With the effective date of the EU’s General Data Protection Regulation (GDPR) less than one month away, companies subject to the GDPR are racing to comply with the regulation’s data privacy laws. But, for those companies, May 25 doesn’t represent a finish line as much as it does a starting gate.

In the coming months, as the most thorough and efficient methods of complying with the GDPR’s requirements come to light, the compliance processes that companies rushed to implement will need to evolve and change.

Do your company’s GDPR-compliance practices require an overhaul or just a few minor tweaks? Find out at Morrison & Foerster’s Data Protection Masterclass, a webinar that will help you to avoid wasting your organization’s precious resources by busting GDPR myths.

Join Socially Aware contributors Miriam Wugmeister, Christine Lyon, Alex van der Wolk, and Alja Poler De Zwart on Tuesday, June 19, from 12:00 pm until 1:00 pm ET to learn about data processors’ obligations, the GDPR’s impact on outsourcing and vendor agreements, and more. If you are interested in attending this webinar, please register here. There is no charge to attend.

In a decision that has generated considerable controversy, a federal court in New York has held that the popular practice of embedding tweets into websites and blogs can result in copyright infringement. Plaintiff Justin Goldman had taken a photo of NFL quarterback Tom Brady, which Goldman posted to Snapchat. Snapchat users “screengrabbed” the image for use in tweets on Twitter. The defendants—nine news outlets—embedded tweets featuring the Goldman photo into online articles so that the photo itself was never hosted on the news outlets’ servers; rather, it was hosted on Twitter’s servers (a process known as “framing” or “inline linking”). The court found that, even absent any copying of the image onto their own servers, the news outlets’ actions had resulted in a violation of Goldman’s exclusive right to authorize the public display of his photo.

If legislation recently introduced in California passes, businesses with apps or websites requiring passwords and enabling Golden State residents younger than 18 to share content could be prohibited from asking those minors to agree to the site’s or the app’s terms and conditions of use.

After a lawyer was unable to serve process by delivering court documents to a defendant’s physical and email addresses, the Ontario Superior Court granted the lawyer permission to serve process by mailing a statement of claim to the defendant’s last known address and by sending the statement of claim through private messages to the defendant’s Instagram and LinkedIn accounts. This is reportedly the first time an Ontario court has permitted service of process through social media. The first instance that we at Socially Aware heard of a U.S. court permitting a plaintiff to serve process on a domestic, U.S.-based defendant through a social media account happened back in 2014.

Videos that impose celebrities’ and non-famous people’s faces onto porn performers’ to produce believable videos have surfaced on the Internet, and are on the verge of proliferating. Unlike the non-consensual dissemination of explicit photos that haven’t been manipulated—sometimes referred to as “revenge porn”—this fake porn is technically not a privacy issue, and making it illegal could raise First Amendment issues.

By mining datasets and social media to recover millions of dollars lost to tax fraud and errors, the IRS may be violating common law and the Electronic Communications Privacy Act, according to an op-ed piece in The Hill.

A woman is suing her ex-husband, a sheriff’s deputy in Georgia, for having her and her friend arrested and briefly jailed for posting on Facebook about his alleged refusal to drop off medication for his sick children on his way to work. The women had been charged with “criminal defamation of character” but the case was ultimately dropped after a state court judge ruled there was no basis for the arrest.

During a hearing in a Manhattan federal court over a suit brought by seven Twitter users who say President Trump blocked them on Twitter for having responded to his tweets, the plaintiffs’ lawyer compared Twitter to a “virtual town hall” where “blocking is a state action and violates the First Amendment.” An assistant district attorney, on the other hand, analogized the social media platform to a convention where the presiding official can decide whether or not to engage with someone. The district court judge who heard the arguments refused to decide the case on the spot and encouraged the parties to settle out of court.

Have your social media connections been posting headshots of themselves alongside historical portraits of people who look just like them? Those posts are the product of a Google app that matches the photo of a person’s face to a famous work of art, and the results can be fun. But not for people who live in Illinois or Texas, where access to the app isn’t available. Experts believe it’s because laws in those states restrict how companies can use biometric data.

The stock market is apparently keeping up with the Kardashians. A day after Kim Kardashian’s half-sister Kylie Jenner tweeted her frustration with Snapchat’s recent redesign, the company’s market value decreased by $1.3 billion.

In February the U.S. Supreme Court heard oral arguments in United States v. Microsoft. At issue is Microsoft’s challenge to a warrant issued by a U.S. court directing it to produce emails stored in Ireland. With implications for government investigations, privacy law, and multi-national tech companies’ ability to compete globally, the case has attracted significant attention.

Over the course of the oral arguments it became clear that rendering a decision in United States v. Microsoft would require the justices to choose between two less-than-satisfactory outcomes: denying the U.S. government access to necessary information, or potentially harming U.S. technology companies’ ability to operate globally.

The conundrum the justices face is largely due to the fact that the 1986 law at issue, the Stored Communications Act (SCA), never envisioned the kind of complex, cross-border data storage practices of today.

Find out more about the case and how recently introduced legislation known as the CLOUD Act could wind up superseding the Court’s decision in United States v. Microsoft by, among other things, clarifying the SCA’s applicability to foreign-stored data while also providing technology companies with a new vehicle for challenging certain orders that conflict with the laws of the country where data is stored.

Read my article in Wired.

Companies that offer services, whether online or offline, to consumers on a subscription or other automatic renewal basis should be aware that such offers are heavily regulated at both the federal and state levels. A recent amendment to Section 17602 of California’s Business and Professions Code provides a good opportunity for businesses that make subscription offers to review their practices. As of July 1, 2018, the obligations under California law will expand in two ways that may require businesses to update those practices.

The first change relates to the information that businesses must provide to consumers regarding the terms of a subscription offer. The current law already requires a business to provide certain information about the renewal process—such as the amount of the recurring charges, the length of the renewal period, and the cancellation policy—both before the consumer accepts the agreement, and afterwards in an acknowledgement. The amendment provides that, as of July 1, 2018, if the offer includes any free trial or gift component, the information provided to consumers must also include a “clear and conspicuous explanation of the price that will be charged after the trial ends or the manner in which the subscription or purchasing agreement pricing will change upon conclusion of the trial.”

As Socially Aware readers know, social media is transforming the way companies interact with consumers. Learn how to make the most of these online opportunities while minimizing your company’s legal risks at Practising Law Institute’s (PLI) 2018 Social Media conference, to be held in San Francisco on Thursday, February 1st, and in New York City on Wednesday, February 14th; both events will be webcasted. The conference will be chaired by Socially Aware co-editor John Delaney, and our other co-editor, Aaron Rubin, will also be presenting at the event.

Topics to be addressed will include:

  • The new business opportunities—and legal risks—that social media is providing for businesses
  • What every company should know about online contractual eco-systems
  • How to avoid running afoul of the law when employing social media influencers and using marketing tools like user-generated content, hashtags and native advertising online
  • The privacy-related developments that have arisen in connection with geo-location tracking and interest-based advertising
  • How to minimize the risks that accompany social media use in the workplace

In addition, an in-house panel will provide creative solutions to real-world social-media-related issues and address emerging social media trends.

Don’t miss this opportunity to get up-to-date information on the fast-breaking developments in the critical area of social media so that you can most effectively meet the needs of your clients.

For more information or to register, please visit PLI’s website here. We hope to see you there!

“My Google Home Mini was inadvertently spying on me 24/7 due to a hardware flaw,” wrote a tech blogger who purchased Google Inc.’s latest internet of things (IoT) device. Following the incident, a pact of consumer advocacy groups insisted the U.S. Consumer Product Safety Commission (CPSC) recall the Google smart speaker due to privacy concerns arising when the device recorded all audio without voice command prompts.

The CPSC is charged with protecting consumers from products that pose potential hazards. Traditionally, this has meant hazards that may cause physical injury or property damage. But as internet-connected household products continue to proliferate, issues like the “always-on” Google Home Mini raise an important question: Where does cybersecurity of consumer IoT devices fit within the current legal framework governing consumer products?

The Explosion of IoT

Forecasts predict that by 2020 IoT devices will account for 24 billion of the 34 billion devices connected to the internet. According to a recent Gemalto survey, “[a] hacker controlling IoT devices is the most common concern for consumers (65%), while six in ten (60%) worry about their data being stolen.”

The rapid growth of the IoT market and continued integration into daily life raises the question of which regulatory body or bodies, if any, should be responsible for consumer safety when it comes to cybersecurity for consumer IoT devices.

The Intersection of Consumer Product Safety, Privacy and Cybersecurity

The CPSC’s jurisdiction has traditionally been limited to physical injury and property damage. It is “charged with protecting the public from unreasonable risks of injury or death associated with the use of the thousands of types of consumer products under the agency’s jurisdiction.”

Happy 2018 to our readers! It has become a Socially Aware tradition to start the New Year with some predictions from our editors and contributors. With smart contracts on the horizon, the Internet of Things and cryptocurrencies in the spotlight, and a number of closely watched lawsuits moving toward resolution, 2018 promises to be an exciting year in the world of emerging technology and Internet law.

Here are some of our predictions regarding tech-related legal developments over the next twelve months. As always, the views expressed are not to be attributed to Morrison & Foerster or its clients.

From John Delaney, Co-Founder and Co-Editor, Socially Aware, and Partner at Morrison & Foerster:
Regarding Web Scraping

Web scraping is an increasingly common activity among businesses (by one estimate, web-scraping bots account for as much as 46% of Internet traffic), and is helping to fuel the “Big Data” revolution. Despite the growing popularity of web scraping, courts have been generally unsympathetic to web scrapers. Last August, however, web scrapers finally received a huge victory, as the U.S. District Court for the Northern District of California enjoined LinkedIn from blocking hiQ Labs’ scraping of publicly available user profiles from the LinkedIn website in the hiQ Labs, Inc. v. LinkedIn Corp. litigation. The case is now on appeal to the Ninth Circuit; although my sense is that the Ninth Circuit will reject the broad scope and rationale of the lower court’s ruling, if the Ninth Circuit nevertheless ultimately sides with hiQ Labs, the web scraper, the decision could be a game changer, bringing online scraping out of the shadows and perhaps spurring more aggressive uses of scraping tools and scraped data. On the other hand, if the Ninth Circuit reverses, we may see companies reexamining and perhaps curtailing their scraping initiatives. Either way, 2018 promises to bring greater clarity to this murky area of the law.

Regarding the Growing Challenges for Social Media Platforms

2017 was a tough year for social media platforms. After years of positive press, immense consumer goodwill and a generally “hands off” attitude from regulators, last year saw a growing backlash against social media due to a number of reasons: the continued rise of trolling creating an ever-more toxic online environment; criticism of social media’s role in the dissemination of fake news; the growing concern over social media “filter bubbles” and “echo chambers”; and worries about the potential societal impact of social media’s algorithm-driven effectiveness in attracting and keeping a grip on our attention. Expect to see in 2018 further efforts by social media companies to get out ahead of most if not all of these issues, in the hopes of winning over critics and discouraging greater governmental regulation.

Regarding the DMCA Safe Harbor for Hosting of User-Generated Content

The backlash against social media noted in my prior item may also be reflected to some extent in several 2017 court decisions regarding the DMCA safe harbor shielding website operators and other online service providers from copyright damages in connection with user-generated content (and perhaps in the CDA Section 230 case law discussed by Aaron Rubin below). After nearly two decades of court decisions generally taking an ever more expansive approach to this particular DMCA safe harbor, the pendulum began to swing in the other direction in 2016, and this trend picked up steam in 2017, culminating in the Ninth Circuit’s Mavrix decision, which found a social media platform provider’s use of volunteer curators to review user posts to deprive the provider of DMCA safe harbor protection. Expect to see the pendulum continue to swing in favor of copyright owners in DMCA safe harbor decisions over the coming year.

Regarding Smart Contracts

Expect to see broader, mainstream adoption of “smart contracts,” especially in the B2B context—and perhaps litigation over smart contracts in 2019 . . . .

From Aaron Rubin, Co-Editor, Socially Aware, and Partner at Morrison & Foerster:
Regarding the CDA Section 230 Safe Harbor

We noted previously that 2016 was a particularly rough year for Section 230 of the Communications Decency Act and the immunity that the statute provides website operators against liability arising from third-party or user-generated content. Now that 2017 is in the rear view mirror, Section 230 is still standing but its future remains imperiled. We have seen evidence of Section 230’s resiliency in recent cases where courts rejected plaintiffs’ creative attempts to find chinks in the immunity’s armor by arguing, for example, that websites lose immunity when they use data analytics to direct users to content, or when they fail to warn users of potential dangers, or when they share ad revenue with content developers. Nonetheless, it is clear that the knives are still out for Section 230, including in Congress, where a number of bills are under consideration that would significantly limit the safe harbor in the name of combatting sex trafficking. I predict that 2018 will only see these efforts to rein in Section 230 increase.

The government in Indonesia has warned the world’s biggest social media providers that they risk being banned in that country if they don’t block pornography and other content deemed obscene.

A member of the House of Lords has proposed an amendment to the U.K.’s data protection bill that would subject technology companies to “minimum standards of age-appropriate design” such as not revealing the GPS locations of users younger than 16.

A bill in Wisconsin would make impersonating someone on social media a misdemeanor.

Google’s general counsel wrote a blog post arguing that two new cases over right-to-be-forgotten requests and pending before the European Union’s top court put the search-engine company at risk of “restricting access to lawful and valuable information.”

Trucking is a $700 billion industry that stands to save billions from automation, and will likely get self-driving vehicles on the road sooner than most people expected.

Social media platforms are often used to prey on potential sex trafficking victims, according to one FBI special agent.

A recent study shows that searching for information from unofficial sources on social media during a crisis is likely to result in the spread of misinformation and anxiety. Researchers recommend that, to quash rumors, emergency management officials should stay in regular contact with people even if they don’t have any new information.

This piece in Slate invites readers to imagine what the Internet would look like today if not for the passage of Section 230 of the Communications Decency Act, a statute that “says that in general, websites are not responsible for the things their users do or post.”

An op-ed in USA Today compares the swift spread of infectious diseases that resulted from the concentration of populations in urban areas to the swift spread of ideas that accompanied the invention of the Internet, and concludes that traditional training in critical thinking is as necessary to survive the latter as nutrition was to survive the former.

By allowing companies to provide consumers with verifiable information about things like their diversity-driven hiring practices and their products’ supply chains, blockchain is going to change the marketing industry significantly, the American Marketing Association reports.

A high school senior who was bullied in middle school created Sit With Us, the phone-based anti-bullying app that helps kids find a welcoming place to eat in their school cafeteria.

The U.S. Supreme Court on Oct. 16, 2017, announced it had granted the government’s petition for certiorari in United States v. Microsoft and will hear a case this Term that could have lasting implications for how technology companies interact with the U.S. government and governments overseas. At issue is a consequential Second Circuit decision from last year that held that warrants issued under the Stored Communications Act (SCA) do not reach emails and other user data stored overseas by a U.S. provider.

While no federal appellate court besides the Second Circuit has squarely addressed the issue, multiple district courts outside the Second Circuit have declined to follow the Second Circuit’s reasoning in similar fact patterns involving other technology giants. The result is that U.S. law enforcement has different authority to access foreign-stored user data depending on where in the United States a warrant application is made. Google, for example, has expended significant resources to develop new tools to determine the geographic location of its users’ data so as to be in accord with the Second Circuit’s approach. Yet the company currently faces a hearing on sanctions for its alleged willful noncompliance with law enforcement requests in the Ninth Circuit based on a district court ruling that parted ways with the Second Circuit.


With much fanfare, the Federal Trade Commission (FTC) continues to take actions relating to so-called “social media influencers” who allegedly fail to disclose material connections to the products or brands they endorse. Recurring enforcement actions and guidance—and the FTC’s ongoing promotion of its own efforts, such as through Twitter chats—make it clear that the FTC believes that its message has still not been heard by all of the players in this advertising ecosystem, including influencers themselves.

In short, any endorsements in any medium where the endorser has a material connection of any kind to the endorsed advertiser must be disclosed.

The most recent developments include an enforcement action against a company—and two of its officers—in connection with endorsements of the company made by the officers in YouTube videos and in social media. Before turning to this case, however, we provide a brief overview of how the FTC has gotten here.