COPPA 2.0: Preparing the Connected Vehicle Industry

Advisory

Although The Children and Teens’ Online Protection Act – also known as “COPPA 2.0” – is not yet law, either it or a version of it seems likely to become law in the near future. One of the law’s hallmarks is to expand privacy protections currently afforded to children under 13 to children under 17. Interestingly, however, COPPA 2.0 as currently drafted also expands the law’s reach to additional types of online platforms, including “mobile applications.” “Mobile applications” are software programs that run on the operating system of a cell phone, tablet, or similar wireless portable computing device which “includes a service or application offered via a connected device.”

This expansion is likely to bring many types of autonomous and connected vehicles, which frequently interface with users through a mobile application, into the scope of the potential law, raising new questions about how businesses in the sector can and should prepare for COPPA 2.0.   

Broadening the protected class of users to under 17 would sweep in an entirely new population of young drivers and consumers of connected and autonomous vehicle app services. Regulated businesses must be prepared with mechanisms to obtain clear, affirmative consent from such users before collecting any personal information from them. Further, such consent cannot be obtained through subversive design techniques known as “dark patterns,” on which the FTC has focused increased attention in recent years.   

Among other things, COPPA 2.0 would prohibit covered businesses from processing the personal information of users under 17 for purposes associated with targeted advertising and would also require users under 17 to be able to request the deletion of information that they have provided through the application or which is made available to others through the service. These new prohibitions and rights require the implementation of data handling processes and privacy controls – such as segmentation of data which may not be used under any circumstances for targeted advertising – which businesses may not have currently implemented or planned for.   

Although the foregoing is not an exhaustive examination of how COPPA 2.0, or another bill like it, would impact the rapidly developing connected and autonomous vehicle industry, it is enough to make clear that businesses in the sector must be prepared for the change that is coming their way sooner rather than later. Remaining apprised of the latest iteration of COPPA 2.0 and similar bills will help relevant businesses know what to expect and efficiently plan for compliance.   

Cybersecurity for Employee Benefit Plans: Updated EBSA Guidance

New DOL Cybersecurity Guidance

In updated guidance, the Employee Benefits Security Administration (EBSA) subdivision of the U.S. Department of Labor (DOL) confirmed that their 2021 guidance on cybersecurity applies to all ERISA-covered employee benefit plans, including health and welfare plans. Plan fiduciaries, third-party service providers, and plan sponsors should take steps to ensure cybersecurity practices meet regulatory requirements for all employee benefit plans.

Employee benefit plans are targets for cybercriminals because of the large amounts of sensitive data they require. As new threats become increasingly complex and continue to emerge, fiduciaries can work to better protect participant data and mitigate their own losses by establishing adequate compliance now.

Here are the key highlights from the updated guidance:

Cybersecurity Program Best Practices

Plan fiduciaries and recordkeepers should carefully review and assess which of the guidance’s best practices, outlined below, have been implemented and what should be implemented to efficiently and effectively mitigate cybersecurity risks.

  • Maintain a well-documented cybersecurity program that identifies, assesses, and responds to cybersecurity threats. Include written policies regarding appropriate disclosures, notification requirements, and issue correction.
  • Perform regular and comprehensive risk assessments and correct identified risks and gaps.
  • Have a third-party contractor conduct an independent annual audit of security controls and implement corrections to any identified weaknesses.
  • Have clearly defined information security roles and responsibilities at all appropriate levels for your business, including at the executive level, where a cybersecurity program can be overseen.
  • Implement strong access control procedures. This includes using multi-factor authentication (MFA), limitation of access based on need, and monitoring access activity.
  • Conduct updated cybersecurity awareness training for all personnel at least annually.
  • Implement a secure system development life cycle program (SDLC) to ensure that new systems are developed with cybersecurity concerns in mind.
  • Implement a resiliency program to enable your business to adapt quickly to maintain operations and isolate issues in the event of a disruption.
  • Ensure standards for data encryption and technical controls are being met.

Service Provider Suggestions

Plan sponsors and fiduciaries should carefully assess service providers’ cybersecurity practices.

  • Evaluate and compare the service provider’s information security standards and policies and ensure that their level of security has been backed by audit reports and risk assessments.
  • Evaluate the service provider’s track record, including public information on security breaches, litigation, and legal proceedings.
  • Ask whether the service provider has applicable insurance coverage.
  • Ask how the service provider has responded to potential and actual security breaches in the past, including their current incident response plan.
  • Ensure that your contract requires ongoing compliance and has sufficient detail to create a reasonable expectation of compliance.

The updated guidance also includes several suggestions for participants as individuals, including a reminder to plan sponsors that the same suggestions apply to their benefit plans. In light of this updated guidance, plan fiduciaries, service providers, and plan sponsors should evaluate and refresh their cybersecurity policies to ensure compliance for all employee benefit plans. Cybersecurity practices for employee benefit plans should also be part of a more comprehensive business-wide program.

For any questions regarding the new guidance or to learn more about how it can impact your organization or business, please contact a member of Varnum’s Employee Benefits or Data Privacy and Cybersecurity teams. Our attorneys are prepared to help you navigate the evolving regulatory landscape and ensure your systems and policies are in compliance.

Texas Federal Court Blocks FTC Non-Compete Ban Nationwide

Texas Federal Court Blocks FTC Non-Compete Ban Nationwide

On August 20, 2024, the United States District Court for the Northern District of Texas permanently blocked the Federal Trade Commission’s (FTC) ban on non-compete agreements on a nationwide basis. While the preliminary injunction the court issued last month signaled that it was likely to block the rule, the relief initially had only applied to the named plaintiffs in the lawsuit.

In the opinion, the Texas federal judge held that the FTC lacked the statutory authority to issue the non-compete rule and that it was arbitrary and capricious. Importantly, the federal judge rejected the FTC’s argument that the relief should be limited to only the named plaintiffs. Instead, the judge held that the Administrative Procedures Act requires the FTC non-compete rule to be set aside in its entirety.

As of August 21, the FTC is “seriously considering a potential appeal” of the decision to the Fifth Circuit. The key takeaway for now is that the FTC’s non-compete rule will not go into effect on September 4, 2024. Even though the ban has been blocked, non-compete agreements remain a hot topic. The FTC retains authority to bring enforcement action on a case-by-case basis challenging non-compete agreements as a violation of federal competition law. Additionally, four states generally ban the use of non-compete agreements and 33 states plus Washington, D.C. restrict the use of non-compete agreements. In most cases, non-compete agreements remain enforceable in the context of a sale of business, subject to reasonableness and other factors.

Varnum’s Labor and Employment and Corporate Practice Teams will continue to monitor this situation.  If you have questions on your company’s use of non-compete agreements, please contact your Varnum attorney.

Michigan Employers Take Note: New Ruling Impacts Paid Leave and Minimum Wage

MI Supreme Court Declares "Adopt-and-Amend" Strategy Unconstitutional

Varnum is hosting an Earned Sick Time Act (ESTA) Discussion on Wednesday, November 20, 2024, at 12:00 P.M. Register today to reserve your spot.

Today, July 31, 2024, the Michigan Supreme Court released a highly anticipated opinion in the case of Mothering Justice v. Nessel. This case assessed the constitutionality of the Michigan Legislature’s 2018 “adopt-and-amend” strategy under which the Legislature adopted, and then immediately changed, two ballot proposals that would otherwise have been included on the November 2018 ballot for decision by Michigan voters. The ballot proposals pertained to Michigan minimum wage and paid sick leave requirements, and were originally entitled the Earned Sick Time Act (ESTA) and Improved Workforce Opportunity and Wage Act (IWOWA). The Legislature’s “adopt-and-amend” action had narrowed the original ballot proposal language, and resulted instead in the enactment of the Michigan Paid Medical Leave Act (PMLA) and current minimum wage provisions in effect since early 2019.

After years of legal challenge, the Michigan Supreme Court reversed a 2023 decision of the Michigan Court of Appeals, and ruled that the “adopt-and-amend” approach utilized by the Michigan Legislature violated the Michigan Constitution. The Court determined both of the ballot initiatives as originally adopted by the Legislature should be reinstated in lieu of current, amended versions. In the interests of justice and equity, the Court ordered the reinstatement to occur, but only after a time period the same as that which employers would have been provided to prepare for the new laws absent their improper amendment.

Therefore, significant new legal requirements will become effective February 21, 2025. These include:

  1. The paid leave ballot proposal as initially adopted by the Legislature in 2018, in the form of the ESTA, is reinstated effective February 21, 2025, in place of the PMLA. All covered employers must amend existing paid leave policies or implement new leave policies as applicable that comply with the ESTA by February 21, 2025. Key elements of the ESTA include:
    • All Michigan employers, except for the U.S. government, are covered.
    • All employees of a covered employer, rather than only certain categories of employees as provided under the PMLA, are covered.
    • Covered employers must accrue sick time for covered employees, at a rate of at least one hour of earned sick time for every 30 hours worked. 
    • Employers with 10 or more employees, as defined by the ESTA, must allow employees to use up to 72 hours of paid earned sick time per year.
    • Employers with fewer than 10 employees, as defined by the ESTA, must provide up to 40 hours of earned paid sick time, and are permitted to provide remaining earned sick leave up to the required 72 hours per year on an unpaid basis, rather than paid.
    • Employers may not prohibit the carryover or cap the accrual of unused earned sick time.
    • Employers may limit the use of earned sick time in any year to 72 hours.
  2. The minimum wage ballot proposal as originally adopted by the Legislature in 2018, in the form of the IWOWA, is also effective February 21, 2025, subject to a phase in of certain requirements that remains to be determined at this time. The IWOWA will replace the narrower amendments that previously were enacted and took effect in 2019. Key provisions effective February 21, 2025, include:
    • The state minimum wage rate will be $10.00 plus the state treasurer’s inflation adjustment, which has yet to be calculated and released.
    • Future increases will be calculated annually based on inflation as specified in the IWOWA.
    • The existing “tip credit” provisions employers of tipped employees currently utilize to calculate whether they have been paid minimum wage will be phased out over a period of years and eliminated entirely by February 21, 2029.

The above will be applicable absent further judicial, legislative, or voter-driven constitutional action that prescribes a different course. As to judicial action, opportunities for appeal or rehearing of a state Supreme Court decision are limited and discretionary. As to voter-driven constitutional action, such as a referendum, the timing of the Court’s decision may well not permit for such action to be included on the 2024 ballot, even if sufficient support for such action were shown.

In terms of any legislative action to amend, such action could only occur in a future legislative session, meaning January 2025 or later. As to the level of support required, because the ballot proposals were adopted by the Legislature rather than approved by a majority of Michigan voters in an election process, the normal requirements will apply. Had the ballot proposals been approved by a majority of Michigan voters in the election, a 75% supermajority of both houses of the Legislature would have been required for any amendment passage.

We will continue to monitor these matters for further developments. Please contact a member of the Varnum Team for legal advice and assistance in preparing for the new laws.

For those interested in further detail regarding the history and impact of this case, click here.

 

Michigan Lifts Ban on Surrogacy and Passes Law to Protect Children Born by Assisted Reproduction

Michigan Passes Surrogacy and Assisted Reproduction Act

The Michigan legislature recently passed the Assisted Reproduction and Surrogacy Parentage Act (the Act), repealing the criminal and civil bans on surrogacy and establishing laws to regulate the process and protect all involved parties. This advisory will briefly cover the background leading up to the Act and outline some of the key components of Michigan’s new surrogacy legislation, which is set to take effect in March of 2025.

Before passage of the Act (also known as the Family Protection Act), Michigan was the last remaining state with a broad criminal ban on surrogacy arrangements. When it was instituted in 1988, this ban was one of the first surrogacy statutes enacted in the United States. Prior to passage of the new law, Michigan also had a civil ban, rendering surrogacy agreements void and unenforceable.

On April 1, 2024, the Michigan legislature passed the Act as a package of bills (HB 5207-5215), lifting the prior ban and instituting requirements for surrogacy agreements and protections for all involved parties, including the surrogate, intended parents, and child. The legislation also ensures a secure legal relationship between parents and children conceived through assisted reproduction, including in vitro fertilization. By establishing clear parental rights for those relying on surrogacy and assisted reproductive technologies, the legislation ensures that more Michigan families, including same-sex couples, have access to parental rights and protections.

The Act provides certain protections for all parties, including the following:

  • The intended parents and surrogate must be at least 21 years old.
  • The intended parents and surrogate must complete a mental health evaluation.
  • The surrogate and intended parents must have independent legal representation of their choosing throughout the entire process, from the agreement negotiation process through the duration of the agreement.

Under the Act, there are also certain safeguards specific to the surrogate, including:

  • The surrogate’s legal counsel must be paid for by the intended parents.
  • The agreement must permit the surrogate to choose her health care practitioner.
  • The agreement must permit the surrogate to make all health and welfare decisions regarding the surrogate and the pregnancy, such as whether to consent to a cesarean section or multiple embryo transfer.
  • The surrogate may be compensated under the agreement.

Passage of the Assisted Reproduction and Surrogacy Parentage Act means that Michigan residents have more options for expanding their families. By providing clear legal protections and guidelines for surrogates and intended parents, the state is ensuring that all parties involved are protected throughout the process. Varnum’s Family Law and Health Care attorneys are prepared to assist those seeking guidance in navigating this new and emerging legal landscape.

American Hospital Association v. Becerra: U.S. Department of Health and Human Services’ Health Privacy Guidance Vacated by Federal Judge

Positive News for HIPAA-Regulated Entities Using Online Tracking

The ruling in American Hospital Association v. Becerra is good news for HIPAA-regulated entities that utilize third-party online tracking technologies. In short, the U.S. District Court for the Northern District of Texas ordered that by restricting HIPAA-regulated entities’ use of such technologies, the HHS had overstepped its authority. The District Court’s decision marks a victory for health care providers, as it will likely discourage similar litigation brought against HIPAA-regulated entities. However, these entities should still carefully manage their tracking technologies, as uncertainty continues to surround the future of protected health information and its intersection with artificial intelligence.

What Happened in American Hospital Association v. Becerra?

On June 20, 2024, a federal judge in Texas vacated a portion of health privacy guidance issued by the U.S. Department of Health and Human Services (HHS). Specifically, U.S. District Judge Mark Pittman vacated the HHS’s declaration that HIPAA obligations are triggered in: “circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers.”

Unauthenticated public webpages are webpages that do not require an individual to log in (i.e., these webpages do not require user verification or login credentials) before the individual may access the webpage. The HHS offered the following example, to demonstrate how a visit to an unauthenticated public webpage can result in the disclosure of protected health information: “[I]f an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address . . . or other identifying information showing their visit to that webpage is a disclosure of [protected health information] to the extent that the information is both identifiable and related to the individual’s health or future health care.”

Initially, the HHS issued the now-vacated guidance out of concern for patient privacy, due to the rise in hospitals’ use of third-party online tracking technologies. The agency’s main concern was that third-party online tracking technologies would reveal individually identifiable health information (IIHI), which is protected under HIPAA. In particular, the HHS argued, the technology would connect an individual’s IP address with that same individual’s online search regarding his or her medical condition. The HHS concluded that the individual’s data would be IIHI in this scenario, and it issued the health privacy guidance in response, requiring providers to protect this “novel” category of information.

Ultimately, Judge Pittman disagreed with the HHS and sided with the plaintiffs, the American Hospital Association, who argued that online tracking technology allows HIPAA-regulated entities to serve patients more effectively. In his order, Judge Pittman ruled that the HHS had exceeded its actual authority, both beyond the scope of HIPAA and beyond the “plain meaning” of IIHI. Put more simply, Judge Pittman ruled that the HHS had unlawfully redefined what is considered protected health information under HIPAA: “[T]his is a case about power. More precisely, it’s a case about our nation’s limits on executive power.” And, Judge Pittman felt that the HHS had overstepped its power in issuing this health privacy guidance, at the expense of hospitals and other entities that are required to comply with HIPAA.

What Happens Now?

First, this vacatur is nationwide. However, Judge Pittman’s order is limited only to the specific portion of the guidance regarding third-party online tracking technologies. Therefore, HIPAA-regulated entities should take care to abide by the remainder of the HHS guidance.

Additionally, Judge Pittman did not issue an injunction against the HHS, and the HHS has no requirement to obtain court approval for future revisions of its guidance. So, the agency is free to revise and/or continue to update its guidance as it sees fit (as long as it does so without violating Judge Pittman’s order). Accordingly, HIPAA-regulated entities should continue to check the HHS website for any updates, in order to ensure continued compliance with HHS guidance. The website currently states that HHS is “evaluating its next steps in light of [Judge Pittman’s] order,” and the agency has until August 19, 2024, to appeal the order, if it chooses to do so.   

In the meantime, HIPAA rules remain the same, and entities should maintain best practices to comply with HIPAA, in addition to closely monitoring any new guidance issued by the HHS. Though HIPAA no longer applies to the now-vacated portion of the HHS guidance, HIPAA-regulated entities must also ensure that they remain compliant with state laws applicable to such tracking technologies. Entities should carefully investigate what data and areas of their business are subject to HIPAA, as well as which are subject to state privacy laws, in order to ensure proper compliance overall. Moreover, entities should be cognizant of additional litigation that arises regarding either the HHS’s health privacy guidance, or the use of online tracking technologies by hospitals and other HIPAA-regulated entities.

If you have any questions or concerns about the ruling of American Hospital Association v. Becerra and its potential effects on your business, or about maintaining compliance as a HIPAA-regulated entity, please reach out to one of Varnum’s data privacy attorneys. Additionally, if you are interested in discussing the use of artificial intelligence in health care, please reach out to a member of our Health Care AI Task Force.

2024 summer associate Rebecca Krasity contributed to this advisory. Rebecca is currently a student at the University of Wisconsin Law School.

Impact of Chevron Decision on Compliance Risk Under Data Protection Regimes

Overturning of Chevron Shifts Authority on Data Privacy Regulation

A recent pivotal Supreme Court decision marks a significant shift in the authority of federal agencies to interpret regulations related to data privacy and security as well as the influence of judicial review over ambiguities in the same. This shift poses new challenges and uncertainties for agencies’ ability to regulate and meaningfully govern purported insufficiencies in privacy and data security programs.

1984 Chevron Decision

In its landmark 1984 decision, Chevron v. Natural Resources Defense Council, 467 U.S. 837, the Supreme Court established a framework for judicial review of federal agency interpretations of statutes. This framework, known as “Chevron deference,” dictated that when a statute is ambiguous, courts should defer to a federal agency’s reasonable interpretation of the law. For the past 40 years, Chevron deference has been applied to thousands of cases, significantly shaping the regulatory landscape.

Recent Decision Overturning Chevron

The U.S. Supreme Court recently issued a ruling (Loper Bright v. Raimondo, together with Relentless v. Dept. of Commerce) overturning the Chevron decision. The Court ruled that, under the Administrative Procedures Act, courts can no longer defer to federal agencies’ interpretations of statutes. Instead, courts must rely on their own interpretation of ambiguous laws. The facts underlying Loper Bright and Relentless involved fishermen challenging the National Marine Fishery Service’s interpretation of the Magnuson-Stevens Fishery Conservation and Management Act of 1976, which required them to pay for monitors onboard their vessels. While the underlying facts concerned fishery management, the implications of this ruling span across all federal agencies, as they will no longer receive deference from courts when their rulemaking is challenged. Consequently, courts will now play a more critical role in interpreting statutes and assessing whether agencies have properly applied the law or exceeded statutory limits.

Impact on Federal Agencies Regulating Data Privacy and Cybersecurity Laws

The full extent of the impact this decision will have on the rulemaking capabilities of federal agencies that have historically held significant authority over the interpretation of laws related to the collection, sharing, and protection of personal information, such as the Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (US DHHS), remains unclear. Indeed, FTC representatives have stated that this change will have little effect on key issues related to data privacy. Further, this change will not impact settlements and consent decrees that are already in place.

Nonetheless, heightened scrutiny of agency actions stemming from interpretations of unclear elements of data protection laws over which they have historically had authority is expected. For example, in its rulemaking on data privacy and cybersecurity, the FTC has relied on Section 5 of the FTC Act, a relatively ambiguous statute authorizing the FTC to address “unfair or deceptive acts or practices.” In these scenarios, the FTC has previously utilized its authority under Section 5 of the FTC Act to allege that data collection and disclosure practices of various companies have been conducted in a manner that could be deemed to be unfair or deceptive. Similarly, the FTC has exercised authority under the Gramm-Leach-Bliley Act (GLBA) and US DHSS has exercised similar authority under the Health Insurance Portability and Accountability Act (HIPAA), each to assess what companies fall within the scope of the two laws given the broad but at times ambiguous nature of the definitions of “financial institutions” and “business associates,” respectively. Another commonly discussed area of ambiguity would be the security components of GLBA, 15 USC 6801, and HIPAA, 45 CFR 164.306, where in-scope entities are mandated to protect the more sensitive personal information within the purview of each of those laws by implementing appropriate technical and security measures.

While the FTC and others argue that the ambiguity under each of these data protection laws are intentionally designed to accommodate evolving technologies and business practices, it is this vagueness and broadly construed language that may now lead to more judicial scrutiny in the absence of Chevron deference. For example, it is likely no longer within the FTC’s authority to definitively assess whether a financial institution subject to GLBA has implemented appropriate or sufficient technical and organizational measures. This would now be a question to be decided by the courts.

The impact of Loper Bright on other aspects of FTC rulemaking and enforcement are less clear. The relatively underutilized Section 18 rulemaking, which empowers the FTC to prescribe rules that define “unfair or deceptive acts or practices” within the purview of Section 5 of the FTC Act, is already subject to more rigorous procedural hurdles, such as public consultation and advance notice to Congress, and arguably has not relied on Chevron deference. One such rule promulgated pursuant to Section 18 of the FTC Act is the Children’s Online Privacy Protection Act (COPPA) Rule, which requires websites and online services to get parental consent before collecting, using, or disclosing personal information from children under 13.  It is arguable that both prior to and post-Loper Bright, ambiguity in a rule promulgated under Section 18 would be subject to judicial review and not entitled to Chevron deference, although that point remains unclear. Additionally, FTC enforcement actions resolved by settlements (generally in the form of consent orders) were never reliant on Chevron deference as courts have historically considered these actions to “lack the force of law,” making them ineligible for such deference. However, while the overturning of Chevron deference may not directly impact the FTC’s ability to enter into consent decrees, it could diminish the agency’s leverage in persuading companies to agree to such orders, as the lack of judicial deference may weaken the agency’s perceived authority.

Conclusion

The strategic approach a company takes as it develops a comprehensive privacy program often requires the company to assess the risks associated with the development of each component of the program. This includes interpretating applicable data protection and security laws that are high-level in nature and generally less prescriptive to assess what that company has to do to achieve better compliance hygiene. This recent Supreme Court ruling should undoubtedly be taken into consideration when assessing those risks.

If you have any questions or want to learn more about how the recent Supreme Court rulings may impact your business or the development of your privacy program, please contact a member of Varnum’s Data Privacy and Cybersecurity Team. Our team can leverage our years of practical experience in operationalizing privacy programs to help you find pragmatic approaches on the path to compliance.

Michigan Adopts the Uniform Power of Attorney Act

Michigan Adopts the Uniform Power of Attorney Act

Powers of Attorney (POA) in Michigan are subject to a new law which went into effect on July 1, 2024. If you have executed (or are considering executing) a POA to give a trusted individual the ability to access your financial accounts or sign documents on your behalf, whether in case of emergency or simply for convenience, you should review that POA to confirm its execution complies with the new law and to ensure you can take full advantage of the benefits of the new law.

By executing a POA, you grant someone else important powers to act on your behalf. The person you appoint is called your “Agent.” A POA can be “Durable” or “Non-Durable.” A Durable POA can be particularly useful because, unlike a Non-Durable POA, your Agent’s authority to act on your behalf will not be terminated even if you are incapacitated.

As of July 1, 2024, the new law, titled the Uniform Power of Attorney Act (UPOAA), provides increased accessibility, effectiveness, and standardization for POAs. Given the increased mobility of the population and modernization of technology, the UPOAA codifies state legislative trends across the United States and creates a cohesive set of best practices for drafting and utilizing POAs. To date, a version of the UPOAA has been enacted in 31 states.

The UPOAA accomplishes several important objectives:

  • It promotes uniform acceptance of notarized POAs. No longer will third parties be permitted to refuse to accept a validly executed POA simply because the document didn’t clear the entity’s legal department. The UPOAA provides sanctions for persons or entities who refuse to accept an acknowledged POA. “Acknowledged” means verified before a notary public (or other individual authorized to take acknowledgements).
  • It provides protection for third parties who rely on notarized POAs. The UPOAA is designed to protect third parties who accept a notarized POA in good faith, and also provides clear circumstances where acceptance of a POA can and should be denied. If there is any doubt, the third party can request a certification or opinion of counsel as to the validity of the POA within a seven-day window of the presentment of the document. 
  • It provides a series of default rules for POAs. If the POA is executed in compliance with certain requirements, the POA will automatically be durable under the UPOAA. This is a change from former Michigan law which mandated that there be an affirmative statement as to durability in the POA. There are other helpful default rules in the UPOAA including provisions regarding the determination of incapacity, and the coordination of co-agents’ authority, successor agents, and court-appointed guardians and conservators.
  • It promotes accessibility and frees up judicial resources. Michigan has had a statutory form Will and statutory form Designation of Patient Advocate for some time. Now, there is a statutory form Power of Attorney. The purpose of the form is to give the public easy access to creating POAs, which will decrease the necessity of guardianships and conservatorships. However, as clearly stated on the form, because of the important authority granted in POAs, individuals should use caution in preparing these important forms without the assistance of counsel.

Given these sweeping changes promulgated by the UPOAA, it’s a good time to revisit your POA. The UPOAA applies to all POAs, even those executed prior to July 1, 2024. As long as your POA was validly executed at the time it was signed, your POA is still valid under the new law – but you may want to confirm that your POA is notarized. Many individuals executed legal documents during the pandemic when it may have been difficult to obtain a notary. If your POA is not notarized, you may want to re-execute the document before a notary to garner the additional protections that the UPOAA provides to acknowledged POAs.

This advisory was originally published on November 20, 2023.