New Media and Technology Law Blog

Online Platforms Sidestep Claims over User Content Decisions and Social App Functions

Despite continued scrutiny over the legal immunity online providers enjoy under Section 230 of the Communications Decency Act (CDA), online platforms continue to successfully invoke its protections. This is illustrated by three recent decisions in which courts dismissed claims that sought to impose liability on providers for hosting or restricting access to user content and for providing a much-discussed social media app filter.

In one case, a California district court dismissed a negligence claim against online real estate database Zillow over a fraudulent posting, holding that any allegation of a duty to monitor new users and prevent false listing information inherently derives from Zillow’s status as a publisher and is therefore barred by the CDA. (924 Bel Air Road LLC v. Zillow Group Inc., No. 19-01368 (C.D. Cal. Feb. 18, 2020)). In the second, the Ninth Circuit, in an important ruling, affirmed the dismissal of claims against YouTube for violations of the First Amendment and the Lanham Act over its decision to restrict access to the plaintiff’s uploaded videos. The Ninth Circuit found that despite YouTube’s ubiquity and its role as a public-facing platform, it is a private forum not subject to judicial scrutiny under the First Amendment. It also found that its statements concerning its content moderation policies could not form a basis of false advertising liability. (Prager Univ. v. Google LLC, No. 18-15712 (9th Cir. Feb. 26, 2020)). And in a third case, the operator of the messaging app Snapchat was granted CDA immunity in a wrongful death suit brought by individuals killed in a high-speed automobile crash where one of the boys in the car had sent a snap using the app’s Speed Filter, which had captured the speed of the car at 123MPH, minutes before the fatal accident. (Lemmon v. Snap, Inc., No. 19-4504 (C.D. Cal. Feb. 25, 2020)).    Continue Reading

Protecting against Cybersecurity Threats when Working from Home

With the spread of the novel coronavirus (COVID-19), many organizations are requiring or permitting employees to work remotely.  This post is intended to remind employers and employees that in the haste to implement widespread work-from-home strategies, data security concerns cannot be forgotten.

Employers and employees alike should remain vigilant of increased cybersecurity threats, some of which specifically target remote access strategies.  Unfortunately, as noted in a prior blog post, cybercriminals will not be curtailing their efforts to access valuable data during the outbreak, and in fact, will likely take advantage of some of the confusion and communication issues that might arise under the circumstances to perpetrate their schemes.

Employees working from home may be accessing or transmitting company trade secrets as well as personal information of individuals. Inappropriate exposure of either type of data can lead to significant adverse consequences for a company.  Exposure of trade secrets or confidential business information can potentially cause significant business damage or loss. Exposure of personal information can potentially trigger state or federal data breach notification laws, and result in significant liabilities for a company as well as expanded identity theft issues for individuals.  The threat is not only an online concern – physical security is at issue as well. Unauthorized access to printed copies of sensitive documents could lead to additional exposures. Continue Reading

Coronavirus and the “100% Work-From-Home” Scenario: Review Agreements with Vendors of Remote Access Technology

As part of the response to the outbreak of COVID-19, many organizations are working on contingency and business continuity plans that include an all-employee “work-from-home” scenario.  If it becomes necessary to implement such a plan, all employees of the organization will access the organization’s networks and systems remotely. Unfortunately, many organizations that are testing these plans are discovering that that their remote access technologies may not be able to handle, without significant degradation in performance, the volume of activity this will generate.  Indeed, given the complex host of business applications and collaboration tools that many businesses employ, many entities may not be fully ready for their entire workforce to access their systems remotely without first checking in with their vendors and IT personnel.

This is understandable. Except for the case of those businesses that always operate “virtually” — without any fixed offices — most organizations build their remote access infrastructure (including the related telecommunications, security, videoconferencing, collaboration and other software tools that are involved in remote access) based on an assumption that only a portion of an organization’s employees will use remote access at any given point in time.  For example, contractual service level commitments (in which vendors promise certain levels of performance of their systems) often assume a simultaneous user base being a subset of all employees of the organization.  Further, SaaS-based services that are priced based on a specific number of “simultaneous users” may not anticipate all, or substantially all, of the company’s employees using the service at the same time.

Organizations should be reviewing their agreements with the myriad set of vendors that provide software related to remote access. These reviews should evaluate what commitments, if any, are included in those agreements that may be helpful in what may be this unprecedented “100% work-from-home” effort.  To the extent contractual deficiencies or other issues are identified, early engagement with vendors can be helpful.  For example, in the event service level commitments appear insufficient to meet anticipated demand, an early discussion with the vendor may result in an increased allocation of the vendor’s resources to that customer.  And while some SaaS service agreements priced by the number of simultaneous users may allow customers to exceed simultaneous user limits (with a premium true-up at a later date), others impose hard blocks on usage in excess of contract limitations.  To the extent these issues are identified in an agreement, customers are best served by engaging with the vendor in advance – to avoid premium true-ups or interference in service. Continue Reading

Facebook Brings Suit against Mobile Marketing Firm for Siphoning User Data without Authorization

In continuing its push to enforce its terms and policies against developers that engage in unauthorized collection or scraping of user data, Facebook brought suit last month against mobile marketing and data analytics firm OneAudience LLC. (Facebook, Inc. v. OneAudience LLC, No. 20-01461 (N.D. Cal. Complaint filed Feb. 27, 2020)). Facebook alleges that OneAudience harvested Facebook users’ profile data and device data in contravention of Facebook’s terms and developer policies. OneAudience purportedly gathered this data by paying app developers to bundle OneAudience’s software development kit (SDK) into their apps and then harvesting data for those users that logged into those apps via Facebook credentials. Continue Reading

The Coronavirus and Force Majeure Clauses

Beyond the human toll of the current global health crisis, the coronavirus outbreak is having serious economic repercussions to the global economy and the supply chains on which it depends. Dun & Bradstreet reported, “at least 51,000 (163 Fortune 1000) companies around the world have one or more direct or Tier 1 suppliers in the impacted regions, and at least five million companies (938 Fortune 1000) around the world have one or more Tier 2 suppliers in the impacted region.” Factory closings, transportation restrictions and general concerns about a potential pandemic are causing shortages of critical supplies and employees, and are testing the bounds and obligations of various contracts entered into between vendors and customers.

As a result of this disruption, many businesses are assessing their contracts to understand the extent of their rights, remedies and obligations with respect to their business partners. Suppliers of goods and services unable to deliver on contractual obligations are looking to see what provisions, if any, may protect them from a default. And in turn, recipients encountering delays from suppliers unable to deliver goods and services in a timely manner (or at all) are also looking to their agreements to see what rights, obligations, and remedies they may have in these circumstances. Continue Reading

EU Releases “A European Strategy for Data”

As 2019 came to a close, we looked ahead into 2020 and noted that data would continue to be a huge issue for the digital economy.  We have not been disappointed. On February 19, 2020, the European Commission (the “Commission”) released its 35-page document entitled “A European strategy for data,” becoming just the latest of many developments in that area.

The document lays out a vision as to how – through legislation, technical standards and public-private initiatives – the EU can become a future leader in data and create a more permissive data economy.

The Commission’s goal is to create a single European data space – “a genuine single market for data, open to data from across the world – where personal as well as non-personal data, including sensitive business data, are secure and businesses also have easy access to an almost infinite amount of high-quality industrial data, boosting growth and creating value, while minimising the human carbon and environmental footprint.” The Commission envisions common European rules to ensure:

  • data can flow within the EU and across sectors;
  • European rules and values, in particular personal data protection, consumer protection legislation and competition law, are fully respected;
  • rules for access to and use of data are fair, practical and clear, and there are clear and trustworthy data governance mechanisms in place;
  • there is an open, but assertive approach to international data flows, based on European values.

The strategy document lays out a number of concerns, problems and obstacles to achieving its vision. One theme that runs throughout is the need to create common interoperable data platforms offering small and medium enterprises (SMEs) access to a host of cloud services and advanced data processing capabilities. As the Commission sees the current state of the data environment as dominated by the big tech companies, it noted that such a high degree of market power can “enable large players to set the rules on the platform and unilaterally impose conditions for access and use of data.”  But what incentives would exist for companies to share certain data to an EU platform?  The Commission states that organizations contributing data “would get a return in the form of increased access to data of other contributors, analytical results from the data pool, services such as predictive maintenance services, or licence fees.”

Generally speaking, the Commission’s data strategy includes a number of elements:

  • A cross-sectoral governance framework for data access and use. The Commission’s proposal for legislation would include a framework for a common European data space that would “support decisions on what data can be used in which situations, facilitate cross-border data use, and prioritise interoperability requirements and standards within and across sectors.”   This would also include facilitating decisions on “which data can be used, how and by whom for scientific research purposes in a manner compliant with the GDPR.”
  • The opening of key public sector data sets. The Commission would work on making more high-quality public sector data available for reuse, in particular in view of its potential for SMEs.
  • Legislative action on issues that affect relations between actors in the data-agile economy. The Commission would seek legislative solutions to provide incentives for horizontal data sharing across sectors, in particular “addressing issues related to usage rights for co-generated data (such as IoT data in industrial settings), typically laid down in private contracts.”  Notably, the Commission stated it would also seek to identify and address “any undue existing hurdles hindering data sharing and to clarify rules for the responsible use of data (such as legal liability).”
  • Legislation regarding limited circumstances where access to data should be made compulsory.

Ultimately, it appears that a number of forces will be concurrently seeking to reshape the future of the global digital economy.  In the EU, the efforts described above, as well as the EU’s proposed Digital Services Act, which will impact content on digital platforms, and continuing GDPR enforcement will be influential in this area. In the U.S., regulators are considering antitrust enforcement efforts in the technology sector, legislators are calling for major changes to the immunities under Section 230 of the Communications Decency Act, and privacy and data security legislation and enforcement are impacting data-oriented businesses.  Other global initiatives are ongoing as well, such as a sweeping personal data privacy bill recently introduced in India and the prior passage of Brazil’s general data protection law which is set to go into effect later this year. In the meantime, investment in “big data” is growing at double digit rates. With all these ingredients placed into the pressure cooker of the global economy, what will be the result? Stay tuned!

Court Enforces Arbitration Clause in Online Terms of Service Accepted by a Minor

Epic Games, Inc. (“Epic”) is the publisher of the popular online multiplayer videogame Fortnite, released in 2017. In recent years, Fortnight has gained worldwide popularity with gamers and esports followers (culminating in July 2019 when a sixteen-year-old player won the $3 million prize for winning the Fortnite World Cup).  Players, in one version of the game, are dropped onto a virtual landscape and compete in a battle royale to survive.  In the real world, Epic recently survived its own encounter – not with the help of scavenged weapons or shield potions – but through its well-drafted end user license agreement (“EULA” or “terms”).

Earlier this month, the District Court for the Eastern District of North Carolina granted Epic’s motion to compel individual arbitration of the claims of a putative class action.  The action arose in connection with a cyber vulnerability that allowed hackers to breach user accounts. The court concluded that the arbitration provision contained in the EULA was enforceable in this case, even where a minor was the person who ultimately assented to the terms. (Heidbreder v. Epic Games, Inc., No. 19-348 (E.D.N.C. Feb. 3, 2020)).    Continue Reading

FCC Enforcement Coming over Alleged Privacy Violations for Disclosure of Consumers’ Geolocation Data

UPDATE: On February 28, 2020, the FCC proposed over $200M in fines against the wireless carriers.

 

On January 31st, FCC Chairman Ajit Pai transmitted a letter in response to a prior inquiry from a number of House members regarding the status of the Commission’s investigation into reports that the major wireless carriers were allegedly disclosing consumers’ real time geolocation data to data aggregators.  The aggregators were, in turn, were selling location-based data and services to other companies or individuals, purportedly without the mobile user’s knowledge or consent.  In the letter, Chairman Pai stated that the agency had completed its investigation and concluded that at least one carrier had violated federal law.  Pai also stated that he and his fellow commissioners will be considering possible penalties against “one or more” carriers, which can contest any Notice of Apparent Liability for Forfeiture.

Public awareness and general scrutiny over the collection, selling and packaging of geolocation data has heightened in recent years.  The issue has earned the attention of both federal and state regulators and legislatures. Regardless of the outcome of the FCC’s enforcement in this matter, entities that rely on anonymized geolocation data for analytical products and services should be aware of the focus in this area.

LexBlog