CGL Webinar Replay: Understanding Your HR Compliance Under The CPRA

Sign up for our next webinar: CGL Webinars

00:05
Hello, and welcome to today’s webinar, California Privacy Rights Act, understanding your HR compliance obligations. My name is Jessica Clark and I’m of counsel with CGL LLP, where I’ve helped clients identify and manage privacy and security risks. I’m joined today by my colleague Lindley Fraley, also of counsel at CGL. Lindley’s practice covers a wide range of Employment and Labor matters from employer counseling to wage and hour and employment discrimination litigation.
00:35
Hi, everyone, happy to be here.
00:38
If you’re joining today, you likely know that in January, California became the first state to provide expansive privacy rights to employees. In this webinar, Lindley and I hope to give you an overview of the new requirements and dig into what these changes will mean for businesses. Before I begin, I do have a few housekeeping items I’d like to mention. First, this webinar is being recorded. If you have any objection, you should disconnect at this time. We also will encourage you to submit questions throughout the session and to rate content afterwards, we have provided a few additional resources on state privacy laws that you can find in the Attachments section, if you would like to read a little bit more about this. And finally, we will be setting polls live throughout the session. And we encourage you to
participate in to cast your vote. Once the votes are in, we will, you’ll be able to see the results. So with that, let’s get started. In terms of the agenda for today, we’;re going to give a brief overview of the CPRA.

We’re going to talk about what new rights the CPRA gives to employees. We’re going to discuss how businesses can balance employee rights with conflicting legal and operational obligations. And then we’re going to discuss what businesses can do to prepare for potential misuse of these new CPRA rights as a pre-litigation discovery mechanism, we are going to assume that those of you attending today has some familiarity with the consumer, California Consumer Privacy Act or CCPA. So we’re not
going to cover all the nuances of the CCPA. Rather, we’re going to focus on what we think will be some of the core challenges in applying the CCPA to employees and HR data. And also just so that there’s no confusion. The CPRA is not a new law, rather it amends the CCPA. So if you hear us referring to the CCPA, or the amended CCPA. That’s the nomenclature we’re probably going to be using for the new law and the new requirements.

So with that introduction, let me start by asking bluntly, if you could summarize some of the major changes that the CPRA introduces.

02:58
of course, so I’m going to start with who this law applies to. It’s important to note that the new CPR policy is CPRA only applies to employers who either have a gross annual revenue of over 25 million in the preceding calendar year, or buy, receive or sell the personal information of 100,000 or more California residents, households or devices, or businesses that derive 50% or more of their annual revenue from selling or sharing California residents personal information. This means that
most small businesses that are not in the business of selling or receiving personal information are likely exempt from the new law. So that’s always good news for small businesses, because compliance is going to be probably a little bit cost and labor intensive, at least initially.

So let’s talk about the employee exception, because that’s really what’s changed under the law. So the the CPRA, as revised, now eliminates the employee exception. This means that California resident employees, applicants, or emergency contacts, beneficiaries, independent contractors, and members of boards of directors, and
throughout this presentation, we’ll call them employees all have the same rights as any other consumer under the law, which means that your private you have the same right to have your private information disclosed to you or deleted just as any other consumer would under the law.

So the three main obligations under it are for businesses, they have to post a detailed privacy policy about how the employer handles Human Resources data, including biometric data like fingerprints. Facial recognition, that kind of thing, which you might use to clock in and out of for non exempt employees, and share that
information with employees whose information as part of the data. Businesses also have to comply with new rights regarding human resources data. This includes employees rights to deletion and correction and how employees can obtain a copy of specific pieces of personal information. And then finally,
businesses have to include specific CPRA provisions in contracts with vendors that handle Human Resources data. So like if they have businesses that perhaps have contracts with health insurance companies, or life insurance companies, that kind of personal data does have to have a does have to be identified in an in a contract with those vendors. And the parties will have to work together to determine how information will be stored, collected, deleted, and all that fun stuff under the law. So the CPRA also makes a distinction between personal information and sensitive personal information, depending on what a business might be dealing with, with respect to its employees, and different rules will apply to those two different categories. So personal information is generally identified as information
that identifies relates to describes, is reasonably capable of being associated with or could reasonably be linked directly or indirectly, with a particular consumer or households. sensitive personal information is anything that reveals an individual's personal information. So this is when we’re talking more about
things like social security numbers, driver's license numbers, state identification cards, or passport numbers. Also included as sensitive personal information is something you might not think about would be like a consumers Account Login, a financial account number, a debit card or credit card number.
And then all in combination with any required security or access code, password or credentials, can also be a consumers precise geolocation, or a consumers racial or ethnic origin, religious or philosophical beliefs or union membership. So the purse or the sensitive personal identification, or the
sensitive personal information is actually a very broad category. And there will and there are laws that
are more strict with respect to that type of information. And basically, businesses will be required to
have more robust protections than that, that they use for personal information. And it will have to be

3
Transcribed by https://otter.ai
treated accordingly, you know, in their HR and privacy policies. Another important point to note for
businesses, and especially if you're thinking about all of the legal ramifications of this law, which is, you
know, probably why most of us are here talking about it, is that there's no private right of action right
now, which is good news, it's only for security incidents arising from failure to maintain reasonable
security. The newly formed law does bring an enforcement action, and you can have penalties of
$2,500 with a violation or up to $7,500 for intentional violations. But right now, employees do not have
the right to a private right of action. So that's all very good. And but you know, as, as we know, in
California, things can change very rapidly, and there could be a private right of action down the road.
So it's always very important to just be aware of your privacy policies and how you're moving forward
with that in the new year.
08:57
That's good. So there's a lot to think about, as I'm sure you, you can see there. And I think we're gonna
probably want to drill down into a lot of those issues that you just outlined. But I wanted to ask you first
about the scope. So you had mentioned that the CCPA isn't limited to current employees. It also covers
things like former employees, or even if you just applied for a job, board members, independent
contractors. As I understand this is a key difference from what current California Labor Code has
always required. Is that right?
09:32
That's right. So the California Labor Code gives rights to inspect and receive copies of certain
personnel records. But these rights are limited to actual employees, not beneficiaries, or emergency
contacts. It's just those people who either are currently employed or formerly employed. So you often
see these types of record requests when an employee leaves employment and they, he or she may be
believes that they have a legal claim at hand, and so they might have an attorney that's representing
them send a request for their personnel file their personal information that's been maintained that kind
of thing with the employer. But with the CCPA, you have a huge number of people that are covered by
this, because it's not just employees in the sense of the word of the people who are working there. But
it's all these people that they may have identified in their records that, you know, they they said was the
beneficiary for a life insurance policy, or, you know, their husband or spouse or partner is the contact
for in an emergency. So employers often don't even know that they have that type of personal
information related to the person that's covered by the Act. So that's just a very big challenge. And it's a
key difference from the labor code, because it's not just what you would typically think of personal
information.
10:58
Got it? Yeah. So it's something in HR departments are really going to need to sort of wrap their mind
around that this isn't the same, you know, these requests aren't going to be treated the same way. You
know, maybe they're used to maybe their current policies have always contemplated, it sounds like
compliance under the CCPA is going to be fairly complicated for employers that maintain large amounts
of personal data. Do you agree?
11:24

4
Transcribed by https://otter.ai
Unfortunately, I do agree with that there are just so many nuances to the CCPA that will cover minut
amounts of data that employers may not even know that they have in their possession.
11:37
So why don't we talk a little bit about the new rights that the CCPA gives to employees you mentioned,
but the new CPRA rights are in addition to some already existing rights that employees have had for a
number of years under the California Labor Code, I think you said to inspect and receive copies of
certain personnel records. Can you talk a little bit about what those existing rights are?
12:01
Sure. So most employers know, or at least large employers who have HR departments know that under
the California Labor Code, employees have the right to inspect and receive copies of certain personnel
records. It's not all of them, it's just some of them. So for example, wage statements and payroll
records, sign documents, and then personal grievance or performance evaluations are all things that
employees have a right to request and a right to copy, review, access, and even take copies with that.
So these documents, like I said, mostly pertain to what is kept in a typical personnel file for the
employee. It doesn't include things like emails regarding the employee, or other small documents, not
personnel related that could include personal identifying data. So the rights under the amended CCPA
are much more expansive than what the labor code currently allows, or has currently allowed in the
past.
13:06
Right? Yeah, and so I would, I would completely agree, it's going to be a huge spectrum of data that is
potentially going to fall under the new right of access that employees have under the CCPA. It's just a
much broader pool of information. And employers are really going to need to start thinking about what,
what which of this information they have. So under the CCPA, the amended CCPA. In addition to some
of the types of records that you just mentioned, employers potentially would also have to produce any
identifiers that they hold on an employee. And this isn't just sort of a name or an alias. But this could
include things like a passport number, a driver's license number, an IP address, anything that's sort of a
unique identifier. It also would cover information that is already covered under different California
statute, this section 17 98.80. This gets into things like signatures and telephone numbers, bank
account, credit card, debit card information, medical information, health insurance information. Also,
characteristics of protected classifications under California or federal law are covered. And for those
who don't know the classifications, the protected classifications under California law are actually much
broader than they are under federal law. So federal law covers things you might expect, like race, race,
and ethnicity, gender, religion, that sort of thing. But there are actually a wider array of protected
classifications under California law including things like political affiliation and marriage status. In
addition, commercial information is potentially subject to an access request. So that would be products
or services, you've purchased purchasing tendencies. biometric information, so fingerprints, iris and
retina scans, facial recognition, any of these sorts of tools, then some employers probably larger
employers may be using for either security or timekeeping purposes, will now be subject to an Access
Request. Also internet and electronic information so to the extent that you track your employees use of
the your network or the you know, devices that are provided to them company devices, that type of
information would now be subject to an access request, if an employee were to submit one geolocation

5
Transcribed by https://otter.ai
data. So if you think about, you know, if you do any sort of tracking of your employees, devices, or
where they are at particular times in the day, you know, if they you have delivery drivers who are
perhaps, you know, moving around throughout the city, and you're keeping track of that information,
that information would potentially be subject to an Access Request. Professional information, and I
think this is probably what overlaps most closely with existing regulations, this would be the sort of
personnel files, valuation evaluations, that sort of thing that we were talking about before, that is
actually covered and has been covered under California labor law. And then educational information
that's as defined by FERPA probably most businesses don't have a lot of that, but it's possible sensory
data, which would be audio visual data, you know, if you have CCTV scan cameras in your facilities
that could potentially be subject. And then finally inferences, which is a little bit harder to pin down
exactly what this could potentially entail. But I think it's something businesses would want to think
about, like what sort of inferences do we potentially make about our employees based on things like
ethnicity or marital status is there anything where we sort of generate information on our own drawn
from personal information of that type that we hold about our employees. So that's, that's a huge swath
of information that would now be encompassed within the new right of access that employees have
under the amended CCPA. And that's just one, right. And then they also have a new right to know,
which in practice means a right to receive notice of what information is being collected about them and
how that's being used. So that's a notice that you would need to provide to your employees at or before
the point of collection. They also have a right of deletion, a right of correction, right to opt out of
processing of sensitive PII, and a right to opt out of sales and sharing.
18:12
That's a lot of this a lot of information. But what I'm wondering, Jessica is about the right to access. I
mean, given that companies do have huge amounts of information on their employees, much of what
might not be owned by the HR department department. How do businesses really prepare for this? I
mean, what do they really need to know, to to be compliant?
18:38
Yeah, so it is going to be a big change for businesses. And I would say, you know, in order to respond
to an access request, you really need to know where the data is. So I would say as a first step, the first
thing to prioritize is data map, data map data map, you really can't have any confidence that you are
complying with any of the other obligations unless you've identified what information you have and
where it's stored. You know, you can't respond to an access request without and have confidence that
you've actually given over all the information that you are legally obligated to provide. Unless you know
what information you have. I would also remind businesses that data can live in many places within an
organization. So as you said, the HR department may not own or control all of this information they may
need to you know, it's going to be a more holistic effort to respond to an access request today, you're
going to need to talk to other teams within your organization to make sure that you've really have
collected all the information that's potentially relevant to the access request. So for instance, you know,
you can't just think about personnel files you also have to think about any collaboration tools you use.
So you know, is there a personal information held within slack or teams messages that would
potentially be subject to the rights request. Second, and second priority I would say is just having good
data hygiene and data governance. That can significantly less than a company's compliance burdens.
You want to review your email retention policies, and the rules for your messaging and collaboration

6
Transcribed by https://otter.ai
tools to make sure you're only retaining data for so long as is necessary to meet requirements under
other laws. Currently, there's only a one year look back period and one year and some change. But that
looked back period will continue to increase as we move further and further away from 2020 to January
120 22. So if you don't have good deletion policies in place today, yours can pass quickly. And you can
find yourself sitting on just mountains of data that is now potentially subject to a rights request. And
then finally, I would say really familiarize yourself with the exceptions, it's much more likely, you're
going to have to, like employee rights requests are going to require a higher touch than your ordinary
consumer rights request, it's just much more likely, the data you hold on an individual employee will be
intermingled with confidential business information or trade secrets, it could include the personal
information of another employee or another individual. So when you receive access requests, you're
going to really need to look at them, review them carefully, you may almost want to treat them similar to
a discovery request, you're going to want to make sure you go through and redact confidential
information, personal information of other individuals before you turn that information over to a
requester. So it's going to be companies are really going to need to sort of think this through. And one
thing that I would also say is they may want to consider really, when and how to consult with legal
counsel. So I think it's going to become a little bit more important than it maybe has been in the past.
And I will actually take this opportunity to pause and do a poll. So to our attendees, how likely are you
to consult with legal counsel when responding to employee requests? Very likely, somewhat likely, not
likely, are not sure. So I will put that out there. And when the results are in, I will close it and you will be
able to see the results live.
22:45
Okay, and maybe we can turn next to the right to delete. Unsurprisingly, one exception to the right to
delete is when you need to keep information in order to comply with other laws. What other laws are we
talking about? Lindley, maybe you can walk us through what those other laws what sort of other laws
might apply? Well, there are
23:05
all kinds of laws in California, aren't there? So that also becomes a very complicated, multi layered
question. Because when you're looking at an exception to delete, there are a host of different laws, I
mean, just a few off the top of my head like Americans with Disabilities Act, the Family Medical Leave
Act, the California Family Rights Act, Age Discrimination and Employment Act, the California Labor
Code, the Fair Labor Standards Act, and it goes on and on and on. So there are all kinds of things in
California and state or federal law that require you to maintain records. And just generally in my
practice, I always counsel employers to maintain employment records for a minimum of four years
because the statute of limitations for several different kinds of employment claims. And most notably,
wage and hour claims can date back at least in California, up to four years from the date of a claim. So
I mean, if you have an employee who has been employed for 20 years, you want to keep that whole
file, right, because that person is still working there actively. Once they're gone. If assuming that person
leaves, then you can, you can potentially delete some data, but you just want to be very, very careful,
because things like Wage and Hour records and actual personnel files and even related documents,
like emails about the employee and to and from the employee, are very important in some of these
litigation matters and should always be maintained for at least four years. Then there are all kinds of
other exceptions to deletion requests, not just the ones that deal with all of these fun California and

7
Transcribed by https://otter.ai
federal labor and employment laws. So some of these other exceptions to deletion requests include
down Then unnecessary to complete a transaction fulfill a warranty or product recall, provide a good or
service requested by a consumer or perform a contract with the consumer data that will help ensure
security and integrity. That could be very broad depending on your security system, what kind of
information you have, like IP addresses. Also data necessary to debug to identify and repair errors.
Data use for the exercise of free speech or another right provided by law. Again, another really vague
category, data necessary to comply with California's Electronic Communications Privacy Act, data
necessary to engage in peer reviewed scientific, historical or statistical research data necessary to
enable internal uses consistent with expectations of the consumer and compatible with collection
context. And then, of course, the exception of data necessary to comply with the law. So well,
employees might have a right to request deletion. There are all kinds of exceptions as well, that may
prohibit deletion, even if there's been a valid deletion request.
26:18
that I'm sure is good news to some of the businesses out there, wondering how they're going to do this,
and how they're going to carry on business, you know, if employees are requesting deletion of
everything they have on them. So that's good to know. And I would encourage our attendees, you
know, and, again, familiarize yourself with the exceptions. I think it's going to be important as you're
reviewing these sorts of things. So what about the right to limit use and disclosure of sensitive personal
information? How do you think this is going to affect businesses that collect things like race and
ethnicity for EEO reporting, or you know, like, a lot of companies today have voluntary diversity
programs? I'm sure many companies are thinking, what does this mean for those programs where
we're trying to do something good here? And doesn't this sort of undermine those efforts?
27:10
Well, I mean, with respect to EEO information, that generally should fall under an exception and likely
an exception that could deal with preservation of information necessary to comply with the law,
because the company has to be able to comply with applicable laws, right. So mandatory collection of
sensitive personal information for EEO, reporting should be allowed. But if you're using sensitive
personal information for non mandatory diversity programs, that's going to be more of a gray area, but
probably okay, and reasonably expected by employees, I would say, in general. You know, California
really values things like voluntary diversity programs, right. So a court is likely and I'm just, you know,
I'm just giving my opinion, a court is likely to say that collection and maintenance of that type of
information would be okay, right, for a non mandatory diversity program. But I also know that California
is a very employee friendly state. And if somebody has a real problem with fat, you know, there's the
potential that it could, it could pose a legal risk. Another issue that has come up with a lot of clients
lately is that it's just very common nowadays to use biometric data for clocking in and out of the
workplace. So this is these are things like you mentioned before a fingerprint, the iris of your eye, a
facial recognition system. So since that could relate to the timing of clocking in and out at the
workplace, it's probably something that's subject to an exception, but employers will have to consider
how they actually use the data and whether it contains any necessary information that prevents its
deletion after a valid deletion request. So that that type of information could be more of a case by case
basis.

8
Transcribed by https://otter.ai
29:10
Okay, interesting. So I'm curious. I'm curious, what do you think is going to be the biggest most difficult
challenge for businesses in this new environment?
29:24
I mean, I don't think it's really like one big challenge. I think it's really multi layered. The first biggest
challenge will really be how to identify how much personal identification data, a company maintains.
Most employers are going to find that they maintain personal identification data in many, many records
that they have not even thought about, including potential correspondence between an employer and
others at the company. It records those kinds of things like an IP address, you know, those, those can
be four steps removed, right? And that could be personal identification data. And also, when you think
about employees who have been employed for many years, this could be a very complicated situation
when the employee leaves, and potentially requests that his or her data be deleted. So that would be
number one. Number two, I think that wage and hour laws are going to be a big one for California
employers, many California employers struggle with compliance in terms of wage and hour laws. And
the CPRA really values the minimization of data collection and retention. But in order to be compliant
with wage and hour laws, and really protect your company, you value keeping everything right, like all
your records, all your time records, all your notes about those kinds of things. So that is just going to be
a true challenge for employers, because more documentation on employees, especially for wage and
hour purposes, is typically always better instead of less. So that, you know, there's just a little bit of a,
you know, a push and a pull between between the CPRA. And how employers have really viewed
maintaining data on it's on their employees. And then third, I mean, there will always be litigation
regarding the CPRA and deletion requests. And employers are going to have to justify why they have
kept certain information. So it's not going to be it's just, again, not another black and white law where
you can just easily look at your records and decide all of these things can be deleted, a lot of this
information is probably going to be or have to be done on a very individual basis of analyzing every
single record that's maintained, which is a very labor intensive job for a company to have to do. And, of
course, I always just recommend engagement of counsel who somebody who's well versed in the
CPRA. And with the intersection of employment law, because it will be very complicated to comply,
especially at the beginning, because it's new for everyone.
32:13
Absolutely. So I'm going to take this moment to actually do our second poll, and ask our attendees,
what do you believe will be the greatest challenge and expanding your CCPA program to employees, a
providing notice to individuals, B verifying requesters, identity, C responding to access and deletion
requests, or D, balancing data minimization against other legal and operational requirements. Okay,
and again, please do vote guys. It's we, it really provides a lot of insights, I think, to us, the panelists
and also to your peers, who are also watching to understand, you know, what the common consensus
is and what the challenges are that businesses are seeing. Okay, um, so why don't we turn to some
specific questions we've gotten from our attendees. First question, is there a statute of limitations when
it comes to when a former employee can make an access or deletion request? And maybe I'll take the
first pass at that? The answer is no, there is no statute of limitations. So somebody, you know, you
could have an employee who left the company 789 15 years ago, theoretically, and there would be no
statute of limitations to the extent that you still maintain data on that individual you would need to go

9
Transcribed by https://otter.ai
through. And you know, if it was subject to the rights request, and wasn't subject to any exception, it
would need to be provided. However, if you are following a clear data deletion policy, then after a
certain amount of time passes, you would no longer have data on that employee. So ideally, this is sort
of a good, good reason to make sure you do have policies in place about when you no longer need
data and making sure that you're regularly removing that data so that you can lessen your compliance
obligations down the road, if you were to get one of these requests, and you're not sort of scrambling
trying to dig up very, very old records. So next question, how do we verify or requesters identity? That's
a tricky one. So, I will get into Linley Linley. Can you walk us through on verification?
34:54
Great? Of course I can't. So, yes, how do we very firewall requesters identity well, you will need to
consider the type of information you're going to use to verify the identity. So if it's if you're using less
sensitive data, you just have to come up with two data points. If you're using more sensitive data you
might need if you're talking about more releasing or deleting more sensitive data, you might consider
three data points. But what you have to remember is that you can not request sensitive personal
information from the person to verify that person's identity. So that makes it very complicated because
you can use things like a name, a birth date, generally, and maybe an email address. But you cannot
use things like a social security number, and account number, a racial or ethnic origin, a religious
affiliation. And so those are the types of things you know, that are commonly requested. Like when you
call on the phone, and they want to identify your data, they might ask for the last four digits of your
social security number, technically, you're not even supposed to ask those kinds of things. So you will
have to be very general, the good news is that if the person is still an employee, and he or she can sign
in somewhere, like an online system, that's a de facto verification. So that means current employees
who can sign into their workstations can use like a self service portal for access and deletion requests.
And then you don't have to have a separate authentication process. So for most employers, I would
recommend, at least for your current employees have something that they can sign into, that
automatically allows them to be verified, and they can make deletion requests that way.
36:58
Got it. That's a great idea, too. But it's a great idea to have like a self service portal within whatever sort
of internal network that you're maintaining. So we have one more question here that I wanted to hit.
The we have a question, what's the business risk? And what are the penalties for not complying with
this new legislation? So I think this was something we touched on a little at the beginning, there are
penalties. There's no private right of action, right. But there are penalties that could be enforced by the
California Attorney General or later on by the California Privacy Protection Agency. And I would also
say there's reputational risks. And personally, I would say, I would think that one of the biggest risks to
be aware of is in handling these sorts of consumer requests, particularly I think, these give companies a
lot of external exposure. And if they're not handled properly, you're more likely to have a upset
employee who does go and make a complaint to one of these regulatory agencies. Anything to add to
that? Lynley, would you?
38:20
I mean, I agree, I think unhappy employees are definitely a definitely a risk, right? Like, if you've got
employees who just are disgruntled, I mean, I see it day in and day out. So the more compliant you can

10
Transcribed by https://otter.ai
be with their requests, the better it is. And I mean, I do think that just you know, trying to be compliant,
maintain your records in a proper manner, and be able to justify your reasoning for either keeping
certain records or deleting certain records is going to be very, very important. And of course, as the law
becomes more commonplace, we have, you know, a year under our belts, things will become more
obvious, there will be more decisions in the courts about how to what kind of information is really
covered and how you handle it, and what's an actual violation. And so, there that will develop over time,
right? So, I mean, right now, because it's all just very new, the best thing you can do is to just really
comply, you know, maintain good documentation, train your employees on the applicable employment
laws. Make sure questions are directed to HR or somebody who's in charge of your privacy program.
That's also very important. And then you want to just have things like your updated Employee
Handbook, you want to have your updated CPRA policy that's distributed to your employees. And then
also I would say, you know, strongly consider an arbitration agreement. Again, and those are those are
back back in full effect in California, at least for the time being. So something to consider moving
forward.
40:10
Okay. Finally, one question before, before we close, I know this is something I've already heard from
some of the clients that I've been working with is a concern about employees who might be misusing
these new CPRA rights as a way to get around traditional discovery mechanisms, or just sort of as a
fishing expedition, if they do feel they have a claim against their former employer. So what should
businesses be thinking about? How do they address this possibility and evaluate whether something,
you know is a legitimate request that they need to respond to? Or, or if they don't believe that there's
good faith behind it? Any suggestions?
40:55
I mean, I feel like a lot of records requests by employees are are meant as fishing expeditions. So
unfortunately, that's just the truth of the matter in California. So it's just, you know, it's really important to
be compliant. It's really, it's really important for businesses to know, what data they maintain and how
they're maintaining it, and then the justification for doing that.
41:21
Yeah, that makes a lot of sense. Okay, so it actually looks like we are about out of time. So any final
words of advice before we close?
41:33
Just that compliance is key to prevention. So consult with your legal counsel about how best to comply
and, you know, do the best you can I give that advice to a lot of a lot of my clients, but we can do it
working together, everyone will figure out this law and we'll get our records all in line.

41:57
Great. And with that, we will wrap up today's session. If we do not get to your question. I apologize for
that. Please do. Send us an email and we'll respond to you by email after Thank you Lindley for serving
as our expert panelists today. And thank you to all our attendees. We hope you will join us later this month for our next webinar in the series where we will talk about dark patterns and deceptive design.
And until then, I hope you all have a wonderful day. Bye.

42:32
Thanks bye