As part of the 2021 National Defense Authorization Act, small businesses will now need to comply with the new Corporate Transparency Act (CTA). This is meant as an additional preventative measure against money laundering and funding of terrorist organizations.
Small business owners will need to provide basic identifying information and comply by January 1, 2022. It’s important to comply as the penalties are significant and raise daily until the information is provided. Don’t forget to put this new requirement on your calendar!
This is a guest post by Laura Sims of PilieroMazza PLLC.
On January 1, 2021, Congress enacted the 2021 National Defense Authorization Act. In an effort to strengthen the fight against money laundering and the funding of terrorist activities, it included broad amendments to the U.S. Anti-Money Laundering Act, the most significant of which was the Corporate Transparency Act (CTA).
The CTA will greatly impact the way businesses are formed and how they operate, and it will require regular reporting practices that businesses need to prepare for before the CTA takes effect. Below are five fundamentals of the CTA that small businesses need to understand now.
1. What is the CTA?
The CTA is legislation that requires privately held U.S. businesses to report certain identifying information for all beneficial owners of such businesses to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). The CTA was passed to identify and prevent formation of shell companies with no legal U.S. connections that were created solely for illicit financing purposes, including money laundering and terrorist organization funding.
To provide greater transparency into who owns and controls small businesses in the U.S., the CTA will require each beneficial owner of qualifying entities to report his or her full name, date of birth, current address, and unique identification number, such as social security number, passport ID number, or driver’s license ID number, to FinCEN, unless exempt. Under the CTA, a “beneficial owner” is any individual who directly or indirectly owns or controls at least 25% of the ownership interests of, or exercises substantial control over, a qualifying entity.
Some of the individuals exempt from beneficial owner reporting include:
- Creditors of entities unless the creditor independently qualifies as a beneficial owner;
- Employees of entities if the “control” over the entity is based solely on their employment status;
- Minor children, if their parent / guardian information is reported; and
- Those who own or control interest in an entity solely through inheritance.
2. Who is subject to the CTA?
All privately held business entities either formed or registered to do business under the laws of any State or jurisdiction in the U.S., unless exempt, will be subject to the CTA reporting requirements.
A few examples of exempt entities include:
- Non-profit organizations;
- Publicly traded companies, banks, credit unions, and other financial institutions heavily regulated by government agencies, such as the Securities and Exchange Commission; and
- Companies with over twenty (20) full-time employees with reported gross receipts or sales over $5 million on the previous year’s tax returns and an operating physical office address in the U.S.
3. When does it go into effect?
The start date for reporting requirements under the CTA are tied to when the Treasury adopts regulations under the CTA, which must take place no later than January 1, 2022. All qualifying U.S. business entities formed after the regulations are adopted will be required to report at the time of formation.
Qualifying business entities formed before the regulation adoption date will be required to submit reports no later than two (2) years after the regulation adoption date. All businesses, whether formed before or after the regulations are adopted, will be required to update any change in their previously reported information within one (1) year of such change.
4. How will this affect businesses?
The most obvious answer is that qualifying entities will need to completely and correctly submit required beneficial owner information to FinCEN within the applicable reporting window and ensure that any changes in the previously reported information are updated in a timely manner. In many instances, business entities will need to start collecting the required information from beneficial owners well in advance of the reporting deadline.
All qualifying entities will need to build beneficial owner information collection into their regular operations with the realization that, where there are multiple qualifying beneficial owners, the reporting and update deadlines might be logistically burdensome. Similarly, future business transactions, such as mergers and acquisitions, may need to include additional due diligence and representations and warranties specific to a target entity’s CTA reporting.
5. Why is it important, and what should you do to prepare?
Under the CTA, failure to report beneficial owner information, reporting incorrect information, or failure to update previously reported information will have serious consequences. These may include civil penalties up to $500 per day until the violation is corrected, as well as criminal fines up to $10,000 and imprisonment up to two (2) years.
While CTA regulations are not mandated until January 1, 2022, business entities should stay informed about regulatory insights released before the regulation adoption date to ensure that all required information is properly collected and submitted when reporting is due.
Finally, there are still ambiguities in several critical aspects of the CTA, including how ownership and control will be determined, as well as what the reporting requirements will be for certain partnerships and trusts. Because of these ambiguities, privately held business entities should work with legal counsel in advance of the CTA regulation adoption to fully understand whether they will be subject to the reporting requirements, and if so, what those reporting requirements will be.
If you have questions about how the CTA could impact your business or would like to learn more, please contact Laura Sims, the author of this blog, or any member of PilieroMazza’s Business & Transactions Group or Corporate and Organizational Governance Group.
This post originally appeared on the PilieroMazza blog at https://www.pilieromazza.com/5-fundamentals-of-the-corporate-transparency-act-impacts-on-small-businesses/ and was reprinted with permission.
Note from John: Seems like every time I have a conversation with another colleague or company the topic of CMMC comes up. The Cybersecurity Maturity Model Certification is not going away…for many good reasons. As defense contractors we have to protect our assets, resources and those of our clients. It is in OUR best interest. Here is another great article from Jason Miller.
This is a guest post by Jason Miller, executive editor, Federal News Network.
Let’s set the record straight: The Cybersecurity Maturity Model Certification, or CMMC, accreditation body is not part of the Defense Department.
Of all the misconceptions out there about CMMC, Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross, Blue Shield, said that is the one he hears the most.
So 18 months into the CMMC development and roll out, Golden said industry and agencies still need to grasp why this initiative matters so much.
“We’re losing a lot of intellectual property as a country to our adversaries through gaps in cybersecurity practices and maturity throughout the supply chain. And right now, that’s focused on DoD supply chain, but it will very quickly go out,” Golden said in an interview. “If you look at the Air Force, Navy, Marine Corps F-35 aircraft, and then you look at the Chinese J-31 aircraft, and you wonder why those airplanes look exactly the same? You wonder how that happened. That’s the problem we’re trying to fix.”
Golden said the idea behind CMMC, and supply chain security more broadly, is changing one company’s culture at a time.
“As each company does their assessment, they’re going to get a little bit better. And hopefully, the next time they have their next assessment, they’re going to be a little bit better,” he said.
“We’re just going to slowly change the culture, where companies are going to start looking at cyber the way they look at human resources. Most people that start a company are not experts on local, federal and state labor laws. So what do they do? They hire an expert to help set up a HR office to handle all that stuff for them to do everything right to keep them out of jail. Cyber has got to be seen as the same thing. It’s just part of doing business in the modern global enterprise. What we’re trying to do is we’re trying to get the point where people don’t forget about it or whitewash it or whatever the case is, but actually take it seriously as a part of doing business.”
That culture change has to happen with just more than defense industrial base companies. This is why the Department of Homeland Security and the General Services Administration are starting to consider how they can use CMMC.
Click the link below to read the full article and listen to Jason’s interview with Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross, Blue Shield: https://federalnewsnetwork.com/cybersecurity/2021/02/cmmc-changing-culture-one-company-at-a-time/.
Note from John: The VA’s role in certifying veteran-owned small businesses seems to be gone and the transfer of that role to the SBA appears to be underway. This really makes sense as they are the entity that certifies all the other socio-economic programs such as 8(a), HUBZone and ED/WOSB.
Once the process is put into place I’m hopeful this will help streamline the process for new companies to get certified. Those companies that are currently self-certifying will have one year from the Go Live date to apply for the certification. After that date the self-certification is not valid even for Government requirements outside the VA.
This is a guest post by Steven Koprince of Koprince Law LLC. It was originally published on Dec 4, 2020, and the 2021 NDAA was signed into law on Jan 1, 2021.
The House and Senate have agreed to eliminate service-disabled veteran-owned small business self-certification and adopt a government-wide SDVOSB certification requirement, while transferring control of the certification process from the VA to the SBA.
The Conference Report on the 2021 National Defense Authorization Act would require government-wide SDVOSB certification (eventually) and transfer control of the Center for Verification and Evaluation from the VA to the SBA. Assuming the President signs the bill into law (which, unlike the typical NDAA, remains to seen), SDVOSB self-certification–which is still the law for non-VA contracts–is on its way out.
If you’re not the sort to read an entire National Defense Authorization Act, you can skip right to Section 862, where the SDVOSB changes are set forth. Here are some of the most important pieces of Section 862:
- Government-Wide SDVOSB Verification Won’t Happen Overnight. The 2021 NDAA calls for the certification requirement to kick in “2 years after the date of enactment of this Act.”
- The SBA Will Be in Charge. Under the 2021 NDAA, the SBA, not the VA, will run the Government-wide SDVOSB certification program. The VA’s Center for Verification will be abolished and its functions transferred to the SBA. This move makes sense, given that the SBA runs all of the other Government-wide socioeconomic programs, and that SBA judges already provide oversight over SDVOSB and VOSB applications. The VA, however, will continue to determine whether an individual qualifies as a veteran or service-disabled veteran.
- Self-Certified SDVOSBs Get a Grace Period. The 2021 NDAA says that once the program goes live (an event the bill calls the “transfer date”), a self-certified SDVOSB will have one year to file an application for certification. If the application is filed within the one-year period, the company can continue to rely on its self-certification for non-VA contracts until the SBA makes a decision on the application. Failing to apply within one year, however, will render the self-certification invalid.
After the grace period ends, self-certified SDVOSBs will no longer be eligible for set-aside and sole source contracts, government-wide. The 2021 NDAA adds this language to the Small Business Act:
A contracting officer may only award a sole source contract to a small business concern owned and controlled by service-disabled veterans or a contract on the basis of competition restricted to small business concerns owned and controlled by service-disabled veterans if such a concern is certified by the Administrator as a small business concern owned and controlled by service-disabled veterans.
So there you have it: under the 2021 NDAA, government-wide SDVOSB certification will happen, and the SBA will take control of the certification (not “verification,” anymore) program. As I alluded to earlier, the President has threatened to veto the 2021 NDAA for reason unrelated to SDVOSB certification. But even if Congress accedes to the President’s requests, it seems unlikely that Section 862 is going away. Our best bet is that it becomes law in the next several weeks.
This post originally appeared at https://smallgovcon.com/service-disabled-veteran-owned-small-businesses/congress-approves-government-wide-sdvosb-certification-requirement-transfers-cve-to-sba/ and was reprinted with permission.
Note from John: This is potentially huge news for the small business community. In recent years, the government has often put new or existing requirements directly onto a multiple-award large business IDIQ contract vehicle without doing an analysis to see if there are two viable small business entities capable of providing those services. This COFC finding mandates that the government do a Rule of Two analysis prior to moving the requirement onto the large business IDIQ. This will provide more opportunities for us…possibly many more.
This is a guest post by Nicole Pottroff of Koprince Law, LLC.
The United States Court of Federal Claims (COFC) has ruled that an agency has to conduct a small business Rule of Two analysis before it can use an existing multiple-award indefinite delivery indefinite quantity (MAIDIQ) contract vehicle to procure services. This is a landmark decision, given that GSA Schedule contracts are exempt from the Rule of Two.
The COFC’s decision in Tolliver Grp., Inc. v. United States, No. 20-1108C, 2020 WL 7022493 (Fed. Cl. Nov. 30, 2020), arose out of the Department of the Army’s decision to cancel two General Services Administration (GSA) Federal Supply Schedule (FSS) support staffing solicitations, which were 100% set aside for service-disabled veteran owned small businesses (SDVOSB). The solicitations sought fire support specialists training services for the Fires Center of Excellence field artillery school at Fort Sill. The Army had previously procured these services through a long-term omnibus MAIDIQ contract.
The Army first awarded the solicitations to two SDVOSBs. But it subsequently cancelled the solicitations and the awards for the purpose of transferring the work to an existing MAIDIQ. According to the Army, this Training Management Support (TMS) MAIDIQ would “provide a potentially better procurement vehicle for this requirement” than the GSA FSS contract.
Two SDVOSBs brought this lawsuit under the Tucker Act, arguing that the Army’s actions violated two laws: (1) the Administrative Procedure Act (more on that issue in an upcoming blog); and (2) the Rule of Two (the subject of this blog). Specifically, the plaintiffs argued that the Army violated the Rule of Two by “mov[ing] the unchanged requirements to the New Ft. Sill IDIQ, where only large businesses are eligible for award[.]”
The court explained:
The Rule of Two . . . is straightforward, and provides that the contracting officer shall set aside any acquisition over the simplified acquisition threshold for small business participation when there is a reasonable expectation that – (1) Offers will be obtained from at least two responsible small business concerns; and (2) Award will be made at fair market prices.
According to the court, the Army did not dispute that there were “at least two responsible business concerns capable of performing the work at fair market prices, or that, in general, the Rule of Two is mandatory.” The Army, instead, argued that the Small Business Act and the FAR gave it the discretion “to make use of a multi-award contract without first conducting a rule of two analysis to determine whether the task order should be set aside for small business.” The Army cited the following statutory language:
Federal agencies may, at their discretion:
(1) set aside part or parts of a multiple award contract for small business concerns . . . ;
(2) notwithstanding the fair opportunity requirements under section 2304c(b) of title 10 and section 4106(c) of title 41, set aside orders placed against multiple award contracts for small business concerns. . .; and
(3) reserve 1 or more contract awards for small business concerns under full and open multiple award procurements . . . .
The Army also cited the FAR clause for “[p]artial set-asides of multiple-award contracts[,]” which similarly says that “contracting officers may, at their discretion, set aside a portion or portions of a multiple-award contract” under certain circumstances.
Based on these sources, the Army argued that, since it “exercised its discretion not to set-aside any portion of the TMS MAIDIQ scope or any of the TMS MAIDIQ‘s contract awards for small business,” it could now “utilize the TMS MAIDIQ for any acquisition – and avoid the Rule of Two – so long as the contemplated scope of work is within the TMS MAIDIQ’s scope.”
But the court rejected this “sweeping inference.” The FAR and Small Business Act provisions the Army cited, instead, tell the agency “how a multiple award contract may be structured or how a task order competition under a multiple award contract may be competed.” They do not address whether the agency may ignore the Rule of Two simply because the agency prefers to use a MAIDIQ that already has been awarded. As the court explained:
[T]he fact that an agency has the discretion to partially set-aside “a portion” of a multiple award contract for small business does not lead to the ineluctable conclusion that having decided not to engage in a partial set-aside, an agency may thereafter dispense with the Rule of Two. The latter does not follow from the former. To the contrary, the grant of discretion applies even where the Rule of Two does not require a set-aside, but the grant of discretion does not somehow, by negative implication, eliminate the Rule of Two requirement.
As such, the court concluded that “[t]he Rule of Two unambiguously applies to ‘any’ ‘acquisition,’ FAR 19.502-2, without any loophole for MAIDIQ task orders.” The court noted, “where the FAR intends to make the Rule of Two entirely inapplicable to the selection of a particular procurement vehicle, the FAR knows how to do so,” and it cited FAR subpart 8.4, which expressly exempts FAR Part 8 FSS procurements from the Rule of Two requirements. The indefinite delivery contract regulations in FAR subpart 16.5, however, do no such thing.
Because there was no legal exemption from the Rule of Two for MAIDIQs, the court turned to the specific question of “whether the agency has any obligation to apply the Rule of Two to a particular scope of work that is covered by the scope of an already-issued multiple-award contract” before it can leverage the existing MAIDIQ.
To this, the court answered “yes.” Interestingly enough, its decision was actually based on a GAO decision, LBM, Inc., B-290682, where GAO found that the “Army violated FAR § 19.502-2(b) when [it] did not consider continuing to acquire the Fort Polk motor pool services under a total small business set-aside[.]” GAO’s decision there–and therefore, the court’s decision here–centered around the definition of an “acquisition.” The FAR defines an acquisition as:
the acquiring by contract with appropriated funds of supplies or services (including construction) by and for the use of the Federal Government through purchase or lease, whether the supplies or services are already in existence or must be created, developed, demonstrated, and evaluated. Acquisition begins at the point when agency needs are established and includes the description of requirements to satisfy agency needs, solicitation and selection of sources, award of contracts, contract financing, contract performance, contract administration, and those technical and management functions directly related to the process of fulfilling agency needs by contract.
According to GAO, the purchasing of services with appropriated funds in LBM was an acquisition, “regardless of the fact that the agency anticipated acquiring those services through their transfer to the [IDIQ] scope of work.” GAO said, “[h]ad the agency complied with the requirements of [the Rule of Two], it might have concluded that the [IDIQ] contracts were not the appropriate vehicle for this acquisition.” Thus, GAO concluded that “the agency’s intent to use a task order under [a multiple award contract] as the contract vehicle did not eliminate the legal requirement that the agency undertake that analysis.”
The COFC followed suit, stating:
The bottom line from this Court’s perspective is that the cancelled solicitations at issue here are themselves acquisitions. The government’s identification of a need – of a scope of work – that it must procure itself begins an acquisition. Accordingly, we view the identification of the continued need for [the two solicitations’] requirements as either part of in-process acquisition or a new acquisition.
According to the court, either way the acquisition is viewed, the Rule of Two applies. The court said, even if the Army had “satisfied its small business set aside obligations with respect to the TMS MAIDIQ acquisition in 2018,” that did not mean that it also satisfied those obligations with respect to the acquisitions of the requirements set forth in the 2020 solicitations. The court said:
In sum, the government’s failure to apply the Rule of Two prior to deciding to cancel the solicitations at issue is fatal to that decision, whether because that failure undermines the central rationale of the cancellation decision or whether because the decision to move the work to the TMS MAIDIQ prior to conducting a Rule of Two analysis constitutes an independent violation of law.
In the end, the COFC enjoined the agency from cancelling the solicitations and transitioning the work to the MAIDIQ (or to any other procurement vehicle) without first complying with the Rule of Two.
This is truly a landmark decision by the COFC–with the potential to affect a multitude of federal contracts. Especially of late, we have seen many federal agencies attempt to shuffle new requirements to existing IDIQs, often to simplify their acquisition procedures or avoid certain rules or litigation. At least now, those agencies will not be able to escape the small business Rule of Two in doing so.
This post was originally published on the SmallGovCon blog at https://smallgovcon.com/u-s-court-of-federal-claims/cofc-says-agency-must-consider-rule-of-two-before-using-multiple-award-idiq-contract-vehicle/ and was reprinted with permission.
While many federal agencies have already increased the thresholds for micro-purchase and simplified acquisition via deviations, the FAR has officially been updated as well. Effective August 31, 2020, the FAR has solidified the following thresholds:
- $10K for micro-purchase (previously $3,500)
- $250K for simplified acquisition threshold (previously $150K)
The increase to the simplified acquisition threshold should help small businesses, and here’s how: Purchases above the micro-purchase threshold, but not over the simplified acquisition threshold, shall be set aside for small business if two or more small firms are expected to compete. See FAR 19.502-2.
How can you leverage this rule to your advantage?
Micro-purchases or simplified acquisition threshold are ways in which smaller dollar amount contracts can be accomplished without any competition. These situations are perfect for new, emerging small businesses.
Opportunities exceeding these limits have to go according to the regular FAR guidelines and do a regular acquisition (competition), unless you can do something with a set-aside that gives you a sole source. Government requirements falling within these dollar value limits can even be awarded to large businesses.
There are some rules and regulations that must be considered, for example, you can’t do 10K a hundred times to support a $1,000,000 requirement but you can do 10K and even some renewals, etc.
Fundamentally this applies to something small, e.g., you’re going to send a couple employees in for a week of analysis and they can give you a sole source for $10,000 to do that easily.
For larger but still small increments up to $250K, there is a SAP (simplified acquisition procedure) FAR 19.502-2 explanation. That work that might only be a small amount to most big contracts, but it’s a way to get your foot in the door and get started, and you can do that on a sole source basis under the simplified acquisition rules.
So certainly anyone who’s starting out, this is a way to get business directly for yourself. You have to go look at the rules and understand them, but the point is you can get a $10K purchase order directly, straight up, no competition, and these $250K ones with certain rules and regulations, and under certain conditions.
Section 874 of NDAA 2020, Post-Award Explanations for Unsuccessful Offerors for Certain Contracts, “requires the FAR to be revised within 180 days to require that contracting officers provide a brief explanation of award, upon written request from an unsuccessful offeror, for task order or delivery order awards in an amount greater than the simplified acquisition threshold and less than or equal to $5.5 million issued under an indefinite delivery-indefinite quantity contract. Currently, offerors are only entitled to a debriefing after award of an order exceeding $5.5 million.” – Megan Connor, PilieroMazza
So what does this mean for us? Here’s what makes this important. Last year in the FAR rules, a detailed debrief of your losing proposal had to be made only if total value of the award exceeded $5.5 million.
If it was less than $5.5 million, under those old rules, you weren’t entitled to anything. They literally didn’t have to even give you the time of day. All they’d tell you is that XXX company won, not you. No explanation of what you did wrong or right. Hopefully you have all taken advantage of this rule change on every source selection this past year. If not, I suggest you add the request for a debrief into your standard process when an award notification (win or loss) is made.
The revised rule states anything above the simplified acquisition threshold from $250K to $5.5 million now may provide you a brief explanation of award. You do have to request this and you should ALWAYS ask for it immediately after you receive the notice.
The result is usually just a paragraph or two. It might be something like, “the offeror’s proposal was judged acceptable but not more than acceptable,” or it could say, “we awarded it to the lowest bidder.”
This rule means you will get more explanatory results from your IDIQ task order bids and useful information for that next proposal. I hope you have taken advantage of this.
This is a guest post by Haley Claxton of Koprince Law LLC.
Recently, GAO published a report on small business subcontracting plan compliance, concluding that agency oversight of these plans need improvement.
As many of our readers know, some federal contracts require large business prime contractors to utilize small business subcontractors under a small business subcontracting plan, as described in FAR 52.219-9. For context, in 2019, federal agencies “awarded more than 5,000 contracts requiring a small business subcontracting plan, and obligated more than $300 billion to contracts with required small business subcontracting plans.”
If a small business subcontracting plan is in place, contractors are required to report on any subcontracting achievements and make a “good-faith” effort to keep to the plan. In addition, some regulations and procedures require contracting officers to review the subcontracting plan before or after award to make sure certain information is included in the plan. Agencies are also required to provide SBA Procurement Center Representatives (or PCRs) the opportunity to review the proposed contract and associated subcontracting plan.
After a contract is in place, the FAR requires contracting officers to ensure that subcontracting reports are submitted via the eSRS web platform within a certain amount of time. Contracting officers must then review and decide whether to accept these reports. In addition to reviewing the reports, agencies are also required to perform annual evaluations of all contractor performance though CPARS (the Contractor Performance Assessment Reporting System). One aspect of the annual CPARS evaluation, where applicable, is compliance with the contractor’s small business subcontracting plan.
Despite the amount of oversight agencies appear to have over contractor compliance with small business subcontracting plans on paper, some folks at the Department of Defense were concerned about how much actual oversight agencies were providing to ensure contractors complied with their plans. Thus, GAO looked into how four representative agencies (the DLA, the Navy, GSA, and NASA) provide oversight. It found that the DoD was right to be concerned.
First, GAO looked to pre-award procedures for reviewing subcontracting plans. It found that COs from all four representative agencies reviewed and approved subcontracting plans as required in most, but not all, cases. More problematically, however, the “[a]gencies also could not demonstrate they followed procedures related to PCR reviews in about half of the contracts reviewed.” Put differently, most of the time, the SBA wasn’t involved in reviewing subcontracting plans before contract award, as required.
Next, GAO turned to agency overview of contractor compliance with their subcontracting plans post-award. GAO found this overview was pretty “limited.” Even though each representative agency did offer some amount training to contracting officers on subcontracting plans, GAO found that these contracting officers did not ensure contractors met their reporting requirements in most of the reviewed contracts. In addition, even where reports were submitted as required, many were not reviewed in the manner anticipated.
As a result of its investigation, GAO offered ten recommendations for the reviewed agencies and the SBA. These recommendations are outlined here, but in summary, they ask the relevant agencies to make sure they have steps in place to ensure appropriate review of subcontracting plans and contractor compliance with those plans.
Overall, an increased focus on compliance with subcontracting plans is likely to have an effect on many contractors–hopefully ensuring more contracting dollars go to small business subcontractors. For more on small business subcontracting plans, check out our related blog posts here.
This post originally appeared on the SmallGovCon blog at https://smallgovcon.com/statutes-and-regulations/room-for-improvement-gao-reviews-agency-oversight-of-small-business-subcontracting-plans/ and was reprinted with permission.
This is a guest post by David T. Shafer and Emily J. Rouleau of PilieroMazza PLLC.
Despite requests for delay due to COVID-19, California Attorney General Xavier Becerra has affirmed that enforcement of the California Consumer Privacy Act (CCPA) has started, effective July 1, 2020. The CCPA is a huge step forward in data privacy law, granting California consumers robust data privacy rights and increased control over their personal information. Previous PilieroMazza coverage of the CCPA can be viewed here and here.
While the CCPA has been in effect since January 1, 2020, companies that do business with California consumers will now risk penalties for noncompliance. Below is key information for companies seeking to ensure CCPA compliance and to avoid enforcement action.
Approval of Final Regulations
The Office of the California Attorney General submitted the final proposed CCPA regulations package to the California Office of Administrative Law (OAL) on June 1, 2020, for review. OAL has 30 working days, plus an additional 60 calendar days to review the package.
Once approved, the final regulation text will be filed with the Secretary of State and become enforceable by law. OAL is not expected to make significant changes to the regulations, so a full analysis of the rule will likely be necessary for the creation and implementation of a robust CCPA compliance program.
To understand whether or not you are subject to potential enforcement,, first determine if you fall within CCPA’s compliance criteria. Critically, the statutorily defined terms “consumer” and “personal information” are far broader than comparable statutes and regulations found in other jurisdictions, though that itself is currently the subject of debate in many state legislatures.
The enlargement of these terms causes CCPA’s jurisdiction to be larger than it appears on the face of the statute. Below are certain high-level questions that can help a business determine if it meets certain threshold standards:
- Do you, or any of your subsidiaries or affiliates, engage in business in California?
- Do you do business with contacts or employees who reside in California?
- Does your business have over $25 million in annual gross revenues?
- Does your business buy, sell, or receive personal information?
If you fit certain initial criteria, we recommend identifying the type of personal information your business collects. As briefly mentioned above, CCPA broadly defines personal information as any information that directly or indirectly identifies, describes, or can be reasonably linked to a particular consumer.
CCPA grants consumers significant rights to the use of their personal information, including general notice rights. It is here that companies can take proactive steps to prepare for CCPA’s implementation.
More specifically, CCPA grants consumers the right to know what personal information a business collects, sells, or discloses about them. Additionally, several sections of CCPA require businesses to make affirmative disclosures to consumers by way of privacy policies and other notices.
With the expiration of CCPA’s safe harbor and subsequent July 1, 2020 enforcement, steps that can be immediately taken may include, but are not limited to, the following:
- updating notices and privacy policies;
- reviewing data flows including data mapping and classification;
- segregating data and IT systems between regulated and non-regulated data repositories;
- implementing cookie banners and web beacons in accordance with CCPA-compliant privacy policies;
- implementing individual request processes (including opt-out and deletion); and
- implementing training to meet CCPA’s new requirements.
What to Watch
The California Secretary of State recently announced that the California Privacy Rights Act (CPRA) will be on California’s November 3, 2020, ballot. If approved by voters, the CPRA would significantly update and amend the CCPA, allowing California consumers to block businesses from using a new category of information known as “sensitive personal” information and establishing a new enforcement authority to protect data privacy rights.
PilieroMazza’s attorneys will continue to monitor the CCPA, along with legal developments for data privacy in other states. For assistance with CCPA implementation in your business, please contact the authors of this client alert, Dave Shafer and Emily Rouleau, or a member of the Firm’s Cybersecurity & Data Privacy Group.
This post originally appeared on the PilieroMazza website at https://www.pilieromazza.com/california-consumer-privacy-act-enforcement-effective-july-1/ and was reprinted with permission.
Section 872 of the 2020 NDAA makes many notable changes to the Department of Defense’s (DoD) Mentor-Protégé Program. Besides permanently authorizing the program, Section 872 required DoD’s Office of Small Business Programs to establish performance goals and periodic reviews to be submitted to the congressional defense committees by February 1, 2020. This serves to improve outcomes, define expectations, and set measurable goals for the DoD Mentor-Protégé Program going forward.
Notably, Section 872 changes the definition of a “disadvantaged small business concern” to align with how small businesses are defined in other programs. To be considered small, the original definition required a business to have “less than half the size standard corresponding to its primary North American Industry Classification System code.” The new definition states that a disadvantaged small business concern must not exceed the size standard corresponding to its primary NAICS code.
Note that this change has already been approved and signed by the President, and applies to fiscal year 2020, ending in September 2020.
In spite of the fact that this seems like a trivial matter, it is important to understand that unlike mentor-protégé programs in other departments, the DOD program has a healthy budget (typical agreements of $750,000 to $1M or $2M) that can in fact get passed through the mentor for the benefit of the mentor-protégé partnership, i.e., mostly the protégé.
The important thing to understand is that this allows the DOD to pay the mentor for money that is used by the mentor-protégé agreement in ways that benefit the protégé in the future. Because this is a money granting program, it’s authorized not in annual increments (though it’s still budgeted annually), but in multiple-year increments.
As noted above one of the changes with reauthorization was an alignment of the definition of small businesses with other definitions in other classification systems like NAICS codes. If those definitions are different you could be small in one place and not small in another.
One of the interesting things about this legislation is that the new definition says you cannot exceed the size standard of the primary NAICS code but doesn’t say how much work must be in that code.
Why is that important? At TAPE, for example, we have work in three or four different NAICS codes. We do a lot of work in 541611 (administrative), which is a size standard of $16.5M, and we’re larger than that. On the other hand, we have a lot of work in in 541512 and 541513 (IT), which have a size standard of $30.5M, which we’re within so we’re considered small, and 541330 (engineering), which has a size standard of $41.5M, where we’re also small.
So we do some of our work in a NAICS code for which we are large, which is perfectly okay. It just means if it was recompeted we’d have to compete as a large business, or find a small business partner.
After three or four months of working from home, it’s good to go back to one of the things that passed in 2019 and was signed by the President back before any of this happened.
This legislation affects lots of us, including joint ventures that involve an 8(a) protégé, or are led by an 8(a). It’s also particularly close to my heart, and may just be the most wonderful section that ever exists. Why? Because 823 also happens to be my birthday!
Section 823 of the 2020 NDAA increases the threshold for justification and approval for 8(a) Program sole-source awards. While the 2010 NDAA required justification and approval for 8(a) Program sole-source awards valued at or above $20 million (later increased to $22 million), Section 823 of the 2020 NDAA increases this threshold to $100 million.
[Note from Bill: $20M is a long way from the $4M threshold in place when I first started out!]
This change will benefit entity-owned 8(a) Program participants because, under the Federal Acquisition Regulation (FAR) and Small Business Administration’s (SBA) regulations, those are the only participants eligible for sole-source awards above the competitive thresholds ($7 million for manufacturing contracts and $4 million for all other contracts).
What this new legislation means is that if the contracting officer makes the determination that there is a single source that can perform a certain piece of work, and you can couch the language in such a way that states you are the only person that can do so, you can now get a sole-source contract for up to $100M. That is pretty cool!
For contracting officers, there is usually a threshold or limit as to what they can sign for (and this limit is now decidedly higher for 8(a) awards), before the award needs to be approved by another level of command or even by the Pentagon. Still, there is a big distinction in time and energy between a contract that anyone can compete on (e.g., in a vehicle), and a sole-source contract.
There’s still an approval process, but they don’t have to compete the award. They just need to write a J&A and get it approved by the appropriate levels of authority based on the number of dollars involved. Then lo and behold, they can award a contract.