New York is now one of the 43 states where “revenge porn,” the posting of explicit photographs or videos to the Internet without the subject’s consent, is punishable by law. See how far the states have come – find out how many had criminalized revenge porn as of 2014, when Socially Aware first covered the issue.

YouTube announced that it will not allow channels that promote anti-vaccination videos to run advertisements because such videos violate the platform’s policy, which, among other things, disallows the monetization of “dangerous content.” Many of the companies whose ads appeared alongside anti-vaccination content say they were not aware it was happening. Find out how that could be possible.

Senator John Kennedy (R-LA) has introduced a bill that would give Internet users considerably more control over their personal data by mandating that social media companies inform registrants—in simple, easy-to-understand terms—that they are entering into an agreement licensing their personal data to the company. Coined the Own Your Own Data Act, the legislation would also require social media platforms to make it easy for their registrants to cancel the licensing agreement and obtain the collected data and any analysis of it.

Another privacy bill, this one proposed by Senators Ed Markey (D-MA) and Josh Hawley (R-MO), would amend the Children’s Online Privacy Protection Act (COPPA) to completely prohibit the running of targeted advertisements on websites targeted to children. Find out how else the bill would amend COPPA, and how long companies would have to comply with the amendment if it became law.

The debate over whether politicians have a right to block people on social media rages on.

The United States isn’t the only country whose president favors social media as a vehicle for sharing his views.

A #TwitterLaw symposium is being held at the University of Idaho College of Law next month. Road trip, anyone?

Even the British Royal Family has to contend with social media trolls.

One of the next big items in Europe will be the expansion of “ePrivacy” (which, among other things, regulates the use of cookies on websites). While the ePrivacy reform is still being worked on by EU lawmakers, one of the items the ePrivacy Regulation is expected to update is the use of “cookie walls.” Recently, the Austrian and UK data protection authorities (DPAs) issued enforcement actions involving the use of cookie walls, albeit with different findings and conclusions.

Cookie Walls

A cookie wall blocks individuals from accessing a website unless they first accept the use of cookies and similar technologies. The practice of using cookie walls is not prohibited under the current ePrivacy Directive.

However, the European Data Protection Board (EDPB), the successor to the Article 29 Working Party, has issued a non-binding opinion that the use of cookie walls should be prohibited under new EU ePrivacy rules. The EDPB argues that cookie walls run contrary to the General Data Protection Regulation (GDPR): “In order for consent to be freely given as required by the GDPR, access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited.”

The cost for violating the Children’s Online Privacy Protection Act (COPPA) has been steadily rising, and companies subject to the law should take heed. Last week, the Federal Trade Commission (FTC) announced a record-setting $5.7 million settlement with the mobile app company Musical.ly for a myriad of COPPA violations, exceeding even the December 2018 $4.95 million COPPA settlement by the New York Attorney General. Notably, two Commissioners issued a statement accompanying the settlement, arguing that the FTC should prioritize holding executives personally responsible for their roles in deliberate violations of the law in the future.

COPPA is intended to ensure parents are informed about, and can control, the online collection of personal information (PI) from their children under age thirteen. Musical.ly (now operating as “TikTok”) is a popular social media application that allows users to create and share lip-sync videos to popular songs. The FTC cited the Shanghai-based company for numerous violations of COPPA, including failure to obtain parental consent and failure to properly delete children’s PI upon a parent’s request.

The California Attorney General continued its series of public forums regarding the California Consumer Privacy Act (CCPA), with forums last week in Riverside (January 24, 2019) and Los Angeles (January 25, 2019). As in the previous forums, there were a significant number of attendees, but few elected to speak publicly regarding their views on the Act. You can read our reports on the public forums held earlier this month in San Francisco and San Diego.

Lisa Kim, Deputy Attorney General for the AG’s Privacy Unit, provided opening remarks at both forums and identified the areas of the AG’s rulemaking on which speakers should focus their comments, specifically those areas of the Act that call for specific AG rules.  Ms. Kim encouraged interested parties to provide written comments and proposed regulatory language during this pre-rulemaking phase. Consistent with the prior forums, she noted that the AG’s office would be listening, and not responding, to comments made in Riverside and Los Angeles.

Of note, the presentation slides made available at the forum (and available here) state that the AG anticipates publishing proposed rules in Fall 2019, and that after that there will be a period for public comment and additional public hearings.

In anticipation of preparing rules to implement the California Consumer Privacy Act, the California Attorney General recently announced six public forums that he will host in January and February 2019 across California.  On January 8, 2019, the AG hosted the first of these forums in San Francisco.  The following provides an overview of the forum and the comments made at the forum.

Overview of the January 8, 2019, San Francisco Forum 

Stacey Schesser, the Supervising Deputy Attorney General for the AG’s Privacy Unit, provided opening remarks.  Ms. Schesser confirmed that the AG’s office is at the very beginning of its rulemaking process.  Although the AG’s office will solicit formal comments after it prepares proposed rules, the AG is interested in receiving detailed written comments from the public with proposed language during this informal period.

These forums appear to be designed to inform the AG’s rulemaking and potentially streamline the process, by allowing public input before rules are drafted.  In this regard, Ms. Schesser clarified that she and other AG representatives in attendance at the San Francisco forum were there only to listen to the public comments and would not respond to questions or engage with speakers.  As a result, if the remaining forums follow a similar approach, it is unlikely that the forums will elicit meaningful intelligence regarding the AG’s anticipated approach to, or the substance of, the anticipated rulemaking.

Just over a month after the EU General Data Protection Regulation (GDPR) took effect, California passed its own sweeping privacy legislation, the California Consumer Privacy Act of 2018.

The Act stands to affect countless global companies doing business in California, many of which recently devoted extensive time and resources to GDPR compliance. These companies must now determine what additional steps are necessary to comply with the Act by the time it takes effect on January 1, 2020.

Join Socially Aware contributors Christine Lyon and Julie O’Neill on Thursday, September 20, 2018, for a deep dive into the key similarities and differences between the GDPR and the Act, as well as practical steps companies can take to assess gaps and chart a path to compliance. The areas they expect to cover include:

  • Notice requirements
  • Access and portability
  • Deletion
  • Opt-outs
  • Discrimination

If you are interested in attending this free webinar, please register here.

As close observers of the implications of privacy law on companies’ data collection, usage and disclosure practices, we at Socially Aware were among the many tech-law enthusiasts anticipating the U.S. Supreme Court’s recent decision in Carpenter v. United States, in which the Court held that the government must obtain a warrant to acquire customer location information maintained by cellular service providers, at least where that information covers a period of a week or more.

Authored by Chief Justice John Roberts, the 5-4 opinion immediately enshrines greater protections for certain forms of location data assembled by third parties. It also represents the Court’s growing discomfort with the so-called “third-party doctrine”—a line of cases holding that a person does not have a reasonable expectation of privacy in records that he or she voluntarily discloses to a third party. In the longer run, there will likely be further litigation over whether the same logic should extend Fourth Amendment protections to other types of sensitive information in the hands of third parties as courts grapple with applying these principles in the digital age.

Background

Anytime a cell phone uses its network, it must connect to the network through a “cell site.” Whenever cell sites make a connection, they create and record Cell Site Location Information (CSLI). Cell phones may create hundreds of data points in a normal day, and providers collect and store CSLI to spot weak coverage areas and perform other business functions.

With the effective date of the EU’s General Data Protection Regulation (GDPR) less than one month away, companies subject to the GDPR are racing to comply with the regulation’s data privacy laws. But, for those companies, May 25 doesn’t represent a finish line as much as it does a starting gate.

In the coming months, as the most thorough and efficient methods of complying with the GDPR’s requirements come to light, the compliance processes that companies rushed to implement will need to evolve and change.

Do your company’s GDPR-compliance practices require an overhaul or just a few minor tweaks? Find out at Morrison & Foerster’s Data Protection Masterclass, a webinar that will help you to avoid wasting your organization’s precious resources by busting GDPR myths.

Join Socially Aware contributors Miriam Wugmeister, Christine Lyon, Alex van der Wolk, and Alja Poler De Zwart on Tuesday, June 19, from 12:00 pm until 1:00 pm ET to learn about data processors’ obligations, the GDPR’s impact on outsourcing and vendor agreements, and more. If you are interested in attending this webinar, please register here. There is no charge to attend.

In a decision that has generated considerable controversy, a federal court in New York has held that the popular practice of embedding tweets into websites and blogs can result in copyright infringement. Plaintiff Justin Goldman had taken a photo of NFL quarterback Tom Brady, which Goldman posted to Snapchat. Snapchat users “screengrabbed” the image for use in tweets on Twitter. The defendants—nine news outlets—embedded tweets featuring the Goldman photo into online articles so that the photo itself was never hosted on the news outlets’ servers; rather, it was hosted on Twitter’s servers (a process known as “framing” or “inline linking”). The court found that, even absent any copying of the image onto their own servers, the news outlets’ actions had resulted in a violation of Goldman’s exclusive right to authorize the public display of his photo.

If legislation recently introduced in California passes, businesses with apps or websites requiring passwords and enabling Golden State residents younger than 18 to share content could be prohibited from asking those minors to agree to the site’s or the app’s terms and conditions of use.

After a lawyer was unable to serve process by delivering court documents to a defendant’s physical and email addresses, the Ontario Superior Court granted the lawyer permission to serve process by mailing a statement of claim to the defendant’s last known address and by sending the statement of claim through private messages to the defendant’s Instagram and LinkedIn accounts. This is reportedly the first time an Ontario court has permitted service of process through social media. The first instance that we at Socially Aware heard of a U.S. court permitting a plaintiff to serve process on a domestic, U.S.-based defendant through a social media account happened back in 2014.

Videos that impose celebrities’ and non-famous people’s faces onto porn performers’ to produce believable videos have surfaced on the Internet, and are on the verge of proliferating. Unlike the non-consensual dissemination of explicit photos that haven’t been manipulated—sometimes referred to as “revenge porn”—this fake porn is technically not a privacy issue, and making it illegal could raise First Amendment issues.

By mining datasets and social media to recover millions of dollars lost to tax fraud and errors, the IRS may be violating common law and the Electronic Communications Privacy Act, according to an op-ed piece in The Hill.

A woman is suing her ex-husband, a sheriff’s deputy in Georgia, for having her and her friend arrested and briefly jailed for posting on Facebook about his alleged refusal to drop off medication for his sick children on his way to work. The women had been charged with “criminal defamation of character” but the case was ultimately dropped after a state court judge ruled there was no basis for the arrest.

During a hearing in a Manhattan federal court over a suit brought by seven Twitter users who say President Trump blocked them on Twitter for having responded to his tweets, the plaintiffs’ lawyer compared Twitter to a “virtual town hall” where “blocking is a state action and violates the First Amendment.” An assistant district attorney, on the other hand, analogized the social media platform to a convention where the presiding official can decide whether or not to engage with someone. The district court judge who heard the arguments refused to decide the case on the spot and encouraged the parties to settle out of court.

Have your social media connections been posting headshots of themselves alongside historical portraits of people who look just like them? Those posts are the product of a Google app that matches the photo of a person’s face to a famous work of art, and the results can be fun. But not for people who live in Illinois or Texas, where access to the app isn’t available. Experts believe it’s because laws in those states restrict how companies can use biometric data.

The stock market is apparently keeping up with the Kardashians. A day after Kim Kardashian’s half-sister Kylie Jenner tweeted her frustration with Snapchat’s recent redesign, the company’s market value decreased by $1.3 billion.

In February the U.S. Supreme Court heard oral arguments in United States v. Microsoft. At issue is Microsoft’s challenge to a warrant issued by a U.S. court directing it to produce emails stored in Ireland. With implications for government investigations, privacy law, and multi-national tech companies’ ability to compete globally, the case has attracted significant attention.

Over the course of the oral arguments it became clear that rendering a decision in United States v. Microsoft would require the justices to choose between two less-than-satisfactory outcomes: denying the U.S. government access to necessary information, or potentially harming U.S. technology companies’ ability to operate globally.

The conundrum the justices face is largely due to the fact that the 1986 law at issue, the Stored Communications Act (SCA), never envisioned the kind of complex, cross-border data storage practices of today.

Find out more about the case and how recently introduced legislation known as the CLOUD Act could wind up superseding the Court’s decision in United States v. Microsoft by, among other things, clarifying the SCA’s applicability to foreign-stored data while also providing technology companies with a new vehicle for challenging certain orders that conflict with the laws of the country where data is stored.

Read my article in Wired.