Just over a month after the EU General Data Protection Regulation (GDPR) took effect, California passed its own sweeping privacy legislation, the California Consumer Privacy Act of 2018.

The Act stands to affect countless global companies doing business in California, many of which recently devoted extensive time and resources to GDPR compliance. These companies must now determine what additional steps are necessary to comply with the Act by the time it takes effect on January 1, 2020.

Join Socially Aware contributors Christine Lyon and Julie O’Neill on Thursday, September 20, 2018, for a deep dive into the key similarities and differences between the GDPR and the Act, as well as practical steps companies can take to assess gaps and chart a path to compliance. The areas they expect to cover include:

  • Notice requirements
  • Access and portability
  • Deletion
  • Opt-outs
  • Discrimination

If you are interested in attending this free webinar, please register here.

With the effective date of the EU’s General Data Protection Regulation (GDPR) less than one month away, companies subject to the GDPR are racing to comply with the regulation’s data privacy laws. But, for those companies, May 25 doesn’t represent a finish line as much as it does a starting gate.

In the coming months, as the most thorough and efficient methods of complying with the GDPR’s requirements come to light, the compliance processes that companies rushed to implement will need to evolve and change.

Do your company’s GDPR-compliance practices require an overhaul or just a few minor tweaks? Find out at Morrison & Foerster’s Data Protection Masterclass, a webinar that will help you to avoid wasting your organization’s precious resources by busting GDPR myths.

Join Socially Aware contributors Miriam Wugmeister, Christine Lyon, Alex van der Wolk, and Alja Poler De Zwart on Tuesday, June 19, from 12:00 pm until 1:00 pm ET to learn about data processors’ obligations, the GDPR’s impact on outsourcing and vendor agreements,  and more. If you are interested in attending this webinar, please register here. There is no charge to attend.

In a decision that has generated considerable controversy, a federal court in New York has held that the popular practice of embedding tweets into websites and blogs can result in copyright infringement. Plaintiff Justin Goldman had taken a photo of NFL quarterback Tom Brady, which Goldman posted to Snapchat. Snapchat users “screengrabbed” the image for use in tweets on Twitter. The defendants—nine news outlets—embedded tweets featuring the Goldman photo into online articles so that the photo itself was never hosted on the news outlets’ servers; rather, it was hosted on Twitter’s servers (a process known as “framing” or “inline linking”). The court found that, even absent any copying of the image onto their own servers, the news outlets’ actions had resulted in a violation of Goldman’s exclusive right to authorize the public display of his photo.

If legislation recently introduced in California passes, businesses with apps or websites requiring passwords and enabling Golden State residents younger than 18 to share content could be prohibited from asking those minors to agree to the site’s or the app’s terms and conditions of use.

After a lawyer was unable to serve process by delivering court documents to a defendant’s physical and email addresses, the Ontario Superior Court granted the lawyer permission to serve process by mailing a statement of claim to the defendant’s last known address and by sending the statement of claim through private messages to the defendant’s Instagram and LinkedIn accounts. This is reportedly the first time an Ontario court has permitted service of process through social media. The first instance that we at Socially Aware heard of a U.S. court permitting a plaintiff to serve process on a domestic, U.S.-based defendant through a social media account happened back in 2014.

Videos that impose celebrities’ and non-famous people’s faces onto porn performers’ to produce believable videos have surfaced on the Internet, and are on the verge of proliferating. Unlike the non-consensual dissemination of explicit photos that haven’t been manipulated—sometimes referred to as “revenge porn”—this fake porn is technically not a privacy issue, and making it illegal could raise First Amendment issues.

By mining datasets and social media to recover millions of dollars lost to tax fraud and errors, the IRS may be violating common law and the Electronic Communications Privacy Act, according to an op-ed piece in The Hill.

A woman is suing her ex-husband, a sheriff’s deputy in Georgia, for having her and her friend arrested and briefly jailed for posting on Facebook about his alleged refusal to drop off medication for his sick children on his way to work. The women had been charged with “criminal defamation of character” but the case was ultimately dropped after a state court judge ruled there was no basis for the arrest.

During a hearing in a Manhattan federal court over a suit brought by seven Twitter users who say President Trump blocked them on Twitter for having responded to his tweets, the plaintiffs’ lawyer compared Twitter to a “virtual town hall” where “blocking is a state action and violates the First Amendment.” An assistant district attorney, on the other hand, analogized the social media platform to a convention where the presiding official can decide whether or not to engage with someone. The district court judge who heard the arguments refused to decide the case on the spot and encouraged the parties to settle out of court.

Have your social media connections been posting headshots of themselves alongside historical portraits of people who look just like them? Those posts are the product of a Google app that matches the photo of a person’s face to a famous work of art, and the results can be fun. But not for people who live in Illinois or Texas, where access to the app isn’t available. Experts believe it’s because laws in those states restrict how companies can use biometric data.

The stock market is apparently keeping up with the Kardashians. A day after Kim Kardashian’s half-sister Kylie Jenner tweeted her frustration with Snapchat’s recent redesign, the company’s market value decreased by $1.3 billion.

Last year we covered a wide range of online legal and business subjects intended for readers ranging from Internet entrepreneurs to social media marketers, from online shoppers to e-tailers, from networkers to influencers (and the brands that pay them).

The topics of our blog posts covered a myriad of cutting-edge subjects, including a new federal law limiting a business’s ability to stop patrons from posting negative online reviews and a court opinion that gave online retailers some cause for celebration.

As interesting as those topics are, they weren’t the subjects of Socially Aware’s most widely read articles from last year. Here are the most popular posts that appeared on Socially Aware in 2017.

  1. Second Circuit Clarifies “Repeat Infringer” Policy Requirement for DMCA Copyright Safe Harbors
  2. N.Y.’s New Cybersecurity Regulations: What Financial Services Companies Need to Know
  3. The Hague District Court’s WhatsApp Decision Creates Concerns for Mobile App Developers
  4. Google Ordered to Comply with Warrant for Foreign-Stored User Data
  5. Limiting Statutory Damages in Internet Copyright Cases
  6. Court Orders Google to Turn Over Foreign-Stored Data
  7. Zazzle Fizzles: Website Operator Denied Copyright Safe Harbor Protection for Its Sale of Physical Products Featuring User-Generated Images
  8. Delaware Paves the Way for Blockchain Technology
  9. Brands Beware: FTC Continues Campaign on Social Media Influencer Disclosures
  10. FTC Report Reinforces the Rules for Cross-Device Tracking

As Socially Aware readers know, social media is transforming the way companies interact with consumers. Learn how to make the most of these online opportunities while minimizing your company’s legal risks at Practising Law Institute’s (PLI) 2018 Social Media conference, to be held in San Francisco on Thursday, February 1st, and in New York City on Wednesday, February 14th; both events will be webcasted. The conference will be chaired by Socially Aware co-editor John Delaney, and our other co-editor, Aaron Rubin, will also be presenting at the event.

Topics to be addressed will include:

  • The new business opportunities—and legal risks—that social media is providing for businesses
  • What every company should know about online contractual eco-systems
  • How to avoid running afoul of the law when employing social media influencers and using marketing tools like user-generated content, hashtags and native advertising online
  • The privacy-related developments that have arisen in connection with geo-location tracking and interest-based advertising
  • How to minimize the risks that accompany social media use in the workplace

In addition, an in-house panel will provide creative solutions to real-world social-media-related issues and address emerging social media trends.

Don’t miss this opportunity to get up-to-date information on the fast-breaking developments in the critical area of social media so that you can most effectively meet the needs of your clients.

For more information or to register, please visit PLI’s website here. We hope to see you there!

“My Google Home Mini was inadvertently spying on me 24/7 due to a hardware flaw,” wrote a tech blogger who purchased Google Inc.’s latest internet of things (IoT) device. Following the incident, a pact of consumer advocacy groups insisted the U.S. Consumer Product Safety Commission (CPSC) recall the Google smart speaker due to privacy concerns arising when the device recorded all audio without voice command prompts.

The CPSC is charged with protecting consumers from products that pose potential hazards. Traditionally, this has meant hazards that may cause physical injury or property damage. But as internet-connected household products continue to proliferate, issues like the “always-on” Google Home Mini raise an important question: Where does cybersecurity of consumer IoT devices fit within the current legal framework governing consumer products?

The Explosion of IoT

Forecasts predict that by 2020 IoT devices will account for 24 billion of the 34 billion devices connected to the internet. According to a recent Gemalto survey, “[a] hacker controlling IoT devices is the most common concern for consumers (65%), while six in ten (60%) worry about their data being stolen.”

The rapid growth of the IoT market and continued integration into daily life raises the question of which regulatory body or bodies, if any, should be responsible for consumer safety when it comes to cybersecurity for consumer IoT devices.

The Intersection of Consumer Product Safety, Privacy and Cybersecurity

The CPSC’s jurisdiction has traditionally been limited to physical injury and property damage. It is “charged with protecting the public from unreasonable risks of injury or death associated with the use of the thousands of types of consumer products under the agency’s jurisdiction.” Continue Reading Connected Devices Bring New Product Liability Challenges

Following a recent U.S. district court’s ruling, foreign companies operating cloud-based services may find themselves subject to federal long-arm jurisdiction under the Federal Rules of Civil Procedure 4(k)(2), even if they have no physical presence in the United States. In reaching its decision, the court noted that the question was ripe for consideration by the court of appeals; thus, it remains to be seen whether the decision will stand if appealed.

In Plixer International, Inc. v. Scrutinizer GMHB, the District Court of Maine ruled that, while jurisdiction would not exist under Maine’s long-arm statute, the court had specific personal jurisdiction over a German company under federal long-arm statute. Rule 4(k)(2), the federal long-arm statute, provides that serving a summons or filing a waiver of service establishes personal jurisdiction over a defendant if the defendant is not subject to jurisdiction in any state’s courts of general jurisdiction as long as exercising jurisdiction is consistent with the U.S. Constitution and laws.

Continue Reading Foreign Cloud-Based Service Providers May Be Subject to Personal Jurisdiction in the United States

The U.S. Supreme Court on Oct. 16, 2017, announced it had granted the government’s petition for certiorari in United States v. Microsoft and will hear a case this Term that could have lasting implications for how technology companies interact with the U.S government and governments overseas. At issue is a consequential Second Circuit decision from last year that held that warrants issued under the Stored Communications Act (SCA) do not reach emails and other user data stored overseas by a U.S. provider.

While no federal appellate court besides the Second Circuit has squarely addressed the issue, multiple district courts outside the Second Circuit have declined to follow the Second Circuit’s reasoning in similar fact patterns involving other technology giants. The result is that U.S. law enforcement has different authority to access foreign-stored user data depending on where in the United States a warrant application is made. Google, for example, has expended significant resources to develop new tools to determine the geographic location of its users’ data so as to be in accord with the Second Circuit’s approach. Yet the company currently faces a hearing on sanctions for its alleged willful noncompliance with law enforcement requests in the Ninth Circuit based on a district court ruling that parted ways with the Second Circuit.

Continue Reading SCOTUS to Resolve Lower-Court Dispute Over U.S. Warrants Seeking Foreign-Stored User Data

Recent challenges to the Federal Trade Commission’s (FTC) authority to police data security practices have criticized the agency’s failure to provide adequate guidance to companies.

In other words, the criticism goes, businesses do not know what they need to do to avoid a charge that their data security programs fall short of the law’s requirements.

A series of blog posts that the FTC began on July 21, 2017, titled “Stick with Security,” follows promises from acting Chair Maureen Ohlhausen to provide more transparency about practices that contribute to reasonable data security. Some of the posts provide insight into specific data security practices that businesses should take, while others merely suggest what, in general, the FTC sees as essential to a comprehensive data security program. Continue Reading More Insight From the FTC on Data Security—or More of the Same?

Nearly all companies—whether they’re focused on the B2C market or the B2B market—have embraced social media as a way to promote their goods and services and to interact with customers and potential customers. The growing use of social media has, however, created challenges for federal securities regulators who must enforce antifraud rules that were written prior to the digital age.

Our Guide to Social Media and the Securities Laws summarizes how regulation has evolved in the face of the growing use of social media. It discusses the principal areas of focus for SEC-reporting companies, registered investment advisers, registered investment companies and registered broker-dealers that use social media.

Read our Guide to Social Media and the Securities Laws.