The California Consumer Privacy Act of 2018 (“CCPA”) was signed into law by Governor Jerry Brown on June 28, 2018, and goes into effect on January 1, 2020. The CCPA gives significant new data privacy rights to California residents with respect to their personal information that is collected and maintained by companies doing business in California. Even if you are compliant with current privacy laws, you must consider how the CCPA may affect your business. And, if you have not already started steps for compliance with the CCPA, now is the time.

Businesses cannot afford to wait until next year to think about or prepare for the wide-ranging impacts of this new law. Specifically, affected businesses need to: (1) decide now whether they will or will not sell personal information to third parties (and analyze any modifications to business services that may be required if they will not (or cannot) sell such information); (2) update websites and privacy policies with required information disclosures; (3) ensure that sufficient systems, processes, and resources are in place to respond to consumer requests for access to or deletion of their personal information and required disclosures; and (4) analyze and adjust any contracts with service providers that may be necessary to ensure compliance with the law.

Does The CCPA Affect Your Business?

Unless you conduct business operations wholly outside of California (including having no online presence in California), the CCPA probably applies to your business. The CCPA applies to all businesses – regardless of location – that conduct business (including online sales) in California and collect personal information from California residents if at least one of the following thresholds are satisfied:

• Gross annual revenues in excess of twenty-five million dollars ($25,000,000)
• Collection of personal information from 50,000 or more California residents, households, or devices annually
• Fifty percent (50%) or more of annual revenues are derived from selling consumers’ personal information

For some businesses, this is an easy determination. But even if you do not believe your company meets these thresholds at first glance, you may want to give this further consideration. For example, because “personal information” under the CCPA is defined broadly enough to encompass essentially every piece of information related to a California resident or household, information such as IP addresses that are collected merely from website visits constitutes collection of personal information under the CCPA. Therefore, even putting aside what personal information your business collects from customers, employees and other California residents in the course of its transactions and operations, if your business has a website accessible to California residents, you are likely to exceed the 50,000-resident annual threshold, and your company must likely comply with the CCPA.

What Are Your Obligations Under The CCPA?

The CCPA provides the following privacy rights to California consumers:

• Right to know what personal information is collected about them
• Right to know whether their personal information is sold or disclosed to third parties
• Right to opt-out of the sale of their personal information
• Right to access portable copies of their personal information
• Right to request deletion of their personal information
• Right to equal service and pricing even if they exercise their privacy rights under law

This will require, among other things, that businesses:

1. Disclose to consumers – at or before the point of collection – the categories of personal information collected and the business purposes for such collection. Businesses must also disclose on their websites and in their privacy policies the categories of personal information they sell or disclose for a business purpose, or must provide a statement that they do not sell or disclose such information.
2. Have sufficient data mapping and inventories of the personal information they collect about California residents (and their households and/or devices) and internal processes and resources in place to be able to respond (within 45 days) to requests for access to or deletion of personal information submitted by consumers.Access requests require that a business provide consumers with: (1) the categories of personal information collected; (2) the sources from which that information is collected; (3) the categories of personal information sold or disclosed and the categories of third parties to whom it was sold or disclosed; and (4) the specific pieces of personal information the business has collected about the requesting consumer. Businesses must also disclose and make available various methods to consumers for making such information requests (including by toll free phone number, website, etc.) and train their employees to handle such requests properly.
3. Determine whether the business is (either intentionally or unintentionally) “selling” personal information as defined by the CCPA and either make adjustments to stop selling that information or make required disclosures on their website pages and privacy policies stating that they are selling personal information and notifying and enabling consumers to “opt out” of such sales.In this respect, compliance with the CCPA may require a “Do Not Sell My Personal Information” link on the website homepage. Because the CCPA defines “selling” information as any disclosure for valuable consideration, businesses should also consider whether adjustments need to be made to their vendor/service provider relationships and contracts to ensure that personal information is not unintentionally being “sold” as defined by the law. Additionally, businesses must ensure that they are not collecting any personal information from individuals under the age of 16 without affirmative “opt in” consent of the consumer (if between ages 13-16) or a parent/guardian (if under age 13).
4. Consider adjustments to business models or services offered (i.e., paid vs. free services) based on the inability to sell certain consumers’ information and the inability to discriminate against consumers who exercise their privacy rights.
5. Consider changes to internal policies regarding employee rights and understand the impact that new privacy rights of employees under the CCPA will have on the business. The CCPA does not distinguish between California residents in their roles as consumers, employees, patients, etc. Thus, employees have all the rights granted to any other “consumer” under the law, including rights to request access to and deletion of their personal information, rights to opt-out of the sale of their personal information, and a private right of action if their personal information is breached, among others. While employers may have a valid business reason to justify denying deletion requests during the period of employment, employees may request access to their confidential personnel files or other HR records about them and, without further clarification or amendment to the law, such information would presumably need to be provided. At a minimum, employees will need to be notified at or before the point of collection of any of their personal information and any internal policies should be updated to include disclosures of employee rights under the new law.

What Are The Penalties For Non-Compliance?

Businesses that fail to comply with the CCPA are subject to civil penalties in actions brought by the California Attorney General in amounts of $2,500 for each unintentional violation, or $7,500 for each intentional violation.

The CCPA also gives a private right of action to any California resident whose personal information is subject to a data breach and allows such residents to recover between $100-$750 per resident and incident, or actual damages, whichever is greater. The availability of statutory damages resulting from a data breach should provide significant incentives for companies to increase and improve their data security practices and breach response plans and procedures. Additionally, current state legislation is under consideration that would expand this private right of action to the violation of any provision of the new law.

Questions?

The above summary of the CCPA is a very high-level discussion of the duties and obligations businesses have under the new law and does not constitute legal advice with regard to compliance with the CCPA. There are many additional details and rights, as well as defenses and exemptions, to take into account in assessing what steps your business may need to take to comply with the CCPA. Please contact Litigation and Data Privacy partner Scott Hall at shall@coblentzlaw.com or 415.772.5798 to discuss additional questions or details and to determine how we can help your business be prepared for the CCPA.

Click here to download or print a PDF of this alert.

Originally Published in the Daily Journal, February 14, 2019.

Is your “smart building” connected? Is your high-tech office, residential building or entertainment facility, with embedded sensors, wireless networks, remote monitoring devices and internet-capable security cameras, now just another “thing” connected to the global “Internet of Things”? Does embedding internet-connected devices within a building infrastructure impose enhanced “cybersecurity” requirements on developers, owners, architects, contractors or other building stakeholders? Do any of those stakeholders have affirmative obligations to mitigate the potential for breaches, hacks or misuse of embedded devices? While, perhaps, an odd question, the “connectedness” of buildings, cars, and other “objects” requires renewed consideration of security protocols and practices in light of evolving laws, changing commercial expectations and the potential implications for ubiquitous connected “things.”

California recently passed the first state law imposing security requirements on “connected devices.” The law, effective Jan. 1, 2020 (to be codified at Title 1.81.26 of Part 4 of Division 3 of the California Civil Code), requires manufacturers of internet-connected devices (with exceptions for federally regulated and health care-related devices) to equip them with “reasonable security features.” While ostensibly applying mainly to “off-the-shelf” wireless devices, like security cameras, thermostats and similar products with which consumers are fairly familiar, the definition of “connected devices” goes beyond the plain English. Under the new statute, “connected devices” also include any “other physical object” that is “capable of connecting to the Internet, directly or indirectly,” and that is assigned an IP address or Bluetooth address. What might that broader definition capture, with nearly every physical object today embedded with wirelessly enabled electronics that permit the exchange of data through the internet? Refrigerators, toasters, coffee makers, smoke detectors, vacuum cleaners, door locks, electricity meters, and, indeed, even formerly “static” buildings, cars and trains all come today with an embedded capability that enables them to interact with the internet. And, of course, the ability to connect with the internet offers hackers the opportunity to enter those objects, to control those objects, to lock-down those objects, to extract data from those objects and to move from connected object to connected object within a network. In April 2016, internet users in Europe and North America experienced that susceptibility when a distributed denial of service attack against Domain Name System provider Dyn, Inc., which manages web addresses and routes internet traffic, resulted in several hours of extensive network outages. The malware responsible for that attack infected the Dyn network, and overwhelmed its servers, by taking control of nearly 150,000 connected devices, including wireless security cameras, lightbulbs and baby monitors. Experts suggested that the attack had been initiated by a lone disgruntled gamer upset with the Sony PlayStation game network.

The international research and advisory firm Gartner, Inc. estimates that by 2020, there will be 25 billion or more connected devices. PricewaterhouseCoopers estimates that nearly $6 trillion will have been spent by businesses and consumers between 2014 and 2020 on hardware, software and connectivity solutions for the Internet of Things. IDC Corporation predicts that the Internet of Things marketplace — software, services, hardware and connectivity — will reach $1.7 trillion in 2021. By all measures, the number and types of connected devices will increase exponentially and proliferate even faster. The cost of electronics components will continue rapidly to decline and components will continue to get smaller. Wireless speeds and network coverage will continue to improve, with next generation “5G” wireless networks nearly ready for commercial deployment. The collection, transmittal, storage and analysis of terabytes and terabytes of data through internet-enabled objects will continue to accelerate. The new California law, whether, intentionally or otherwise, demands that a broader cross section of stakeholders assume responsibility for, or, at least, consider the implications of lax, or non-existent, security within connected devices and objects.

Who qualifies as a “manufacturer” of an internet-connected object under the new statute? It seems rather uncontroversial to suggest that a “car” is today a connected device and that the automobile manufacturer has likely assumed a responsibility, legal and otherwise, for the design, manufacture and security of its wirelessly enabled, and potentially “hackable,” transportation platform (that responsibility to the public stands independent of possible reimbursement claims the car manufacturer may have through customary third party indemnification arrangements with specific component manufacturers). Does a building owner, developer, architect or construction firm face similar questions regarding a networked facility that it has helped to create?

The statute applies to the “manufacturers” of “connected devices” and “connected objects” that are sold or offered for sale in California. If a building, entertainment facility or sports arena is wirelessly enabled with embedded sensors, cameras and other internet-capable objects that are designed with input from a developer or construction firm, and built to owner specifications, might that developer, owner or construction firm qualify as the “manufacturer” of a physical object — the building, the arena, a room, a space, an office — that exchanges data with the internet?

Connected physical objects are required to have “reasonable security features” that are “appropriate to the nature and function of the device,” appropriate to the “information” that the device may collect and transmit, and designed to protect the device from “unauthorized access.” “Appropriateness,” as a legal standard, should be expected to evolve and should remain a constant source of inquiry. Beyond an overarching set of security principles, the statute provides that preprogrammed passwords unique to a device or features that require a user to create a new means of authentication before the device is first accessed will constitute “reasonable security features.” But even if preprogrammed passwords or other authentication measures are implemented, the “appropriateness” of those measures to the nature and function of a particular device or object will remain subject to further consideration.

The California statute does not create a private right of action. It limits enforcement to the “Attorney General, a city attorney, a county counsel, or a district attorney.” But while enforcement may initially be restricted, the effects of the statute, especially as the first of its kind in the nation, will no doubt be broad and the bar it establishes for security practices involving connected “things” will no doubt rise. If it seems a stretch to cast a building developer, owner or construction firm the “manufacturer” of a “connected object,” the underlying legislative intent is clear — turning an intentional or unintentional “blind eye” toward cybersecurity protections for connected objects is unacceptable. Expectations have evolved; standards and practices will need to catch up.

The California statute, directly and indirectly, demands that anyone placing a connected object in the market for use by consumers or businesses undertake a critical security assessment of that “thing.” With a statutory security framework for connected devices taking hold in 2020, and a heightened societal awareness occurring in parallel, is it, or will it become, “negligent” to design or install an embedded sensor network without appropriate security features? Are there, or will there arise, express or implied warranties regarding the security of embedded devices and sensors or wireless networks within newly constructed facilities? How far and wide among the engineering and construction stakeholders associated with a new building or facility will those warranties and obligations extend? Do legacy construction and design contracts effectively address responsibility for connected security? Will questions of device security eventually inform issues of occupant safety and habitability when, for example, sensitive network data or personally identifiable information is stolen, when internet-ready cameras are turned by hackers into voyeuristic tools, when ambient sensors are used to disrupt building cooling and heating systems or when medical refrigerators are remotely disconnected causing essential medicines to spoil? Did the builder, owner, construction manager, facilities operator or other vendors properly consider appropriate security features to incorporate into their connected object during the design or “build” stage? Whether the new California statute is applicable on its face or not, and whether it affords a private claim or not, the statute, if nothing else, requires anyone creating or developing an internet-connected platform, or making available a connected object, to consider and think proactively about the features and measures necessary to ensure appropriate security for the platform and objects they intend to interact with the Internet of Things.

Click here to download a PDF of this article.

Originally Published in the Daily Journal, February 7, 2019.

Digital technologies are disrupting the construction industry, which has been a notable laggard in technology adoption. For an industry that until recently has relied primarily on hardcopy versions of blueprints, excel spreadsheets to schedule subcontractors and track inventory, and old fashioned measuring tape to ensure the proper fit of building materials, the times “they are a changing’,” and quickly, as the song goes. And those changes demand new legal perspectives and more contemporary assessments of legacy agreements and contractual frameworks.

Sponsors and participants in new development projects have the opportunity to integrate new and emerging hardware and software technologies that will enhance productivity and increase visibility into the construction and development process, building performance and management, ongoing maintenance and future repair. Mobile applications can now deliver real-time, on-site access to digitized blue prints, punch lists, field progress reports and related data. Software platforms can enable online project bidding, vendor qualification, real-time inventory management and cost tracking. Building Information Modeling can provide 3-D digital representations of the physical and functional characteristics of facilities to architecture, engineering and construction professionals, eliminating future “guesses” about the location of mechanical, electrical and plumbing systems when maintenance is required. 3-D printing can allow onsite casting of concrete and steel objects, reducing transport and storage costs. Advanced building materials can enable the introduction of new building functionality and offer improvements in realizing sustainability objectives. Drone technology can permit remote inspection, measurement and monitoring of critical infrastructure assets, including dams, bridges and distant roadways. Embedded sensors can monitor and wirelessly report stress loads on building infrastructure. Modular construction and pre-fabrication techniques can compress project timelines, mitigate waste, reduce rework requirements and enhance coordination among subcontractors. Artificial intelligence and machine learning will offer further automation and potential efficiencies to industry participants.

The global construction industry accounted for about 13 percent of global GDP in 2013 and is expected to increase to nearly 15 percent of global GDP by 2020, representing trillions of dollars of investment. Despite the significant percentage of global GDP generated by the construction industry, the World Economic Forum reported that between 1964 and 2012, U.S. non-farm business labor productivity increased by 159 percent compared to a decrease in labor productivity of 19 percent in the construction industry over the same period. In 2015, the McKinsey Global Institute noted that the construction industry was second to last, above only “agriculture and hunting,” of the 24 industries it surveyed in the use and adoption of digital technologies. These statistics suggest not only the immediate need for the construction industry rapidly to accelerate its adoption and use of new (and, in many cases, now readily available) technologies, but confirm the tangible opportunities that exist within the sector to improve efficiencies, to improve safety and to increase return on investment.

While adoption of new technologies has been slow, the venture community has recently identified a significant opportunity within the construction sector. Investment in construction technology start-ups increased from about $4.5 million in 2008 to nearly $1.5 billion in 2018. Similarly, merger and acquisition activity has risen substantially. At the end of 2018, Autodesk Inc., a leading software services provider for the architecture, engineering and construction industries, spent more than $1.0 billion to acquire just two construction technology start-ups with relatively modest revenue streams. Venture investment, technology adoption and acquisition activity will continue to accelerate in 2019 and beyond. Increased digitization of project plans and construction-related information; increased availability and collection of construction-generated data; increased access to project analytics; increased industry transparency; increased use of advanced materials; and increased retention and dissemination of industry “know-how” — these and other advances made possible through the use of construction-focused technologies are fundamentally and forever changing expectations and outcomes for all stakeholders within one of the world’s oldest industries.

But, as those expectations and outcomes evolve, industry participants need to reconsider legacy contract terms, standards of performance and the implications for risk allocation. Contractors, vendors, architects, designers, financing sources and other constituencies must assess how, or whether, possible disruptions or failures of newly-adopted technologies have been effectively addressed in “off-the-shelf” forms of project agreements used for decades. They must evaluate how the use of these technologies may have influenced professional practices and how they are influencing expectations regarding the standards of professional conduct and care moving forward. Risk assessment and risk allocation, considered in the light of fundamental changes in business practices brought about by technology, must become an essential predicate to the design and planning stages of construction projects, and not simply an afterthought. Contractual pass-through provisions, like those routinely imposed by prime contractors on subcontractors, must be reevaluated to assess the varied effects that new technology solutions may have within the traditional construction ecosystem and on its participants.

What happens if a third-party software platform used to manage project scheduling, purchasing and inventory tracking suddenly crashes? Who is responsible if the platform stops working and construction comes to a halt, results in unforeseen delays or causes vendor payments to be missed? Who provides software platform support and to whom? What happens if blueprints that have been digitized become suddenly inaccessible or have inaccuracies? What happens if those digitized blueprints, or other digitized project information, is taken “hostage” through a ransomware attack and cannot be accessed for an extended period? Does construction stop? Do contractors need to obtain cyber insurance as the tools of their trade transition to the “cloud”? If project management software collects vendor data, where is that data stored and who “owns” the data? Since project “metadata” may offer valuable insights into regional purchasing trends and labor activity, among other things, who, if anyone, can mine and “monetize” that data during and after the project?

Technology adoption will also inevitably affect the post-construction phase. Connected devices are being embedded in new buildings to record performance loads and torque levels, to adjust room temperatures, to turn lights on and off based on the presence of tenants and even to change the tint of exterior windows as the day progresses. Embedded sensors are transitioning formerly static facilities into software platforms that will collect, analyze and store real-time data generated by both the building and its tenants. As sensor and similar technologies proliferate, owners, facilities managers, construction firms and other stakeholders must also consider the privacy, reliability, usability and related issues that will arise. Has patent indemnification coverage flowed through to protect a building owner sued for an alleged infringement tied to embedded sensors? If an in-building network is hacked, how is responsibility allocated among the manufacturers, installers, owners, managers and users of the network? To whom were relevant representations and warranties made with respect to the affected technologies? Were there third-party beneficiaries of licensed technologies employed in the construction process?

As digital technologies take hold within the construction industry, prudence requires a reassessment of legacy agreements and legal arrangements. Contracts that fail to account for the use, integration and permanence of advanced technologies, or that fail to reflect the terms, conditions, conventions and practices of the technology sector, are likely to result in undesirable or unanticipated allocations of project risk. The issues associated with increased adoption of construction-related technologies are not unique. Rather, they require the rethinking of traditional business methods and practices among industry participants through the lens of a technology user. And, they raise the need for heightened sensitivity, and indeed awareness, to the implications of technology adoption, to the terms on which technologies are purchased, licensed and used, to the ways in which technologies are integrated into industry processes and to the varied effects that these technologies may have, directly or indirectly, on construction industry stakeholders.

Click here to download a PDF of this article.

By Fred Alvarez and Laura Seegal. Originally Published in the Daily Journal, February 6, 2019.

It’s time to take another hard look at whether it’s worth it for employers to ask their departing employees not to recruit anyone away after they leave. Nobody wants their former employees to raid the ranks of their current employees, but they don’t want to be forced to defend an unfair competition lawsuit in California either. By the same token, nobody tempted to recruit their former colleagues wants to be sued for breach of contract or to have their new employer sued for interference with contractual relations. The need to balance those risks is becoming ever more acute.

Up until the 2008 California Supreme Court decision in Edwards v. Arthur Andersen LLP, 44 Cal. 4th 937, California employers routinely and comfortably relied on the 1985 Court of Appeal decision in Loral Corp v. Moyes, 174 Cal. App. 3d 268, to justify including employee nonsolicitation clauses in employment and severance agreements. (Applying a rule of reason analysis, the Loral court enforced an employee nonsolicitation covenant because it did not significantly restrain trade so as to run afoul of California Business and Professions Code Section 16600.) Those provisions typically prevent employees who have left their employment from recruiting current employees of their former employer to work elsewhere.

In Edwards, the court invalidated a noncompetition agreement that contained both noncompete and customer nonsolicitation clauses on the basis that Business and Professions Code Section 16600 unambiguously prohibits all restraints on trade, without regard to reasonableness. Though the agreement at issue in Edwards also contained an employee noncompetition clause, the plaintiff had not specifically challenged it. Therefore, despite the California Supreme Court’s sweeping rationale in Edwards, many employer-side attorneys continued to “whistle past the graveyard” on employee nonsolicitation clauses. Similarly, many employee-side attorneys had to urge caution to their clients who had signed nonsolicits but were anxious to bring former colleagues to their new ventures. Moreover, until recently no definitive Court of Appeal decision existed to compete with Loral. For these reasons, many employers routinely continue to include employee nonsolicitation clauses, just as they did before Edwards. Two recent developments have made reliance on Edwards’ silence as to employee nonsolicits a little more treacherous for employers — and a little less scary for ex-employees.

At least one Court of Appeal case, and some commentators, have assumed or even suggested that the Edwards rationale would logically encompass employee nonsolicitation clauses. Yet, the decision of the 4th District Court of Appeal in AMN Healthcare, Inc. v. Aya Healthcare Servs., Inc., 28 Cal. App. 5th 923 (2018), brought the fight directly to Loral. In AMN, the Court of Appeal ruled that an employer could not enforce its employee nonsolicit against former company recruiters, after finding that the clause would effectively prevent the recruiters from performing their jobs in violation of Section 16600. The AMN court went to some lengths to illustrate that the analysis and rationale in Loral were not compatible with the Supreme Court’s approach to Section 16600 in Edwards. It then boldly concluded that “We thus doubt the continuing viability of [Loral] post-Edwards.”

Employer attorneys looking to continue relying on Loral have harbored some hope that the particular facts in AMN — recruiters who could no longer practice their profession of recruiting — would help keep Loral on some solid ground despite its negative treatment in AMN. That hope was confronted with a dose of harsh reality in the recent decision of Barker v. Insight Glob., LLC, No. 16-CV-07186-BLF (N.D. Cal. Jan. 11, 2019). In Barker, Northern District Judge Beth Freeman, applying California law, reversed a decision she had made several months earlier in which she relied on Loral to dismiss a frontal attack on an employee nonsolicit. According to Judge Freeman, AMN was “a change in law warranting a fresh look and changed outcome” that now justified her denial of summary judgment in favor of an employer who sought to enforce an employee nonsolicit. In reaching this decision, Judge Freeman made two key points: (1) The particular facts in AMN — recruiters who could no longer recruit — did not limit AMN’s holding that Loral was no longer viable, and (2) the analysis in AMN was more persuasive than that in Loral.

There is no doubt that the AMN decision arose from facts that placed the employee nonsolicit in a particularly harsh light, and that Barker is merely one federal judge’s opinion about a long-standing proposition in California nonsolicit law. Yet, employers who continue to use employee nonsolicits would be well-advised to take heed. Of course, it is also true that until the California Supreme Court definitively overrules Loral, a good faith basis will continue to exist to support the routine usage of employee nonsolicits. On the other hand, with two courts now clearly rejecting the approach and making explicit the contention that Loral’s rationale does not survive Edwards, the risks of business as usual are more tangible than ever.

Employers should now anticipate that more employee-side attorneys will look critically at routinely imposed employee nonsolicits and that they will make litigation calculations about whether they are willing to undertake a direct challenge to those clauses based on California’s Unfair Competition law and other theories under California law. Indeed, the challenge in Barker was brought as a purported class action on behalf of all employees who had ever signed or been presented with an employee nonsolicit. Correspondingly, employers will need to assess whether these clauses are truly worth the risk that more courts will follow what could become an anti-employee nonsolicit parade following the AMN and Barker cases.

Click here to download a PDF of this article.

In August 2018, the U.S. Department of the Treasury issued final Regulations concerning the qualifications, designation, authority, and resignation of the required Partnership Representative under the new Centralized Partnership Audit Regime.[1] The rules are effective for tax years beginning after December 31, 2017 and apply to all partnerships and LLCs taxed as partnerships, although certain partnerships and LLCs may elect out of the regime to continue to be audited under the former rules. The option to elect out of the regime is limited to partnerships having 100 or fewer partners with individuals or corporate partners only (any partnership or LLC with a trust or a disregarded entity as a partner/member cannot elect out). Partnerships and LLC’s taxed as partnerships both will be referred to in this letter as “partnerships.”

Under the new partnership audit regime, the IRS can make an audit change to a partnership’s tax return and assess the tax against the partnership instead of the partners. This could result in the partnership paying additional tax for a prior year adjustment even though there are different partners or different ownership interests in the current year than in the year that was audited. As discussed, partnerships need to amend their agreements to address this and other partnership audit issues.

In addition, the new regime replaces the former “Tax Matters Partner” with a “Partnership Representative” (“PR”), but provides much greater authority for the role of the PR. Importantly, the PR has the sole and binding authority over all matters of the partnership before the IRS in audits under the Bipartisan Budget Act of 2015 (BBA). The partnership must designate the PR each year on its filed tax return for all tax years beginning after 2017. For a calendar year Partnership/LLC this would be its 2018 tax return, so this issue needs prompt attention.

Authority of the Partnership Representative in Centralized Partnership Audit Regime

The PR has the “sole authority to act on behalf of” the partnership. Other than the PR or designated individual for a PR that is an entity, no partner or other person may participate in administrative proceedings without permission by the IRS.[2] However, the rules are not intended to prohibit partnerships from using state law to limit the authority of the PR. Therefore, partnerships and LLCs should review and amend agreements carefully to tailor the duties and authority of the PR.

Designation and Eligibility of the Partnership Representative

Every partnership must designate a PR for each separate taxable year. There may only be one designated PR for a partnership taxable year at any time, and the designation will remain in effect for that year until terminated by resignation, revocation, or a determination by the IRS that a designation is not in effect. If a partnership fails to designate a PR, then the IRS will designate one for the partnership.[3] When designating a PR for the partnership, the IRS may designate anyone except an IRS employee, unless the IRS employee is a partner in the partnership or was a partner in the partnership for the year under audit.[4]

The PR need not be a partner or member of the entity. Any person or entity who meets the requirements in the Regulations may serve as the PR, even the partnership itself. If an individual is designated as PR, the person must have a “substantial presence” in the United States, which exists if (1) the person makes itself available to meet in person with the IRS, and (2) the person has a United States taxpayer identification number, a street address located in the United States, and a telephone number with a United States area code. If an entity is designated as the PR, there must be a “designated individual” appointed to act for the partnership at the time of designation, and the individual must meet the substantial presence requirements for an individual PR.[5]

Resignation, Revocation, or Determination by the IRS that a Designation is Not in Effect

Resignation. A PR or designated individual of an entity PR may resign by notifying the partnership and the IRS in writing of the resignation, but may not appoint a successor PR or designated individual.

Revocation. The partnership may revoke a PR designation for a tax year for any reason by notifying the PR and the IRS in accordance with applicable forms and instructions, but the partnership must designate a successor PR. However, the flexibility for revoking a PR designation is limited where the PR has been designated by the IRS.

IRS Determination that a Designation is Not in Effect.  The has the authority to determine that a PR designation is not in effect in situations including: the IRS becoming aware that the PR or designated individual does not have a substantial presence in the U.S., the partnership failing to appoint a designated individual of an entity PR, the partnership failing to make a valid designation of a PR, and the PR or designated individual resigning. Until a termination, resignation, or revocation is in effect, the PR’s authority to bind the partnership remains unaffected.[6] Therefore, a partnership will want be sure that the particular requirements for a valid resignation are followed.

Push-Out Elections

Partnerships and LLCs may make a “push-out” election to transfer the liability for underpayments from the partnership itself to those who were partners during the year being audited. The economic effect of this election may be material in situations where the ownership of the partnership may change from year to year.

Amendments to Consider in Partnership and LLC Agreements

Partnerships and LLCs taxed as partnerships should consider amending agreements to account for how the new rules might affect the liability of partners in the audit year and the prior year, and due to the amount of power vested in the PR, should specifically address the obligations and limitations on the PR’s authority. Amendments to agreements will vary, but items that should be considered include:

• The conditions for making the opt-out election (the election to opt out of the new regime) and push-out election (the election to cause audit adjustments to be allocated to those who were partners in the year under audit), and maintaining eligibility for making these elections;
• Indemnification by former partners if partners become liable for any tax, penalties, or interest that effectively pertain to a former partner with respect to a prior year;
• The manner and method of appointing and removing the PR;
• The PR’s fiduciary duties to the other partners, if any;
• The PR’s duties to notify and keep informed the partnership and the partners of any matters relating to its authority under the new rules;
• Extending the PR’s duties beyond the year of designation until the statute of limitations for such year has run; and
• Limiting the PR’s authority, such as by requiring cooperation with the partners prior to any settlement with the IRS.

This is not an exhaustive list, and new amendments will vary based on the needs of each partnership or LLC. Partnerships and LLCs should carefully review and amend their agreements to address the new audit procedures.

For more information, contact Coblentz Tax Partner Jeff Bernstein at jbernstein@coblentzlaw.com.

 

[1] See Treas. Reg. §§ 301.6223-1 and 301.6332-2.

[2] Treas. Reg. § 301.6223-2(d).

[3] Treas. Reg. § 301.6223-1(c) and (f).

[4] Treas. Reg. § 301.6223-1(f)(5).

[5] Treas. Reg. § 301.6223-1(b).

[6] Treas. Reg. § 301.6223-1(d) – (f).