In the past five months, we’ve seen a significant shift in the direction of privacy regulation at the federal level. As discussed in our previous post, Congress voted (and President Trump signed) a resolution repealing last year’s FCC Order that imposed greater obligations on broadband Internet service providers and other carriers regarding the protection of customer data. The FCC and FTC also announced that they intend to reverse the FCC’s 2015 decision to treat broadband Internet service providers as Title II common carriers, which would effectively return jurisdiction over broadband Internet service providers to the FTC. Then, at the beginning of this month, the Ninth Circuit granted a petition by the FTC to rehear its ruling from last year that the FTC lacked authority under the FTC Act to regulate AT&T as a common carrier. Continue Reading Times They Are A-Changin’: Oregon and Illinois Bills Latest in Push by States to Regulate Internet Privacy

Caution: Spoilers Ahead

The plot of last Sunday’s episode of HBO’s fantastic and hilarious show, Silicon Valley, titled “Terms of Service,” was driven entirely by “COPPA,” a somewhat obscure (though probably not to our blog readers) privacy law that stands for the Children’s Online Privacy Protection Act.  As someone who frequently advises clients on COPPA-related issues, this was a really fun episode for me to watch.  So I thought I’d share some of my musings.

Protection concept: computer keyboard with Key icon and word Privacy, selected focus on enter button, 3d render

Continue Reading My Thoughts on HBO’s Recent “Silicon Valley” Episode, “Terms of Service”

If you’re an online publisher or other internet service provider (“ISP”) that relies on moderators to police or curate user-generated comments or other content, your risk of liability for copyright infringement just increased.  In a recent opinion, the influential Ninth Circuit Court of Appeals sent shockwaves through the ISP community by ruling that LiveJournal.com, a social media platform, may not be immunized from copyright liability under the Digital Millennium Copyright Act (“DMCA”).  The court held that LiveJournal may be liable for infringing content submitted by users of the site because the company relied on paid and volunteer moderators to curate and police the content for substance and possible infringement. The opinion calls into question many widely held assumptions about the scope of DMCA immunity and raises serious concerns for websites that rely on user-generated content, curated by moderators, as part of their business model. The decision represents a sea change in the interpretation of the DMCA for internet media outlets. Here’s what you need to know. Continue Reading Federal Appeals Court Weakens DMCA Safe Harbor Protection for Moderated Online Content

Back in January, we posted about the circumstances in which your company, even if based in the US, must comply with the EU General Data Protection Regulation (GDPR), taking effect in May 2018. Now we get down to business. If your organization is covered, how do you start the process of preparing for compliance? There appear to be so many moving pieces, where to begin? Here we will provide a high level checklist to help you start down the path of GDPR readiness. As usual, this is not legal advice, just information based on the resources available from the EU authorities thus far designed to help you get your ducks in a row and start planning.

First, a reminder. Due to the extraterritorial jurisdiction provisions of the GDPR, your company is covered by the law even if you have no establishment in the EU if you process personal data of data subjects in the EU and that processing relates to (a) the offering of goods or services to those data subjects, irrespective of whether a payment of the data subject is required; or (b) the monitoring of those data subjects’ behavior as far as their behavior takes place in the EU. Processing means any operation which is performed upon personal data, whether or not by automatic means, including collection, recording, organization, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, combination, blocking, erasure and destruction. Personal data is also broadly defined and includes not only what we think of as traditionally personally identifiable information connected to a name or person, but also information connected to a particular device or even IP address. EU regulators can assess administrative fines of €20 million or up to 4% of the total worldwide annual turnover of the preceding fiscal year, whichever is higher.

If your organization is covered by the law, here is a list of things to consider —  and the sooner the better (with barely over a year to become compliant). Each of the following points will be the subject of a more detailed overview in a series of forthcoming blog posts over the next few months. Continue Reading Start Your Engines: We Have to Deal With GDPR, What Now?

In the past several years, the wide-spread availability of reliable, affordable unmanned aerial vehicles — drones — has fueled massive public interest in the new technology, including in a diverse array of commercial applications.  This is particularly true for photographers, and television or film productions companies, where drones have ability to deliver sweeping cinematic footage previously available only by using expensive, helicopter-mounted rigs. (Example 1) (Example 2)

But the promise of this technology comes with baggage: a complex web of regulations controlling virtually every aspect of how, when and where drones can fly.  Recently-implemented federal regulations have finally brought some measure of legal certainty to the realm of commercial drone use, but not simplicity.  Companies looking to use drones still face complicated regulatory and privacy issues, and risk significant fines or civil liability if they make a mistake.

Below, we review the need-to-know basics and flag the some more complex regulatory and privacy issues that might impact your plans to bring a drone online in your business. Continue Reading Still A Bumpy Ride: Compliance Challenges Persist For Companies Looking to Get Commercial Drone Use Off the Ground

Just this month, Major League Baseball issued a ground-breaking decision approving players’ use of biometric devices during games in the 2017 baseball season.  The devices, made by Whoop Inc. and which look like a sleek watch or bracelet, have been billed as the fitness tracker for elite athletes, with their ability to monitor various biometric factors like the wearer’s heart rate, heart rate variability, sleep performance, and recovery.   The data generated by the device will be used to assess players’ performance, endurance and recovery, with the goal of optimizing training and rest periods for players and potentially influencing batter line-ups and pitcher workloads.   Although the MLB’s decision marks the first time a major U.S. professional league has allowed such devices to be worn in-game, it is only the latest sign that the professional sports world is embracing wearable technology.  But as the saying goes, “with great power comes great responsibility,” and many are wondering whether the potential risks involved have been taken into account.  While few would dispute the helpful insights this technology can provide, there’s no doubt that significant privacy legal concerns are raised by professional athletes’ use of fitness trackers “at work.” Continue Reading SHOW ME THE DATA – How Wearable Technology Data May Change Baseball

On March 1, 2017, the Federal Communications Commission (the “FCC”) voted 2-1 to issue a stay order temporarily halting the implementation of the Protecting the Privacy of Customers of Broadband and Other Telecommunications Services order (the “2016 Privacy Order”). The 2016 Privacy Order was adopted in October 2016 with the intention of imposing greater obligations on broadband Internet service providers and other telecommunications carriers to protect the privacy of their customers. Specifically, the 2016 Privacy Order created three categories for the use and sharing of customer information based on sensitivity: opt-in, opt-out, and exceptions to the consent requirements. In addition, the 2016 Privacy Order imposed new requirements related to notice, customer approval, and breach notification. You can read further about the elements of the 2016 Privacy Order in our previous post. The 2016 Privacy Order faced criticism from broadband industry trade groups, who alleged that it would subject Internet service providers to a different standard than other companies operating in the Internet space.  Continue Reading Not So Fast: FCC Halts Implementation of Controversial 2016 Broadband Privacy Order and Congress Takes Steps to Roll Back Rules

On February 6, 2017, the Federal Trade Commission (“FTC”) in conjunction with the Office of the New Jersey Attorney General announced a settlement with Vizio Inc. (“Vizio”), including payment of $1.5 million to the FTC and $1 million to the New Jersey Division of Consumer Affairs, with $300,000 of that amount suspended, over claims that Vizio’s smart TVs collected information about consumers’ video viewing behavior and shared that data with third parties without sufficient notice or consent. This settlement, along with pending class action litigation against Vizio involving similar allegations, reflects some of the privacy issues faced by developers in the Internet of Things space. Continue Reading Get Smart: Takeaways from FTC Settlement with Vizio over TV Viewing Data

On February 22, 2017, the FTC announced that it had reached a settlement with three companies over charges that the companies had falsely represented their involvement in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system (APEC CBPR) in their online privacy policies. Continue Reading Keep Your Promises: FTC Settles Misrepresentation Claims With Three Tech Companies

Protection background. Technology security, encode and decrypt, techno scheme, vector illustration

Biometric data — from, e.g., retina, face and fingerprint scans — plays a big role in the current wave of new technology services. For example, biometrics provide security features for financial and healthcare products. And biometrics are behind some cool new in-game offerings in the interactive entertainment and social media space. But companies using or thinking of using biometric data have to comply with myriad privacy and data security laws and regulations, or face potential enforcement action and litigation. On January 30, 2017, the Southern District of New York dismissed one such litigation brought against video game publisher Take-Two Interactive Software, Inc. for alleged violation of the Illinois Biometric Information Privacy Act (“BIPA“). Here’s a summary.

Continue Reading No Harm, No Foul: Court Dismisses Biometric Data Privacy Class Action Against NBA 2K Games