Just over a month after the EU General Data Protection Regulation (GDPR) took effect, California passed its own sweeping privacy legislation, the California Consumer Privacy Act of 2018.

The Act stands to affect countless global companies doing business in California, many of which recently devoted extensive time and resources to GDPR compliance. These companies must now determine what additional steps are necessary to comply with the Act by the time it takes effect on January 1, 2020.

Join Socially Aware contributors Christine Lyon and Julie O’Neill on Thursday, September 20, 2018, for a deep dive into the key similarities and differences between the GDPR and the Act, as well as practical steps companies can take to assess gaps and chart a path to compliance. The areas they expect to cover include:

  • Notice requirements
  • Access and portability
  • Deletion
  • Opt-outs
  • Discrimination

If you are interested in attending this free webinar, please register here.

On July 19, 2018, in May, et al. v. Expedia Inc., U.S. Magistrate Judge Mark Lane issued a Report and Recommendation recommending that U.S. District Judge Robert Pitman for the Western District of Texas grant a motion to compel arbitration and dismiss a putative class action on the grounds that the plaintiff agreed to the defendants’ website’s Terms and Conditions, which contained a mandatory arbitration clause.

HomeAway User Files Putative Class Action 

HomeAway is an online marketplace for vacation rental properties where property owners can list their properties for rent and travelers can book rental properties. HomeAway’s original business model was to charge owners a fee to list their properties (either on a one-year subscription or pay-per-booking basis) and to allow travelers to search and book rentals for free. HomeAway was acquired by Expedia in 2015 and changed its business model to charge travelers a fee to book rentals in mid-2016. Plaintiff James May had been a property owner who used HomeAway since 2013. Continue Reading Sneaky Website User Bound by Online Terms of Use’s Arbitration Provision Despite Renewing Subscription in Spouse’s Name

An advertising executive who lost his job after being named on an anonymous Instagram account is suing the now-defunct account for defamation. The suit names as defendants not only the account—Diet Madison Avenue, which was intended to root out harassment and discrimination at ad agencies—but also (as “Jane Doe 1,” “Jane Doe 2,” et cetera) several of the anonymous people who ran it. Whether Instagram will ultimately have to turn over the identities of the users behind the account will turn on a couple of key legal issues.

A bill recently passed by the New York State Senate makes it a crime for “a caretaker to post a vulnerable elderly person on social media without their consent.” At least one tech columnist thinks the legislation is so broadly worded that it violates the U.S. Constitution. That might be so, but—in light of several news reports about this unfortunate form of elder abuse over the last few years—that same columnist may not be correct about the bill likely having been passed in response to a one-time incident.

A new law in Egypt that categorizes social media accounts and blogs with more than 5,000 followers as media outlets allows the government in that country to block those accounts and blogs for publishing fake news. Some critics aren’t buying the government’s explanation for the law’s implementation, however, and are suggesting it was inspired by a very different motivation.

Critics of the most recent version of the European Copyright Directive’s Article 13, which the European Parliament rejected in early July, brought home their message by arguing that it would have prevented social media users from uploading and sharing their favorite memes.

In a criminal trial, social media posts may be used by both the prosecution and the defense to impeach a witness but—as with all impeachment evidence—the posts’ use and scope is entirely within the discretion of the trial court. The New York Law Journal’s cybercrime columnist explains.

To thwart rampant cheating by high school children, one country shut down the Internet nationwide during certain hours and had social media platforms go dark for the whole exam period.

Snapchat now allows users to unsend messages. Here’s how.

Employees of Burger King’s Russian division recently had to eat crow for a tasteless social media campaign that offered women a lifetime supply of Whoppers as well as three million Russian rubles ($47,000) in exchange for accomplishing a really crass feat.

We’ve all heard of drivers experiencing road rage, but how about members of the public experiencing robot rage? According to a company that supplies cooler-sized food-delivery robots, its’s a thing.

 

 

 

 

 

If a web server located outside the United States hosts video content that can be viewed by Internet users located in the United States, does a public performance result under U.S. copyright law?

This has been a topic of hot debate for a surprisingly long time, with little or no direct guidance from the courts—until now. A recent decision from the D.C. Circuit, Spanski Enterprises v. Telewizja Polska, addresses this issue head-on, with the court finding that the uploading of video content in which a party held exclusive U.S. public performance rights and the subsequent directing of the content to U.S. viewers upon their request to be an infringing “performance” under the U.S. Copyright Act.

Telewizja Polska (“Polska”) is Poland’s national TV broadcaster that owns, operates and creates content for several Polish TV channels. Polska and Spanski Enterprises (“Spanski”), a Canadian corporation, entered into a licensing agreement granting Spanski exclusive broadcasting rights in North and South America to TVP Polonia, one of Polska’s TV channels. Polska provides online access to its programming through a video-on-demand feature on its Poland-based website and, to protect Spanski’s rights, Polska used geoblocking technology to block North and South American IP addresses from accessing the copyrighted content. The territorial restrictions were either incorporated into the digital video formats of the episodes themselves or assigned through a content management system. Continue Reading Copyright’s Long Arm: Foreign Website Found to Infringe U.S. Copyright Law by Providing U.S. Viewers Access to Site Content

As close observers of the implications of privacy law on companies’ data collection, usage and disclosure practices, we at Socially Aware were among the many tech-law enthusiasts anticipating the U.S. Supreme Court’s recent decision in Carpenter v. United States, in which the Court held that the government must obtain a warrant to acquire customer location information maintained by cellular service providers, at least where that information covers a period of a week or more.

Authored by Chief Justice John Roberts, the 5-4 opinion immediately enshrines greater protections for certain forms of location data assembled by third parties. It also represents the Court’s growing discomfort with the so-called “third-party doctrine”—a line of cases holding that a person does not have a reasonable expectation of privacy in records that he or she voluntarily discloses to a third party. In the longer run, there will likely be further litigation over whether the same logic should extend Fourth Amendment protections to other types of sensitive information in the hands of third parties as courts grapple with applying these principles in the digital age.

Background

Anytime a cell phone uses its network, it must connect to the network through a “cell site.” Whenever cell sites make a connection, they create and record Cell Site Location Information (CSLI). Cell phones may create hundreds of data points in a normal day, and providers collect and store CSLI to spot weak coverage areas and perform other business functions. Continue Reading Location Information Is Protected by the 4th Amendment, SCOTUS Rules

Computer scientist and legal scholar Nick Szabo first proposed the idea of “smart contracts” in 1996. Szabo published his initial paper on the topic in a publication called Extropy, a journal of transhumanism, a movement seeking to enhance human intellect and physiology by means of sophisticated technologies. At the time, the idea was nothing if not futuristic.

Fast forward 22 years, and even if the actual use of smart legal contracts remains largely in the future, the idea of them has gone mainstream. What follows is our list of the top five things you need to know about this quickly evolving area.

  1. Their Name Is Somewhat Confusing

When lawyers speak of contracts, they generally mean agreements that are intended to be legally enforceable. In contrast, when most people use the term “smart contract” they’re not referring to a contract in the legal sense, but instead to computer coding that may effectuate specified results based on “if, then” logic.

Advocates of smart legal contracts envision a day when coding will automatically exercise real-world remedies if one of the parties to a smart contract fails to perform.. For example, if an automotive borrower were to fail to make a car payment, coding within the smart loan agreement could automatically trigger a computer controlling the relevant car to prevent the borrower from driving it, or could cause the car to drive autonomously to the lender’s garage.

Even then, whether coding itself could ever satisfy the requirements of a legally binding contract is up for debate. Continue Reading Five Things to Know About Smart Contracts

Most companies are familiar with the Children’s Online Privacy Protection Act (COPPA) and its requirement to obtain parental consent before collecting personal information online from children under 13.  Yet COPPA also includes an information deletion requirement of which companies may be unaware.  On May 31, 2018, the Federal Trade Commission (FTC) published a blog post addressing this requirement, clarifying (i) when children’s personal information must be deleted and (ii) how the requirement applies, as well as (iii) recommending that covered companies review their information retention policies to ensure they are in compliance.

(i) COPPA’s information deletion requirement.  The FTC clarifies that, under Section 312.10 of COPPA, companies may retain children’s personal information “for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.”  After that, a company must use reasonable measures to ensure such personal information is securely destroyed.

(ii) Application of the deletion requirement to children’s outdated subscription information.  In its post, the FTC applies the deletion requirement to the example of a subscription-based app directed to children under 13.  If the subscription period ends, and a parent decides not to renew the service, can the company keep the child’s personal information?  The answer, the FTC confirms, is “no”:  the information is no longer “reasonably necessary” to provide the app’s services, so it must be deleted.  This is true regardless of whether a parent affirmatively requests deletion.

(ii) Recommendation to review information retention policies in light of the deletion requirement.  The FTC recommends that companies review their information retention policies with COPPA’s deletion requirement in mind.  It lists questions to help guide companies as they navigate this requirement:

  • What types of personal information are you collecting from children?
  • What is your stated purpose for collecting the information?
  • How long do you need to hold onto the information to fulfill the purpose for which it was initially collected? For example, do you still need information you collected a year ago?
  • Does the purpose for using the information end with an account deletion, subscription cancellation, or account inactivity?
  • When it’s time to delete information, are you doing it securely?

Key takeaway.  If a company possesses personal information collected online from a child under 13, and the information no longer serves the purpose for which it was collected, the company must delete it.  Companies should review their information retention policies to ensure compliance with this COPPA requirement.

*       *       *

For more on the Children’s Online Privacy Protection Act, please read the following Socially Aware posts: FTC Issues Substantially Revised COPPA Rule: and Review of Changes and Compliance Tips; and Mobile App Legal Terms & Conditions: Six Key Considerations.

Finding that President Trump’s Twitter feed constitutes a public forum, a federal judge in New York City held that it’s a First Amendment violation when the President or one of his assistants blocks a Twitter user from viewing or responding to one of the President’s tweets. As the New York Times points out, the decision “is likely to have implications far beyond Mr. Trump’s feed and its 52 million followers.” A blog post on the online version of the monthly magazine Reason provides some tips for politicians with social media accounts who want to stay on the right side of the law.

Speaking of President Trump, the former secretary of a federal judge is claiming the President got her fired. Okay, not exactly. The secretary, Olga Zuniga, who worked for a judge on Texas’s highest criminal court, filed a lawsuit alleging that the judge—a member of the GOP—terminated her employment because he found Facebook posts in which Zuniga criticized President Trump’s and other Republican politicians’ immigration policies. A post on Popehat, a fellow ABA Web 100 honoree, explores the strength of Zuniga’s case.

Unless you’ve been living in a cave, you know that the EU’s General Data Protection Regulation (GDPR) took effect last Friday, May 25th. Now that the dust has cleared, if you are interested in up-to-date information regarding GDPR developments and compliance insights, check out our GDPR Readiness Center. If you want details on what GDPR means for your outsourcing and other vendor agreements, you might want to attend our upcoming webinar.

The impact of GDPR is being felt across social media platforms in all sorts of ways. For example, in a move reportedly prompted by GDPR, Twitter has shut down accounts of those users who, at the time that they joined Twitter, were under 13 years of age, based on date-of-birth information voluntarily provided by such users during the registration process.

Facing an inbox full of companies’ privacy policy updates? You can blame that on the GDPR too. In fact, the onslaught of GDPR-induced privacy-policy updates inspired some pretty creative memes on Twitter.

Wait… the GDPR will also affect tourists taking photos with their phones?

Instagram is expanding its anti-bullying initiatives by using a machine-learning algorithm to filter out harassing comments and reviewing the accounts with an especially high number of blocked comments to determine whether the owners of those accounts have violated the platform’s community guidelines.

The still-unprofitable Snapchat will begin running six-second advertisements that its users will not be able to skip. These un-skippable commercials will not run during users’ personal stories, only during select Snapchat Shows—highly produced three-to-five minute programs from well-known entertainment companies.

The fascinating story of how Wired lost a small fortune in Bitcoin. . . . (Well, the Bitcoins are here, but the key has been destroyed.)

The Royal Wedding was a bigger topic on Pinterest than it was on Facebook. FastCompany speculates that it’s because Pinterest’s audience is predominantly women and reveals the subject of most of the Royal Wedding pins.

This is the famous Monkey selfie.

I confess: I have mixed emotions regarding the iconic “monkey-selfie” photo and all the hubbub it has created.

Don’t get me wrong; I think monkeys are wonderful, and the photo deserves its iconic status. Who can resist smiling while viewing that famous image of Naruto, the macaque monkey who allegedly snapped the self-portrait?

And the monkey selfie has been a boon to legal blogs. Our own posts regarding the photo have been among the most viewed content on Socially Aware (one of our posts prompted a call from my mother, who felt strongly that Naruto should be entitled to a copyright in the photo).

But, let’s face it, in an era where technology disruption is generating so many critical and difficult copyright issues, the law relevant to the monkey selfie is pretty straightforward, at least in the United States. As the U.S. Copyright Office states in its Compendium II of Copyright Office Practices, for a work to be copyrightable, it must “owe its origin to a human being,” and that materials produced solely by nature, by plants or by animals do not count. U.S. courts have reached the same conclusion. (Although I note that David Slater, the nature photographer whose camera was used to take the photo, claims that he—and not the macaque—is in fact the author of the photo for copyright purposes.) Continue Reading Monkey-Selfie Case Returns—To Court & (Maybe) a Theater Near You

With the effective date of the EU’s General Data Protection Regulation (GDPR) less than one month away, companies subject to the GDPR are racing to comply with the regulation’s data privacy laws. But, for those companies, May 25 doesn’t represent a finish line as much as it does a starting gate.

In the coming months, as the most thorough and efficient methods of complying with the GDPR’s requirements come to light, the compliance processes that companies rushed to implement will need to evolve and change.

Do your company’s GDPR-compliance practices require an overhaul or just a few minor tweaks? Find out at Morrison & Foerster’s Data Protection Masterclass, a webinar that will help you to avoid wasting your organization’s precious resources by busting GDPR myths.

Join Socially Aware contributors Miriam Wugmeister, Christine Lyon, Alex van der Wolk, and Alja Poler De Zwart on Tuesday, June 19, from 12:00 pm until 1:00 pm ET to learn about data processors’ obligations, the GDPR’s impact on outsourcing and vendor agreements,  and more. If you are interested in attending this webinar, please register here. There is no charge to attend.