EDPB on Dark Patterns: Lessons for Marketing Teams

“Dark patterns” are becoming the target of EU data protection authorities, and the new guidelines of the European Data Protection Board (EDPB) on “dark patterns in social media platform interfaces” confirm their focus on such practices. While they are built around examples from social media platforms (real or fictitious), these guidelines contain lessons for all websites and applications. The bad news for marketers: the EDPB doesn’t like it when dry legal texts and interfaces are made catchier or more enticing.

To illustrate, in a section of the guidelines regarding the selection of an account profile photo, the EDPB considers the example of a “help/information” prompt saying “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me.’” According to the EDPB, such a practice “can impact the final decision made by users who initially decided not to share a picture for their account” and thus makes consent invalid under the General Data Protection Regulation (GDPR). Similarly, the EDPB criticises an extreme example of a cookie banner with a humorous link to a bakery cookies recipe that incidentally says, “we also use cookies”, stating that “users might think they just dismiss a funny message about cookies as a baked snack and not consider the technical meaning of the term “cookies.”” The EDPB even suggests that the data minimisation principle, and not security concerns, should ultimately guide an organisation’s choice of which two-factor authentication method to use.

Do these new guidelines reflect privacy paranoia or common sense? The answer should lie somewhere in between, but the whole document (64 pages long) in our view suggests an overly strict approach, one that we hope will move closer to common sense as a result of a newly started public consultation process.

Let us take a closer look at what useful lessons – or warnings – can be drawn from these new guidelines.

What are “dark patterns” and when are they unlawful?

According to the EDPB, dark patterns are “interfaces and user experiences […] that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data” (p. 2). They “aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices.” The risk associated with dark patterns is higher for websites or applications meant for children, as “dark patterns raise additional concerns regarding potential impact on children” (p. 8).

While the EDPB takes a strongly negative view of dark patterns in general, it recognises that dark patterns do not automatically lead to an infringement of the GDPR. The EDPB acknowledges that “[d]ata protection authorities are responsible for sanctioning the use of dark patterns if these breach GDPR requirements” (emphasis ours; p. 2). Nevertheless, the EDPB guidance strongly links the concept of dark patterns with the data protection by design and by default principles of Art. 25 GDPR, suggesting that disregard for those principles could lead to a presumption that the language or a practice in fact creates a “dark pattern” (p. 11).

The EDPB refers here to its Guidelines 4/2019 on Article 25 Data Protection by Design and by Default and in particular to the following key principles:

  • “Autonomy – Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as autonomy over the scope and conditions of that use or processing.
  • Interaction – Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller.
  • Expectation – Processing should correspond with data subjects’ reasonable expectations.
  • Consumer choice – The controllers should not “lock in” their users in an unfair manner. Whenever a service processing personal data is proprietary, it may create a lock-in to the service, which may not be fair, if it impairs the data subjects’ possibility to exercise their right of data portability in accordance with Article 20 GDPR.
  • Power balance – Power balance should be a key objective of the controller-data subject relationship. Power imbalances should be avoided. When this is not possible, they should be recognised and accounted for with suitable countermeasures.
  • No deception – Data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.
  • Truthful – the controllers must make available information about how they process personal data, should act as they declare they will and not mislead data subjects.”

Is data minimisation compatible with the use of SMS two-factor authentication?

One of the EDPB’s positions, while grounded in the principle of data minimisation, undercuts a security practice that has grown significantly over the past few years. In effect, the EDPB seems to question the validity under the GDPR of requests for phone numbers for two-factor authentication where e-mail tokens would theoretically be possible:

“30. To observe the principle of data minimisation, [organisations] are required not to ask for additional data such as the phone number, when the data users already provided during the sign-up process are sufficient. For example, to ensure account security, enhanced authentication is possible without the phone number by simply sending a code to users’ email accounts or by several other means.
31. Social network providers should therefore rely on means for security that are easier for users to re-initiate. For example, the [organisation] can send users an authentication number via an additional communication channel, such as a security app, which users previously installed on their mobile phone, but without requiring the users’ mobile phone number. User authentication via email addresses is also less intrusive than via phone number because users could simply create a new email address specifically for the sign-up process and utilise that email address mainly in connection with the Social Network. A phone number, however, is not that easily interchangeable, given that it is highly unlikely that users would buy a new SIM card or conclude a new phone contract only for the reason of authentication.”
(emphasis ours; p. 15)

The EDPB also appears to be highly critical of phone-based verification in the context of registration “because the email address constitutes the regular contact point with users during the registration process” (p. 15).

This position is unfortunate, as it suggests that data minimisation may preclude controllers from even assessing which method of two-factor authentication – in this case, e-mail versus SMS one-time passwords – better suits their requirements, taking into consideration the different security benefits and drawbacks of the two methods. The EDPB’s reasoning could even be used to exclude any form of stronger two-factor authentication, as additional forms inevitably require separate processing (e.g., phone number or third-party account linking for some app-based authentication methods).

For these reasons, organisations should view this aspect of the new EDPB guidelines with a healthy dose of skepticism. It likewise will be important for interested stakeholders to participate in the consultation to explain the security benefits of using phone numbers to keep the “two” in two-factor authentication.

Consent withdrawal: same number of clicks?

Recent decisions by EU regulators (notably two decisions by the French authority, the CNIL) have led to speculation about whether EU rules effectively require website operators to make it possible for data subjects to withdraw consent to all cookies with one single click, just as most websites make it possible to give consent through a single click. The authorities themselves have not stated that this is unequivocally required, although privacy activists notably filed complaints against hundreds of websites, many of them for not including a “reject all” button on their cookie banner.

The EDPB now appears to side with the privacy activists in this respect, stating that “consent cannot be considered valid under the GDPR when consent is obtained through only one mouse-click, swipe or keystroke, but the withdrawal takes more steps, is more difficult to achieve or takes more time” (p. 14).

Operationally, however, it seems impossible to comply with a “one-click withdrawal” standard in absolute terms. Just pulling up settings after registration or after the first visit to a website will always require an extra click, purely to open those settings. We expect this issue to be examined by the courts eventually.

Is creative wording indicative of a “dark pattern”?

The EDPB’s guidelines contain several examples of wording that is intended to convince the user to take a specific action.

The photo example mentioned in the introduction above is an illustration, but other (likely fictitious) examples include the following:

  • For sharing geolocation data: “Hey, a lone wolf, are you? But sharing and connecting with others help make the world a better place! Share your geolocation! Let the places and people around you inspire you!” (p. 17)
  • To prompt a user to provide a self-description: “Tell us about your amazing self! We can’t wait, so come on right now and let us know!” (p. 17)

The EDPB criticises the language used, stating that it is “emotional steering”:

“[S]uch techniques do not cultivate users’ free will to provide their data, since the prescriptive language used can make users feel obliged to provide a self-description because they have already put time into the registration and wish to complete it. When users are in the process of registering to an account, they are less likely to take time to consider the description they give or even if they would like to give one at all. This is particularly the case when the language used delivers a sense of urgency or sounds like an imperative. If users feel this obligation, even when in reality providing the data is not mandatory, this can have an impact on their “free will”” (pp. 17-18).

Similarly, in a section about account deletion and deactivation, the EDPB criticises interfaces that highlight “only the negative, discouraging consequences of deleting their accounts,” e.g., “you’ll lose everything forever,” or “you won’t be able to reactivate your account” (p. 55). The EDPB even criticises interfaces that preselect deactivation or pause options over delete options, considering that “[t]he default selection of the pause option is likely to nudge users to select it instead of deleting their account as initially intended. Therefore, the practice described in this example can be considered as a breach of Article 12 (2) GDPR since it does not, in this case, facilitate the exercise of the right to erasure, and even tries to nudge users away from exercising it” (p. 56). This, combined with the EDPB’s aversion to confirmation requests (see section 5 below), suggests that the EDPB is ignoring the risk that a data subject might opt for deletion without fully recognizing the consequences, i.e., loss of access to the deleted data.

The EDPB’s approach suggests that any effort to woo users into giving more data or leaving data with the organisation will be viewed as harmful by data protection authorities. Yet data protection rules are there to prevent abuse and protect data subjects, not to render all marketing techniques illegal.

In this context, the guidelines should in our opinion be viewed as an invitation to re-examine marketing techniques to ensure that they are not too pushy – in the sense that users would in effect truly be pushed into a decision regarding personal data that they would not otherwise have made. Marketing techniques are not per se unlawful under the GDPR but may run afoul of GDPR requirements in situations where data subjects are misled or robbed of their choice.

Other key lessons for marketers and user interface designers

  • Avoid continuous prompting: One of the issues regularly highlighted by the EDPB is “continuous prompting”, i.e., prompts that appear again and again during a user’s experience on a platform. The EDPB suggests that this creates fatigue, leading the user to “give in,” i.e., by “accepting to provide more data or to consent to another processing, as they are wearied from having to express a choice each time they use the platform” (p. 14). Examples given by the EDPB include the SMS two-factor authentication popup mentioned above, as well as “import your contacts” functionality. Outside of social media platforms, the main example for most organisations is their cookie policy (so this position by the EDPB reinforces the need to manage cookie banners properly). In addition, newsletter popups and popups about “how to get our new report for free by filling out this form” are frequent on many digital properties. While popups can be effective ways to get more subscribers or more data, the EDPB guidance suggests that regulators will consider such practices questionable from a data protection perspective.
  • Ensure consistency or a justification for confirmation steps: The EDPB highlights the “longer than necessary” dark pattern at several places in its guidelines (in particular pp. 18, 52, & 57), with illustrations of confirmation pop-ups that appear before a user is allowed to select a more privacy-friendly option (and while no such confirmation is requested for more privacy-intrusive options). Such practices are unlawful according to the EDPB. This does not mean that confirmation pop-ups are always unlawful – just that you need to have a good justification for using them where you do.
  • Have a good reason for preselecting less privacy-friendly options: Because the GDPR requires not only data protection by design but also data protection by default, make sure that you are able to justify an interface in which a more privacy-intrusive option is selected by default – or better yet, don’t make any preselection. The EDPB calls preselection of privacy-intrusive options “deceptive snugness” (“Because of the default effect which nudges individuals to keep a pre-selected option, users are unlikely to change these even if given the possibility” p. 19).
  • Make all privacy settings available in all platforms: If a user is asked to make a choice during registration or upon his/her first visit (e.g., for cookies, newsletters, sharing preferences, etc.), ensure that those settings can all be found easily later on, from a central privacy settings page if possible, and alongside all data protection tools (such as tools for exercising a data subject’s right to access his/her data, to modify data, to delete an account, etc.). Also make sure that all such functionality is available not only on a desktop interface but also for mobile devices and across all applications. The EDPB illustrates this point by criticising the case where an organisation has a messaging app that does not include the same privacy statement and data subject request tools as the main app (p. 27).
  • Be clearer in using general language such as “Your data might be used to improve our services”: It is common in most privacy statements to include a statement that personal data (e.g., customer feedback) “can” or “may be used” to improve an organisation’s products and services. According to the EDPB, the word “services” is likely to be “too general” to be viewed as “clear,” and it is “unclear how data will be processed for the improvement of services.” The use of the conditional tense in the example (“might”) also “leaves users unsure whether their data will be used for the processing or not” (p. 25). The EDPB’s stance in this respect confirms a position taken by EU regulators in previous guidance on transparency, and serves as a reminder to tell data subjects how data will be used.
  • Ensure linguistic consistency: If your website or app is available in more than one language, ensure that all data protection notices and tools are available in those languages as well and that the language choice made on the main interface is automatically taken into account on the data-related pages (pp. 25-26).

Best practices according to the EDPB

Finally, the EDPB highlights some other “best practices” throughout its guidelines. We have combined them below for easier review:

  • Structure and ease of access:
    • Shortcuts: Links to information, actions, or settings that can be of practical help to users to manage their data and data protection settings should be available wherever they relate to information or experience (e.g., links redirecting to the relevant parts of the privacy policy; in the case of a data breach communication to users, to provide users with a link to reset their password).
    • Data protection directory: For easy navigation through the different sections of the menu, provide users with an easily accessible page from where all data protection-related actions and information are accessible. This page could be found in the organisation’s main navigation menu, the user account, through the privacy policy, etc.
    • Privacy Policy Overview: At the start/top of the privacy policy, include a collapsible table of contents with headings and sub-headings that shows the different passages the privacy notice contains. Clearly identified sections allow users to quickly identify and jump to the section they are looking for.
    • Sticky navigation: While consulting a page related to data protection, the table of contents could be constantly displayed on the screen allowing users to quickly navigate to relevant content thanks to anchor links.
  • Transparency:
    • Organisation contact information: The organisation’s contact address for addressing data protection requests should be clearly stated in the privacy policy. It should be present in a section where users can expect to find it, such as a section on the identity of the data controller, a rights related section, or a contact section.
    • Reaching the supervisory authority: Stating the specific identity of the EU supervisory authority and including a link to its website or the specific website page for lodging a complaint is another EDPB recommendation. This information should be present in a section where users can expect to find it, such as a rights-related section.
    • Change spotting and comparison: When changes are made to the privacy notice, make previous versions accessible with the date of release and highlight any changes.
  • Terminology & explanations:
    • Coherent wording: Across the website, the same wording and definition is used for the same data protection concepts. The wording used in the privacy policy should match that used on the rest of the platform.
    • Providing definitions: When using unfamiliar or technical words or jargon, providing a definition in plain language will help users understand the information provided to them. The definition can be given directly in the text when users hover over the word and/or be made available in a glossary.
    • Explaining consequences: When users want to activate or deactivate a data protection control, or give or withdraw their consent, inform them in a neutral way of the consequences of such action.
    • Use of examples: In addition to providing mandatory information that clearly and precisely states the purpose of processing, offering specific data processing examples can make the processing more tangible for users.
  • Contrasting Data Protection Elements: Making data protection-related elements or actions visually striking in an interface that is not directly dedicated to the matter helps readability. For example, when posting a public message on the platform, controls for geolocation should be directly available and clearly visible.
  • Data Protection Onboarding: Just after the creation of an account, include data protection points within the onboarding experience for users to discover and set their preferences seamlessly. This can be done by, for example, inviting them to set their data protection preferences after adding their first friend or sharing their first post.
  • Notifications (including data breach notifications): Notifications can be used to raise awareness of users of aspects, changes, or risks related to personal data processing (e.g., when a data breach occurs). These notifications can be implemented in several ways, such as through inbox messages, pop-in windows, fixed banners at the top of the webpage, etc.

Next steps and international perspectives

These guidelines (available online) are subject to public consultation until 2 May 2022, so it is possible they will be modified as a result of the consultation and, we hope, improved to reflect a more pragmatic view of data protection that balances data subjects’ rights, security, and operational business needs. If you wish to contribute to the public consultation, note that the EDPB publishes feedback it receives (as a result, we have occasionally submitted feedback on behalf of clients wishing to remain anonymous).

Irrespective of the outcome of the public consultation, the guidelines are guaranteed to have an influence on the approach of EU data protection authorities in their investigations. From this perspective, it is better to be forewarned – and to have legal arguments at your disposal if you wish to adopt an approach that deviates from the EDPB’s position.

Moreover, these guidelines come at a time when the United States Federal Trade Commission (FTC) is also concerned with dark patterns. The FTC recently published an enforcement policy statement on the matter in October 2021. Dark patterns are also being discussed at the Organisation for Economic Cooperation and Development (OECD). International dialogue can be helpful if conversations about desired policy also consider practical solutions that can be implemented by businesses and reflect a desirable user experience for data subjects.

Organisations should consider evaluating their own techniques to encourage users to go one way or another and document the justification for their approach.

© 2022 Keller and Heckman LLP

Google to Launch Google Analytics 4 in an Attempt to Address EU Privacy Concerns

On March 16, 2022, Google announced the launch of its new analytics solution, “Google Analytics 4.” Google Analytics 4 aims, among other things, to address recent developments in the EU regarding the use of analytics cookies and data transfers resulting from such use.

Background

On August 17, 2020, the non-governmental organization None of Your Business (“NOYB”) filed 101 identical complaints with 30 European Economic Area data protection authorities (“DPAs”) regarding the use of Google Analytics by various companies. The complaints focused on whether the transfer of EU personal data to Google in the U.S. through the use of cookies is permitted under the EU General Data Protection Regulation (“GDPR”), following the Schrems II judgment of the Court of Justice of the European Union. Following these complaints, the French and Austrian DPAs ruled that the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie is unlawful.

Google’s New Solution

According to Google’s press release, Google Analytics 4 “is designed with privacy at its core to provide a better experience for both our customers and their users. It helps businesses meet evolving needs and user expectations, with more comprehensive and granular controls for data collection and usage.”

The most impactful change from an EU privacy standpoint is that Google Analytics 4 will no longer store IP addresses, thereby limiting the data transfers resulting from the use of Google Analytics that were under scrutiny in the EU following the Schrems II ruling. It remains to be seen whether this change will ease EU DPAs’ concerns about Google Analytics’ compliance with the GDPR.

Google’s previous analytics solution, Universal Analytics, will no longer be available beginning July 2023. In the meantime, companies are encouraged to transition to Google Analytics 4.

Read Google’s press release.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Law Firms Respond to Russia’s Invasion of Ukraine: How the Legal Industry & the Public Can Help

On February 21, 2022, Russian President Vladimir Putin ordered ground troops into the eastern Ukrainian provinces of Donetsk and Luhansk. Invading under the guise of establishing independence for the region on February 24, Russia started bombing key points of interest around the country, including the capital city of Kyiv. At the time of writing, the skirmishes remain ongoing, with Russia expanding its invasion force as the days go on.

The ramifications of Russia’s war are widespread. In Ukraine, infrastructural damage is considerable, and an estimated 2 million civilians are evacuating or have been driven from their homes. The death toll remains uncertain at this time, but the Ukrainian health ministry estimates that hundreds of citizens have been killed as a result of the violence. Globally, financial markets are in a state of rapid flux, seeing huge rises in inflation, a strained supply chain and plummeting stock prices.

Law firms in the United States and abroad have responded to the conflict by offering pro bono services in anticipation of resultant legal complications and organized means by which money can be donated to Ukrainian humanitarian efforts.

How Have Law Firms Responded to Russia’s Invasion of Ukraine?

In some instances, firms have also closed offices in Ukraine to protect workers, and severed ties with Russian businesses. Law firms that have closed offices in Ukraine include Dentons, CMS and Baker McKenzie, which have closed offices in Kyiv.

“Dentons has established a taskforce to monitor and manage the crisis situation, with a primary focus on protecting our people,” Tomasz Dąbrowski, CEO of Dentons Europe, told the National Law Review. “We are in regular contact with our team in Kyiv and are providing our colleagues and their families with any possible assistance, including transport, relocation and accommodation assistance in the neighboring countries. Furthermore, we have seen a wave of kindness and generosity from our people across Europe, who have volunteered to provide accommodation in their homes for Ukrainian colleagues. Furthermore, in addition to the financial support our Firm is providing to our Ukrainian colleagues, we have also received financial donations from around the world to help them resettle.”

Many law firms have announced they are closing offices in Russia, including Squire Patton Boggs, Latham & Watkins, Freshfields Bruckhaus Deringer, Akin Gump Strauss Hauer & Feld and Morgan Lewis & Bockius, among others. Norton Rose Fulbright announced March 7 that they are winding down their operations in Russia and will be closing their Moscow office as soon as they can, calling Russia’s invasion of Ukraine “increasingly brutal.”

“The wellbeing of our staff in the region is a priority. We thank our 50 colleagues in Moscow for their loyal service and will support them through this transition.”

Norton Rose Fulbright said they “stand unequivocally with the people of Ukraine,” and are taking steps to respond to the invasion.

“Some immediate actions are possible and we are taking them. We are not accepting any further instructions from businesses, entities or individuals connected with the current Russian regime, irrespective of whether they are sanctioned or not. In addition, we continue to review exiting from existing work for them where our professional obligations as lawyers allow. Where we cannot exit from current matters, we will donate the profits from that work to appropriate humanitarian and charitable causes,” the statement read. “We are working with our charitable partners in every region to raise funds to help the people of Ukraine, as well as providing pro bono support to those Ukrainians and others who are being forced to relocate.”

Law firms have also stepped forward to offer pro bono assistance to those affected by the Russian invasion of Ukraine.

Law Firms Offering Pro Bono Assistance to Ukraine

Akin Gump Partner and Pro Bono Practice leader Steven Schulman explained how the legal industry is collaborating and working to provide assistance:

“So what we often do in these crises, we will self organize, [and] say who’s a point person who knows what’s going on, and then we will share information so that again, we’re lightening the load on the legal aid organizations.”

Another law firm offering assistance to Ukraine is Covington & Burling, which the country hired to help pursue its claim against Russia at the International Court of Justice (ICJ). Specifically, Ukraine asked the court to order Russia to halt its invasion. Covington filed a claim on behalf of Ukraine to the ICJ.

Nongovernmental organizations (NGOs) are providing emergency aid in Ukraine, as well as in neighboring countries, such as Poland, Hungary, Slovakia and Romania to help people displaced by the war as they come across the border, Mr. Dąbrowski said. These organizations are providing food, water, hygiene supplies and other necessities, and urgent psychological counseling. Specific NGOs on the ground in Ukraine include Mercy Corps, Fight for Right, Project HOPE, Hungarian Helsinki Committee, and Fundacja Ocalenie, among others.

However, NGOs need cash donations in order to keep providing aid. Mr. Dąbrowski detailed what pro bono work Dentons is doing, and how the firm is supporting NGOs:

“Our Positive Impact team is in touch with numerous NGOs and lawyers from our firm to identify opportunities for pro bono legal advice, mainly in the countries which share a border with Ukraine. We are already working with NGOs in Poland and Hungary which are helping Ukrainian refugees displaced by the war. We are assisting with issues related to employment law, contracts, establishment of charitable foundations, etc… We are also in discussions with an international relief agency which is looking to set up operations within Ukraine.”

While men between the ages of 18 and 60 are currently prohibited from leaving Ukraine, as of March 10, 2022, the conflict has created one of the largest refugee crises within the last few decades.

“We have activated our registered charitable foundation to collect donations from our people around the world to support Ukrainian families – and particularly children – displaced by the war, including some of our own people from Kyiv. So far, our colleagues from around the world have donated or pledged close to €300,000,” Mr. Dąbrowski said. “We have already distributed €60,000 of that to eight NGOs in Poland, Hungary and Romania, which are providing emergency aid, food and water, hygiene supplies, transportation, medical and psychological care, shelter and schooling to Ukrainian civilians fleeing from the war.”

Concerns about immigration and refugee asylum are the next expected complication. In the short term, the Department of Homeland Security is prioritizing Temporary Protected Status (TPS) designations for those already in the U.S.

For the public, there are a number of actions to take to support Ukrainians. However, those wishing to help should make sure to do their research before making any donations in order to ensure the funds end up in the right hands.

How Can Members of the Public Help Ukraine?

Possible scam organizations and outreach programs are common during international crises, so it’s important to know the signs of fraudulent charities. Some best practices for providing support include:

  • Giving directly to an organization rather than through shared donation links on social media

  • Being wary of crowdfunding efforts

  • Doing a background check on an organization and its donation claims using Charity Watch, Give.org, and Charity Navigator.

Some examples of charitable organizations focused on Ukraine relief include:

Informational resources for those affected are provided below:

Conclusion

Law firms and the public alike have stepped up to offer assistance and financial help to those most affected by the Russian invasion. Law firms cutting ties with Russian businesses and closing offices in Russia shows that the legal industry is standing behind Ukraine as the conflict continues to escalate.

In upcoming coverage, the National Law Review will be writing about how law firms are helping clients handle Russian sanctions, as well as the immigration implications of refugees displaced by the war in Ukraine.

*The quotes and input of interviewees reflect the latest information on the Russian invasion of Ukraine as of March 7, 2022. Readers can find the latest legal news from around the world on The National Law Review’s Global Law page.*

Copyright ©2022 National Law Forum, LLC

February 2022 Legal News Roundup: Women in Law, Promotions & More

Happy belated Valentine’s Day from the National Law Review team. Please read on for new legal industry hires, promotions and awards.

Firm Recognition & Awards

Much is included on the 2022 Top Workplaces USA list, which recognizes organizations with a people-centered culture.

“At Much, our culture centers on people: our employees, our clients, and our community partners,” said Managing Partner Mitchell Roth. “We work each day to support a collaborative, kind, and service-oriented environment, so to be recognized for our culture on a national level is a tremendous honor.”

The rankings are based on employee feedback from a survey administered by Energage, an employee engagement technology partner. The survey gauged various aspects of workplace culture, including alignment, execution, connection, and more.

Womble Bond Dickinson is one of the Best Places to Work for lesbian, gay, bisexual, transgender and queer (LGBTQ+) workplace equality, earning a perfect score of 100 percent on the 2022 Corporate Equality Index (CEI).

The survey is administered by the Human Rights Campaign and acts as a benchmarking tool to track how businesses are adopting equitable workplace policies, practices and benefits for LGBTQ+ employees. Womble Bond Dickinson has earned perfect scores every year since 2015.

“We are honored to be named one of the HRC’s Best Places to Work for LGBTQ+ Employees once again,” said Betty Temple, Chair & CEO of Womble Bond Dickinson (US) LLP. “We at Womble Bond Dickinson have worked hard to promote diversity and inclusion. These efforts include earning Mansfield Rule 4.0 Certification. The goal of the Mansfield Rule is to boost the representation of historically underrepresented lawyers—including LGBTQ+ attorneys—in law firm leadership, partner promotions and lateral hires by broadening the pool of candidates considered for these opportunities. We have much more work to do, but we are proud to be recognized for the progress we have made.”

Lawdragon recognized Foley & Lardner partners Daniel Kaplan, John (Jack) Lord, Jr., and Rachel Powitzky Steely in its 2022 edition of the 500 Leading U.S. Corporate Employment Lawyers, an annual recognition of the nation’s top advisors on workforce issues. Lawdragon selected the honorees based on submissions, editorial vetting and journalistic research.

Lawdragon said that this year’s honorees “specialize in defending corporations in everything from wage and overtime claims to trade secret disputes, while helping companies maintain global workforces throughout a pandemic.”

Law Firm Hiring & Additions

Varnum LLP expanded its intellectual property practice with the addition of Timothy D. Kroninger. Joining the firm’s Detroit office as an associate, Mr. Kroninger focuses his practice on copyright law, trade secret law, patent and trademark prosecution and more. He also has experience in drafting design patent applications, as well as participating in United States Patent and Trademark Office (USPTO) trademark opposition proceedings.

Beyond his practice at Varnum, Mr. Kroninger works as a supervising attorney in the Trademark and Entrepreneur Clinic at University of Detroit Mercy College of Law. There, he instructs law students on copyright registration, drafting corporate documents, and protection of trademarks.

Beveridge & Diamond PC elected four new principals: Eric Christensen, located in Seattle; Allyn Stern, located in Seattle; Michael Vitris, located in Austin; and Gus Winkes, located in Seattle. Mr. Christensen practices in energy law, assisting companies and consumers in navigating the legal and regulatory landscape. Ms. Stern, former U.S. EPA regional counsel, helps clients develop environmental compliance strategies. Mr. Winkes practices in a variety of fields, providing solutions-oriented legal representation in the areas of enforcement defense, regulatory compliance, and contaminated site cleanup. Mr. Vitris, former litigation attorney with the Texas Commission on Environmental Quality, defends companies in class actions and environmental mass torts.

“Each of these Principals’ talents, skills, and expertise deepen and enhance B&D’s dynamic regulatory compliance and litigation practice as environmental and energy law continue to evolve,” said firmwide managing principal Kathy Szmuszkovicz. “They’ve proven their ability to deliver top-notch service to clients and to serve as thought-leaders at a particularly exciting time in our practice. We look forward to their continued success and contributions in their new roles.”

Barnes & Thornburg LLP added five new attorneys and legal professionals across various offices. Associate William Choi joined the firm’s Los Angeles office, and associate Albert D. Farr joined the New York office. Mr. Choi focuses his practice on product liability and complex civil litigation, and he is well-versed in all aspects of pretrial case management. Mr. Farr practices in transactional tax law, counseling multinational strategic and private equity clients on transaction tax structuring, tax diligence and more.

Furthermore, legal professionals Amit Datta, Al Maloof, and Soyoung Yang joined Barnes & Thornburg’s Chicago, Indianapolis, and Washington D.C. offices, respectively. Dr. Datta, a business transaction advisor, provides targeted legal advice and strategic insight for European clients conducting business in the U.S. Mr. Maloof, a client relationship specialist, provides strategic consultation among the firm’s government services, compliance and regulatory attorneys. Ms. Yang, a legal fellow, aids attorneys and clients on matters related to international trade, customs and the supply chain.

William L. Nimick joined the Construction Litigation and Counsel practice group at Goldberg Segalla LLP. An experienced litigator, Mr. Nimick is located in the firm’s Raleigh office, where he counsels insurers, contractors, subcontractors and corporate entities in liability claims including but not limited to property damage, personal injury and construction defects.

Previously, Mr. Nimick worked as a civil litigator across North Carolina, representing clients in areas such as wrongful death, workers’ compensation, and subrogation. Specifically, he handled subrogation claims such as motor vehicle accidents, product liability lawsuits and large fire losses.

Women in the Legal Industry

Angela Bowlin of Frilot LLC law firm has accepted a position serving on the International Association of Defense Counsel (IADC), an organization for attorneys who handle corporate and insurance matters. Ms. Bowlin focuses her practice on mass torts and class actions, with experience in asbestos and other toxic tort cases.

“I am honored to have been selected as a member of IADC and look forward to working on the many important committees related to the law and its many facets,” said Ms. Bowlin.

Nicole Archibald joined Foley Hoag LLP as their Director of Legal Recruiting. Ms. Archibald will work alongside the Foley Hoag team to attract and promote a diverse group of attorneys to help the firm achieve its diversity and inclusion goals.

“We’re very pleased to welcome Nicole to Foley Hoag, and are confident that she will be a great asset to the firm and its culture. Her considerable prior experience as a director of recruiting, legal search consultant and practicing litigator will prove a valuable asset as we look to 2022 and beyond. Our executive committee, practice leaders, hiring committee and I are excited to begin working with Nicole to attract new talent and strengthen our market-leading practices,” said Foley Hoag Co-Managing Partner Kenneth Leonetti.

“I look forward to collaborating with Foley Hoag’s management, department chairs and practice leaders, and hiring committee to develop, implement and execute proactive recruiting initiatives to further the firm’s hiring goals and strategic growth plan,” said Ms. Archibald.

Norton Rose Fulbright appointed New York partner Robin Adelstein as the Co-Head of Commercial Litigation, joining Houston partner Andrew Price. Ms. Adelstein brings extensive experience in litigating complex commercial disputes and advises companies with respect to antitrust issues regarding mergers, joint ventures and more.

“Robin has long been respected as a leader within the firm as our Global and US Head of Antitrust and Competition, and she is a highly-recognized practitioner in her field. I look forward to seeing the great work that our commercial litigation group will do under Robin’s and Andrew’s leadership,” said Jeff Cody, Norton Rose Fulbright’s US Managing Partner.

“Our firm has a longstanding reputation for advising clients on their most complex and significant matters. It is an honor to head Norton Rose Fulbright’s commercial litigation group along with Andrew; I am proud to be leading such a talented group of lawyers,” said Ms. Adelstein.


Fitness App Agrees to Pay $56 Million to Settle Class Action Alleging Dark Pattern Practices

On February 14, 2022, Noom Inc., a popular weight loss and fitness app, agreed to pay $56 million, and provide an additional $6 million in subscription credits to settle a putative class action in New York federal court. The class is seeking conditional certification and has urged the court to preliminarily approve the settlement.

The suit was filed in May 2020 when a group of Noom users alleged that Noom “actively misrepresents and/or fails to accurately disclose the true characteristics of its trial period, its automatic enrollment policy, and the actual steps customers need to follow in attempting to cancel a 14-day trial and avoid automatic enrollment.” More specifically, users alleged that Noom engaged in an unlawful auto-renewal subscription business model by luring customers in with the opportunity to “try” its programs, then imposing significant barriers to the cancellation process (e.g., only allowing customers to cancel their subscriptions through their virtual coach), resulting in the customers paying a nonrefundable advance lump-sum payment for up to eight (8) months at a time. According to the proposed settlement, Noom will have to substantially enhance its auto-renewal disclosures, require customers to take a separate action (e.g., a check box or digital signature) to accept auto-renewal, and provide customers a button on the customer’s account page for easier cancellation.

Regulators at the federal and state level have recently made clear their focus on enforcement actions against “dark patterns.” We previously summarized the FTC’s enforcement policy statement from October 2021 warning companies against using dark patterns that trick consumers into subscription services. More recently, several state attorneys general (e.g., in Indiana, Texas, the District of Columbia, and Washington State) made announcements regarding their commitment to ramp up enforcement work on “dark patterns” that are used to ascertain consumers’ location data.

Article By: Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Texas AG Sues Meta Over Collection and Use of Biometric Data

On February 14, 2022, Texas Attorney General Ken Paxton brought suit against Meta, the parent company of Facebook and Instagram, over the company’s collection and use of biometric data. The suit alleges that Meta collected and used Texans’ facial geometry data in violation of the Texas Capture or Use of Biometric Identifier Act (“CUBI”) and the Texas Deceptive Trade Practices Act (“DTPA”). The lawsuit is significant because it represents the first time the Texas Attorney General’s Office has brought suit under CUBI.

The suit focuses on Meta’s “tag suggestions” feature, which the company has since retired. The feature scanned faces in users’ photos and videos to suggest “tagging” (i.e., identifying by name) users who appeared in the photos and videos. In the complaint, Attorney General Ken Paxton alleged that Meta collected and analyzed individuals’ facial geometry data (which constitutes biometric data under CUBI) without their consent, shared the data with third parties, and failed to destroy the data in a timely manner, all in violation of CUBI and the DTPA. CUBI regulates the collection and use of biometric data for commercial purposes, and the DTPA prohibits false, misleading, or deceptive acts or practices in the conduct of any trade or commerce.

Among other forms of relief, the complaint seeks an injunction enjoining Meta from violating these laws, a $25,000 civil penalty for each violation of CUBI, and a $10,000 civil penalty for each violation of the DTPA. The suit follows Facebook’s $650 million class-action settlement over alleged violations of Illinois’ Biometric Privacy Act and the company’s discontinuance of the tag suggestions feature last year.


Organizational Use of Social Media: Boon or Burden?

Organizational use of social media has evolved precipitously from the early days when social media was viewed as little more than a novel marketing concept on the fringe of broader traditional advertising campaigns.

However, with the increase in innovation comes concern over the extent to which increased organizational activities on social media may expose the organization to potential civil liability. Indeed, organizational use of social media has been described by some as a “virtual Pandora’s Box,” which is at once an exciting boon for business but filled to the brim with the potential for legal exposure.[1] This article explores some of the most common insurance coverage issues organizations are likely to experience as their use of social media continues to expand and evolve. Although the article focuses on organizational issues, many of the principles described are equally applicable to coverage issues which may arise from an individual’s use of social media under consumer-focused policies.

As social media has become increasingly ingrained in the average consumer’s life, organizations and commercial entities have developed innovative ways to leverage their own social media presence as a marketing tool and as a means by which they can communicate directly with the consumer. For many organizations, this evolution means nothing more than using social media as an analogue to traditional advertising concepts, such as banner and sidebar ads, audio and video spots, product placement, and endorsement deals. For others, social media is at the core of the organization’s operations. Indeed, it is not uncommon for the world’s leading corporations to devote entire teams to the development and use of social media. Organizations running the gamut from national governments and major religious institutions to startup social activist groups and mom-and-pop shops have found creative ways to use social media for endeavors such as disaster and emergency response, security at major events, breaking news coverage, broadscale organizational efforts, get-out-the-word efforts, and customer service response centers.[2]

But as is all too often the case with innovation, the increase in organizational use of social media has been accompanied by litigation presenting novel legal questions on a variety of social media-related issues. And with the increase in litigation have come questions over the degree to which Commercial General Liability (“CGL”) insurance—the principles of which were developed decades before pioneering social media platforms such as MySpace and Friendster emerged—can keep up with ever evolving trends in the social media landscape. Fortunately, the legal theories under which social media-related lawsuits most typically arise are quite familiar. Libel, slander, copyright infringement, use of another’s advertising idea, and invasion of privacy all remain the stalwarts of the industry.[3] Though courts throughout the nation have struggled at times to apply CGL’s pre-internet principles to modern day realities, traditional common law principles remain at the core of resolving these seemingly novel issues. Accordingly, and because courts have seemed inclined to require CGL carriers to provide coverage where the issues involved resemble otherwise traditional common law principles, organizations seeking to navigate the ever-evolving scope and substance of social media-related claims must keep traditional common law concepts in mind.

As a preliminary matter, social media comes with certain fundamental characteristics about which organizations must remain cognizant when developing their social media strategies. Indeed, the very feature of social media to which organizations are drawn most—the potential for cheap and instant access to 73% of the country[4]—necessarily implies that when a potentially problematic tweet or post catches steam, it stands to be shared far and wide and memorialized for all to see. Given the inherently “viral” nature of social media, plaintiffs are often well positioned to establish special damages by virtue of the far-reaching consequences of social media exposure alone. This is particularly problematic in libel-based defamation claims, which require proof of special damages as an element of the claim.[5] Predictably, lawsuits alleging libel have grown in popularity as organizational use of social media has evolved,[6] and given the wide array of theories under which such claims have been successful, they are perhaps the most problematic.[7] Indeed, libel claims arising from organizational use of social media have become so common that the phrase “Twibel”—a portmanteau of “Twitter” and “libel”—has emerged as a new favorite in the legal lexicon.

But claims arising from organizational use of social media are not limited to defamation alone. In jurisdictions that recognize the tort of invasion of privacy, courts have required CGL carriers to provide coverage in causes of action resulting from an insured’s role in the release of a third party’s confidential information online.[8] However, where the invasion of privacy has resulted from intentional conduct on the part of a third party—such as a data breach—courts are divided on the issue of whether any potential negligence on the part of the insured satisfies the “publication” requirement of the invasion of privacy claim.[9]

Courts have also found that CGL coverage for so-called “advertising ideas” extends to social media-related claims.[10] While these issues commonly resemble traditional trademark and trade dress infringement claims,[11] some courts have interpreted Coverage B to encompass claims arising from organizations’ alleged infringement on another’s advertising strategy more broadly.[12] Further, courts have used advertising ideas coverage to address publicity rights cases[13] and, under certain circumstances, to encompass claims arising from patents related to internet and website functionality.[14] Claims alleging intellectual property infringement have also commonly been held to apply to social media conduct under Coverage B’s express coverage for copyright, trade dress, and slogan infringement.[15] Such claims are particularly likely to arise where an organization adopts content created by its social media followers without permission to do so.[16]

Importantly, recent revisions to CGL forms expressly contemplate certain social media conduct as “advertisement” for the purpose of coverage arising from advertising idea and infringement-related claims. Because these forms often set forth specific definitions of what constitutes an advertisement in the context of social media, organizations must pay close attention to what types of social media activity are and are not covered when developing their social media strategies.[17]

One interesting evolution in advertising in which such definitions have played an important role is the advent of an “influencer” industry, which has raised novel questions as to the degree to which a paid influencer’s representations of a product or infringement upon another’s intellectual property may constitute an advertisement for Coverage B purposes.[18]

Finally, it is worth noting that while Coverage B has been interpreted to cover a broad variety of claims arising from an organization’s use of social media, evolutions in policy exclusions and coverage limits may in some cases defeat coverage for social media-related claims.[19] In particular, exclusions applicable to prior publication, intellectual property, media and internet, electronic chatrooms and bulletin boards, and unauthorized use of another’s name all stand to be implicated. However, because exclusions vary from policy to policy and are ever-evolving, a detailed examination of their potential broad applicability to social media-related claims generally is outside the scope of this article.

As this article demonstrates, organizational use of social media has emerged as a lucrative means by which organizations can market themselves and connect individually with their market base. However, as the means by which organizations use social media continue to evolve, so too have the legal theories under which social media-related claims are raised. Still, with careful planning and an eye toward trends in the industry and the availability of increasingly diverse coverage options, organizations can make the most of the social media boon without falling prey to its potential pitfalls.

  1. Susan Evans Jennings, Justin R. Blount, & M. Gail Weatherly, Social Media—A Virtual Pandora’s Box: Prevalence, Possible Legal Liabilities, and Policies, 77(1) Business & Professional Communication Quarterly, 96 (2014).

  2. See generally Matteo Tonello, Corporate Use of Social Media, Harvard Law School Forum on Corporate Governance, May 17, 2016.

  3. Although outside the scope of this article, organizational use of social media can under certain circumstances implicate federal regulatory issues. See Lord & Taylor Settles FTC Charges It Deceived Consumers Through Paid Article in an Online Fashion Magazine and Paid Instagram Posts by 50 “Fashion Influencers”, Federal Trade Commission (Mar. 15, 2016), https://www.ftc.gov/news-events/press-releases/2016/03/lord-taylor-settles-ftc-charges-it-deceived-consumers-through.

  4. See Social Media Fact Sheet, Pew Research, https://www.pewresearch.org/internet/fact-sheet/social-media/.

  5. See Restatement (Second) of Torts § 558 (describing the elements of defamation as “(1) a false factual statement concerning the plaintiff (2) published to a third-party (3) that is made either negligently or with malice, and (4) results in special damages”).

  6. See Raymond Placid, Judy Wynekoop, & Roger W. Feicht, Twibel: The Intersection of Twitter & Libel, 90 Fl. Bar J. 8, 32 (Sep./Oct. 2016).

  7. See, e.g., AIX Specialty Ins. Co. v. Big Limo, Inc., Case No. 3:21-cv-08, 2021 WL 2708902, at *4–5 (S.D. Ohio July 1, 2021) (holding that an insurer had a duty to defend its insured nightclub under a theory of defamation where the nightclub had allegedly used a model’s picture in a Facebook post to promote a cabaret); Jar Labs. v. Great Am. E&S Ins. Co., 945 F. Supp. 2d 937 (N.D. Ill. 2013) (holding that an insurer had a duty to defend its insured under a theory of implied disparagement where the insured had published a Facebook post implicitly representing a competitor’s products in a false and misleading way).

  8. See State Farm Gen. Ins. Co. v. JR’s Frames, Inc., 181 Cal. App. 4th 429, 448 (2010); Travelers Indem. Co. of Am. v. Portal Healthcare Sols., LLC, 644 F. App’x 245 (4th Cir. (Va.) 2016).

  9. See, e.g., St. Paul Fire & Marine Ins. Co. v. Rosen Millennium, Inc., 2018 WL 4732718, at *3 (M.D. Fla. Sept. 28, 2018); Innovak Int’l v. Hanover Ins. Co., 280 F. Supp. 3d 1340 (M.D. Fla. 2017); Zurich Am. Ins. Co. v. Sony Corp. of Am., 2014 WL 8382554 (N.Y. Sup. Ct. Feb. 21, 2014) (denying claims for invasion of privacy where the publication at issue arose from intentional third-party conduct); but see Landry’s Inc. v. Ins. Co. of the State of Penn., 4 F.4th 366, 270 (5th Cir. (Tex.) 2021) (requiring an insurer to defend against publication of personally identifiable information resulting from a data breach).

  10. See Atlantic Mut. Ins. Co. v. Badger Medical Supply Co., 528 N.W.2d 486, 490 (Wis. App. 1995) (defining “advertising idea” as “an idea for calling public attention to a product or business, especially by proclaiming desirable qualities so as to increase sales or patronage”).

  11. See Cat Internet Servs., Inc. v. Providence Washington Ins. Co., 333 F.3d 138, 142 (3rd Cir. (Penn.) 2003).

  12. See Great American Ins. Co. v. Beyond Gravity Media, Inc., Case No. 3:20-cv-53, 2021 WL 4192738 (S.D. Tex. Sept. 15, 2021) (finding that an insured’s use of the claimant’s martial arts-themed advertising strategy was subject to CGL coverage); see also Native Am. Arts, Inc. v. Hartford Cas. Ins. Co., 435 F.3d 729 (7th Cir. 2006); Gustafson v. Am. Family Mut. Ins. Co., 901 F. Supp. 2d 1289 (D. Colo. 2012).

  13. See Air Eng., Inc. v. Industrial Air Power, LLC, 828 N.W.2d 565 (Wis. App. 2013); Hyundai Motor Am. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA., 600 F.3d 1092 (9th Cir. (Cal.) 2010); but see Holyoke Mut’l Ins. Co. in Salem v. Vibram USA Inc., 106 N.E.3d 572 (Mass. 2018) (rejecting claim that Coverage B provides coverage for traditional patent infringement claim).

  14. See Gencor Indus, Inc. v. Wausau Underwriters Ins. Co., 857 F. Supp. 1560 (M.D. Fla. 1994).

  15. See generally Daniel I. Graham Jr. & Thomas W. Arvanitis, Social Media Risks & “Personal & Advertising Injury” Coverage Issues, DRI Insurance Coverage & Practice Symposium, December 9–10, 2021. A special thanks to the authors for their extensive research, from which this article benefits considerably.

  16. See Stross v. Redfin Corp., 730 Fed. App’x 198 (5th Cir. 2018).

  17. See Graham & Arvanitis, supra, at 10–11.

  18. Michael B. Rush, Social Media Advertising Under CGL Coverage B, The National Law Review, May 21, 2019.

  19. See Graham & Arvanitis, supra, at 11.

This article was written by Christopher S. Etheredge of Steptoe & Johnson law firm.

New Poll Underscores Growing Support for National Data Privacy Legislation

Over half of all Americans would support a federal data privacy law, according to a recent poll from Politico and Morning Consult. The poll found that 56 percent of registered voters would either strongly or somewhat support a proposal to “make it illegal for social media companies to use personal data to recommend content via algorithms.” Democrats were most likely to support the proposal at 62 percent, compared to 54 percent of Republicans and 50 percent of Independents. Still, the numbers may show that bipartisan action is possible.

The poll is indicative of Americans’ increasing data privacy awareness and concerns. Colorado, Virginia, and California all passed or updated data privacy laws within the last year, and nearly every state is considering similar legislation. Additionally, Congress held several high-profile hearings last year soliciting testimony from several tech industry leaders and whistleblower Frances Haugen. In the private sector, Meta CEO Mark Zuckerberg has come out in favor of a national data privacy standard similar to the EU’s General Data Protection Regulation (GDPR).

Politico and Morning Consult released the poll results days after Senator Ron Wyden (D-OR) accepted a 24,000-signature petition calling for Congress to pass a federal data protection law. Senator Wyden, who recently introduced his own data privacy proposal called the “Mind Your Own Business Act,” said it was “past time” for Congress to act.

He may be right: U.S./EU data flows have been on borrowed time since 2020. The GDPR prohibits data flows from the EU to countries with inadequate data protection laws, including the United States. The U.S. Privacy Shield regulations allowed the United States to circumvent the rule, but an EU court invalidated the agreement in 2020, and data flows between the U.S. and the EU have been in legal limbo ever since. Eventually, Congress and the EU will need to address the situation, and a federal data protection law would be a long-term solution.

This post was authored by C. Blair Robinson, legal intern at Robinson+Cole. Blair is not yet admitted to practice law.


Copyright © 2022 Robinson & Cole LLP. All rights reserved.

In the Coming ‘Metaverse’, There May Be Excitement but There Certainly Will Be Legal Issues

The concept of the “metaverse” has garnered much press coverage of late, addressing such topics as the new appetite for metaverse investment opportunities, a recent virtual land boom, or just the promise of it all, where “crypto, gaming and capitalism collide.” The term “metaverse,” which comes from Neal Stephenson’s 1992 science fiction novel “Snow Crash,” is generally used to refer to the development of virtual reality (VR) and augmented reality (AR) technologies, featuring a mashup of massive multiplayer gaming, virtual worlds, virtual workspaces, and remote education to create a decentralized wonderland and collaborative space. The grand concept is that the metaverse will be the next iteration of the mobile internet and a major part of both digital and real life.

Don’t feel like going out tonight in the real world? Why not stay “in” and catch a show or meet people/avatars/smart bots in the metaverse?

As currently conceived, the metaverse, “Web 3.0,” would feature a synchronous environment giving users a seamless experience across different realms, even if such discrete areas of the virtual world are operated by different developers. It would boast its own economy where users and their avatars interact socially and use digital assets based in both virtual and actual reality, a place where commerce would presumably be heavily based in decentralized finance, DeFi. No single company or platform would operate the metaverse, but rather, it would be administered by many entities in a decentralized manner (presumably on some open source metaverse OS) and work across multiple computing platforms. At the outset, the metaverse would look like a virtual world featuring enhanced experiences interfaced via VR headsets, mobile devices, gaming consoles and haptic gear that makes you “feel” virtual things. Later, the contours of the metaverse would be shaped by user preferences, monetary opportunities and incremental innovations by developers building on what came before.

In short, the vision is that multiple companies, developers and creators will come together to create one metaverse (as opposed to proprietary, closed platforms) and have it evolve into an embodied mobile internet, one that is open and interoperable and would include many facets of life (i.e., work, social interactions, entertainment) in one hybrid space.

In order for the metaverse to become a reality – that is, to successfully link current gaming and communications platforms with other new technologies into a massive new online destination – many obstacles will have to be overcome, even beyond the hardware, software and integration issues. The legal issues stand out, front and center. Indeed, the concept of the metaverse presents a law school final exam’s worth of legal questions to sort out. Meanwhile, we are still trying to resolve the myriad legal issues presented by “Web 2.0,” the Internet as we know it today. Adding the metaverse to the picture will certainly make things even more complicated.

At the heart of it is the question of what legal underpinnings we need for the metaverse infrastructure – an infrastructure that will allow disparate developers and studios, e-commerce marketplaces, platforms and service providers to all coexist within one virtual world.  To make it even more interesting, it is envisioned to be an interoperable, seamless experience for shoppers, gamers, social media users or just curious internet-goers armed with wallets full of crypto to spend and virtual assets to flaunt.  Currently, we have some well-established web platforms that are closed digital communities and some emerging ones that are open, each with varying business models that will have to be adapted, in some way, to the metaverse. Simply put, the greater the immersive experience and features and interactions, the more complex the related legal issues will be.

Contemplating the metaverse, these are just a few of the legal issues that come to mind:

  • Personal Data, Privacy and Cybersecurity – Privacy and data security lawyers are already challenged with addressing the global concerns presented by varying international approaches to privacy and growing threats to data security. If the metaverse fulfills the hype and develops into a 3D web-based hub for our day-to-day lives, the volume of data that will be collected will be exponentially greater than the reams of data already collected, and the threats to that data will expand as well. Questions to consider will include:
    • Data and privacy – What’s collected? How sensitive is it? Who owns or controls it? The sharing of data will be the cornerstone of a seamless, interoperable environment where users and their digital personas and assets will be usable and tradeable across the different arenas of the metaverse.  How will the collection, sharing and use of such data be regulated?  What laws will govern the collection of data across the metaverse? The laws of a particular state?  Applicable federal privacy laws? The GDPR or other international regulations? Will there be a single overarching “privacy policy” governing the metaverse under a user and merchant agreement, or will there be varying policies depending on which realm of the metaverse you are in? Could some developers create a more “privacy-focused” experience or would the personal data of avatars necessarily flow freely in every realm? How will children’s privacy be handled and will there be “roped off,” adults-only spaces that require further authentication to enter? Will the concepts that we talk about today – “personal information” or “personally identifiable information” – carry over to a world where the scope of available information expands exponentially as activities are tracked across the metaverse?
    • Cybersecurity: How will cybersecurity be managed in the metaverse? What requirements will apply with respect to keeping data secure? How will regulation or site policies evolve to address deep fakes, avatar impersonation, trolling, stolen biometric data, digital wallet hacks and all of the other cyberthreats that we already face today and are likely to be exacerbated in the metaverse? What laws will apply and how will the various players collaborate in addressing this issue?
  • Technology Infrastructure: The metaverse will be a robust computing-intensive experience, highlighting the importance of strong contractual agreements concerning cloud computing, IoT, web hosting, and APIs, as well as software licenses and hardware agreements, and technology service agreements with developers, providers and platform operators involved in the metaverse stack. Performance commitments and service levels will take on heightened importance in light of the real-time interactions that users will expect. What is a meaningful remedy for a service level failure when the metaverse (or a part of the metaverse) freezes? A credit or other traditional remedy?  Lawyers and technologists will have to think creatively to find appropriate and practical approaches to this issue.  And while SaaS and other “as a service” arrangements will grow in importance, perhaps the entire process will spawn MaaS, or “Metaverse as a Service.”
  • Open Source – Open source, already ubiquitous, promises to play a huge role in metaverse development by allowing developers to improve on what has come before. Whether or not the obligations of common open source licenses will be triggered will depend on the technical details of implementation. It is also possible that new open source licenses will be created to contemplate development for the metaverse.
  • Quantum Computing – Quantum computing has dramatically increased the capabilities of computers and is likely to continue to do so over the coming years. It will certainly be one of the technologies deployed to provide the computing speed to allow the metaverse to function. However, with the awesome power of quantum computing come threats to certain legacy protections we use today. Passwords and traditional security protocols may be meaningless (requiring the development of post-quantum cryptography that is secure against both quantum and traditional computers). With raw, unchecked quantum computing power, the metaverse may be subject to manipulation and misuse. Regulation of quantum computing, as applied to the metaverse and elsewhere, may be needed.
  • Antitrust: Collaboration is a key to the success of the metaverse, as it is, by definition, a multi-tenant environment. Of course collaboration amongst competitors may invoke antitrust concerns. Also, to the extent that larger technology companies may be perceived as leveraging their position to assert unfair control in any virtual world, there may be additional concerns.
  • Intellectual Property Issues: A host of IP issues will certainly arise, including infringement, licensing (and breaches thereof), IP protection and anti-piracy efforts, patent issues, joint ownership concerns, safe harbors, potential formation of patent cross-licensing organizations (which also may invoke antitrust concerns), trademark and advertising issues, and entertaining new brand licensing opportunities. The scope of content and technology licenses will have to be delicately negotiated with forethought to the potential breadth of the metaverse (e.g., it’s easy to limit a licensee’s rights based on territory, but what about for a virtual world with no borders, or with borders that haven’t been drawn yet?). Rightsholders must also determine their particular tolerance level for unauthorized digital goods or creations. One can envision a need for a DMCA-like safe harbor and takedown process for the metaverse. Also, akin to the litigation that sprouted from the use of athletes’ or celebrities’ likenesses (and their tattoos) in videogames, it’s likely that IP issues and rights of publicity disputes will go way up as people’s virtual avatars take on commercial value in ways that their real human selves never did.
  • Content Moderation. Section 230 of the Communications Decency Act (CDA) has been the target of bipartisan criticism for several years now, yet it remains in effect despite its application in some distasteful ways. How will the CDA be applied to the metaverse, where the exchange of third party content is likely to be even more robust than what we see today on social media?  How will “bad actors” be treated, and what does an account termination look like in the metaverse? Much like the legal issues surrounding offensive content present on today’s social media platforms, and barring a change in the law, the same kinds of issues surrounding user-generated content will persist and the same defenses under Section 230 of the Communications Decency Act will be raised.
  • Blockchain, DAOs, Smart Contracts and Digital Assets: Since the metaverse is planned as a single forum with disparate operators and users, the use of a blockchain (or blockchains) would seem to be one solution to act as a trusted, immutable ledger of virtual goods, in-world currencies and identity authentication, particularly when interactions may be somewhat anonymous or between individuals who may or may not trust each other, and in the absence of a centralized clearinghouse or administrator for transactions. The use of smart contracts may be pervasive in the metaverse. Investors or developers may also decide that DAOs (decentralized autonomous organizations) can be useful to crowdsource and fund opportunities within that environment as well. Overall, a decentralized metaverse with its own discrete economy would feature the creation, sale and holding of sovereign digital assets (and their free use, display and exchange using blockchain-based payment networks within the metaverse). This would presumably give NFTs a role beyond mere digital collectibles and investment opportunities, as well as a role for other forms of digital currency (e.g., cryptocurrency, utility tokens, stablecoins, e-money, virtual “in game” money as found in some videogames, or a system of micropayments for virtual goods, services or experiences). How else will our avatars be able to build a new virtual wardrobe for what is to come?

With this shift to blockchain-based economic structures come the potential regulatory issues behind digital currencies. How will securities laws view digital assets that retain and form value in the metaverse? Also, as in life today, visitors to the metaverse must be wary of digital currency schemes and meme coin scams, with regulators not too far behind policing the fraudsters and unlawful actors that will seek opportunities in the metaverse. While regulators and lawmakers are struggling to keep up with the current crop of issues, and despite any progress they may make in that regard, many open issues will remain and new issues will be of concern as digital tokens and currency (and the contracts underlying them) take on new relevance in a virtual world.

Big ideas are always exciting. Watching the metaverse come together is no different, particularly as it all is happening alongside additional innovations surrounding the web, blockchain and cryptocurrency (and, more than likely, updated laws and regulations). However, it’s still early. And we’ll have to see if the current vision of the metaverse will translate into long-term, concrete commercial and civic-minded opportunities for businesses, service providers, developers and individual artists and creators.  Ultimately, these parties will need to sort through many legal issues, both novel and commonplace, before creating and participating in a new virtual world concept that goes beyond the massive multi-user videogame platforms and virtual worlds we have today.

Article by Jeffrey D. Neuburger of Proskauer Rose LLP. Co-authored by Jonathan Mollod.


© 2021 Proskauer Rose LLP.

Legal Implications of Facebook Hearing for Whistleblowers & Employers – Privacy Issues on Many Levels

On Sunday, October 3rd, Facebook whistleblower Frances Haugen publicly revealed her identity on the CBS television show 60 Minutes. Formerly a member of Facebook’s civic misinformation team, she previously reported them to the Securities and Exchange Commission (SEC) for a variety of concerning business practices, including lying to investors and amplifying the January 6th Capitol Hill attack via Facebook’s platform.

Like all instances of whistleblowing, Ms. Haugen’s actions have a considerable array of legal implications — not only for Facebook, but for the technology sector and for labor practices in general. Especially notable is the fact that Ms. Haugen reportedly signed a confidentiality agreement, sometimes called a non-disclosure agreement (NDA), with Facebook, which may complicate the legal process.

What are the Legal Implications of Breaking a Non-Disclosure Agreement?

After secretly copying thousands of internal documents and memos detailing these practices, Ms. Haugen left Facebook in May, and testified before a Senate subcommittee on October 5th. Because she revealed information from the documents she took, Facebook could take legal action against Ms. Haugen, accusing her of stealing confidential information from the company. Ms. Haugen’s actions raise questions about the enforceability of non-disclosure and confidentiality agreements when it comes to filing whistleblower complaints.

“Paradoxically, Big Tech’s attack on whistleblower-insiders is often aimed at the whistleblower’s disclosure of so-called confidential inside information of the company.  Yet, the very concerns expressed by the Facebook whistleblower and others inside Big Tech go to the heart of these same allegations—violations of privacy of the consuming public whose own personal data has been used in a way that puts a target on their backs,” said Renée Brooker, a partner with Tycko & Zavareei LLP, a law firm specializing in representing whistleblowers.

Since Ms. Haugen came forward, Facebook stated they will not be retaliating against her for filing a whistleblower complaint. It is unclear whether protections from legal action extend to other former employees, as is the case with Ms. Haugen.

“Other employees like Frances Haugen with information about corporate or governmental misconduct should know that they do not have to quit their jobs to be protected. There are over 100 federal laws that protect whistleblowers – each with its own focus on a particular industry, or a particular whistleblower issue,” said Richard R. Renner of Kalijarvi, Chuzi, Newman & Fitch, PC, a long-time employment lawyer.

According to the Wall Street Journal, Ms. Haugen’s confidentiality agreement permits her to disclose information to regulators, but not to share proprietary information. A tricky balancing act to navigate.

“Big Tech’s attempts to silence whistleblowers are antithetical to the principles that underlie federal laws and federal whistleblower programs that seek to ferret out illegal activity,” Ms. Brooker said. “Those reporting laws include federal and state False Claims Acts, and the SEC Whistleblower Program, which typically feature whistleblower rewards and anti-retaliation provisions.”

Legal Implications for Facebook & Whistleblowers

Large tech organizations like Facebook have an overarching influence on digital information and how it is shared with the public. Whistleblowers like Ms. Haugen expose information about how companies accused of harmful practices act against their own consumers, but they also risk disclosing proprietary business information which may or may not be harmful to consumers.

Some of the most significant concerns Haugen expressed to Congress were only the tip of the iceberg, according to those familiar with whistleblowing reports on Big Tech. Aside from the burden of proof required for such releases to Congress, the threats of employer retaliation and legal repercussions may prevent internal concerns from coming to light.

“Facebook should not be singled out as a lone actor. Big Tech needs to be held accountable and insiders can and should be encouraged to come forward and be prepared to back up their allegations with hard evidence sufficient to allow governments to conduct appropriate investigations,” Ms. Brooker said.

As the concern for cybersecurity and data protection continues to hold public interest, more whistleblower disclosures that could hold Big Tech and other companies accountable are coming to light.

Haugen’s testimony at the October 5, 2021 Congressional hearing revealed a possibly expanding definition of media regulation versus consumer censorship. Although these allegations were the latest against a large company such as Facebook, more whistleblowers may continue to come forward with similar accusations, bringing additional implications for privacy, employment law and whistleblower protections.

“The Facebook whistleblower’s revelations have opened the door just a crack on how Big Tech is exploiting American consumers,” Ms. Brooker said.

This article was written by Rachel Popa, Chandler Ford and Jessica Scheck of the National Law Review.