s and DC’s “common law,” which has always permitted but imposed limitations and conditions on employers’ use of non-compete agreements, with the limitations and conditions varying from state to state.

Common Law on Non-Compete Agreements

Common law in the United States treats non-compete agreements as generally enforceable, but subject to certain limitations and requirements. Non-compete agreements are generally defined as contractual agreements between employers and employees that restrict employees from competing with their former employers for a certain period of time and within a certain geographic area after the termination of employment.

As noted above, the enforceability of non-compete agreements varies by state, as they are governed by state law. Some states, such as California, have common law restrictions that limit the enforceability of non-compete agreements, while other states’ common law, such as Texas’, generally enforces them more liberally. And some states have statutory restrictions on non-compete agreements, which further limit their enforceability. The DC and California statutes are discussed below.

Under most states’ common law, for a non-compete agreement to be enforceable, it must generally meet the following requirements:

Consideration: Non-compete agreements must be supported by valid consideration, which means that the employee must receive something of value in exchange for agreeing to the restrictions. For example, the offer of initial employment, a promotion, or additional compensation may serve as valid consideration.

Reasonableness: Non-compete agreements must be reasonable in terms of their scope and duration. This means that the restrictions must be no broader than necessary to protect the legitimate business interests of the employer, such as protecting trade secrets, confidential information, and/or customer relationships. The duration (length of time) and scope (geographic, functional, and otherwise) of the non-compete agreement also must be reasonable, and overly broad or overly long restrictions may be deemed unenforceable.

Public Policy: Non-compete agreements must not violate public policy. For example, non-compete agreements that unreasonably restrict an employee’s ability to seek new employment or that are against the public interest may be deemed unenforceable.

Notice: Non-compete agreements must be clear and conspicuous, and employees must be given reasonable notice of the restrictions before or at the time of entering into the agreement.

Overview of the FTC Proposed Rule

The FTC—which has jurisdiction over trade and professional associations (but not over non-association nonprofit organizations)—has proposed a Non-Compete Clause Rule that would prohibit employers nationwide from entering into non-compete agreements with all workers (including independent contractors and not excluding senior executives), on the basis that non-compete agreements constitute an unfair method of competition under Section 5 of the FTC Act. The FTC believes that non-compete agreements stifle competition, resulting in reduced wages and suppressed labor mobility.

The proposed rule would ban non-compete clauses categorically and is more restrictive than virtually all state non-compete laws, including Washington, DC’s (which exempts employees earning over $150,000 annually and which does not apply to independent contractors). Most states do not currently have a categorical ban on non-competes, and they typically differentiate amongst workers (such as by job function, earnings, etc.). The proposed rule would expressly preempt state law that is inconsistent with it.

The proposed rule defines “employer” as a person or entity that hires or contracts with a “worker” to work for the employer. “Worker” is defined as a natural person who works, whether paid or unpaid, for an employer. The term “worker” includes “an employee, [ ] independent contractor, extern, intern, volunteer, apprentice, or sole proprietor who provides a service to a client or customer.”

The proposed rule would apply to post-employment non-competition restrictions and would require employers to rescind existing non-compete agreements and provide notice to workers that they are no longer in effect. 

The FTC defines a non-compete agreement as “a contractual term between an employer and a worker that prevents the worker from seeking or accepting employment with a person, or operating a business, after the conclusion of the worker’s employment with the employer.” As such, in most cases, if a non-compete provision exists merely in an association employee handbook, it likely would not rise to the level of a contract, but any (enforceable, i.e., with consideration) non-compete agreements entered into between employers and their workers prior to, during, and following employment would be covered by the proposed rule, including both employment agreements and severance/separation agreements.

The FTC clarified that whether a contractual provision will be considered a “non-compete” clause will depend not on what it is called, but how it functions. The FTC’s definition of a non-compete clause would generally not include other types of restrictive employment covenants—such as nondisclosure agreements and non-solicitation agreements—because these covenants generally (if they are appropriately tailored) do not prevent a worker from seeking or accepting employment after leaving the prior job. However, such covenants would be considered non-compete clauses where they are so unusually broad in scope that they function as such. The proposed rule makes clear that “a contractual term [ ] is a de facto non-compete clause [when] it has the effect of prohibiting the worker from seeking or accepting employment with a person or operating a business after the conclusion of the worker’s employment with the employer.” For example, a nondisclosure agreement between an employer and a worker that is written so broadly that it effectively precludes the worker from working in the same field after the conclusion of the worker’s employment with the employer could be considered a de facto non-compete clause.

The proposed rule exempts non-compete agreements that are entered into by a person who is selling a business or an ownership interest in a business, when the person restricted is a substantial owner or member of the business being sold.

The proposed rule was published in the Federal Register, and the FTC received scores of public comments on it before the comment period closed on March 20, 2023. Notably, FTC Commissioner Christine Wilson published a dissenting opinion that provides a roadmap for employers seeking to oppose the proposed rule.

Compliance with the final rule will be required as of 180 days after publication in the Federal Register. In addition, as of the compliance date, employers must rescind any existing non-compete clauses and provide notice to their workers that their non-compete clauses are no longer in effect.

Legal challenges to the final rule are to be expected, with the U.S. Chamber of Commerce and some Republicans in Congress already contending that the FTC does not have the authority to issue the rule.

While not related to the FTC’s proposed rule, at least two bills have been introduced in Congress to impose federal statutory limitations on employers’ use of non-compete agreements.

Overview of the District of Columbia Non-Compete Law

DC’s new and modified Non-Compete Law took effect on October 1, 2022; it prohibits non-competition provisions for covered employees but allows non-compete agreements with “highly compensated” employees that meet certain drafting and procedural requirements. The law does not apply to independent contractors and does not limit or regulate non-solicitation agreements. The new law allows employers to use nondisclosure agreements and anti-moonlighting policies in certain circumstances and includes employer notice requirements in connection with them. The law applies to all employers operating in DC and covers employees who spend a substantial amount of their work time in DC (and not more than 50 percent of their work time in another state). While narrower than the originally enacted version, the law is much broader than similar laws in other states.

Non-compete provisions in new agreements entered into on or after October 1, 2022, are void and unenforceable if the provisions violate the law. After October 1, 2022, employers are prohibited from requiring or requesting that a covered employee sign an agreement or comply with a workplace policy (e.g., an employee handbook) that includes a non-compete provision. It is illegal to retaliate against an employee for refusing to comply with a provision void by the new law.

The DC law covers employees and prospective employees only if (i) they spend or are reasonably anticipated to spend more than 50 percent of their work time in DC, or (ii) their employment is or will be based in DC, and the employer reasonably anticipates that the employee will regularly spend a substantial amount of the employee’s work time in DC and not more than 50 percent of the employee’s work time in another jurisdiction. This means that employers based outside of DC but that have employees who work remotely more than 50 percent of their time from DC will be subject to the law with respect to those employees. The law does not supersede the terms of any valid collective bargaining agreement.

The law permits DC employers to enter into non-competes with “highly compensated” employees, subject to certain restrictions and notice requirements. Highly compensated employees are defined as those who earn or are expected to earn total (cash) compensation of at least $150,000 per year ($250,000 for licensed physicians), with this amount to be indexed to the federal Consumer Price Index annually.

For employees who earn below the “highly compensated” threshold, employers are prohibited from entering into any agreement that contains a “non-compete agreement,” which is defined as any contract between an employer and employee containing a “non-compete provision,” which, in turn, is defined as a provision in a written agreement or workplace policy that prohibits an employee from “performing work for another for pay or from operating the employee’s own business.”

However, the law provides for four categories of provisions that are excluded from the definition of a “non-compete provision” and not affected by the new law (provided that they are otherwise lawful):

  • Non-competition provisions entered into in connection with the sale of a business.
  • Nondisclosure or confidentiality provisions that prohibit or restrict an employee from disclosing, using, selling, or accessing the employer’s confidential or proprietary information.
  • A provision that provides a “long-term incentive” to the employee (e.g., bonuses or other performance-driven incentives for individual or organizational achievements).
  • The law permits anti-moonlighting provisions restricting outside compensation for employment or the operation of a business by a current employee to the extent that the employer reasonably believes that such work could (i) result in the disclosure or use of the employer’s confidential or proprietary information, (ii) violate the employer’s, industry’s, or profession’s established rules regarding conflicts of interest, (iii) constitute a “conflict of commitment” (for accredited higher education institutions), or (iv) impair the employer’s ability to comply with federal or DC laws or with a contract or grant. If an employer adopts policies under any of these exceptions, there are certain notice requirements regarding the covered employees.

An employer with a workplace policy that includes one or more of these four exceptions must provide a written copy of the provisions to its DC employees within thirty days after an employee’s acceptance of employment and any time such policy changes. This notice and disclosure requirement applies to all affected DC employees, not only highly compensated employees.

Employers are strictly prohibited from retaliating against employees who refuse to agree to, or fail to comply with, an impermissible non-compete provision or workplace policy. Employers also are prohibited from retaliating against employees who either question or raise complaints about a non-compete agreement or policy.

The law outlines specific requirements for permitted non-compete agreements with “highly compensated” employees. To be valid and enforceable, any such agreement executed after October 1, 2022, must specify:

  • the functional scope of the competitive restriction, including what services, roles, industry, and/or competing entities the employee is restricted from performing work for or on behalf of;
  • the geographical limitations of the work restriction; and
  • the duration of the restrictions, not to exceed 365 days from the date of separation (730 days for medical specialists).

Employers also must provide the non-compete agreement to the highly compensated employee in writing at least fourteen days before the start of employment or before a current employee is required to execute the agreement, and employers proposing such a non-compete agreement must provide a specifically worded notice (spelled out in the law) to the employee at the same time.

Employers may face both civil and administrative penalties for violations of the law. The law empowers the DC mayor or DC attorney general to fine employers, and aggrieved employees are able to file administrative complaints with the DC mayor’s office or file suit in civil court in DC.

Overview of the California Non-Compete and Non-Solicitation Law

As has been the case for many years, California law generally prohibits all non-compete agreements and restricts and regulates non-solicitation agreements for employees. California Business and Professions Code Section 16600 states that contracts that restrain individuals from engaging in lawful professions, trades, or businesses are void, except for a few specific exceptions. Note that these California laws apply to all association employees based in California, even if the association is based in another state. Following are some key points about these laws.

Non-Compete Agreements: Non-compete agreements, which typically restrict employees from working for a competitor or starting a competing business after leaving their current employer, are generally unenforceable in California. California’s strong public policy favors employee mobility and competition, and such agreements are generally considered void and unenforceable, regardless of the employee’s job level or type of employment. Additionally, California Labor Code Section 925 clarified in 2017 that forum-selection and choice-of-law clauses that select non-California forums and/or laws cannot be enforced if the employee performs work in California (with an exception if the employee is represented by legal counsel when negotiating the terms of the agreement). Thus, non-California-based employers with California employees effectively have no choice but to avoid employee non-compete agreements entirely and to ensure that employment agreements comply with the California law with respect to their choice-of-law and choice-of-venue clauses.

Non-Solicitation Agreements: Non-solicitation agreements, which restrict employees from soliciting their former employer’s customers/clients or employees after leaving their job, are more limited in California. Non-solicitation agreements are generally enforceable in California, but with certain restrictions. California Business and Professions Code Section 16600 states that an agreement between an employer and an employee prohibiting the solicitation of customers is not enforceable (unless directly tied to the use of employer trade secrets), as it is considered a restraint on competition. However, an agreement prohibiting the solicitation of other employees may be enforceable so long as it includes reasonable time and geographic limitations. Non-solicitation agreements with California employees must be narrowly tailored to protect the employer’s legitimate business interests, and they cannot be overly broad or prevent employees from engaging in their chosen profession or trade.

Trade Secret and Confidential Information Protections: California law provides protection for employers’ trade secrets and confidential information. Employees can be restricted from using or disclosing their employer’s trade secrets or confidential information after leaving their job, even if they have signed a non-compete and/or non-solicitation agreement.

Exceptions: There are some limited exceptions to California’s general prohibition on non-compete and non-solicitation agreements. For example, non-compete agreements may be allowed in connection with the sale of a business, and certain employees who are owners, officers, or directors of a corporation may be subject to non-solicitation agreements.

For more information, contact Mr. Tenenbaum at [email protected].

SCOTUS Approves Challenges to Agency Enforcement Proceedings

Has the administrative state gotten “too big for its britches”? Certainly, the pendulum of virtually uncritical deference to federal agencies has swung sharply in the opposite direction in various decisions of the Roberts Court.

Five years ago, in Lucia v. Securities & Exchange Commission,[1] the U.S. Supreme Court held that U.S. Securities and Exchange Commission (“SEC”) administrative law judges (“ALJs”) are inferior executive officers and are therefore subject to the Appointments Clause of the U.S. Constitution.[2] As a result, respondents in SEC administrative proceedings were entitled to de novo hearings before new, constitutionally appointed ALJs.

The most recent example is Axon Enterprise, Inc. v. Federal Trade Commission,[3] which held—without dissent—that the statutory review schemes for both the Federal Trade Commission (“FTC”) and the SEC do not displace classic federal question jurisdiction over claims that those agencies’ structures or activities are unconstitutional. The holding presages a tsunami of constitutional challenges against not only these two regulators but also other federal agencies operating under similar statutory structures.

The Federal Agency Enforcement Paradigm

Both the SEC and the FTC partake of an enforcement model that is common to many federal agencies. Each commission has the option to bring an action in federal court, but they also have (and typically prefer) the option of proceeding via an administrative complaint. When the cards are dealt that way, the deck is stacked in favor of the agency. If the respondent does not fold and agree to some form of consent order but decides to litigate, the matter will go before an ALJ. ALJs are removable “only for good cause,” e.g., “neglect of duty” or “malfeasance,” as determined by a separate federal entity, the Merit Systems Protection Board (whose members likewise are removable only for good cause).

Hearings before ALJs typically allow only such discovery as the rules of the federal agency may permit. Like any other judge, the ALJ hears witnesses, makes credibility determinations, decides what evidence will be admitted, weighs the evidence, and reaches a decision. That decision, however, is only a recommendation.

Appeals by either the agency enforcement staff or the respondent (or both) go to the full commission—the same commission that authorized the investigation and the enforcement proceeding to begin with—and that commission then makes a decision based solely on the administrative record. Even if the ALJ found the evidence overwhelmingly favored one party, the commission is free (even though it had no opportunity to hear the evidence firsthand or assess the credibility of witnesses) to disregard the ALJ’s recommendation. It is only when the commission issues a decision that there is “final agency action” within the meaning of the Administrative Procedure Act (“APA”).[4]

Then, and only then, may the respondent obtain judicial review, but it is not de novo review in a district court. Rather, the review is before a federal appeals court, is based on the administrative record, and is circumscribed by the deferential APA standards of judicial review (i.e., “substantial evidence” / “arbitrary” and “capricious”).[5]

This enforcement paradigm is followed by many other federal agencies. For example, each of the three bank regulatory agencies—the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation—uses the same model.

Constitutional Backdrop

While the amount of relevant precedent is considerable, some decisions vital to an understanding of the Axon decision delineate the shift in the judiciary’s assessment of the administrative state:

  • Humphrey’s Executor v. United States.[6] This now oft-questioned 1935 SCOTUS precedent upheld for-cause limitations on the President’s ability to remove an FTC commissioner. At that time, the Court believed the FTC (then barely twenty years old) was not only nonpartisan but “neither political nor executive,” and exercised “predominantly quasi-judicial and quasi-legislative” powers.[7] The Court thought it “essential that the commission should not be open to the suspicion of partisan direction.”[8] 
  • Thunder Basin Coal Co. v. Reich.[9] This 1994 SCOTUS decision established a tripartite analysis to determine whether Congress intended to preclude a federal district court from exercising jurisdiction over challenges to federal agency action. The three factors are (1) whether preclusion of district court jurisdiction could foreclose all meaningful judicial review, (2) whether the challenge is wholly collateral to the statute’s review provisions, and (3) whether the claim is “outside the agency’s expertise.”[10]
  • Free Enterprise Fund v. Public Company Accounting Oversight Board.[11] This 2010 SCOTUS decision invalidated certain limitations on the president’s removal power over executive branch officials. Significantly, in order to reach that question, the Court concluded that it had jurisdiction to review a challenge to the legitimacy of an ongoing SEC investigation, even though that investigation had not yet resulted in a final order.
  • Seila Law, LLC v. Consumer Financial Protection Bureau.[12] This 2020 SCOTUS decision gave Humphrey’s Executor a narrow construction and held that the Consumer Financial Protection Bureau (“CFPB”) was unconstitutionally structured, because the combination of a single agency director and termination only for “inefficiency, neglect of duty, or malfeasance” [13] (the same standard at issue in Humphrey’s Executor) violated Article II of the U.S. Constitution. Thus, the President can remove the head of the CFPB without cause.
  • Jarkesy v. Securities & Exchange Commission.[14] This 2022 Fifth Circuit decision held that an enforcement proceeding by the SEC seeking civil money penalties was unconstitutional because (1) seeking such penalties is sufficiently similar to common law fraud actions and sufficiently involves private rights (as opposed to public rights) that the targets of such actions are entitled to trial by jury, (2) Congress unconstitutionally delegated legislative power to the SEC by failing to provide an “intelligible principle” to guide the SEC’s determinations whether to file cases as federal court actions or internal administrative proceedings, and (3) the statutory restrictions on removing SEC ALJs from office violate Article II.[15] 

The Road to Axon

Two cases were consolidated in the recent Axon opinion: Cochran v. Securities & Exchange Commission[16] and Axon Enterprise, Inc. v. FTC.[17]

Cochran v. Securities & Exchange Commission

Michelle Cochran, a CPA, was suspended from practicing before the SEC for five years based on an alleged failure to comply with auditing standards established by the Public Company Accounting Oversight Board. After losing at an administrative hearing, Cochran decided to fight on, but then the Lucia decision intervened, and so the SEC went back to square one with newly (and, this time, constitutionally) appointed ALJs. Cochran, however, filed an action in federal district court contending that even if a substitute ALJ were constitutionally appointed, the ALJ would still be unconstitutionally insulated from the president’s removal power because of multiple layers of for-cause protections against removal from office.

The district court dismissed her case for lack of subject-matter jurisdiction on the ground that the relevant statute implicitly stripped district courts of jurisdiction to hear challenges to ongoing SEC enforcement proceedings by providing for review of final SEC orders in a circuit court of appeals.[18] On appeal, a divided Fifth Circuit panel affirmed the dismissal,[19] but then the Fifth Circuit, sitting en banc, reversed, holding that Cochran’s constitutional challenge was cognizable by, and within the jurisdiction of, the district court because the claim was “wholly collateral” to the SEC’s administrative proceeding.[20]

Axon Enterprise, Inc. v. Federal Trade Commission

When Axon, a manufacturer of body cameras and other equipment for law enforcement, sought to purchase a failing competitor, the FTC commenced an antitrust investigation. The agency subsequently filed an administrative complaint against Axon’s consummated acquisition of the competitor[21] and asserted that the acquisition violated section 7 of the Clayton Act.[22] The FTC demanded that Axon spin off the acquired company and share its own intellectual property.

Seeking to enjoin the FTC’s administrative proceeding, Axon sued in federal court alleging, inter alia, that the combination of investigative, prosecutorial, adjudicative, and appellate functions within a single agency violates due process, and, similar to what Cochran argued against the SEC, the dual layer of protection given to the FTC’s ALJs insulated them from presidential removal power in violation of the Appointments Clause. The FTC argued that the district court lacked jurisdiction because Axon had to bring its claims in the administrative proceeding and, if it did not prevail, only then seek judicial review in the court of appeals. The district court agreed and dismissed the complaint.[23]

On appeal, a divided panel of the Ninth Circuit affirmed. The majority concluded that Axon would have meaningful judicial review of its constitutional claims because the Supreme Court held in Thunder Basin that such claims “‘can be meaningfully addressed in the Court of Appeals,’ even though the petitioner there similarly had argued that the agency process itself would violate its constitutional rights.”[24]

The Axon Enterprise Decision

Authored by Justice Kagan, the Court’s opinion concluded that neither the statutory provision governing FTC enforcement proceedings nor the statutory provision governing SEC enforcement proceedings divests federal district courts of jurisdiction to hear collateral constitutional challenges to administrative proceedings. Reviewing the three Thunder Basin questions, the Court answered each in the affirmative. On the first factor of “meaningful judicial review,” the Court reasoned that precluding district court jurisdiction of these constitutional challenges would effectively foreclose meaningful judicial review of these sorts of claims. The analysis was straightforward: “A proceeding that has already happened cannot be undone. Judicial review of Axon’s (and Cochran’s) structural constitutional claims would come too late to be meaningful.”[25] The Court emphasized the “here-and-now injury” that Cochran and Axon suffered by being subject to proceedings they believed to be unconstitutional.[26] A similar result was reached on the second factor, as the constitutional challenges are collateral to the proceedings “because they are challenging the Commissions’ power to proceed at all, rather than actions taken in the agency proceedings.”[27] Finally, observing that issues of constitutionality fall outside the expertise of both the FTC and the SEC, the Court concluded that those sorts of claims are not “of the type” that the FTC’s and SEC’s statutory schemes address and, accordingly, are properly reviewable by the district court.[28]

Justice Thomas authored a concurring opinion in which he expressed doubt that Congress may vest administrative agencies with primary authority to adjudicate “core private rights” to life, liberty, and property.[29] Congress might be violating separation of powers by compelling the judicial branch to defer to the executive branch on matters that the Constitution vests in the judiciary. Similarly, because agencies are not courts of competent jurisdiction, Congress might be violating due process by empowering federal agencies to deprive citizens of core private rights. Finally, Thomas noted that “the appellate review model” might violate the Seventh Amendment because agencies adjudicate “what may be core private rights without a jury.”[30]

Justice Gorsuch concurred only in the judgment. He wrote separately to express dissatisfaction with the Thunder Basin balancing test, which he regards as an incoherent “judge-made” device.[31] In his view, the Court need only review the relevant statutory text to assess whether (A) Congress “has actually carved out some exception” to jurisdiction, and (B) the general federal question jurisdiction statute, 28 U.S.C. § 1331, grants district courts the ability to hear the claims at issue.[32]

Conclusion

Axon goes hand in glove with increasing disillusionment at the results of uncritical Chevron deference and with last year’s invocation, in West Virginia v. Environmental Protection Agency,[33] of the “major questions” doctrine to curb the authority of federal agencies to act on “decisions of vast economic and political significance” absent clear congressional authorization.[34] At a minimum, the Axon Enterprise decision will create hurdles for agency enforcement actions. Beyond that, the case can be seen as part of a larger trend toward increased skepticism by the Court of overbroad powers—and potential abuses of those powers—by federal administrative agencies.


  1. 138 S. Ct. 2044 (2018).

  2. U.S. Const. art. II, § 2, cl. 2.

  3. No. 21-86, slip op. (U.S. Apr. 14, 2023).

  4. 5 U.S.C. § 551 et seq.

  5. 5 U.S.C. § 706.

  6. 295 U.S. 602 (1935).

  7. Id. at 624 (emphasis added).

  8. Id. at 625.

  9. 510 U.S. 200 (1994).

  10. Id. at 212–13.

  11. 561 U.S. 477 (2010).

  12. 140 S. Ct. 2183 (2020).

  13. Id. at 2193 (citing 12 U.S.C. § 5491(c)(1), (3)).

  14. 34 F.4th 446 (5th Cir.), reh’g denied, 51 F.4th 644 (5th Cir. 2022).

  15. Jarkesy, 34 F.4th at 462–67.

  16. 20 F.4th 194 (5th Cir. 2021).

  17. 986 F.3d 1173 (9th Cir. 2021).

  18. 15 U.S.C. § 78y.

  19. Cochran, 969 F.3d 507 (5th Cir. 2020), rev’d, 20 F.4th 194 (5th Cir. 2021) (en banc).

  20. 20 F.4th 194 (5th Cir. 2021) (en banc).

  21. In re Axon Enter. & Safariland LLC, FTC File No. 1810162 (last updated June 27, 2022).

  22. 15 U.S.C. § 18.

  23. Axon Enter. Inc. v. Fed. Trade Comm’n, 452 F. Supp. 3d 882 (D. Ariz. 2020), rev’d, 986 F.3d 1173 (9th Cir. 2021).

  24. 986 F.3d 1173 (9th Cir. 2021).

  25. No. 21-86, slip op. at 13 (U.S. Apr. 14, 2023).

  26. Id.

  27. Id. at 14.

  28. Id. at 16–17.

  29. Id. (Thomas, J., concurring) (slip op. at 1).

  30. Id. (Thomas, J., concurring) (slip op. at 8).

  31. Id. (Gorsuch, J., concurring in judgment) (slip op. at 2).

  32. Id. (Gorsuch, J., concurring in judgment) (slip op. at 6) (emphasis in original).

  33. 142 S. Ct. 2587 (2022).

  34. The “major questions” doctrine is a label applied to jurisprudence over the years where the Court has curtailed exercises of power by administrative agencies “beyond what Congress could reasonably be understood to have granted.” Id. at 2609 (citing King v. Burwell, 576 U.S. 473, 486 (2015); Utility Air Reg. Group v. EPA, 573 U.S. 302, 324 (2014); Gonzales v. Oregon, 546 U.S. 243 (2006); FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120, 159 (2000)).

ABA BLS Helps Children Learn about the Rule of Law

We all know that reading is power. At the ABA Business Law Section’s Hybrid Spring Meeting in April, the Section’s Rule of Law Working Group, led by Judge Alvin Thompson and John Stout, and its Pro Bono Committee spearheaded a fun and dynamic opportunity for members of the ABA BLS to read with elementary school students. Daniela Cimo (Chair of the Pro Bono Committee) and Tsui Ng (Co-chair of the Programs Committee) organized volunteers to work with Reading Partners, which partners with schools that identify students who are six months or more behind grade level in reading. (You can read more about the inspiration behind the initiative in Cimo’s article “How Civic Education, Pro Bono, and Professional Integrity Strengthen the Rule of Law.”) Students are paired with trained volunteers who provide one-on-one tutoring twice a week for forty-five minutes during the school year, following a structured curriculum. Students receive their own book every session to build their own home library.

As part of the curriculum, students practice reading out loud. BLS volunteers first received training and selected the book for their student to read to them. These books were donated by BLS members and ranged from stories about exercising political and voting rights and stories about historical figures to simply funny stories.

The hour or so we spent working with Reading Partners was extremely meaningful, and admittedly, very fun. I had the honor to read with a powerhouse second grader who just turned eight, and who bounced into the room with her hoop earring, blue necklace, tie-dye purse, and a huge smile. We laughed together as she read me a book on how kids can help people to vote and why that is important. Without question, we all left our way-too-fast sessions with the students with more energy and hope than when we walked through the school doors. And because we all didn’t know each other before our volunteer session, we ended with a shared experience and new BLS friends.

Given the success of the program, the Rule of Law Working Group and the Pro Bono Committee are planning for another volunteer opportunity at the Annual Meeting in Chicago. I will be the first person to sign up.


This article is part of a series on intersections between business law and the rule of law, and their importance for business lawyers, created by the American Bar Association Business Law Section’s Rule of Law Working Group. Read more articles in the series.

Navigating the World of Influencer Advertising: Key Legal Considerations

The ubiquity of social media has been accompanied by an advertising boom that is lucrative for influencers and brands alike. The benefit to companies is immense because of lower costs compared to traditional advertising methods. For a fraction of the price of traditional radio, television, or print advertising, influencers can reach thousands, sometimes millions of followers with brand recommendations. However, the relationships come with serious risk for companies choosing to tie their reputation to influencer accounts and personalities.

As of 2022, the average daily social media usage of internet users worldwide amounted to 147 minutes per day, up from 145 minutes in the previous year.[1] In 2021, Americans spent on average more than 1,300 hours on social media.[2] It is no wonder businesses find it valuable to capture even a fraction of that screen time for social media advertising. Social media advertising through influencers allows brands to reach individuals who may otherwise not encounter their product. Gamers, makeup artists, musicians, and socialites can amass large numbers of followers attracted to their personality, celebrity status, content, or expertise in a certain field. To influencers’ followers, a brand recommendation from a trusted influencer is akin to a referral from a friend. Companies see the benefit in these interactions and pay lucrative contracts to capitalize on the relationships built by influencers.

Influencer Code of Conduct

While this kind of advertising can be profitable for both influencer and brand, there are risks associated with tying a company’s image to an individual. The publicly expressed opinions and behavior of the influencer, as well as their political and social leanings, may not always align with the values of the brand. On a grand scale, there have been instances where famous individuals lost sponsorships after unfavorable public incidents. For example, golfer Tiger Woods lost his sponsorships with Gatorade, AT&T, and Gillette in the wake of his alleged extramarital affairs. More recently, Adidas faced immense pressure to break ties with artist Ye, formerly known as Kanye West, in the wake of his social media and public statements on race and politics, particularly antisemitic posts on Instagram and Twitter; Adidas and a wide range of other brands eventually cut ties with Ye. On a smaller scale, brands utilizing social media influencers must conduct the same evaluation of whether an influencer’s words or actions should continue to be associated with the brand. Often the solution is to disassociate with the influencer to avoid the perception of being complicit or tacitly approving of the actions of their brand ambassador.

Influencer contracts or influencer marketing agreements set forth the relationship between the parties and outline, for instance, the amount of content an influencer must generate to earn compensation. Additionally, moral/conduct clauses are essential to permit the brand to terminate a contract when the actions of the influencer fail to align with the brand’s values. Such contracts are an excellent tool for managing what can sometimes be unpredictable business relationships. The contracts, however, do not always account for conduct that occurred prior to the inception of the marketing relationship. In that regard, thorough and comprehensive vetting prior to entering into an influencer agreement is essential.

Internet activity, unless purposefully removed, is stored and accessible for years. With throngs of relentless internet sleuths digging into every post, like, and interaction, there have been countless instances of previous conduct, sometimes decades old, inciting public uproar. In 2022, media and fans called for corporate sponsors to reevaluate their relationship with the Dallas Cowboys after a 1957 photo surfaced of owner Jerry Jones at a Little Rock, Arkansas, protest against school integration. Former players and colleagues jumped to Jones’s defense; the outrage eventually quieted, and sponsors remained in place. However, Jones’s story shows the precarious position in which brands may find themselves when the influencer relationship draws public ire for past behavior. Contracting parties must address this reality to ensure there are clear grounds for severing the sponsorship relationship.

As with any contracting relationship, prevention is better than cure. I am reminded of the proverb cautioning the reader to walk with the wise and become wise, instead of making companionship with fools and suffering harm. The notion holds true in the ever-evolving world of social media influencer advertising. The choice of a social media partnership should come down to more than just the number of followers. Companies and brands must exhaustively vet influencers’ online presences and must account for conduct-based severance terms in their influencer contracts/influencer marketing agreements.

Compliance with FTC Disclosure Requirements

Influencers must be aware of their responsibility to conspicuously disclose endorsements, sponsorships, and partnerships with brands and companies. The Federal Trade Commission (“FTC”), in its efforts to protect consumers from deceptive advertising, has turned a keen eye to the prevalent use of influencer advertising. One of the most common pitfalls for influencers is the failure to clearly disclose partnerships, which can lead to deceptive advertising. To that end, the FTC released a guide to influencers, “Disclosures 101 for Social Media Influencers” (the “Guide”), which provides a condensed and simple reference tool for social media advertising.[3] The Guide warns, “If you endorse a product through social media, your endorsement message should make it obvious when you have a relationship (‘material connection’) with the brand. A ‘material connection’ to the brand includes a personal, family, or employment relationship or a financial relationship – such as the brand paying you or giving you free or discounted products or services” (emphasis added). Thus, even brand publicity in exchange for free products requires adherence to the strict disclosure guidelines. The simple reference tool of the Guide can save influencer clients from losing brand opportunities, or worse, facing legal consequences for false advertising. Practitioners should keep an eye on the FTC’s regulation in this field, as the Commission has approved a request for comment seeking public input on proposed changes to the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising.[4] This development signals an impending change and likely stricter regulation of influencer advertising.

SEC Prosecution of Deceptive Advertising in Securities

Practitioners must also advise influencers of the pitfalls of promoting or encouraging the public to purchase stocks and other investments. In a November 1, 2017, statement, the Securities and Exchange Commission (“SEC”) cautioned celebrities “and others” against endorsing the purchase of stocks. The SEC warned those endorsements could be unlawful without disclosure of “the nature, source, and amount of any compensation paid, directly or indirectly, by the company in exchange for the endorsement.”[5] Recent prosecution by the SEC shows the warning was not toothless.

In December 2022, the SEC charged eight social media influencers in a $100 million stock manipulation scheme promoted on Twitter and Discord.[6] As described by Joseph Sansone, chief of the SEC Enforcement Division’s Market Abuse Unit, the SEC complaint filed in the US District Court for the Southern District of Texas alleged the defendants “used social media to amass a large following of novice investors and then took advantage of their followers by repeatedly feeding them a steady diet of misinformation, which resulted in fraudulent profits of approximately $100 million.”[7] Despite the seriousness of this example, social media activity promoting securities need not be nefarious to draw the SEC’s attention; failure to disclose partnership and sponsorship is sufficient for prosecution.

Several recent SEC prosecutions highlight the importance of properly disclosing sponsorships and compensation. Socialite and media personality Kim Kardashian reached a $1.26 million settlement with the SEC over a 2021 post promoting cryptocurrency without disclosing the amount she was paid for the advertisement.[8] The same fate befell boxer Floyd Mayweather Jr. and music producer DJ Khaled, who also failed to disclose payments in exchange for promoting companies purporting to sell securities.[9] As social-media-propelled investment opportunities such as non-fungible tokens (“NFTs”) and cryptocurrency increase in popularity, it is tempting to push social media posts promoting these items. Practitioners must advise against doing so without adequate scrutiny of the brand/company, without understanding the assets to be promoted, and most importantly, without disclosing the nature of the sponsorship and compensation. Consumer transparency remains the paramount concern of the FTC and SEC. Following a few simple publicly available guidelines may help to avoid prosecution.


  1. Stacy Jo Dixon, “Average daily time spent on social media worldwide 2012-2022,” Statista, August 22, 2022.

  2. Peter Suciu, “Americans Spent On Average More Than 1,300 Hours On Social Media Last Year,” Forbes, June 24, 2021.

  3. FTC, “Disclosures 101 for Social Media Influencers,” November 2019.

  4. Guides Concerning the Use of Endorsements and Testimonials in Advertising, 87 Fed. Reg. 44288 (July 26, 2022).

  5. SEC, “SEC Statement Urging Caution Around Celebrity Backed ICOs,” November 1, 2017.

  6. SEC, “SEC Charges Eight Social Media Influencers in $100 Million Stock Manipulation Scheme Promoted on Discord and Twitter,” December 14, 2022.

  7. Id.

  8. SEC, “SEC Charges Kim Kardashian for Unlawfully Touting Crypto Security,” October 3, 2022.

  9. SEC, “Two Celebrities Charged With Unlawfully Touting Coin Offerings,” November 29, 2018.

That’s a Super-Sized Sack of Sliders: Illinois Supreme Court Finds White Castle Could Face up to $17 Billion in Damages

A recent decision interpreting the Illinois Biometric Information Privacy Act (BIPA) serves as a stark warning to all businesses collecting personal information, and specifically biometric information that may be subject to the requirements of BIPA: obtain informed consent or prepare for potentially crippling financial penalties. Answering a certified question from the United States Court of Appeals for the Seventh Circuit, the Supreme Court of Illinois, in Cothron v. White Castle Sys., Inc., 2023 IL 128004, concluded “that a claim accrues under the Act with every scan or transmission of biometric identifiers or biometric information without prior informed consent” in violation of section 15(b) or 15(d).

In Cothron, a group of Illinois residents, led by a former manager of White Castle (“Plaintiff”), filed a putative class action against the fast-food franchise alleging it violated Section 15(b) (applicable to the collection or capture of biometric data) and 15(d) (applicable to the disclosure or dissemination of biometric data) of BIPA when it required its employees to scan their fingerprints to access pay stubs and computers and then transmitted the scan to a third party for verification—all without first obtaining the employees’ informed consent. White Castle argued that the Plaintiff’s suit was untimely because it accrued in 2008—that is, only when the company first obtained Plaintiff’s biometric information and transmitted it to a third party after BIPA took effect. Plaintiff responded that “a new claim accrued each time she scanned her fingerprints and White Castle sent her biometric data to its third-party authenticator.”

BIPA Actions Accrue with Every Scan or Transmission

The court, in a 4–3 decision, held that claims arising under Section 15(b) and 15(d) of BIPA accrue each time a company either collects or discloses an individual’s biometric information without prior informed consent. Under Section 15(b) and 15(d), respectively, companies are prohibited from collecting or disclosing a person’s or a customer’s biometric identifier or biometric information “unless it first” obtains informed consent (emphasis added).[1] Relying on the common definitions of “collect” and “disclose,” the majority determined White Castle’s process of collection clearly fell within the scope of the statute: White Castle obtained its employee’s initial fingerprint scan and stored it for authentication purposes. Thereafter, when the employee needed to access company computers, for instance, a second fingerprint scan was then obtained and sent to a third-party vendor to compare both fingerprints and verify the employee’s identity. In the majority’s view, White Castle failed “to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer.”

Nevertheless, White Castle argued that interpreting BIPA to allow for repeated accruals of claims by one individual “would constitute ‘annihilative liability’ not contemplated by the legislature and possibly be unconstitutional.” The company contended “if [the] plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class-wide damages in her action may exceed $17 billion.” The court was unpersuaded by these arguments, concluding that “policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature … [to] make clear its intent regarding the assessment of damages under [BIPA].”

Majority’s Rule Will Render BIPA Compliance Burdensome

The dissenting opinion contends the majority’s interpretation is unsupported by the statute’s plain language and, in no uncertain terms, “will lead to consequences that the legislature could not have intended.” For example, the dissent observed “that the ‘precise harm’ the legislature sought to prevent [in enacting BIPA] was an individual’s loss of the right to maintain biometric privacy.” With that in mind, the dissent argues that a private entity may obtain an individual’s biometric information in violation of BIPA only once as there is only “one loss of control or privacy, and this happens when the information is first obtained.” Accordingly, in the dissent’s view, subsequent scans cannot be considered as obtaining additional biometric information because “White Castle already has it.”

Turning to the implications of the majority’s rule, the dissent highlighted two areas of concern. First, under the majority approach, plaintiffs are incentivized to delay bringing their claims as long as possible, thereby impermissibly “racking up damages.” Second, in light of the potential $17 billion damages award White Castle may face, the dissent argued the majority’s interpretation is clearly contrary to legislative intent. In sum, the dissent concluded that “[i]mposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.”

Navigating a Post-Cothron World

The Cothron decision illustrates that statutory claims for alleged privacy violations can quickly turn into “bet the company” litigation. This risk is particularly acute whenever the potentially applicable statutory regime includes a private right of action for alleged violations. To effectively mitigate this risk, companies must clearly identify the regulatory requirements that apply to any personal information—not just biometric information—collected and processed as part of operations from any individual, whether a customer, employee, independent contractor, vendor, or other individual. With this foundation, companies can develop, implement, and regularly update comprehensive and robust compliance protocols with respect to the collection, processing, storage, and destruction of the regulated personal information.

In light of the Cothron decision, and specifically with respect to biometric information, any business collecting and processing biometric data should consider implementing the following best practices:

  • develop a system for providing written notice and obtaining informed consent prior to the collection of biometric information
  • ensure the written notice clearly informs the individual of: (1) the entity collecting or storing biometric information; (2) the entity’s purpose for collection, use, and storage; (3) whether the biometric information will be disclosed or disseminated to other parties, and if so, the specific purpose for each such disclosure or dissemination; and (4) how long the entity will use or store the information
  • maintain a program for tracking the written consents and releases authorizing the entity to collect, process, and disclose biometric information
  • develop, implement, and enforce a policy for destruction of biometric information that no longer serves a legitimate business purpose.

  1. 740 ILCS 14/15(b) and (d).

A Case Study in Practical Approaches to Self-Cures in the Context of CFPB Examinations

In Consumer Financial Protection Bureau (“CFPB”) examinations, an assessment factor in the CFPB’s implementation of the Federal Financial Institutions Examination Council’s (“FFIEC”) Uniform Consumer Compliance Rating System (“CC Rating System”) is “self-identification of consumer compliance issues and corrective action undertaken as such issues are identified” (“self-cures”).[1] The CFPB Supervision and Examination Manual states:

This early detection can limit the size and scope of consumer harm. Moreover, self-identification and prompt correction of serious violations represents concrete evidence of an institution’s commitment to responsibly address underlying risks. In addition, appropriate corrective action, including both correction of programmatic weaknesses and full redress for injured parties, limits consumer harm and prevents violations from recurring in the future.[2]

These statements raise practical questions about how to implement a self-cure, including the implementation of a “full redress for injured parties.”

Holland & Knight’s Consumer Protection Defense and Compliance Team (“Holland & Knight”)[3] and NERA Economic Consulting’s Antitrust and Competition Practice (“NERA”)[4] recently worked together on a project in which a financial institution sought to implement a self-cure resulting from an inadvertent coding issue that affected the frequency of the financial institution’s review of consumers’ interest rates for certain credit products. In this article, we discuss questions we encountered in the course of the case and how they were addressed.

Redress Analysis

It is instructive to think about full redress as one would think about economic damages, in which one calculates affected individuals’ loss of economic value from the wrongful act.[5] Isolating a consumer’s loss of economic value involves assessing what the consumer’s economic situation would have been but for the wrongful act (“but-for scenario”) and comparing it to the consumer’s actual economic situation with the wrongful act (“actual scenario”).[6]

Modeling but-for scenarios can be particularly involved for consumer financial products because the products can be complex and one might have to model multiple interactions between the consumer and the financial institution. For example, a difference in interest rates between the actual and but-for scenarios for a credit card program could affect (1) the allocation of payments between interest and principal; (2) outstanding balances, number of installments, late payment fees (when applicable), etc.; and (3) the accrual of interest.

A rigorous framework for approaching redress is important as redress analysis can face scrutiny from the CFPB and result in protracted interaction with the agency, including potential escalation to a formal enforcement action.[7] In addition, as supervised entities are likely to engage with the agency and/or their prudential regulators repeatedly, choosing a method for redress analysis may commit the financial institution to the methodology should similar issues arise in the future.

Case Study

In a recent project, Holland & Knight and NERA worked with the legal, business, and data and analytics teams at a financial institution to assess the financial institution’s (1) redress approach and associated payment amounts to affected customers and (2) updates to its procedures and associated code that required redress.

Technical Assistance

NERA’s review and analyses of the financial institution’s materials, including computer scripts and associated generated inputs and outputs, helped the financial institution to identify coding errors in the financial institution’s computer scripts that impacted interest calculations for a credit product. NERA also assisted the institution with potential remedies and their implementation, and provided an independent review of the financial institution’s code that implemented a remedy.

NERA’s role involved working with outside counsel and directly with the financial institution to analyze the issue and associated data, audit computer scripts, recommend solutions, and assist with the implementation of a redress analysis. To perform this work, NERA’s experts drew on their collective experience and expertise with damages analyses and consumer financial services products, as well as their experience with programming languages (including, for example, SAS, Stata, R, Python, and VBA) and technical knowledge, to understand the structure of the client’s data and business logic. The NERA team was able to communicate directly with the data and analytics team at the financial institution and review the financial institution’s code associated with the project of implementing redress for the coding error that resulted in incorrect interest calculations for a credit product. This work provided the legal team at the financial institution with more insight into their internal processes and supported the in-house data and analytics team with insight into the likely perspectives used by regulators in the context of redress analyses.

Rhetorical Approach

Holland & Knight, as outside counsel, provided guidance through the supervisory process and interactions with the CFPB. Specific guidance included a comprehensive analysis of applicable CFPB regulations and innovative compliance recommendations to implement a self-cure and address other critical compliance observations. The law firm also effectively liaised with regulators to disclose the coding issue and the implemented self-cure.

NERA contributed memoranda and exhibits that described the redress analysis for submissions that Holland & Knight made to the CFPB on behalf of the financial institution. Due to the NERA team’s experience writing expert reports and presenting to regulators, the memoranda and exhibits featured clear, compelling language and graphics to explain the redress approach in ways that all parties (the financial institution, in-house counsel, outside counsel, and regulators) could easily understand. In addition to contributing exhibits to counsel’s responses to the CFPB, including responses to the CFPB’s notice of Potential Action and Request for Response (“PARR letter”),[8] NERA created memoranda that were attached to letters to the CFPB. The team also prepared high-level executive summaries to assist counsel in their preparation for meeting with the CFPB. The executive summaries summarized the redress procedure and highlighted features of the procedure that, when there was ambiguity, erred on the side of benefiting affected customers.

Strategic Perspective

The CFPB accepted the self-cure redress approach in this project. We think that the preparation and work at the supervisory stage by the financial institution, Holland & Knight, and NERA provided for effective responses to the CFPB that may have mitigated a protracted process.

That said, should the process have continued, the NERA team was structured so that, if needed, an economic expert could provide testimony in an enforcement action or litigation. The team included PhD economists who could testify on economic issues, which are broader in scope than the calculations performed in the redress analysis. This was strategically valuable: because the consulting team was already familiar with the case and the financial institution, duplicative work would have been avoided had the issue proceeded to enforcement or litigation, whether with a regulator or a plaintiff class action attorney.


Dr. Ling Ling Ang is a director and Tilling Lee is an associate director at NERA Economic Consulting. The opinions expressed in this article are those of the authors and do not necessarily reflect the views of NERA Economic Consulting or its clients. Leonard Bernstein, Da’Morus Cohen, and Anthony DiResta are partners at Holland & Knight LLP.

  1. Consumer Fin. Prot. Bureau, CFPB Supervision and Examination Manual 7–10 (Jan. 2023) (PDF pp. 22–25) [hereinafter CFPB Manual].

  2. Id. at 9–10 (PDF pp. 24–25).

  3. Holland & Knight’s team was led by Anthony DiResta, Esq.; Leonard Bernstein, Esq.; and Da’Morus Cohen, Esq.

  4. NERA’s team was led by Dr. Ling Ling Ang, Dr. Alan Grant, and Tilling Lee.

  5. See, e.g., Mark A. Allen, Robert E. Hall & Victoria A. Lazear, Reference Guide on Estimation of Economic Damages, in Reference Manual on Scientific Evidence 429 (Academies Press 3d ed. 2011).

  6. Id. at 432; Roman L. Weil, Daniel G. Lenz & Elizabeth Evans, Litigation Services Handbook 4–12 (John Wiley & Sons, Inc. 6th ed. 2017).

  7. CFPB Manual, supra note 1, at Overview 5–6 (PDF pp. 7–8).

  8. “A PARR letter provides an entity with notice of preliminary findings of conduct that may violate Federal consumer financial laws and advises the entity that the Bureau is considering taking supervisory action or a public enforcement action based on the potential violations identified in the letter. Supervision invites the entity to respond to the PARR letter within 14 days and to set forth in the response any reasons of fact, law or policy why the Bureau should not take action against the entity. The Bureau often permits extensions of the response time when requested.” Bureau of Consumer Fin. Prot., Request for Information Regarding the Bureau’s Supervision Program, Docket No. CFPB-28-0004 (Feb. 12, 2018).

Monitoring Cash Flows: The Board, the CLO, and the CFO

Board responsibilities are complex and continue to grow, with directors being held accountable for the governance, oversight, and, if necessary, management of the organization. This evolution of board responsibilities is long-term and has been further intensified by the pandemic and the economic uncertainty facing organizations of all types today. The chief legal officer (“CLO”), the chief financial officer (“CFO”), and other senior officers join the chief executive officer (“CEO”) as those with the senior-most responsibilities from the management side in ensuring that proper governance, oversight, and management are occurring.

The recent, ongoing developments regarding the survival of certain banks, and perhaps even the future shape of the banking industry as a whole, stand as a testament to the fact that the CEO, CFO, and the general counsel (“GC”) and CLO must join with the board and others in focusing on operational and capital cash flows. Indeed, both the CEO and CFO were named as defendants in securities litigation arising from the failures of Silicon Valley Bank and Signature Bank. Too often, companies deemed to be healthy have not focused on cash flows, which are often the critical indicator of a company’s ability to survive. Troubled companies understand the importance of the cash flows—for some, unfortunately, when it is too late.

Case Study

Sophisticated businesses, large and otherwise, recognize the importance of tracking cash flows. One of the authors of this article served as the CFO of a diversified holding company that was the managing general partner of two sizable general partnerships. In each one, the other two general partners were major insurance companies. However, the experiences in a partnership setting are equally applicable to a corporate structure.

Each partnership met quarterly. An important component of these meetings was the CFO’s review and discussion of financial and operational results. Every one of these discussions focused on partnership cash flows—basically, the receipts and disbursements from the normal course of operations, investment income, capital expenditures, and other significant cash items. Cash was addressed comprehensively.

All of the partners agreed that this was more useful than reviewing the income statement because it avoided esoteric accounting entries, as well as footnotes that may be confusing and distracting. The cash data was much more understandable and gave a clearer picture of financial performance, a picture that was supported by money in the bank or other liquid assets.

These meetings were an exercise in highly effective governance. The general partner representatives were informed and involved, and their institution had “skin in the game.” They understood the business and recognized that the tracking of the cash flows was the most effective way to stay on top of the business. They designated to their respective internal audit staffs the responsibility for reviewing the accounting work of the managing general partner’s accounting staff and that of the partnership’s external auditor.

Cash Flow Emphasis: Can’t Be Overrated

Directors of any company, in any line of business, would do well to adopt effective techniques to improve their financial oversight. Continuous oversight and interpretation of cash flows by board and senior management are essential. Very simply, cash flows are the organization’s lifeblood.

Cash flows can be measured in an effective, timely manner; and, to repeat, cash data can be much more understandable and give a clearer financial picture than an income statement. The comparison of budgeted to actual receipts and disbursements often gives a much clearer financial picture than reported revenues and expenses and net income on a generally accepted accounting principles (“GAAP”) income statement. Discussions about the causes of cash flow variances can uncover problems and opportunities without the need for approximations or adjustments. The cash flows either did, or did not, occur within the particular time period.

Operational and capital cash flows are concrete results not easily subject to manipulation. Thus, they can serve as a safeguard against efforts to manipulate income through revisions in accruals or reclassifications of operating expenses to capital expenditures. They can also avoid misunderstanding of results that include unbudgeted, one-time charges or results that have been adjusted to exclude such charges.

Accurate cash flow information can also help to highlight possible weaknesses in controls and negative developments not readily apparent in income statement measures, as in a case where a strong, corporate emphasis on customer sales growth, combined with a relaxing of the company’s product financing and credit granting controls, may be increasing risk to an unacceptable level.

It should be noted that certain cash flow information can be very complex—for example, the statement of cash flows that is presented in GAAP. This cash flow information is viewed by some as arcane and difficult to understand. Further, it does not provide the useful insights of business unit receipts and disbursements.

Authority for Cash Flow Management and Cash Control

Who should be given the authority for budgeting the operational cash flows, tracking the actual cash flows, developing the variance reports, and providing explanations of the variances that occur? There are many options. However, an effective approach involves having the company’s operating units work with a centralized financial unit such as treasury, financial analysis, or accounting or some combination of these financial units. The board typically looks to the CFO to play a major role in structuring the team responsible for budgeting, measuring, and explaining cash flows. Both the internal auditor and the external auditor can provide input to the team and assist in ensuring accuracy.

Analytical Model

An analytical model, as shown here, aids in understanding and monitoring operational and capital cash flows. To analyze performance, such a model is developed and monitored for each business unit that generates cash flows. The model identifies basic requirements such as working capital, capital expenditures, and debt service and determines if cash flows will be adequate.

If operational cash flows do not provide enough for adequate working capital, do not fund budgeted capital expenditures, or do not cover the required debt service, the business operation is in the “crisis” zone. The options for the business operation are to “fix” or to “liquidate.”

A schematic shows that when cash flow for a business unit exceeds market capital requirements (risk-adjusted return on equity, basic capital requirements), a business unit is "performing," and any additional cash flow above market capital requirements can be used to invest and grow. If cash flow exceeds basic capital requirements (working capital, capital expenditures, debt service) but not market capital requirements, it is underperforming. If cash flow falls below basic capital requirements, the business unit is in crisis, and it is time to fix or liquidate.

Cash Flows: The Analytical Model.

The model also determines a risk-adjusted return on equity. When added to the basic capital requirements, this establishes the market capital requirements. As can be seen in the cash flows model, if the operational cash flows exceed the basic capital requirements but fall short of market capital requirements, the business operation is “underperforming.” While not in “crisis” mode, steps need to be taken to improve performance.

If the operational cash flows exceed the market capital requirements, the operation is in the “performing” zone. This shows an opportunity to invest and grow, pay down debt, buy back stock, or make cash distributions to equity holders.

This relatively simple presentation of cash flow data can give the board a solid understanding of whether its firm generates a positive cash flow and if its cash flow is adequate to meet present and future needs. This ability to monitor whether a firm is generating a sufficient cash flow will improve a board’s oversight and control system, in good times and bad. A board that understands the components of basic capital and market capital requirements, and how they are affected by cash flows, has considerable insight into the risks confronting the firm and can effectively address its oversight responsibilities.

Cash Control Activity

Cash control activity comprises two parts. The first involves managing the firm’s receipts and disbursements. The second involves monitoring the company-wide cash position.

Controlling a firm’s cash inflows and outflows involves monitoring the information and control reports that pass between the firm’s operations centers and its cash management center, and then the control reports that flow from the cash management center to senior financial management. To effectively monitor cash inflows and outflows, the firm focuses on the following: the varying liquidity requirements and forecasting difficulties facing the different operations centers, development and implementation of effective reporting guidelines, and the manner and frequency with which periodic variance reports are developed and transmitted.

Liquidity Requirements and Forecasting Difficulties

Any attempt at developing an effective cash control system must start with the varying liquidity requirements and forecasting difficulties of the firm. Different sectors of a firm often have different liquidity needs and face unique problems in developing their forecasts.

Good cash forecasts are built on the correct recognition of the amounts of inflows and outflows expected to take place, and when these are expected to occur. The various areas within the firm may be able to forecast the timing for these cash flows, but they experience difficulty in estimating the amounts involved.

Electricity and gas utilities are examples of firms with this type of problem. As winter and summer approach, forecasters must predict the weather conditions in order to determine the projected revenues and expenses in the forecasting period. The timing of the revenues does not pose much of a problem for these firms because most bill a certain percentage of their customers on each day during the month.

With flows for previous forecasting periods available, it is not difficult to accurately estimate the percentage of revenues expected at a point in time. The problem is estimating the total amount of revenues for the period. Similarly, the timing of major outflows is predictable, but the problem is forecasting the amounts (like revenues) that will be affected by actual weather conditions.

Senior financial management must have consolidated cash forecasts early enough to permit them to react to the problems forecasted. This leads to the requirement that the cash management center obtain the data from the areas within the firm responsible for forecasting early enough to permit the consolidation of the data. The different areas may require varying lead times, particularly those subject to volatile revenues based on uncontrollable factors such as weather, and those with foreign exchange exposure.

Timing of the cash forecasts depends on when the various areas are able to prepare their estimates and on the time required to consolidate them and prepare the other cash-related data. Once the reporting times are set, they must be observed. This is particularly critical in the early stages of implementing a cash control system.

Each area of activity within the firm is constantly confronted with operating pressures, making it difficult for the various areas to complete their forecasts on time. However, those responsible for this activity need to know that their forecasts are being used and are important to the well-being of the entire company. Also, the cash management center needs to respond immediately when the forecasts are not received on time. Those areas that are late should be contacted as soon as the deadline has been missed, with a follow-up in writing. A further method for enforcing the guidelines is to maintain a checklist of the times at which the forecasts are received and forward the checklist to senior financial management.

Company-wide Cash Flow Reporting Structures

Similar consideration must be given to shaping the guidelines for reporting the actual cash inflows and outflows. These guidelines must be realistic and recognize the constraints that each of the areas faces.

An important point in the reporting of the inflows and outflows is the tie between cash management and cash control. The same information required for the cash management center can also be used for cash control purposes. A basic structure is set out here.

A flow chart shows that in cash flow reporting, various operations centers communicate with finance/accounting via information flows and control reports; finance/accounting communicates with management via control reports; and management communicates with the board.

Reporting Relationships for Cash Flows.

Controlling the company-wide cash position requires the monitoring of all headquarters, division, and subsidiary bank accounts. Monitoring the headquarters-controlled cash position should be fairly straightforward because the cash management center is in constant communication with the headquarters’ accounting staff. Guidelines for maintaining the cashbook on each bank account, handling the support data, and reconciling the accounts are established in accordance with the requisites for internal control.

A means of monitoring non-headquarters-controlled accounts on a current basis must be developed. A weekly report indicating beginning and ending balances and total inflows and outflows along with monthly bank reconciliations permits timely monitoring of these accounts.

The importance of a firm’s cash flows has focused increased attention on the need for cash control systems. An effective cash control system enables the monthly, weekly, or daily monitoring of operation centers’ cash flows. This, in turn, creates an awareness of any unwarranted cash flow variances on a timely basis.

Cash Is King

Cash is “king” not only today—it has always been king.

One story that is often heard in financial circles describes the damage to a major firm whose board reviewed quarterly financial results with its sole focus on the income statement. The company’s board was told that operating income for the quarter was $490 million and was projected to increase to $525 million in the following quarter. According to this data, everything looked rosy, and no further questions were raised. However, the cash flow for the following quarter was projected to be a negative $475 million, a $1 billion difference. The firm filed for bankruptcy a few months later. Whether apocryphal or not, the point of the story is clear: ignoring cash flows can be dangerous for corporate health and bad for directors who should know better.

Understanding and monitoring cash flows is an important aid to boards in addressing their continually expanding responsibilities to oversee and direct their firms. Monitoring cash flows is an important tool in effective risk management, serves as a powerful check and balance on other forms of financial and operational reporting, and can aid in fraud detection. CFOs should coordinate the necessary financial and operational resources and take the lead in monitoring cash flows and, in doing so, create effective presentations to keep board members on top of the truest measure of a company’s finances—adequate cash flow. Also, CLOs can and should be an important check and balance regarding the existence and effectiveness of the cash flow management and control structure and their boards’ understanding and oversight of the structure.

Announcing the ABA’s 2021 European Private Target Mergers & Acquisitions Deal Points Study

As co-chairs of the American Bar Association’s 2021 European Private Target Mergers & Acquisitions Deal Points Study, published in early 2023, we thank all our friends and colleagues around the world (listed in the credits) who invested their time in providing responses to the online questionnaire, and those who double-checked the validity and consistency of data. This publication of the Market Trends Subcommittee of the ABA Business Law Section’s M&A Committee is a valuable resource reflecting the main trends observed in share deals targeting European businesses; it includes current data and comparisons with prior editions as well as with the US Private Target M&A Deal Points Studies.

Study Sample

The latest edition of the EU Study analyzes share purchase deals for acquisitions of privately held targets in Europe signed or completed in 2019, 2020, or 2021 that met the following criteria: (a) transaction value was at least EUR 15 million; (b) the transaction was a pure share deal; and (c) the target or a substantial part of its assets or operations were in Europe.

The deal points analyzed in the EU Study include Financial Provisions, Pervasive Qualifiers, Representations and Warranties, Covenants, Conditions to Closing, Indemnification Provisions, and Dispute Resolution Mechanism.

Unlike the US Private Target studies, which rely on publicly available transactional documents, the EU Study sample consists of sanitized share purchase agreements provided by working group members’ firms in Austria, Czech Republic, Denmark, Finland, France, Germany, Italy, Lithuania, Luxembourg, Norway, Portugal, Romania, Spain, Switzerland, the United Kingdom, and the United States. As acquisition deal documents are not generally publicly available in Europe, the contribution by working group members’ firms is key for the existence of the EU Study.

The study sample consisted of:

  • 106 acquisition agreements
  • subject to applicable law in 18 different jurisdictions – usually (in 75% of deals) the target’s jurisdiction
  • with transaction values ranging from EUR 15M to EUR 4.49B (median transaction value: EUR 41M)
  • for targets in a broad array of industries (the top three: technology, industrial goods & services, and healthcare)
  • with Corporate buyers representing a majority (51%), the remaining buyers being Financial (37%) and Entrepreneurial (11%).

How to Get a Copy of the EU Private Target Deal Points Study

All members of the M&A Committee of the Business Law Section received an e-mail alert on January 25, 2023, with a link to the study. If you are not currently a member of the M&A Committee but don’t want to miss future e-mail alerts, committee membership is free to Business Law Section members, and you can sign up on the M&A Committee’s homepage. ABA members who are not currently members of the Business Law Section can sign up to join on the Section’s membership webpage.

The published editions of the European Private Target Deal Points Study are available for download by M&A Committee members from the Market Trends Subcommittee’s Deal Points Studies page on the ABA’s website. Also available at that link are the most recently published versions of the other studies published by the Market Trends Subcommittee, including the US Private Target Mergers & Acquisitions Deal Points Study, Canadian Public Target M&A Deal Points Study, Carveout Transactions M&A Deal Points Study, and Strategic Buyer/Public Target M&A Deal Points Study.

The next edition of the EU Study is already in the making, to cover deals signed or closed in 2022 or 2023. We invite interested practitioners to reach out to participate.

GLBA or FCRA? Data Sharing Between Affiliates and Non-Affiliates

When an entity shares data outside of its organization, the following questions often arise: Does the FCRA or GLBA (or both) apply to the specific type of data sharing? And how do these laws impact a company’s financial privacy notices?

The answer to these questions comes down to the relationship between the Gramm-Leach-Bliley Act and its implementing Regulation P (GLBA) and the Fair Credit Reporting Act and its implementing Regulation V (FCRA), and the common financial privacy notice used to satisfy disclosure and opt-out requirements under both laws. To understand which law governs the particular data sharing at issue, the key questions to ask are: With whom are you sharing the data (affiliates or non-affiliates), and for what purposes?

Data Sharing with Non-Affiliates: GLBA

The GLBA requires that a financial institution provide a privacy notice to consumers: (i) prior to disclosing nonpublic personal information (NPI) about the consumer to any non-affiliated third party (outside of certain exceptions); or (ii) at or before the time that the institution enters into a continuing customer relationship with that consumer. Among other things, the notice must provide the consumer with the right to opt out of the disclosure of NPI to non-affiliated third parties. Stated another way, the GLBA only specifically restricts the sharing of NPI with a non-affiliated third party. In the financial privacy notice model form on the website of the Consumer Financial Protection Bureau (CFPB), certain categories of sharing relate specifically to the GLBA opt-out requirement and its exceptions. Namely, the model form lists these categories that discuss sharing:

  1. “For our everyday business purposes—such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus;”
  2. “For our marketing purposes—to offer our products and services to you;”
  3. “For joint marketing with other financial companies;” and
  4. “For non-affiliates to market to you.”

The financial institution must describe whether it shares each type of specific information under the above categories and whether the consumer can limit the sharing. The first three categories describe exceptions to the GLBA requirement, which means that a consumer does not have a federal right to limit those types of sharing (although opt-out rights may exist under state laws, and an institution also is free to offer a voluntary opt-out opportunity). Sharing under the fourth category (non-affiliate marketing) is subject to the GLBA opt-out requirement and affirmative opt-in requirements under certain state laws. Properly populating these categories is critical to maintaining GLBA compliance regarding when NPI may be shared with non-affiliates.

Data Sharing with Affiliates: FCRA

In contrast to the GLBA, the FCRA regulates sharing of information between affiliated entities. An “affiliate” is generally any company that controls, is controlled by, or is under common control with another company. Generally, whenever consumer information is shared between affiliates, the FCRA will come into play. However, understanding the type of information shared and for what purposes (i.e., marketing or non-marketing purposes) will determine how the information is disclosed in the notice and whether the consumer has a right to opt out of the sharing and/or use of such information. FCRA affiliate sharing and marketing rules impact the following sections of the financial privacy notice:

  1. “For our affiliates’ everyday business purposes—information about your transactions and experiences;”
  2. “For our affiliates’ everyday business purposes—information about your creditworthiness;” and
  3. “For our affiliates to market to you.”

Therefore, the first question is to assess whether the sharing is for an everyday business purpose or a marketing purpose. In the everyday business purpose context, the entity must next ask whether the sharing relates to “information about transactions and experiences” or “information about creditworthiness.” Both of these categories map to the FCRA’s definition of a “consumer report.”

Specifically, for purposes of “information about transactions and experiences,” a consumer report does not include any:

  1. report containing information solely as to transactions or experiences between the consumer and the person making the report; [or]
  2. communication of that information among persons owned by common ownership or affiliated by corporate control.

For purposes of “creditworthiness,” a consumer report does not include:

communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated amongst such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons.

Transactions and Experience vs. Creditworthiness

This means that if a financial institution wishes to share “transaction and experience” information with an affiliate, the financial institution must disclose that fact on the financial privacy notice, but does not have to give the consumer an opt-out right. If a financial institution wishes to disclose “creditworthiness” information with an affiliate in a manner that might otherwise cause the information to be considered a “consumer report” (i.e., for the affiliate’s everyday business purposes), the financial institution must disclose that fact on the financial privacy notice and provide the consumer with an opt-out right; otherwise, the financial institution risks being considered a “consumer reporting agency,” making it subject to a variety of burdensome regulatory requirements.

The FCRA itself does not provide clear guidance as to what constitutes “transaction or experience” information. However, the Federal Trade Commission, the former regulatory agency for the FCRA, explained in a 2011 staff report called “40 Years of Experience with the Fair Credit Reporting Act” (which, by the way, is an excellent FCRA resource) that:

[r]eports limited to transactions or experiences between the consumer and the entity making the report are not consumer reports. An opinion that is based only on transactions or experiences between the consumer and the reporting entity is also within the exception. For example, a creditor’s description of an account as “slow pay” would not be a consumer report if the description was based on the creditor’s own experience and did not come from a [consumer reporting agency].

The FTC also noted that a list provided by a creditor showing customers who have an account balance of $10,000 or more would be transaction or experience information. In contrast, any information beyond the reporting entity’s own first-hand transactions or experiences with a consumer would not qualify as transaction and experience, and the consumer would be entitled to opt out of such sharing to the extent that the information bears on the consumer’s creditworthiness or other personal characteristics, and is being shared in a manner that might otherwise cause the financial institution to be considered a consumer reporting agency. Moreover, application information “supplied by the consumer (including lists of [the consumer’s] assets and liabilities, and lists of the names of companies from whom the customer has purchased insurance and securities) is not the creditor’s ‘transaction or experience’ information because it includes the customer’s transactions with entities other than the creditor.”

Sharing for Marketing Purposes

In addition, if the sharing is for marketing purposes as opposed to everyday business purposes, specific rules under the FCRA will govern the use of such information. The FCRA provides that a regulated person may not use “eligibility information” about a consumer received from an affiliate to make a solicitation for marketing purposes to the consumer, unless:

  1. it is clearly and conspicuously disclosed to the consumer;
  2. the consumer is “provided a reasonable opportunity and a reasonable and simple method to ‘opt out,’”; and
  3. the consumer has not opted out.

Under the FCRA, when eligibility information is shared to make solicitations for marketing purposes, the entity must disclose the sharing and provide an opportunity for the consumer to opt out before the information may be used for marketing purposes. Note that this opt-out is separate from the opt-out provided when sharing occurs between affiliates for everyday business purposes.

At a broad level, “eligibility information” is defined to mean any information that would be a “consumer report” under the FCRA, but for the exceptions for “transaction and experience” information and information that is shared under the authority of the affiliate-sharing opt-out. Thus, it generally includes any written, oral, or other communication of any information that bears on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used (or expected to be used) or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for: (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other permissible purpose under the FCRA. However, note that eligibility information does not include “aggregate or blind data that does not contain personal identifiers such as account numbers, names, or addresses.”

Thus, when eligibility information is shared between affiliates for solicitation or marketing purposes, this sharing must be properly disclosed in the “affiliates to market to you” category on the notice, and the consumer must have a right to opt out of the use of such information for marketing purposes.

Conclusion

It can be difficult to grasp the nuances between the GLBA and FCRA and how the different categories of data sharing in the financial privacy notice relate to the requirements under each law. But understanding the interplay between these two laws is critical when sharing any consumer information, no matter who the recipient is.

Seven Tips for Better Technology Services Agreements

In a perfect world, all technology vendors would present their clients with balanced legal agreements that perfectly represent the commercial deal between the parties and fully meet the client’s business and legal requirements. Unfortunately, we don’t live in a perfect world, and experience has shown that some vendors are better than others at creating transparent and fair contracts. Based on my own experience, the following list may be helpful to counsel acting on behalf of users in negotiating technology services agreements.

1. RFPs and vendor proposals do matter.

If the client began the contracting process by issuing a Request for Proposal (RFP) and then awarding the deal to the winning vendor based on the vendor’s proposal, then it is critical to incorporate the vendor’s proposal in the contract by reference. This ensures that the extensive promises made by the vendor in its response to the RFP are actually included in the contract. This is not only fair to the client but fair to all the other proponents that were not chosen for the transaction. The winning vendor’s proposal is not supposed to be a marketing bluff: clients do rely upon the representations and promises made in such documents, and the successful proponent should be held accountable.

Unfortunately, some vendors do attempt to disavow their own proposals, even going so far as to say that their responses are not legal contracts and did not pass through the vendor’s own legal approval, and so cannot be incorporated into the final contract. This approach seemingly undercuts the trust process at the beginning of the relationship and strikes me as a red flag that the vendor may be acting unscrupulously and seeking to distance itself from the various commitments made in its proposal, potentially including pricing and other key assurances. If the client accepts this and decides to proceed with such a vendor regardless, it will be important for the client to scrupulously ensure that all of the critical components contained in the vendor’s proposal (and the requirements of the client’s RFP) are actually expressly included in the vendor’s contract, including those related to security/cyber resilience, location of vendor personnel, service levels, certifications, etc.

2. Read the SOW(s).

The Statement of Work (SOW) is the document that describes, in very plain and detailed language, the scope of the actual deliverables and services to be provided by the vendor, applicable project phases/timelines/milestones, pricing, the various responsibilities of the parties, any assumptions/dependencies, staffing, compensation to be paid by the client and any other salient business terms. Unfortunately, SOWs are often the place where some vendors try to reject critical legal and business terms otherwise contained in the main body of the services agreement, through the insertion of net new (and flatly contradictory) terms. This includes the repudiation of legal representations/warranties, the addition of different payment and termination provisions (and sometimes inclusion of robust termination fees), deemed acceptance provisions, attempts to override service levels, etc.

Equally problematic are SOWs that are poorly drafted with many capitalized and undefined terms, vague or no real vendor obligations (or merely commitments to define critical technological or other requirements after the SOWs are signed by the parties—what lawyers like to call “agreements to agree”) and no actual timelines/deadlines. While many lawyers are not comfortable drafting SOWs, it is a vast error not to have client-side tech lawyers do at least one review of the draft SOW before signing with a view to eliminating intentional or inadvertent language that contradicts the main legal document or otherwise undercuts it.

3. Understand the vendor’s services.

It is important for lawyers counselling clients in the tech space to understand which services/technology are under the control of the vendor in question, versus the portions that are under the control of the vendor’s own affiliates, or any third-party subcontractors of the vendor and other large outsourcing providers. Such an understanding is crucial from the perspective of the flow-down conditions that one should include in the technology services agreement. Vendors should be fully responsible (and liable) for the actions and omissions of their own affiliates and direct subcontractors, particularly in the areas of privacy, cybersecurity, and performance. However, it will be more difficult for vendors to make bespoke promises on behalf of larger vendors, such as Microsoft and Amazon.

Depending on their own regulatory/compliance requirements, some clients may wish to control whether the vendor can assign some of its rights and performance obligations under the relevant agreement to certain approved affiliates or control the use of subcontractors, i.e., only to those located in certain geographic locations/countries or control where their client/user data is being processed. All of this must be understood and documented in the technology contract signed by the vendor.

4. Use the right form of technology agreement.

There are multiple considerations concerning the form of the technology agreement. Firstly, some vendors use a cascade of interrelated and interdependent agreements to form their contract, so it is critical for client counsel to review all of them and understand their order of precedence to ensure that amendments are made to various documents as necessary.

Secondly, certain large vendors employ omnibus “one-size-fits-all” contracts that incorporate various international terms that are inappropriate for the particular transaction. These include global data protection agreements and services agreements that (inappropriately) reference and hold US and Canadian customers responsible for complying with European data protection laws, anti-corruption laws, anti-bribery laws, antislavery laws, export controls and other non-relevant provisions. Thus, clients should insist that their vendors use localized services agreements that contain appropriate terms regarding governing laws, jurisdictions, applicable data protection laws (including mandatory data/security breach notification provisions, including timelines) so that the client can satisfy its own regulatory and legal requirements. If localized versions of the services agreement are not available, then the client and its counsel should factor in the additional time required to negotiate the necessary amendments to make them so.

Lastly, the negotiated amendments must be appropriately incorporated into the overriding/master vendor document, as many standard vendor tech contracts contain a myriad of hyperlinks to ever-changing standard form agreements located on the vendor’s website that would override and contradict these carefully negotiated amendments. Be especially careful to ensure that the relevant Order Form/document specifically references the amended Master Services Agreement and related Exhibits rather than boilerplate standard form terms.

5. Open-source licenses are real agreements, and compliance matters.

While I am a proponent of the use of open-source software (OSS) in technology offerings, I remain dismayed by those vendors that deny their usage of OSS, or otherwise plead ignorance that such OSS is governed by actual OSS licenses, each with their own legal requirements and compliance obligations. While litigation involving OSS is relatively rare, it does occur, as evidenced by the recent 2022 case Software Freedom Conservancy Inc. v. Vizio Inc. In this decision, the US District Court for the Central District of California confirmed that the Software Freedom Conservancy could proceed on a breach of contract claim against product maker Vizio for using OSS (licensed under the GNU General Public License Version 2 and the GNU Lesser General Public License Version 2.1) in violation of those agreements, confirming the validity of OSS agreements as both copyright licenses and as contractual agreements, each with separate remedies. In other words, OSS licenses are real legal agreements.

Accordingly, if the vendor does use OSS, its technology contracts should contain explicit representations and warranties that confirm the vendor’s usage of such OSS complies with the applicable OSS licenses that govern such code on an ongoing basis to ensure that the client is not in breach of any such OSS licenses through its use. Moreover, client counsel should also seek an indemnity from the vendor if such vendor is in breach of any applicable OSS license, uses any incorrect OSS license or incorrectly combines them in a way that makes the client susceptible to any damages/claims.

6. Future-proof your technology agreement as much as possible.

Technology contracts exist in a rapidly changing environment, and it is important to recognize that the tech transaction does not end at contract execution. As much as possible, tech contracts should be drafted in ways that ensure critical terms remain relevant during the life of the agreement. References to crucial privacy and other legislation should contain language that may be amended or replaced. References to intellectual property representations/warranties and indemnities should not refer to patents that were granted at the date of the agreement’s execution, but instead should be ongoing. The contract should also allow for parties to manage technological change through provisions regarding change management and should contain appropriate governance provisions for ongoing monitoring of performance, and periodic re-evaluation and adjustments, if required, to service levels and other mutually agreed service considerations.

Other recommended provisions include informal and formal dispute resolution, and scheduling periodic meetings with the vendor to get insight as to new product roadmaps, development, etc. While this may make the contract longer, it is worth it if the agreement provides an appropriate vehicle to further manage customer risk, forestall commercial disputes and account for necessary changes during the life cycle of the business arrangement.

7. Anticipate and manage the exit.

Lastly, all good things must come to an end, and tech agreements are notorious for ignoring the exit, as the parties don’t want to deal with the prospective divorce during the “honeymoon” phase of negotiating the original contract. However, preparing for an orderly and smooth exit is a critical concern for most clients, especially those that may become heavily dependent on their vendor. If the client anticipates it will require a wind-down phase to transition off the vendor’s services and seek a replacement provider, then they must build this requirement into the contract, including the length of the termination assistance period, any changes to the services, the fees for such termination assistance services (if different from the standard fees), whether a transition assistance plan is required, and any limitations that could impact the client’s right to obtain such ongoing services.

The return of customer data, including timing, format, and any related costs, should also be addressed, as well as any ongoing right of the vendor to use client data post-termination/expiration, including client-generated data, even in any anonymized/de-identified form. Clients should also ensure through their legal agreements that customer data is never “held hostage” in the event of any fee disputes or otherwise. The tech contract should also robustly address the secure destruction/deletion of all client data and any other critical exit-related terms, including which limited provisions of the agreement (representations/warranties, limitations of liability, indemnities, confidentiality, audit rights, etc.) should survive termination/expiration of the agreement (and for how long). There should be no surprises.