Category: Communication Media & Internet

French Insider Episode 12: Navigating the Metaverse with Jim Gatto [PODCAST]

Joining host Sarah Aberg is Jim Gatto. Jim joins us today to discuss the metaverse, the technology and business models involved in these virtual worlds, the role of NFTs and cryptocurrency in the digital economy, and the legal, regulatory, and governance issues that can arise when companies seek to enter that space.

Jim Gatto is a partner in Sheppard Mullin’s Washington, D.C. office, where he leads the  Blockchain & Fintech Team, Social Media & Games Team, and Open Source Team. Jim’s practice focuses on blockchain, interactive entertainment, digital art, AI, and online gambling. He advises clients on IP strategies, development and publishing agreements, licensing and technology transaction agreements, and tech regulatory issues. Jim has been involved with blockchain since 2012 and has been recognized as a thought leader by leading organizations including as a Cryptocurrency, Blockchain and Fintech Trailblazer by the National Law Journal.

Sarah Aberg is special counsel in the White Collar Defense and Corporate Investigations Group in Sheppard Mullin’s New York office. Sarah’s practice encompasses litigation, internal investigations and white collar defense.  Her areas of focus include financial services and securities, as well as corporate fraud in a variety of industries, including technology, construction, and non-profits.  Sarah’s regulatory practice encompasses market regulation, foreign registration and disclosure requirements, supervisory procedures, and sales practices.  Sarah represents corporations, financial services companies, and associated individuals in connection with investigations and regulatory matters before the U.S. Department of Justice, the Securities and Exchange Commission, the Commodity Futures Trading Commission, FINRA, the New York Stock Exchange, the New York State Department of Financial Services, and the New York Attorney General’s Office.

What We Discussed in This Episode:

  1. What is the Metaverse?
  2. How Do Metaverses Differ from Earlier Virtual Worlds?
  3. What Role Do NFTs Play in the Digital Economy?
  4. Investing in a Metaverse: What are the Risks?
  5. What are Legal, Regulatory, and Tax Considerations?
  6. What Governance Issues Exist for Brands Operating in a Metaverse?
  7. What are the Inflationary and Deflationary Aspects of the Virtual Economy?
  8. How Might Blockchain and Cryptocurrency Alter International Financial Transactions?
  9. Is the World Moving into a Virtual/Digital Economy?

Article By Sarah E. Aberg and James G. Gatto of Sheppard, Mullin, Richter & Hampton LLP

For more technology and internet legal news, click here to visit the National Law Review.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

How Businesses Can Use LinkedIn Company Newsletters in Their Marketing Efforts

LinkedIn has added what I think is the most helpful tool in a long time for businesses to engage with and bring value to their followers – the ability for LinkedIn Company Pages to publish email newsletters right through LinkedIn.

This underscores the importance of having a company page and how it can be used as a content hub for marketing and recruiting your business.

Linked Company Page newsletters are available to businesses with more than 150 followers that actively maintain their LinkedIn presences.

You can create a LinkedIn Company Page newsletter in three simple steps:

  1. Create: Start writing an article on and select “Create a Newsletter.” Give it a title, add a header image (it prompts you with the dimensions) and cut and paste your text. You can add hyperlinks and images for each article too.
  2. Publish: When you publish your newsletter it will post to your feed and LinkedIn will notify your followers. They can opt in to receive email and in-platform notifications when you publish new content.
  3. Review performance: View the analytics of each newsletter sent out and see the number of subscribers. The number increases pretty quickly which is awesome. And it’s opt in so you don’t have to worry about GDPR rules.

There’s a lot of opportunity here because it is a new feature (for companies – it’s been available to individuals for a short time) and most companies don’t know about it yet (and certainly aren’t using it yet), so being an early adopter is to your benefit.

Even if you send out an email newsletter, you should still utilize the LinkedIn platform to send out a newsletter because you will reach a different audience and cast a wider net for your content.

In addition, people are opting into this newsletter, so it’s not building an audience from scratch, and if you haven’t ever sent out an email newsletter, this is a great way to start. If email marketing programs and CRM management tools overwhelm you, this is a great way to test out the waters.

It’s also really easy to repurpose content you already have. I would include hyperlinks to your website or blog with the full text (in order to keep the newsletter short and to drive traffic to your site).

You can embed links from YouTube into the newsletter to play. Check out my LinkedIn newsletter to see how it looks.

Here are some content ideas for what you can include in your LinkedIn Company Page Newsletter:

  • Article snippets with links to your latest blog posts or client alerts
  • Links to past webinars (provide a synopsis too)
  • Links to recent podcasts and videos (with shownotes)
  • Recent case studies
  • Q&As with your employees
  • Highlights of your community service/pro bono work
  • Announcements of your recent hires
  • Recent press coverage (this would be the only place where I would recommend including self-promotional items in the newsletter – the rest of it should be client-focused)
  • Upcoming events/webinars – this is a great way to promote them
  • Open jobs – why not promote them through this newsletter? It’s a competitive job market
  • News about your diversity and women’s initiatives programs – clients care a lot about this

Check out this new feature and let me know what you think of it. With nearly 800 million people on LinkedIn and the fact that your competitors are very likely not using it yet, it’s at least worth trying out.

Article By Stefanie M. Marrone of Stefanie Marrone Consulting

For more business of law thought leadership, click here to visit the National Law Review.

Copyright © 2022, Stefanie M. Marrone. All Rights Reserved.

WW International to Pay $1.5 Million Civil Penalty for Alleged COPPA Violations

In 2014, with childhood obesity on the rise in the United States, tech company Kurbo, Ltd. (Kurbo) marketed a free app for kids that, according to the company, was “designed to help kids and teens ages 8-17 reach a healthier weight.” When WW International (WW) (formerly Weight Watchers) acquired Kurbo in 2018, the app was rebranded “Kurbo by WW,” and WW continued to market the app to children as young as eight. But according to the Federal Trade Commission (FTC), Kurbo’s privacy practices were not exactly child-friendly, even if its app was. The FTC’s complaint, filed by the Department of Justice (DOJ) last month, claims that WW’s notice, data collection, and data retention practices violated the Children’s Online Privacy Protection Act Rule (COPPA Rule). WW and Kurbo, under a stipulated order, agreed to pay a $1.5 million civil penalty in addition to complying with a range of injunctive provisions. These provisions include, but are not limited to, deleting all personal information of children whose parents did not provide verifiable parental consent in a specified timeframe, and deleting “Affected Work Product” (defined in the order to include any models or algorithms developed in whole or in part using children’s personal information collected through the Kurbo Program).

Complaint Background

The COPPA Rule applies to any operator of a commercial website or online service directed to children that collects, uses, and/or discloses personal information from children and to any operator of a commercial website or online service that has actual knowledge that it collects, uses, and/or discloses personal information from children. Operators must notify parents and obtain their consent before collecting, using, or disclosing personal information from children under 13.

The complaint states that children enrolled in the Kurbo app by signing up through the app or having a parent do it on their behalf. Once on Kurbo, users could enter personal information such as height, weight, and age, and the app then tracked their weight, food consumption, and exercise. However, the FTC alleges that Kurbo’s age gate was porous, requiring no verification process to establish that children who affirmed they were over 13 were the age they claimed to be or that users asserting they were parents were indeed parents. In fact, the complaint alleges that the registration area featured a “tip-off” screen that gave visitors just two choices for registration: the “I’m a parent” option or the “I’m at least 13” option. Visitors saw the legend, “Per U.S. law, a child under 13 must sign up through a parent” on the registration page featuring these choices. In fact, thousands of users who indicated that they were at least 13 were younger and were able to change their information and falsify their real age. Users who lied about their age or who falsely claimed to be parents were able to continue to use the app. In 2020, after a warning from the FTC, Kurbo implemented a registration screen that removed the legend and the “at least 13” option. However, the new process failed to provide verification measures to establish that users claiming to be parents were indeed parents.

Kurbo’s notice of data collection and data retention practices also fell short. The COPPA Rule requires an operator to “post a prominent and clearly labeled link to an online notice of its information practices with regard to children on the home or landing page or screen of its Web site or online service, and, at each area of the Web site or online service where personal information is collected from children.” But beginning in November 2019, Kurbo’s notice at registration was buried in a list of hyperlinks that parents were not required to click through, and the notice failed to list all the categories of information the app collected from children. Further, Kurbo did not comply with the COPPA Rule’s mandate to keep children’s personal information only as long as reasonably necessary for the purpose it was collected and then to delete it. Instead, the company held on to personal information indefinitely unless parents specifically requested its removal.

Stipulated Order

In addition to imposing a $1.5 million civil penalty, the order, which was approved by the court on March 3, 2022, requires WW and Kurbo to:

  • Refrain from disclosing, using, or benefitting from children’s personal information collected in violation of the COPPA Rule;
  • Delete all personal information Kurbo collected in violation of the COPPA Rule within 30 days;
  • Provide a written statement to the FTC that details Kurbo’s process for providing notice and seeking verifiable parental consent;
  • Destroy all affected work product derived from improperly collecting children’s personal information and confirm to the FTC that deletion has been carried out;
  • Delete all children’s personal information collected within one year of the user’s last activity on the app; and
  • Create and follow a retention schedule that states the purpose for which children’s personal information is collected, the specific business need for retaining such information, and criteria for deletion, including a set timeframe no longer than one year.

Implications of the Order

Following the U.S. Supreme Court’s decision in AMG Capital Management, LLC v. Federal Trade Commission, which halted the FTC’s ability to use its Section 13(b) authority to seek monetary penalties for violations of the FTC Act, the FTC has been pushing Congress to grant it greater enforcement powers. In the meantime, the FTC has used other enforcement tools, including the recent resurrection of the agency’s long-dormant Penalty Offense Authority under Section 5(m)(1)(B) of the FTC Act and a renewed willingness to use algorithmic disgorgement (which the FTC first applied in the 2019 Cambridge Analytica case).

Algorithmic disgorgement involves “requir[ing] violators to disgorge not only the ill-gotten data, but also the benefits—here, the algorithms—generated from that data,” as then-Acting FTC Chair Rebecca Kelly Slaughter stated in a speech last year. This order appears to be the first time algorithmic disgorgement was applied by the Commission in an enforcement action under COPPA.

Children’s privacy issues continue to attract the attention of the FTC and lawmakers at both federal and state levels. Companies that collect children’s personal information should be careful to ensure that their privacy policies and practices fully conform to the COPPA Rule.

Article By Sheila A. Millar and Tracy P. Marshall of Keller and Heckman LLP

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

© 2022 Keller and Heckman LLP

New UK IDTA and Addendum Come Into Force

The new UK International Data Transfer Agreement (“IDTA”) and Addendum to the new 2021 EU Standard Contract Clauses (“New EU SCCs”) are now in force (as of the 21 March 2022), providing much needed certainty for UK organisations transferring personal data to service providers and group companies based outside of the UK/EEA.

The IDTA and Addendum replace the old EU Standard Contractual Clauses  (“Old EU SCCs”) for use as a UK GDPR-compliant transfer tool for restricted transfers from the UK, which also enables UK data exporters to comply with the European Court of Justice’s ‘Schrems II’ judgement.

For new UK data transfer arrangements or where UK organisations are in the process of reviewing their existing arrangements, use of the new ITDA or Addendum would be the best option to seek to future proof against the need to replace them in 2 years’ time.

Where the data flows involve transfers of personal data from both the UK and the EU, the use of the Addendum alongside the New EU SCCs, will enable organisations to implement a more harmonised solution.

To view copies of the documents please follow the links below:

To read our previous blog post on this topic, click here.

Article By Francesca Fellowes of Squire Patton Boggs (US) LLP. Hannah-Mei Grisley also contributed to this article.

For more data privacy legal news, click here to visit the National Law Review.

© Copyright 2022 Squire Patton Boggs (US) LLP

Utah Becomes Fourth U.S. State to Enact Consumer Privacy Law

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

The UCPA applies to a controller or processor that (1) conducts business in Utah or produces a product or service targeted to Utah residents; (2) has annual revenue of $25,000,000 or more; and (3) satisfies at least one of the following thresholds: (a) during a calendar year, controls or processes the personal data of 100,000 or more Utah residents, or (b) derives over 50% of its gross revenue from the sale of personal data, and controls or processes the personal data of 25,000 or more consumers.

As with the CPA and VCDPA, the UCPA’s protections apply only to Utah residents acting solely within their individual or household context, with an express exemption for individuals acting in an employment or commercial (B2B) context. Similar to the CPA and VCDPA, the UCPA contains exemptions for covered entities, business associates and protected health information subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and financial institutions or personal data subject to the Gramm-Leach-Bliley Act (“GLB”). As with the CCPA/CPRA and VCDPA, the UCPA also exempts from its application non-profit entities.

In line with the CCPA/CPRA, CPA and VCDPA, the UCPA provides Utah consumers with certain rights, including the right to access their personal data, delete their personal data, obtain a copy of their personal data in a portable manner, opt out of the “sale” of their personal data, and opt out of “targeted advertising” (as each term is defined under the law). Notably, the UCPA adopts the VCDPA’s more narrow definition of “sale,” which is limited to the exchange of personal data for monetary consideration by a controller to a third party. Unlike the CCPA/CPRA, CPA and VCDPA, the UCPA will not provide Utah consumers with the ability to correct inaccuracies in their personal data. Also unlike the CPA and VCDPA, the UCPA will not require controllers to obtain prior opt-in consent to process “sensitive data” (i.e., racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical or health information, genetic or biometric data, or geolocation data). It will, however, require controllers to first provide consumers with clear notice and an opportunity to opt out of the processing of his or her sensitive data. With respect to the processing of personal data “concerning a known child” (under age 13), controllers must process such data in accordance with the Children’s Online Privacy Protection Act. The UCPA will prohibit controllers from discriminating against consumers for exercising their rights.

In addition, the UCPA will require controllers to implement reasonable and appropriate data security measures, provide certain content in their privacy notices, and include specific language in contracts with processors.

Unlike the CCPA/CPRA, VCDPA and CPA, the UCPA will not require controllers to conduct data protection assessments prior to engaging in data processing activities that present a heightened risk of harm to consumers, or to conduct cybersecurity audits or risk assessments.

In line with existing U.S. state privacy laws, the UCPA does not provide for a private right of action. The law will be enforced by the Utah Attorney General.

Article By the Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

For more cybersecurity and data privacy legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

EDPB on Dark Patterns: Lessons for Marketing Teams

“Dark patterns” are becoming the target of EU data protection authorities, and the new guidelines of the European Data Protection Board (EDPB) on “dark patterns in social media platform interfaces” confirm their focus on such practices. While they are built around examples from social media platforms (real or fictitious), these guidelines contain lessons for all websites and applications. The bad news for marketers: the EDPB doesn’t like it when dry legal texts and interfaces are made catchier or more enticing.

To illustrate, in a section of the guidelines regarding the selection of an account profile photo, the EDPB considers the example of a “help/information” prompt saying “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me.’” According to the EDPB, such a practice “can impact the final decision made by users who initially decided not to share a picture for their account” and thus makes consent invalid under the General Data Protection Regulation (GDPR). Similarly, the EDPB criticises an extreme example of a cookie banner with a humourous link to a bakery cookies recipe that incidentally says, “we also use cookies”, stating that “users might think they just dismiss a funny message about cookies as a baked snack and not consider the technical meaning of the term “cookies.”” The EDPB even suggests that the data minimisation principle, and not security concerns, should ultimately guide an organisation’s choice of which two-factor authentication method to use.

Do these new guidelines reflect privacy paranoia or common sense? The answer should lie somewhere in between, but the whole document (64 pages long) in our view suggests an overly strict approach, one that we hope will move closer to commonsense as a result of a newly started public consultation process.

Let us take a closer look at what useful lessons – or warnings – can be drawn from these new guidelines.

What are “dark patterns” and when are they unlawful?

According to the EDPB, dark patterns are “interfaces and user experiences […] that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data” (p. 2). They “aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices.” The risk associated with dark patterns is higher for websites or applications meant for children, as “dark patterns raise additional concerns regarding potential impact on children” (p. 8).

While the EDPB takes a strongly negative view of dark patterns in general, it recognises that dark patterns do not automatically lead to an infringement of the GDPR. The EDPB acknowledges that “[d]ata protection authorities are responsible for sanctioning the use of dark patterns if these breach GDPR requirements” (emphasis ours; p. 2). Nevertheless, the EDPB guidance strongly links the concept of dark patterns with the data protection by design and by default principles of Art. 25 GDPR, suggesting that disregard for those principles could lead to a presumption that the language or a practice in fact creates a “dark pattern” (p. 11).

The EDPB refers here to its Guidelines 4/2019 on Article 25 Data Protection by Design and by Default and in particular to the following key principles:

  • “Autonomy – Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as autonomy over the scope and conditions of that use or processing.
  • Interaction – Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller.
  • Expectation – Processing should correspond with data subjects’ reasonable expectations.
  • Consumer choice – The controllers should not “lock in” their users in an unfair manner. Whenever a service processing personal data is proprietary, it may create a lock-in to the service, which may not be fair, if it impairs the data subjects’ possibility to exercise their right of data portability in accordance with Article 20 GDPR.
  • Power balance – Power balance should be a key objective of the controller-data subject relationship. Power imbalances should be avoided. When this is not possible, they should be recognised and accounted for with suitable countermeasures.
  • No deception – Data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.
  • Truthful – the controllers must make available information about how they process personal data, should act as they declare they will and not mislead data subjects.”

Is data minimisation compatible with the use of SMS two-factor authentication?

One of the EDPB’s positions, while grounded in the principle of data minimisation, undercuts a security practice that has grown significantly over the past few years. In effect, the EDPB seems to question the validity under the GDPR of requests for phone numbers for two-factor authentication where e-mail tokens would theoretically be possible:

“30. To observe the principle of data minimisation, [organisations] are required not to ask for additional data such as the phone number, when the data users already provided during the sign- up process are sufficient. For example, to ensure account security, enhanced authentication is possible without the phone number by simply sending a code to users’ email accounts or by several other means.
31. Social network providers should therefore rely on means for security that are easier for users to re[1]initiate. For example, the [organisation] can send users an authentication number via an additional communication channel, such as a security app, which users previously installed on their mobile phone, but without requiring the users’ mobile phone number. User authentication via email addresses is also less intrusive than via phone number because users could simply create a new email address specifically for the sign-up process and utilise that email address mainly in connection with the Social Network. A phone number, however, is not that easily interchangeable, given that it is highly unlikely that users would buy a new SIM card or conclude a new phone contract only for the reason of authentication.” (emphasis ours; p. 15)

The EDPB also appears to be highly critical of phone-based verification in the context of registration “because the email address constitutes the regular contact point with users during the registration process” (p. 15).

This position is unfortunate, as it suggests that data minimisation may preclude controllers from even assessing which method of two-factor authentication – in this case, e-mail versus SMS one-time passwords – better suits its requirements, taking into consideration the different security benefits and drawbacks of the two methods. The EDPB’s reasoning could even be used to exclude any form of stronger two-factor authentication, as additional forms inevitably require separate processing (e.g., phone number or third-party account linking for some app-based authentication methods).

For these reasons, organisations should view this aspect of the new EDPB guidelines with a healthy dose of skepticism. It likewise will be important for interested stakeholders to participate in the consultation to explain the security benefits of using phone numbers to keep the “two” in two-factor authentication.

Consent withdrawal: same number of clicks?

Recent decisions by EU regulators (notably two decisions by the French authority, the CNIL have led to speculation about whether EU rules effectively require website operators to make it possible for data subjects to withdraw consent to all cookies with one single click, just as most websites make it possible to give consent through a single click. The authorities themselves have not stated that this is unequivocally required, although privacy activists notably filed complaints against hundreds of websites, many of them for not including a “reject all” button on their cookie banner.

The EDPB now appears to side with the privacy activists in this respect, stating that “consent cannot be considered valid under the GDPR when consent is obtained through only one mouse-click, swipe or keystroke, but the withdrawal takes more steps, is more difficult to achieve or takes more time” (p. 14).

Operationally, however, it seems impossible to comply with a “one-click withdrawal” standard in absolute terms. Just pulling up settings after registration or after the first visit to a website will always require an extra click, purely to open those settings. We expect this issue to be examined by the courts eventually.

Is creative wording indicative of a “dark pattern”?

The EDPB’s guidelines contain several examples of wording that is intended to convince the user to take a specific action.

The photo example mentioned in the introduction above is an illustration, but other (likely fictitious) examples include the following:

  • For sharing geolocation data: “Hey, a lone wolf, are you? But sharing and connecting with others help make the world a better place! Share your geolocation! Let the places and people around you inspire you!” (p.17)
  • To prompt a user to provide a self-description: “Tell us about your amazing self! We can’t wait, so come on right now and let us know!” (p. 17)

The EDPB criticises the language used, stating that it is “emotional steering”:

“[S]uch techniques do not cultivate users’ free will to provide their data, since the prescriptive language used can make users feel obliged to provide a self-description because they have already put time into the registration and wish to complete it. When users are in the process of registering to an account, they are less likely to take time to consider the description they give or even if they would like to give one at all. This is particularly the case when the language used delivers a sense of urgency or sounds like an imperative. If users feel this obligation, even when in reality providing the data is not mandatory, this can have an impact on their “free will”” (pp. 17-18).

Similarly, in a section about account deletion and deactivation, the EDPB criticises interfaces that highlight “only the negative, discouraging consequences of deleting their accounts,” e.g., “you’ll lose everything forever,” or “you won’t be able to reactivate your account” (p. 55). The EDPB even criticises interfaces that preselect deactivation or pause options over delete options, considering that “[t]he default selection of the pause option is likely to nudge users to select it instead of deleting their account as initially intended. Therefore, the practice described in this example can be considered as a breach of Article 12 (2) GDPR since it does not, in this case, facilitate the exercise of the right to erasure, and even tries to nudge users away from exercising it” (p. 56). This, combined with the EDPB’s aversion to confirmation requests (see section 5 below), suggests that the EDPB is ignoring the risk that a data subject might opt for deletion without fully recognizing the consequences, i.e., loss of access to the deleted data.

The EDPB’s approach suggests that any effort to woo users into giving more data or leaving data with the organisation will be viewed as harmful by data protection authorities. Yet data protection rules are there to prevent abuse and protect data subjects, not to render all marketing techniques illegal.

In this context, the guidelines should in our opinion be viewed as an invitation to re-examine marketing techniques to ensure that they are not too pushy – in the sense that users would in effect truly be pushed into a decision regarding personal data that they would not otherwise have made. Marketing techniques are not per se unlawful under the GDPR but may run afoul of GDPR requirements in situations where data subjects are misled or robbed of their choice.

Other key lessons for marketers and user interface designers

  • Avoid continuous prompting: One of the issues regularly highlighted by the EDPB is “continuous prompting”, i.e., prompts that appear again and again during a user’s experience on a platform. The EDPB suggests that this creates fatigue, leading the user to “give in,” i.e., by “accepting to provide more data or to consent to another processing, as they are wearied from having to express a choice each time they use the platform” (p. 14). Examples given by the EDPB include the SMS two-factor authentication popup mentioned above, as well as “import your contacts” functionality. Outside of social media platforms, the main example for most organisations is their cookie policy (so this position by the EDPB reinforces the need to manage cookie banners properly). In addition, newsletter popups and popups about “how to get our new report for free by filling out this form” are frequent on many digital properties. While popups can be effective ways to get more subscribers or more data, the EDPB guidance suggests that regulators will consider such practices questionable from a data protection perspective.
  • Ensure consistency or a justification for confirmation steps: The EDPB highlights the “longer than necessary” dark pattern at several places in its guidelines (in particular pp. 18, 52, & 57), with illustrations of confirmation pop-ups that appear before a user is allowed to select a more privacy-friendly option (and while no such confirmation is requested for more privacy-intrusive options). Such practices are unlawful according to the EDPB. This does not mean that confirmation pop-ups are always unlawful – just that you need to have a good justification for using them where you do.
  • Have a good reason for preselecting less privacy-friendly options: Because the GDPR requires not only data protection by design but also data protection by default, make sure that you are able to justify an interface in which a more privacy-intrusive option is selected by default – or better yet, don’t make any preselection. The EDPB calls preselection of privacy-intrusive options “deceptive snugness” (“Because of the default effect which nudges individuals to keep a pre-selected option, users are unlikely to change these even if given the possibility” p. 19).
  • Make all privacy settings available in all platforms: If a user is asked to make a choice during registration or upon his/her first visit (e.g., for cookies, newsletters, sharing preferences, etc.), ensure that those settings can all be found easily later on, from a central privacy settings page if possible, and alongside all data protection tools (such as tools for exercising a data subject’s right to access his/her data, to modify data, to delete an account, etc.). Also make sure that all such functionality is available not only on a desktop interface but also for mobile devices and across all applications. The EDPB illustrates this point by criticising the case where an organisation has a messaging app that does not include the same privacy statement and data subject request tools as the main app (p. 27).
  • Be clearer in using general language such as “Your data might be used to improve our services”: It is common in most privacy statements to include a statement that personal data (e.g., customer feedback) “can” or “may be used” to improve an organisation’s products and services. According to the EDPB, the word “services” is likely to be “too general” to be viewed as “clear,” and it is “unclear how data will be processed for the improvement of services.” The use of the conditional tense in the example (“might”) also “leaves users unsure whether their data will be used for the processing or not” (p. 25). Given that the EDPB’s stance in this respect is a confirmation of a position taken by EU regulators in previous guidance on transparency, and serves as a reminder to tell data subjects how data will be used.
  • Ensure linguistic consistency: If your website or app is available in more than one language, ensure that all data protection notices and tools are available in those languages as well and that the language choice made on the main interface is automatically taken into account on the data-related pages (pp. 25-26).

Best practices according to the EDPB

Finally, the EDPB highlights some other “best practices” throughout its guidelines. We have combined them below for easier review:

  • Structure and ease of access:
    • Shortcuts: Links to information, actions, or settings that can be of practical help to users to manage their data and data protection settings should be available wherever they relate to information or experience (e.g., links redirecting to the relevant parts of the privacy policy; in the case of a data breach communication to users, to provide users with a link to reset their password).
    • Data protection directory: For easy navigation through the different section of the menu, provide users with an easily accessible page from where all data protection-related actions and information are accessible. This page could be found in the organisation’s main navigation menu, the user account, through the privacy policy, etc.
    • Privacy Policy Overview: At the start/top of the privacy policy, include a collapsible table of contents with headings and sub-headings that shows the different passages the privacy notice contains. Clearly identified sections allow users to quickly identify and jump to the section they are looking for.
    • Sticky navigation: While consulting a page related to data protection, the table of contents could be constantly displayed on the screen allowing users to quickly navigate to relevant content thanks to anchor links.
  • Transparency:
    • Organisation contact information: The organisation’s contact address for addressing data protection requests should be clearly stated in the privacy policy. It should be present in a section where users can expect to find it, such as a section on the identity of the data controller, a rights related section, or a contact section.
    • Reaching the supervisory authority: Stating the specific identity of the EU supervisory authority and including a link to its website or the specific website page for lodging a complaint is another EDPB recommendation. This information should be present in a section where users can expect to find it, such as a rights-related section.
    • Change spotting and comparison: When changes are made to the privacy notice, make previous versions accessible with the date of release and highlight any changes.
  • Terminology & explanations:
    • Coherent wording: Across the website, the same wording and definition is used for the same data protection concepts. The wording used in the privacy policy should match that used on the rest of the platform.
    • Providing definitions: When using unfamiliar or technical words or jargon, providing a definition in plain language will help users understand the information provided to them. The definition can be given directly in the text when users hover over the word and/or be made available in a glossary.
    • Explaining consequences: When users want to activate or deactivate a data protection control, or give or withdraw their consent, inform them in a neutral way of the consequences of such action.
    • Use of examples: In addition to providing mandatory information that clearly and precisely states the purpose of processing, offering specific data processing examples can make the processing more tangible for users
  • Contrasting Data Protection Elements: Making data protection-related elements or actions visually striking in an interface that is not directly dedicated to the matter helps readability. For example, when posting a public message on the platform, controls for geolocation should be directly available and clearly visible.
  • Data Protection Onboarding: Just after the creation of an account, include data protection points within the onboarding experience for users to discover and set their preferences seamlessly. This can be done by, for example, inviting them to set their data protection preferences after adding their first friend or sharing their first post.
  • Notifications (including data breach notifications): Notifications can be used to raise awareness of users of aspects, changes, or risks related to personal data processing (e.g., when a data breach occurs). These notifications can be implemented in several ways, such as through inbox messages, pop-in windows, fixed banners at the top of the webpage, etc.

Next steps and international perspectives

These guidelines (available online) are subject to public consultation until 2 May 2022, so it is possible they will be modified as a result of the consultation and, we hope, improved to reflect a more pragmatic view of data protection that balances data subjects’ rights, security, and operational business needs. If you wish to contribute to the public consultation, note that the EDPB publishes feedback it receives (as a result, we have occasionally submitted feedback on behalf of clients wishing to remain anonymous).

Irrespective of the outcome of the public consultation, the guidelines are guaranteed to have an influence on the approach of EU data protection authorities in their investigations. From this perspective, it is better to be forewarned – and to have legal arguments at your disposal if you wish to adopt an approach that deviates from the EDPB’s position.

Moreover, these guidelines come at a time when the United States Federal Trade Commission (FTC) is also concerned with dark patterns. The FTC recently published an enforcement policy statement on the matter in October 2021. Dark patterns are also being discussed at the Organisation for Economic Cooperation and Development (OECD). International dialogue can be helpful if conversations about desired policy also consider practical solutions that can be implemented by businesses and reflect a desirable user experience for data subjects.

Organisations should consider evaluating their own techniques to encourage users to go one way or another and document the justification for their approach.

Article By Peter Craddock, Sheila A. Millar, and Tracy P. Marshall of Keller and Heckman LLP

For more cybersecurity legal news, click here to visit the National Law Review.

© 2022 Keller and Heckman LLP

OIG: Telehealth “Critical” to Maintaining Access to Care Amidst COVID-19

The federal Office of Inspector General (OIG) recently published a report (OIG Report) as part of a series of analyses of the expansion and utilization of telehealth in response to the COVID-19 public health emergency.  In its report, the OIG concludes that telehealth was “critical for providing services to Medicare beneficiaries during the first year of the pandemic” and that the utilization of telehealth “demonstrates the long-term potential of telehealth to increase access to health care for beneficiaries.” The OIG’s conclusions are notable because they come at a time when policymakers and health care stakeholders are determining whether and how to make permanent certain expansions of telehealth for patients nationwide.

The OIG Report is based on Medicare claims and encounter data from the “first” year of the pandemic (March 1, 2020 through February 28, 2021) as compared to data for the immediately preceding year (March 1, 2019 through February 29, 2020). Per the OIG Report, the OIG observed that approximately 43% of Medicare beneficiaries used telehealth during the first year of the pandemic, and that office visits were the most common telehealth encounter for those patients. The telehealth utilization data showed an 88-fold increase over the utilization of telehealth services for the prior year, which in part reflects the significant limitations on telehealth reimbursement under Medicare prior to COVID-19, in addition to the significant regulatory expansion of telehealth at the federal and state levels in response to COVID-19.

Interestingly, the OIG Report states that beneficiaries enrolled in a Medicare Advantage plan “were more likely to use telehealth” than Medicare fee-for-service beneficiaries, and that “CMS’s temporary policy changes enabled the monumental growth in the use of telehealth in multiple ways,” including by expanding the permissible patient locations, and the types of services that could be provided via telehealth. In addition, the OIG indicated that the use of telehealth for behavioral health services by beneficiaries “stands out” because of the higher incidence of beneficiaries accessing those services via telehealth, which may in turn influence policymaking and increase access to critical behavioral health care services.

Finally, the OIG Report notably includes a footnote which indicates that a separate report on “Program Integrity Risks” is forthcoming, which may shed light on corresponding compliance concerns that have arisen in connection with the significant expansion of telehealth in response to COVID-19.

Article By Conor O. Duffy of Robinson & Cole LLP

For more health law legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

“Levitating” Lawsuits: Understanding Dua Lipa’s Copyright Infringement Troubles

Even global stardom will not make copyright woes levitate away from British superstar Dua Lipa. The pop icon is making headlines following a week of back-to-back, bi-coastal lawsuits alleging copyright infringement with her hit “Levitating.” First, on Tuesday, March 1st, members of reggae band Artikal Sound System sued Dua Lipa for copyright infringement in a Los Angeles federal district court1. Then, on Friday, March 4th, songwriters L. Russell Brown and Sandy Linzer filed their own copyright infringement lawsuit against the pop star in a New York federal district court2. Both lawsuits were filed claiming violations of the Copyright Act, 17 U.S.C. §§ 101 et seq.3

The Artikal Sound System lawsuit is short and alleges that Dua Lipa and the co-creators of “Levitating” copied Artikal Sound System’s 2017 song “Live Your Life.”4 The lawsuit does not provide any details in the allegation, other than explaining that “Live Your Life” was commercially released in 2017, was available during the time Dua Lipa and her co-creators wrote “Levitating,” and that because the two songs are substantially similar “Levitating” could not have been created independently.5 As a remedy, Artikal Sound System seeks actual damages, a portion of Dua Lipa’s profits stemming from the alleged infringement, the cost of the lawsuit, and any additional remedies the Court sees fit.6

Similarly, the Brown and Linzer lawsuit alleges that Dua Lipa and her “Levitating” co-creators copied their works “Wiggle and Giggle All Night” and “Don Diablo.”7 More specifically, the Brown and Linzer lawsuit alleges that “Levitating” is substantially similar to “Wiggle and Giggle All Night” and “Don Diablo.”8

Accordingly, the lawsuit claims that the defining melody in “Levitating,” the “signature melody,” is a direct duplicate of the opening melody in “Wiggle and Giggle All Night” and “Don Diablo,” and therefore appears in all three songs.9 As additional support, the lawsuit points to professionals and laypersons noticing a similarity between the three songs, and Dua Lipa previously admitting that she “purposely sought influences from past eras for the album Future Nostalgia.”10

As for a remedy, Brown and Linzer request full compensatory and/or statutory damages, punitive damages, an injunction on “Levitating,” a portion of Dua Lipa’s profits stemming from the alleged infringement, the cost of the lawsuit, and any additional remedies the Court sees fit.11

The copyright infringement legal framework

A general overview of the copyright infringement legal framework is helpful in assessing the potential outcomes of the “Levitating” lawsuits. Specifically, the legal framework from the 9th Circuit, where one of the “Levitating” lawsuits was filed, provides great guidance.

In order to establish copyright infringement, one must prove two elements: owning a valid copyright and copying of “constituent elements of the work that are original.”12 Importantly, when there is no direct evidence of copying, but rather circumstantial evidence, plaintiffs must show that:

  1. the accused infringers had access to the copyrighted work, and

  2. the infringing work and the copyrighted work “are substantially similar.

Plaintiffs can easily show access to the copyrighted work, but “substantial similarity” is harder to show.

2-Part Test

Luckily, the 9th Circuit devised a 2-part test to prove “substantial similarity.”13 Under the test, there is sufficient copying, and therefore “substantial similarity,” if an infringing work meets an “extrinsic” and “intrinsic” prong.14 The intrinsic prong is met if there is “similarity of expression” between the works, as evaluated from the subjective standpoint of an “ordinary reasonable observer.”15 The extrinsic prong is objective and requires comparing the “constituent elements” of the copyrighted and infringing works to see if there is substantial similarity in terms of the “protected” elements in the copyrighted work.16

As such, if the commonality between the copyrighted and infringing works is not based on “protected” elements, then the extrinsic prong is not met, and there is no “substantial similarity” between the works for purposes of a copyright infringement action. It must be noted that the 9th Circuit recognizes that, in certain situations, there can be a “substantial similarity” even if the constituent elements are individually unprotected, but only if their “selection and arrangement” reflects originality.17

To understand “substantial similarity” one must define what is “protectable” under copyright law. Copyright protection extends only to works that contain original expression.18 In this context, the standard for originality is a minimal degree of creativity.19 According to the Copyright Act, protection does not extend to ideas or concepts used in original works of authorship.20 In the musical context, copyright does not protect “common or trite musical elements, or commonplace elements that are firmly rooted in the genre’s tradition” because “[t]hese building blocks belong in the public domain and cannot be exclusively appropriated by any particular author.”21

Katy Perry “Dark Horse” case and an ostinato

While the “Levitating” lawsuits are still young, a recent decision by the 9th Circuit in the infamous Katy Perry “Dark Horse” case is a good example of how courts conduct legal analyses in copyright infringement cases. The precedential ruling (Gray v. Hudson), released on March 10th, affirms a U.S. District Judge’s decision to vacate a jury verdict that awarded US$2.8 million in damages to a group of rappers who claimed Katy Perry’s “Dark Horse” copied their song “Joyful Noise.”22

The 9th Circuit’s opinion cogently applies copyright law to hold that the plaintiffs in the original lawsuit did not provide legally sufficient evidence that “Joyful Noise” and “Dark Horse” were “extrinsically similar” in terms of musical features protected by copyright law.23

Specifically, the Court reasoned that while “Dark Horse” used an ostinato (a repeating musical figure) similar to the one in “Joyful Noise,” the resemblance in the ostinatos stemmed from “commonplace, unoriginal musical principles” and made them uncopyrightable.24 Without the ostinatos, the plaintiffs could not point to any “individually copyrightable” elements from “Joyful Noise” that were “substantially similar” in “Dark Horse.”25

Additionally, the Court held that the “Joyful Noise” ostinato was not original enough to be a protectable combination of uncopyrightable elements.26 In turn, under the legal framework for copyright infringement the plaintiffs failed to meet their burden.27 The Court put it best by opining that:

[a]llowing a copyright over [the] material would essentially amount to allowing an improper monopoly over two-note pitch sequences or even the minor scale itself, especially in light of the limited number of expressive choices available when it comes to an eight-note repeated musical figure.”28

“Levitating” lawsuits likely outcomes

Applying the copyright infringement framework to the “Levitating” lawsuits allows us to understand the likely outcomes. First, the Artikal Sound System lawsuit does not allege any direct evidence of copying. As such, Artikal Sound System must show that Dua Lipa had access to “Live Your Life” and that “Levitating” is “substantially similar” to their song under the 2-prong test. Access is easily proved, as “Live Your Life” was commercially available on multiple streaming services when Dua Lipa wrote “Levitating.”29

However, the Artikal Sound System lawsuit does not provide enough information to pass the 2-prong “substantial similarity” test. The lawsuit only alleges that “Levitating” is “substantially similar” to “Live Your Life,” but does not detail any similarities much less provide any evidence that there is similarity of expression between the works from the point of view of a reasonable observer, as required by the intrinsic component of the test.30

More importantly, the lawsuit does not even mention any protectable elements from “Live Your Life” copied in “Levitating” and would, therefore, fail the extrinsic prong of the “substantial similarity” test.31 In turn, as submitted, the Artikal Sound System lawsuit fails to make a prima facie case of copyright infringement by Dua Lipa’s “Levitating.”

The story may be different for the Brown and Linzer lawsuit. Like the first suit, the Brown and Linzer lawsuit does not provide direct evidence of copying and will therefore only succeed if it passes the circumstantial evidence requirements of 1) access and 2) “substantial similarity.” Unlike the first suit, however, the Brown and Linzer complaint includes comparisons of the notes in “Levitating” to the notes in “Wiggle and Giggle All Night” and “Don Diablo” as support for the allegation of “substantial similarity.”

The 2nd Circuit, where the lawsuit was filed, held that a court can determine as a matter of law that two works are not “substantially similar” if the similarity between the two works concerns non-copyrightable elements of the copyrighted work.32 In practice, this means that the 2nd Circuit can apply the 2-prong “substantial similarity” test. Brown and Linzer can easily prove access to “Wiggle and Giggle All Night” and “Don Diablo” since both songs are internationally popular.33

Brown and Linzer can also meet the intrinsic prong of the test because, as they point out, “laypersons” (ordinary reasonable observers) have noticed the commonality between their copyrighted works and “Levitating,” as supported by widespread postings on mediums like TikTok.34 The extrinsic prong of the test is more uncertain.

In their lawsuit, Brown and Linzer point to a “signature melody” that repeats in “bars 10 and 11 of all three songs… [and] with some slight variation, in bars 12 and 13.”35 The court may find that this “signature melody” is not protected by copyright if it reasons that a melody is a basic musical principle, much like the 9th Circuit did for ostinatos in the Katy Perry “Dark Horse” case.

At its core, it seems like Brown and Linzer will have to convince the court that a melody, which they define as “a linear succession of musical tones,” qualifies as copyrightable because it is an original creative expression. Conversely, Brown and Linzer can concede that a melody is not copyrightable, but that their original arrangement and use of the melody in their copyrighted songs is copyrightable. In the end, it will be up to whether or not a court finds that the “signature melody” is copyrightable. As such, the outcome of Brown and Linzer’s action for copyright infringement is uncertain.

Nonetheless, one thing is for sure, copied or not, “Levitating” will continue powering gym visits and nights out dancing.

Footnotes

  1. See Complaint, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  2. See Complaint, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  3. See Complaint at ¶ 7, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022); Complaint at ¶ 12, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  4. See Complaint at ¶ 17, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  5. See Complaint at ¶ 15-18, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  6. See Complaint at ¶ 19-22, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  7. See Complaint at ¶ 2, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  8. See Complaint at ¶ 2, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  9. See Complaint at ¶ 3, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  10. See Complaint at ¶ 49, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  11. See Complaint at 13-14, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  12. Feist Publ’ns, Inc. v. Rural Tel. Serv. Co., 499 U.S. 340, 361 (1991).

  13. Apple Comput., Inc. v. Microsoft Corp., 35 F.3d 1435, 1442 (9th Cir. 1994).

  14. Id.

  15. Id.

  16. Swirsky v. Carey, 376 F.3d 841, 845 (9th Cir. 2004).

  17. Satava v. Lowry, 323 F.3d 805, 811 (9th Cir. 2003).

  18. See 17 U.S.C. § 102(a); Feist, 499 U.S. at 345.

  19. See Feist, 499 U.S. at 345.

  20. See 17 U.S.C. § 102(b); Skidmore as Tr. for the Randy Craig Wolfe Tr. v. Led Zeppelin, 952 F.3d 1051, 1069 (9th Cir. 2020) (en banc).

  21. Skidmore, 952 F.3d at 1069.

  22. Gray v. Hudson, No. 20-55401, slip op at 26 (9th Cir. Mar. 10, 2022).

  23. Id.

  24. Id. at 14-21.

  25. Id. at 17.

  26. Id. at 22.

  27. Id. at 26.

  28. Id. at 24.

  29. See Complaint at ¶ 16, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  30. See Complaint at ¶ 18, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  31. See Complaint at ¶ 18, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).

  32. Peter F. Gaito Architecture, LLC v. Simone Dev. Corp., 602 F.3d 57, 63-65 (2d Cir. 2010).

  33. See Complaint at ¶ 35, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  34. See Complaint at ¶ 4, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

  35. See Complaint at ¶ 38, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

Article By Adrian Gonzalez Cerrillo and Sana Hakim of K&L Gates

For more intellectual property legal news, click here to visit the National Law Review.

Copyright 2022 K & L Gates

Google to Launch Google Analytics 4 in an Attempt to Address EU Privacy Concerns

On March 16, 2022, Google announced the launch of its new analytics solution, “Google Analytics 4.” Google Analytics 4 aims, among other things, to address recent developments in the EU regarding the use of analytics cookies and data transfers resulting from such use.

Background

On August 17, 2020, the non-governmental organization None of Your Business (“NOYB”) filed 101 identical complaints with 30 European Economic Area data protection authorities (“DPAs”) regarding the use of Google Analytics by various companies. The complaints focused on whether the transfer of EU personal data to Google in the U.S. through the use of cookies is permitted under the EU General Data Protection Regulation (“GDPR”), following the Schrems II judgment of the Court of Justice of the European Union. Following these complaints, the French and Austrian DPAs ruled that the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie is unlawful.

Google’s New Solution

According to Google’s press release, Google Analytics 4 “is designed with privacy at its core to provide a better experience for both our customers and their users. It helps businesses meet evolving needs and user expectations, with more comprehensive and granular controls for data collection and usage.”

The most impactful change from an EU privacy standpoint is that Google Analytics 4 will no longer store IP address, thereby limiting the data transfers resulting from the use of Google Analytics that were under scrutiny in the EU following the Schrems II ruling. It remains to be seen whether this change will ease EU DPAs’ concerns about Google Analytics’ compliance with the GDPR.

Google’s previous analytics solution, Universal Analytics, will no longer be available beginning July 2023. In the meantime, companies are encouraged to transition to Google Analytics 4.

Read Google’s press release.

Article By Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

For more cybersecurity legal news, click here to visit the National Law Review. 

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Congress Grants Five Month Extension for Telehealth Flexibilities

On Tuesday, March 16, 2022, President Biden signed into law H.R. 2471, the Consolidated Appropriations Act, 2022 (“2022 CAA”). This new law includes several provisions that extend the Medicare telehealth waivers and flexibilities, implemented as a result of COVID-19 to facilitate access to care, for an additional 151 days after the end of the Public Health Emergency (“PHE”). This equates to about a five-month period.

The 2022 CAA extension captures most of the core PHE telehealth flexibilities authorized as part of Medicare’s pandemic response, including the following:

  • Geographic Restrictions and Originating Sites: During the extension, Medicare beneficiaries can continue to receive telehealth services from anywhere in the country, including their home. Medicare is permitting telehealth services to be provided to patients at any site within the United States, not just qualifying zip codes or locations (e.g. physician offices/facilities).
  • Eligible Practitioners: Occupational therapists, physical therapists, speech-language pathologists, and qualified audiologists will continue to be able to furnish and receive payment for telehealth services as eligible distant site practitioners during the extension period.
  • Mental Health:  In-person requirements for certain mental health services will continue to be waived through the 151-day extension period.
  • Audio-Only Telehealth Services: Medicare will continue to provide coverage and payment for most telehealth services furnished using audio-only technology. This includes professional consultations, office visits, and office psychiatry services (identified as of July 1, 2000 by HCPCS Codes 99241-99275, 99201-99215, 90804-90809 and 90862) and any other services added to the telehealth list by the CMS Secretary for which CMS has not expressly required the use of real-time, interactive audio-visual equipment during the PHE.

Additionally, the 2022 CAA allocates $62,500,000 from the federal budget to be used for grants for telemedicine and distance learning services in rural areas. Such funds may be used to finance construction of facilities and systems providing telemedicine services and distance learning services in qualified “rural areas.”

Passage of the 2022 CAA is a substantial step in the right direction for stakeholders hoping to see permanent legislative change surrounding Medicare telehealth reimbursement.

Article By Joelle M. Wilson and Laura Little of Polsinelli PC

For more health law legal news, click here to visit the National Law Review.

© Polsinelli PC, Polsinelli LLP in California