The Virginia Consumer Data Protection Act, the Colorado Privacy Act, and the Draft Connecticut Privacy Legislation: An Overview and Practical Guide

Just when organizations start to feel comfortable with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), this year we saw the passage of two new comprehensive privacy laws in Virginia and Colorado and nearly another in Connecticut. This article discusses the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CoPA) and identifies parallels and differences between these statutes and other privacy laws. The article also discusses the pending comprehensive privacy law in Connecticut – we anticipate its passage in the near future.

For those familiar with current privacy laws, both in the United States and globally, the VCDPA and the CoPA do not present entirely new concepts. They are variations on a theme, in that the provisions and concepts are mostly based on the Fair Information Practice Principles, as are many other privacy laws. Proponents of the VCDPA and the CoPA hail them as an adoption of the best parts of current privacy laws while opponents refer to them as an odd mish-mash of current regulations.

This article provides an overview of the VCDPA and the CoPA with an emphasis on the portions of the laws that we anticipate will receive the most inquiries from attorneys general enforcing the acts. The article provides a brief overview of the key dates and provisions, the similarities and shared concepts between the statutes and other laws, newly introduced concepts by the statutes, as well as expectations for enforcement.

It is assumed that those reading this article are familiar with the basic requirements of the CCPA and the European Union’s General Data Protection Regulation (GDPR).

Important Dates

Virginia enacted the Virginia Consumer Data Protection Act (VCDPA) on March 2, 2021, becoming the second state to enact comprehensive legislation regarding data privacy (behind only California). Following California and Virginia, Colorado became the third state to enact a comprehensive privacy law with the passage of the Colorado Privacy Act (CoPA) on July 8, 2021. A comprehensive privacy law overwhelmingly passed in the Senate in Connecticut but was stricken by the House shortly before the remaining parts of the bill were presented to the Governor for his signature.

VCDPA Effective Date

While the VCDPA was signed into law on March 2, 2021, the VCDPA is not effective until January 1, 2023, in order to provide organizations and stakeholders time to prepare for the changes.

CoPA Effective Date

Similarly, while the CoPA was signed into law on July 8, 2021, it does not become effective until July 1, 2023. The CoPA includes a number of other significant dates as well. The notice and cure period (discussed below) is automatically repealed on January 1, 2025. Additionally, the Colorado Attorney General (the “Colorado AG”) must adopt rules outlining technical specifications for an opt-out mechanism by July 1, 2023, and the Colorado AG is also authorized to adopt rules by January 1, 2025, which would then become effective on or before July 1, 2025. The VCDPA, by contrast, does not require any implementing regulations.

Definitions of Key Terms

The VCDPA and the CoPA define parties and information differently than the CCPA, and this article will briefly mention some of the key defined terms.

“Consumers”

The VCDPA and the CoPA were enacted to empower “consumers” to protect their personal information and to require companies to be responsible with personal information they obtain. “Consumers” is defined by the statutes to include an individual who is a Colorado/Virginia resident acting only in an individual or household context and does not include someone acting in a commercial or employment context.[1]

“Controller” vs. “Processor”

Borrowing a concept from the GDPR, the VCDPA and the CoPA regulate “controllers” and “processors.”[2] A “controller” is the person or entity that “determines the purpose and means of processing personal data”, whereas a “processor” is a person or entity that “processes personal data on behalf of a controller.”[3]

“Personal Data” vs. “De-Identified Data” vs. “Sensitive Data”

The VCDPA and the CoPA regulate the collection, storage and use of “personal data,” which is defined to include information that is linked or reasonably linkable to an identified or identifiable individual. As in other privacy laws, personal data does not include “de-identified data.”[4]

De-identified data is also similarly defined by both statutes to include data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data:

(a) takes reasonable measures to ensure that the data cannot be associated with an individual;

(b) publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data; and

(c) contractually obligates any recipients of the information to comply with these requirements.[5]

Borrowing a concept from the GDPR and the CPRA, the VCDPA and the CoPA also provide special protections for a subset of personal information defined as “sensitive data”, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data for the purpose of uniquely identifying a natural person; and personal data collected from a known child.[6]

Scope of Application: Who is Covered?

The VCDPA and the CoPA deviate from the CCPA in that an entity is covered by the statutes regardless of the amount of that entity’s revenues.[7]  

Under the VCDPA, an entity is covered if it conducts business in the Commonwealth or produces products or services that target residents of the Commonwealth, and:

  • during a calendar year, controls or processes personal data of at least 100,000 consumers; or
  • controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.[8]

Similarly, under the CoPA, a controller is covered if it conducts business in the state or produces or delivers commercial products or services that are intentionally targeted to residents in the state; and:

  • controls or processes the personal data of 100,000 consumers or more during a calendar year; or
  • derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

In addition to exempting de-identified data and certain categories of information that are already subject to privacy regulations, the VCDPA provides blanket exemptions for certain types of organizations, including (1) government agencies and authorities, (2) financial institutions subject to GLBA, (3) “covered entities” regulated by HIPAA and HITECH, (4) nonprofit organizations, and (5) institutions of higher education.[9] The CoPA similarly exempts de-identified data and exempts certain categories of information, but it has fewer categories of institutions that are per se exempt from the statute.[10]

Shared Concepts and Provisions regarding Controllers[11]

In addition to having some similar definitions and the scope of their application, the VCDPA and the CoPA have many similar requirements and provisions. The statutes create a number of rights for consumers, place a number of obligations on controllers, require processes for consumers whose requests for information are denied, and impose similar data protection requirements.

Consumer’s Rights

The VCDPA and the CoPA provide consumers[12] with a number of rights concerning their personal data, including:

  1. The Right to Know “whether a controller is processing the consumer’s personal data;”
  2. The Right to Access such personal data;
  3. The Right to Correct Inaccuracies in the consumer’s personal data;
  4. The Right to Delete personal data provided by or obtained about the consumer;
  5. The Right to Data Portability that allows a consumer to obtain a copy of the consumer’s personal data; and
  6. The Right to Opt Out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.[13]

The CoPA’s Right to Opt Out of the processing of personal data slightly deviates from the VCDPA.[14] The CoPA requires that consumers be provided with a “universal opt-out mechanism” that is compliant with the technical specifications that must be promulgated by the Colorado AG.[15] The Colorado AG’s “technical specifications” must ensure that the mechanism is not used to unfairly disadvantage another controller, sufficiently informs consumers about the opt-out choices available to them, represents the consumer’s affirmative and unambiguous choice to opt out, is consumer friendly, is consistent with any similar mechanisms required by law or regulation elsewhere in the United States, and permits the controller to accurately authenticate the consumer.[16]

Data Collection, Security, and Management

While the VCDPA and the CoPA have differences, they also share a number of concepts and provisions with respect to imposing obligations on controllers. We discuss the key concepts and provisions below but recommend that you read the actual text of the statutes to understand nuances and distinctions of the laws.

The VCDPA and the CoPA have adopted the data minimization concept, which generally provides that a controller’s collection of personal data must be limited to data that is adequate, relevant, and reasonably necessary for the specified purpose for which the data was collected.[17]

The VCDPA and the CoPA also require controllers to disclose the purpose for which the personal data is collected and processed, and a controller cannot process personal data for purposes other than those that are disclosed.[18] 

The VCDPA and the CoPA also require controllers to take reasonable actions to secure the personal data during both storage and use of the data to protect the confidentiality, integrity, and accessibility of the personal data.[19]

Finally, under the VCDPA and the CoPA, a controller is prohibited from processing “sensitive data” without first obtaining the consumer’s consent.[20] “Sensitive data” includes “(a) [p]ersonal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) Personal data from a known child.”[21]

Processes for Appeals

Not only do the statutes endow consumers with rights, they also require controllers to provide an avenue for exercising those rights and to respond to consumer inquiries. Specifically, consumers may submit requests to controllers specifying the rights the consumer wishes to invoke, and the laws require that controllers respond within 45 days of receiving the request, with only one possible 45-day extension when “reasonably necessary” and when certain conditions are met.[22]

Further, the controller must establish an internal process wherein consumers may appeal a controller’s decision to refuse to take action on the consumer’s request to exercise any of its rights.[23] If the appellate process does not cause the controller to change its position, the controller is required to provide the consumer with the contact information for the attorney general in order to submit a complaint.[24] 

Data Protection Assessments

The VCDPA and the CoPA also require controllers to “conduct and document a data protection assessment” of certain processing of personal data for purposes of targeted advertising or profiling in certain circumstances, the sale of personal data, and the processing of sensitive data.[25]

The data protection assessments are to identify and weigh the benefits that may flow, directly and indirectly, from the data processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing. The assessment also must be disclosed to the attorney general when such data protection assessment is relevant to an investigation.[26]

Litigation and Enforcement

Timeline for Enforcement

The Virginia and Colorado AGs cannot commence enforcement activities under the VCDPA and the CoPA until January 1, 2023 and July 1, 2023, respectively. However, based on the approach taken by the California AG in enforcing the CCPA, organizations can expect investigations and enforcement activity to begin as soon as the statutes permit. Additionally, using what we know from the California AG’s first year of CCPA enforcement, expect that the Colorado AG and Virginia AG Offices will have very busy years.[27]

VCDPA – Enforcement and Fines

The VCDPA provides no private right of action. The Virginia AG has exclusive authority to enforce the VCDPA.[28] The Virginia AG is even given broad authority and can begin an investigation even before a violation occurs if it has reasonable cause to believe that a person is “about to engage in any violation” of the Act.[29]

The VCDPA provides a controller or processor with a 30-day period after receiving written notice from the Virginia AG of an alleged violation in order to cure that violation.[30] If the controller or processor does not cure such violation within the 30-day period, the Virginia AG may initiate a lawsuit to seek an injunction and to recover civil penalties of up to $7,500 for each violation and reasonable expenses, including attorneys’ fees.[31]

The VCDPA also creates a special fund called the Consumer Privacy Fund, and all civil penalties, expenses, and attorneys’ fees recovered under the VCDPA shall be credited to the Fund, which is then used to support the Virginia AG’s work to enforce the VCDPA.[32]

CoPA – Enforcement and Fines

Likewise, the CoPA does not create a private right of action.[33] It instead will be enforced by the Colorado Attorney General and Colorado’s district attorneys.[34]

The CoPA notes that the Colorado Attorney General must provide a controller or processor with a 60-day period to cure an alleged violation before bringing an enforcement action.[35]  However, effective January 1, 2025, the Colorado AG is no longer required to provide a cure period but can immediately bring an enforcement action.[36]

Violations of the CoPA are considered a deceptive trade practice, which allows for a civil penalty of $20,000 for each violation.[37] 

No Check-the-Box Compliance

The AGs will likely focus on a number of areas for enforcement but with a general theme. Specifically, using the California AG’s experience with enforcing the CCPA, we can expect that the Virginia and Colorado AGs will want to ensure that organizations are not treating the new laws as check-the-box exercises but, rather, are providing consumers with required information and timely engaging with consumers’ requests. Indeed, not only will the AGs want organizations to provide the necessary information, they will demand that it be conveyed in a way that can be easily understood by the average consumer and that requires the fewest steps for consumers to access the information and exercise their rights.

  1. See Va. Code Ann. § 59.1-575; Colo. Rev. Stat. § 6-1-1303(6).
  2. See Colo. Rev. Stat. § 6-1-1303(7) (slightly different definition of controller); see GDPR, Art. 4(7) (defining Controller); id. Art. 4(8) (defining Processor). The proposed bill in Connecticut likewise used this distinction. See CT Senate Bill 893 § 1(8), (20).
  3. Va. Code Ann. § 59-1-571.
  4. Colo. Rev. Stat. § 6-1-1303(17); Va. Code Ann. § 59.1-575.
  5. Colo. Rev. Stat. § 6-1-1303(11); Va. Code Ann. § 59.1-575; see id. § 59.1-581.
  6. Colo. Rev. Stat. § 6-1-1303(24); Va. Code Ann. § 59.1-575 (the VCDPA’s definition also includes “precise geolocation data” as sensitive information).
  7. In order for an entity to be considered a business, and hence regulated by the CCPA, it must satisfy at least one of three thresholds. One such threshold is whether the business has gross annual revenue over $25 million. See Cal. Civil Code 1798.140(c)(1)(A) (Oct. 2020).
  8. Connecticut proposed similar qualifications. See CT Senate Bill 893.
  9. Connecticut has likewise proposed similar exemptions. CT Senate Bill 893 § 3.
  10. Colo. Rev. Stat. § 6-1-1304(2).
  11. For more information concerning the role of processors, please refer to Va. Code Ann. § 59.1-579 and Colo. Rev. Stat. § 6-1-1305.
  12. “Consumer” is a specifically defined term in the Acts. Va. Code Ann. § 59.1-575; CT SB893 § 1(7).
  13. Va. Code Ann. § 59.1-577.A; Colo. Rev. Stat. § 6-1-1306. Connecticut SB 893 contained similar requirements. See CT SB 893 § 4(a).
  14. Colo. Rev. Stat. § 6-1-1306(1)(a)(IV).
  15. Id.
  16. Colo. Rev. Stat. § 6-1-1313.
  17. Va. Code Ann. § 59.1-578(A)(1); Colo. Rev. Stat. § 6-1-1308(3).
  18. Va. Code Ann. § 59.1-578(A)(1); Colo. Rev. Stat. §§ 6-1-1308(2), (4).
  19. Va. Code Ann. § 59.1-578(A)(3); Colo. Rev. Stat. § 6-1-1308(5).
  20. Va. Code Ann. § 59.1-578(A)(5); Colo. Rev. Stat. § 6-1-1308(7).
  21. Colo. Rev. Stat. § 6-1-1303(24); see Va. Code Ann. § 59.1-575 (similarly defining “personal data” but also including “precise geolocation data”). Connecticut Senate Bill 893 included similar provisions. See CT SB 893 § 5(a).
  22. Va. Code Ann. §§ 59.1-577.A.-C.; Colo. Rev. Stat. § 6-1-1306(2); see CT SB 893 § 4.
  23. Va. Code Ann. § 59.1-577.C.; Colo. Rev. Stat. § 6-1-1306(3).
  24. Id.
  25. Va. Code Ann. § 59.1-580.A. (also requiring a data protection assessment for “[a]ny processing activities involving personal data that present a heightened risk of harm to consumers”); see Colo. Rev. Stat. § 6-1-1309.
  26. Va. Code Ann. § 59.1-580.C.
  27. Bloomberg Law, Top Takeaways from a Year of CCPA Enforcement (published Aug. 6, 2021).
  28. Va. Code Ann. § 59.1-584.A.
  29. Va. Code Ann. § 59.1-583.
  30. Va. Code Ann. § 59.1-584.
  31. Va. Code Ann. § 59.1-584.C.-D.
  32. Va. Code Ann. § 59.1-585.
  33. Unlike the CCPA, the VCDPA and the CoPA do not have a carve-out that allows consumers to bring an action for statutory damages in the event of a data breach. See Colo. Rev. Stat. § 6-1-1310.
  34. Colo. Rev. Stat. § 6-1-1311.
  35. Id.
  36. Id.
  37. Colo. Rev. Stat. §§ 6-1-1311 and 6-1-112.

©2021 Troutman Pepper Hamilton Sanders LLP


Federal Regulators Issue New Cyber Incident Reporting Rule for Banks

On November 18, 2021, the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency issued a new rule regarding cyber incident reporting obligations for U.S. banks and service providers.

The final rule requires a banking organization to notify its primary federal regulator “as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.” The rule defines a “notification incident” as a “computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—

  1. Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  2. Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  3. Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

Under the rule, a “computer-security incident” is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”

Separately, the rule requires a bank service provider to notify each affected banking organization “as soon as possible when the bank service provider determines it has experienced a computer-security incident that has materially disrupted or degraded or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.” For purposes of the rule, a bank service provider is one that performs “covered services” (i.e., services subject to the Bank Service Company Act (12 U.S.C. 1861–1867)).

In response to comments received on the agencies’ December 2020 proposed rule, the new rule reflects changes to key definitions and notification provisions applicable to both banks and bank service providers. These changes include, among others, narrowing the definition of a “computer security incident,” replacing the “good faith belief” notification standard for banks with a determination standard, and adding a definition of “covered services” to the bank service provider provisions. With these revisions, the agencies intend to resolve some of the ambiguities in the proposed rule and address commenters’ concerns that the rule would create an undue regulatory burden.

The final rule becomes effective April 1, 2022, and compliance is required by May 1, 2022. The regulators hope this new rule will “help promote early awareness of emerging threats to banking organizations and the broader financial system,” as well as “help the agencies react to these threats before they become systemic.”

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.

Text Messaging for Lawyers: Building Stronger Client Relationships

In today’s world of instant gratification and text savviness, lawyers should consider changing the way they communicate with clients. Some people detest answering calls, and with the rise of robocalls, this aversion is only getting worse across all generations. Add in the fact that today’s consumer expects a response within seconds, and it’s clear that text messaging is becoming the new way of communication for most businesses.

For lawyers who are accustomed to emailing their clients, this may come as a curveball, especially considering that the legal industry has an average open rate of 18.30 percent for emails. Phone calls and emails are no longer the preferred method of communication, which is why you should be texting your clients.

Benefits of Texting

Marketers have been studying the effectiveness of text messaging and spreading the news of its benefits so much that 62 percent of business marketers plan to use automated text messaging in the next year. What is it that has these marketing experts so convinced?

  • Change of Preference – The vast majority of consumers prefer to communicate via text instead of calls or email. If a business is trying to send a message to prospects, it’s important to know it’s actually going to be seen.
  • Faster Delivery – When time is of the essence, delivering a message via text is the fastest way to ensure your recipient sees your communication. Email open rates are at an all-time low, so those messages may go days without being seen, if they’re seen at all.
  • Faster Response – With faster delivery comes faster response times. Studies have shown text response rates are eight times faster than that of email.

Business Text Messaging

Business owners have already started incorporating text messaging in both their marketing and client retention strategies. Studies have shown that the new generations will ignore calls, even from known contacts, and typically only use email to reset passwords and register for services. As a workaround, businesses are enlisting the help of text messaging services to reach out to potential customers.

Instead of only investing in generating prospects, more and more businesses are using technology to help retain customers by enabling text help and communication. This feature is often embedded on the business’s website and allows the customer to text a business directly from their phone for quick, personalized help.

Text messaging has increasingly grown in popularity across several industries. Studies show that businesses that respond to a customer’s inquiry within five minutes increase their chances of converting that prospect by nine times. In addition, studies show that the majority of consumers will go to the business that responds first, regardless of affiliation, pricing, or worthiness.

With statistics like this, industries across the spectrum are seeing the need for lightning-fast responses which can only be achieved through text messaging. The legal industry is no exception.

Text Messaging for Lawyers

The legal industry is not one that has historically been quick to respond to change, so it’s no wonder that some lawyers are hesitant to adopt text messaging in their communication process. Common objections to this method of communication seem to be propriety and confidentiality, while others are admittedly stuck in their old ways.

While the third issue is difficult at best to overcome, there are clear solutions and arguments for the first two which are detailed below.

Is It Appropriate to Text Clients?

This question comes up often when lawyers are trying to decide if text messaging is a professional mode of communication. However, instead of viewing it from a propriety standpoint, a lawyer should be asking what legal duty they have to communicate with their client efficiently. As the younger generations are coming of age and becoming clients, it’s important to adapt to their preferred mode of communication.

If a client only has a cell phone and no easy access to email, the lawyer should accommodate the client and reach out to them in the best way possible. For most, that means adopting text messaging as a primary mode of communication.

Are Text Messages Confidential?

Text messages may not be confidential in nature, creating challenges for texting clients. Instead of avoiding text messaging due to this potential issue, lawyers should ask their clients to use screen locks and other security features on their phones. In most cases, clients are just as dedicated to protecting their privacy as their lawyer.

While expectations should be discussed in advance, it’s easy for conversations to slip into gray areas. If a conversation may be veering into a confidentiality issue, the lawyer may suggest switching to a phone or in-person conversation.

Best Practices for Text Messaging Clients

As lawyers make the transition to using text messages more often, the standards for best practices will grow. Thus far, the top tips for texting clients include:

  • Adopt a legal practice management software that provides users with a business number to text clients within the platform and safely stores all correspondences with each contact.
  • Never negotiate terms of attorney-client relationships or anything that feels like a grey area. Remember: business text messages are supposed to be quick and informal.
  • Discuss expectations and appropriate topics for texting. Make sure clients understand some topics are off-limits for text messaging and should be saved for in-person meetings.

Keeping with the Times

While many lawyers may remember calling their clients on wall-mounted phones and landlines, times have quickly changed. The legal industry has to get on board if it’s going to serve clients effectively and retain clients.

Despite the concerns, the benefits of text messaging outweigh the cons, and law firms will likely see an increase in client retention and improved communication once they adopt text messaging. With a minimal upfront effort, lawyers can start texting their clients while maintaining confidentiality and professionalism, allowing clients to receive the best, and most convenient, representation possible.

 

This article was prepared by PracticePanther.

POT HOLE: Cannabis Companies Getting Caught in the Mini-TCPA Trap

One of the biggest TCPA trends earlier in the year was the onslaught of suits against cannabis companies related to marketing texts.

After my big interview with the National Cannabis Industry Association, those filings went down as dispensary TCPA awareness went up. (You’re welcome.)

But the trend of high dollar TCPA class suits against pot dealers seems to have moved South for the winter–down to the Sunshine State.

We’ve picked up a few new recent filings brought under the Florida Telephone Solicitation Act (Mini-TCPA). The suits allege that the blast text platforms used to send marketing texts meet the state’s extremely broad definition of an autodialer and require express written consent (which is allegedly missing).

For instance in the latest suit filed earlier today, the allegations focus on the automatic selection and dialing of numbers: Defendant utilized a computer software system that automatically selected and dialed Plaintiff’s and the Class members’ telephone numbers.

Notably this suit appears to be brought against a cannabis delivery platform and not an actual dispensary.

Read all about it here: Herban Delivery

Per usual the suit seeks to represent all individuals receiving similar messages in the state of Florida. It is brought by the folks at Shamis and Gentile who file a lot of these things.

© Copyright 2021 Squire Patton Boggs (US) LLP

OFAC Reaffirms Focus on Virtual Currency With Updated Sanctions Law Guidance

On October 15, 2021, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced updated guidance for virtual currency companies in meeting their obligations under US sanctions laws. On the same day, OFAC also issued guidance clarifying various cryptocurrency-related definitions.

Coming on the heels of the Anti-Money Laundering Act of 2020—and in the context of the Biden administration’s effort to crack down on ransomware attacks—the recent guidance is the latest indication that regulators are increasingly focusing on virtual currency and blockchain. In light of these developments, virtual currency market participants and service providers should ensure they are meeting their respective sanctions obligations by employing a “risk-based” anti-money laundering and sanctions compliance program.

This update highlights the government’s continued movement toward subjecting the virtual currency industry to the same requirements, scrutiny and consequences in cases of noncompliance as applicable to traditional financial institutions.

IN DEPTH

The release of OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry indicates an increasing expectation for diligence, as OFAC has now made clear on several occasions that sanctions compliance “obligations are the same” for virtual currency companies, which must employ an unspecified “risk-based” program (See: OFAC Consolidated Frequently Asked Questions 560). OFAC published it with the stated goal of “help[ing] the virtual currency industry prevent exploitation by sanctioned persons and other illicit actors.”

With this release, OFAC also provided some answers and updates to two of its published sets of “Frequently Asked Questions.”

FAQ UPDATES (FAQ 559 AND 546)

All are required to comply with the US sanctions compliance program, including persons and entities in the virtual currency and blockchain community. OFAC has said time and again that a “risk-based” program is required but that “there is no single compliance program or solution suitable for all circumstances” (See: FAQ 560). While market participants and service providers in the virtual currency industry must all comply, the risk of violating US sanctions is most acute for certain key service providers, such as cryptocurrency exchanges and over-the-counter (OTC) desks that facilitate large volumes of virtual currency transactions.

OFAC previously used the term “digital currency” when it issued its first FAQ and guidance on the subject (FAQ 560), which stated that sanctions compliance is applicable to “digital currency” and that OFAC “may include as identifiers on the [Specially Designated Nationals and Blocked Persons] SDN List specific digital currency addresses associated with blocked persons.” Subsequently, OFAC placed certain digital currency addresses on the SDN List as identifiers.

While OFAC previously used the term “digital currency,” in more recent FAQs and guidance, it has used a combination of the terms “digital currency” and “virtual currency” without defining those terms until it released FAQ 559.

In FAQ 559, OFAC defines “virtual currency” as “a digital representation of value that functions as (i) a medium of exchange; (ii) a unit of account; and/or (iii) a store of value; and is neither issued nor granted by any jurisdiction.” This is a broad definition but likely encompasses most assets, which are commonly referred to as “cryptocurrency” or “tokens,” as most of these assets may be considered as “mediums of exchange.”

OFAC also defines “digital currency” as “sovereign cryptocurrency, virtual currency (non-fiat), and a digital representation of fiat currency.” This definition appears to be an obvious effort by OFAC to make clear that its definitions include virtual currencies issued or backed by foreign governments and stablecoins.

The reference to “sovereign cryptocurrency” is focused on cryptocurrency issued by foreign governments, such as Venezuela. This is not the first time OFAC has focused on sovereign cryptocurrency. It characterized the use of sovereign-backed cryptocurrencies as a high-risk vector for US sanctions circumvention. Executive Order (EO) 13827, which was issued on March 19, 2018, explicitly stated:

In light of recent actions taken by the Maduro regime to attempt to circumvent U.S. sanctions by issuing a digital currency in a process that Venezuela’s democratically elected National Assembly has denounced as unlawful, hereby order as follows: Section 1. (a) All transactions related to, provision of financing for, and other dealings in, by a United States person or within the United States, and digital currency, digital coin, or digital token, that was issued by, for, or on behalf of the Government of Venezuela on or after January 9, 2018, are prohibited as of the effective date of this order.

On March 19, 2018, OFAC issued FAQs 564, 565 and 566, which were specifically focused on Venezuela-issued cryptocurrencies, stating that “petro” and “petro gold” are considered a “digital currency, digital coin, or digital token” subject to EO 13827. While OFAC has not issued specific FAQs or guidance on other sovereign-backed cryptocurrencies, it may be concerned that a series of countries have stated publicly that they plan to test and launch sovereign backed securities, including Russia, Iran, China, Japan, England, Sweden, Australia, the Netherlands, Singapore and India. With the release of its most recent FAQs, OFAC is reaffirming that it views sovereign cryptocurrencies as highly risky and well within the scope of US sanctions programs.

The reference to a “digital representation of fiat currency” appears to be a reference to “stablecoins.” In theory, stablecoins are each worth a specified value in fiat currency (usually one USD each). Most stablecoins were touted as being completely backed by fiat currency stored in segregated bank accounts. The viability and safety of stablecoins, however, have recently been called into question. One of the biggest players in the stablecoin industry is Tether, which was recently fined $41 million by the US Commodity Futures Trading Commission for failing to have the appropriate fiat reserves backing its highly popular stablecoin US Dollar Token (USDT). OFAC appears to have taken notice and states in its FAQ that “digital representations of fiat currency” are covered by its regulations and FAQs.

FAQ 646 provides some guidance on how cryptocurrency exchanges and other service providers should implement a “block” on virtual currency. Any US persons (or persons subject to US jurisdiction), including financial institutions, are required under US sanctions programs to “block” assets, which requires freezing assets and notifying OFAC within 10 days. (See: 31 C.F.R. § 501.603 (b)(1)(i).) FAQ 646 makes clear that “blocking” obligations apply to virtual currency and also indicates that OFAC expects cryptocurrency exchanges and other service providers to be required to “block” the virtual currency at issue and freeze all other virtual currency wallets “in which a blocked person has an interest.”

Depending on the strength of the anti-money laundering/know-your-customer (AML/KYC) policies employed, it will likely prove difficult for cryptocurrency exchanges and other service providers to be sure that they have identified all associated virtual currency wallets in which a “blocked person has an interest.” It is possible that a cryptocurrency exchange could onboard a customer who complied with an appropriate risk-based AML/KYC policy and, unbeknownst to the cryptocurrency exchange, a blocked person “has an interest” in one of the virtual currency wallets. It remains to be seen how OFAC will employ this “has an interest” standard and whether it will take any cryptocurrency exchanges or other service providers to task for not blocking virtual currency wallets in which a blocked person “has an interest.” It is important for cryptocurrency exchanges or other service providers to implement an appropriate risk-based AML/KYC policy to defend any inquiries from OFAC as to whether they have complied with the various US sanctions programs, including by having the ability to identify other virtual currency wallets in which a blocked person “has an interest.”

UPDATED SANCTIONS COMPLIANCE GUIDANCE

OFAC’s recent framework for OFAC Compliance Commitments outlines five essential components for a virtual currency operator’s sanctions compliance program. These components generally track those applicable to more traditional financial institutions and include:

  1. Senior management should ensure that adequate resources are devoted to the support of compliance, that a competent sanctions compliance officer is appointed and that adequate independence is granted to the compliance unit to carry out their role.
  2. An operative risk assessment should be fashioned to reflect the unique exposure of the company. OFAC maintains both a public use sanctions list and a free search tool for that list which should be employed to identify and prevent sanctioned individuals and entities from accessing the company’s services.
  3. Internal controls must be put in place that address the unique risks recognized by the company’s risk assessment. OFAC does not have a specific software or hardware requirement regarding internal controls.
    1. Although OFAC does not specify required internal controls, it does provide recommended best practices. These include geolocation tools with IP address blocking controls, KYC procedures for both individuals and entities, transaction monitoring and investigation software that can review historically identified bad actors, the implementation of remedial measures upon internal discovery of weakness in sanction compliance, sanction screening and establishing risk indicators or red flags that require additional scrutiny when triggered.
    2. Additionally, information should be obtained upon the formation of each new customer relationship. A formal due diligence plan should be in place and operated sufficiently to alert the service provider to possible sanctions-related alarms. Customer data should be maintained and updated through the lifecycle of that customer relationship.
  4. To ensure an entity’s sanctions compliance program is effective and efficient, that entity should regularly test their compliance against independent objective testing and auditing functions.
  5. Proper training must be provided to a company’s workforce. For a company’s sanctions compliance program to be effective, its workforce must be properly outfitted with the hard and soft skills required to execute its compliance program. Although training programs may vary, OFAC training should be provided annually for all employees.

KEY TAKEAWAYS

As noted in OFAC’s press release issued simultaneously with the updated FAQs, “[t]hese actions are a part of the Biden Administration’s focused, integrated effort to counter the ransomware threat.” The Biden administration’s increased focus on regulatory and enforcement action in the virtual currency space highlights the importance for market participants and service providers of implementing a robust compliance program. Cryptocurrency exchanges and other service providers must take special care in drafting and implementing their respective AML/KYC policies and in ensuring the existence of risk-based AML and sanctions compliance programs, which include a periodic training program. When responding to inquiries from OFAC or other regulators, it will be critical to have documented evidence of the implementation of a risk-based AML/KYC program and proof that employees have been appropriately trained on all applicable policies, including a sanctions compliance policy.

Ethan Heller, a law clerk in the firm’s New York office, also contributed to this article.

© 2021 McDermott Will & Emery

Meta Announces the End of Facial Recognition Technology on Facebook

The Facebook company now known as Meta announced this week that it is shutting down the Face Recognition system on Facebook. Meta stated that this is part of a company-wide move to limit the use of facial recognition technology in its products. What does this mean? If you have a Facebook page and you previously opted in to be automatically recognized in photos and videos on Facebook, this feature will be disabled. Meta also announced that it is deleting more than a billion people’s individual facial recognition templates.

Meta claims in a press statement released this week that it needs to “weigh the positive use cases for facial recognition against growing societal concerns, especially as regulators have yet to provide clear rules.”  Although Meta doesn’t elaborate on what the details are of the growing societal concerns, the company states that it seeks to move toward narrower forms of personal authentication.

Copyright © 2021 Robinson & Cole LLP. All rights reserved.


Why Legal Teams Need Digital Contracting for Modern Business

Legal teams have always had the arduous task of analyzing legal documents, which is not only time-consuming but also requires close attention to detail and years of education and training. On top of that, because this is traditionally done manually, the critical data buried within contracts has remained lost.

While manually analyzing contracts might have worked in the past, it simply won’t cut it in the fast-paced reality of today. It’s time for legal teams to join the digital transformation. Over the last decade and a half, every other facet of business has undergone digitization…except contracts. And with digital transformation investments projected to hit a total of $7.8 trillion from 2020 to 2024, it’s legal’s turn to get on board.

Businesses rely on contracts to survive. Think sales contracts, employment and partnership agreements, NDAs, licensing agreements and more. But as they exist today, contracts are a workflow impediment and the data they hold isn’t being used to its full potential.

Data is currently trapped in contracts

There is all kinds of information-rich, operational data hidden in contracts critical to a company’s success. As much as 90% of company spend and investments are determined by contract terms. At the same time, suboptimal terms and inefficient contract management can result in a whopping 9% loss of annual revenue. While the specific information businesses choose to focus on will vary, some common points hidden in contracts include:

  • Total contract value – the total value of the contract once it’s active, its recurring revenue and charges.
  • Auto-renewal opt-out notification period – the amount of time auto-renewal can be opted out of.
  • Personally identifiable information (PII) exchange – data identifying an individual.
  • Counterparty address region – the party on the other end of the contract.
  • Ability to terminate for convenience – the power to terminate a contract if it becomes unsatisfactory.
  • Exclusivity – a type of agreement where one party agrees to work exclusively with the other.

This critical data isn’t readily available and there’s no good way of tracking it unless we adopt a new way of doing things. Once unearthed, contracts will help businesses become efficient, effective and more accurate.

Contract data allows legal teams to operationalize and reduce risk

Legal teams need to be able to keep up in a world that runs on increasingly larger numbers and more complex scenarios. To do so, they need to be equipped with resources enabling them to be data-driven. For example, today, legal teams may lack the answers to simple questions about the contract pipeline simply because these insights aren’t stored, compiled and updated in real time. Without this, legal teams are unable to operationalize their processes, making it impossible to put the systems in place that allow for more efficient work. After all, inefficient contracts can cause losses ranging from five to 40% of deal value. The lack of tracking also exposes the company to danger because untracked contracts are rife with risk.

Contracts hold the operational and substantive information legal teams need to operationalize, set goals, mitigate risk and prove their value to the company. Operational data includes the number of workflows launched and completed as well as turnaround and response times. Substantive data, such as governing tax law, contract amount, data protection and implementation obligations, exposes risk and obligation.

With the right tools and a centralized system, legal teams can have access to all the details they need to prove their team’s value, work more efficiently and protect their companies.

A new standard: digital contracting

There is a new standard for companies and legal teams to keep up with a fast-paced, data-driven world: digital contracting, a standardized system for business contracting to connect people to systems and data. Once digitized, contracts will become living, collaborative documents that make it easy to find and track the once-hidden goldmine of data within. The result is resilient teams.

Legal tech is leading the way in developing the software needed to support digital contracting. Next-generation contract management software makes metadata searchable and readily accessible. This will enable entire businesses to have the information they need to make well-informed decisions at their fingertips.

Soon, the days of in-house lawyers having to paper chase will be long gone. Instead, lawyers will be able to create agreements instantly, collaborate and get approval with ease, while having access to version history and the metadata needed to operationalize and reduce risk.

It’s time for legal teams to get the tools they need to thrive in today’s fast-paced work environment by getting on board with a better, faster, more sustainable way of work through digital contracting.

© 2021 Ironclad, Inc. All rights reserved.

Article By Chris Young of Ironclad


Legal Implications of Blockchain in Supply Chain: What’s Law Got to Do With It?

Blockchain in Supply Chain: Article 6

The advent of new technology brings along with it the murkiness of how the American legal system will treat such technology.  Before the rise of blockchain for instance, businesses were uncertain how courts would treat electronic records and signatures until the federal legislature enacted the E-Sign Act on June 30, 2000.1 To provide even more clarity to businesses, the National Conference of Commissioners on Uniform State Laws drafted the Uniform Electronic Transactions Act (the “UETA”)2 to provide states with a framework to enact laws governing the enforceability of electronic records and signatures.  Now, almost every state in the U.S. has adopted some form of the UETA,3 and industry heavily relies on electronic contracting.

The legislative process has already begun for blockchain technology. Arizona and Tennessee both enacted laws stating that (1) a blockchain technology signature is considered an electronic signature, and (2) a blockchain technology record is considered an electronic record.  Further, these laws say that courts may not deny a contract legal validity because the contract contains a “smart contract” term.4  Other states are also attempting to adapt their current commercial laws to blockchain technologies.  Wyoming, for example, is breaking ground by addressing blockchain’s impact on the attachment, perfection, and priority rules of Article 9 of the Uniform Commercial Code.5  Similarly, Delaware and Maryland have amended their general corporation and limited liability company laws to permit the use of blockchain technologies for creating and maintaining company records with respect to equity interests.6

Beyond when and how legislatures and courts will solidify blockchain technology as a valid platform for contracting, there are other possible legal questions and ramifications for the use of blockchain in the supply chain. Some possible areas of legal considerations follow below.

Potential Modifications to Contract Terms in Supply Agreements

As companies begin to implement blockchain solutions, drafters should give thought as to what contract terms to adjust in supply agreements and other commercial contracts related to the use of blockchain in the supply chain.  Some potential modifications to consider follow:

Blockchain Governance

Parties to a supply agreement will need to decide whether a supply agreement should detail which transactions can (or must) occur on the blockchain, or whether the parties should set forth which transactions should occur on the blockchain in a separate agreement governing the implementation, governance, funding and maintenance of the supply chain blockchain. Flexibility will be important as blockchain technology continues to evolve and becomes more prevalent, so it may be most practical for both parties to execute an addendum listing transactions that the parties can agree to update.

Requirements on Suppliers and Sub-suppliers

A buyer may consider whether it would be beneficial to contractually require its suppliers to join the buyer’s supply chain blockchain.  A buyer could take this approach a step further and extend it to sub-suppliers as well. A contract could require both the supplier and its suppliers to join the buyer’s supply chain blockchain, which would provide the buyer a deeper visibility into its supply chain. For smaller suppliers and sub-suppliers, the ability to keep up and participate in this evolving area may present a challenge that impacts their ability to compete for certain business.

Confidentiality

With multiple member blockchains, the parties may want to explicitly state whether or not a receiving party adding certain confidential information of a disclosing party to the blockchain would be considered a permitted disclosure by the receiving party.  The parties must also consider the contract’s provisions on removal and return of confidential information at the end of a contract with the immutability of blockchain in mind.

Purchase Orders and Payment Terms

If a buyer must place purchase orders or releases through the blockchain system, the parties will need to revise the ordering mechanism of the contract to reflect this process.  Additionally, if the parties plan to handle payment by blockchain smart contracts, the parties will need to revise the traditional approach of invoicing after shipment and paying within a certain period to account for the terms of any smart contract.

Product Acceptance

If the buyer will make payment automatically via smart contract at the time of product acceptance, the supply agreement should be very precise as to when product acceptance occurs.

Indexing and Shipping Costs

Many supply chain contracts use some form of indexing for raw materials or other cost inputs to adjust pricing periodically. Blockchain has the potential to significantly streamline this process by allowing parties to modify contract pricing that is linked to an index faster and easier by using a smart contract to rewrite the new price to the ledger and automatically update payments via blockchain based on the new contract pricing. Although traditionally raw materials have been the focus of indexing provisions, given the recent massive fluctuations in freight and container costs, contracting parties can share risk for fluctuating shipping costs by indexing through blockchain technology as well.

Force Majeure

When drafting force majeure provisions, the parties may want to explicitly define whether issues with the blockchain such as smart contract malfunction or compromise of a party’s access to the blockchain would be considered a force majeure event that can be relied upon by a party to excuse from performance under the contract. In most cases, parties may want to align this issue with whether existing language covers IT system issues.  If such issues are included as force majeure events, the parties should consider adding a threshold requirement that a party cannot claim force majeure for issues resulting from the party’s own failure to maintain industry-appropriate protective measures.

Effect of Termination

In the event of termination of a supply agreement, the parties will want to explicitly set forth any requirements to unwind the blockchain or terminate the related smart contracts. Alternatively, the effect of termination provisions could point to a separately executed agreement specifically dedicated to blockchain governance which would cover the rights and responsibilities of the parties if the supply agreement dictates the parties must unwind the blockchain.

Conflicts

In the resolving conflicts section of the supply agreement, which provides the order of precedence of contract terms in the event of conflicting language, the parties should detail how to resolve a conflict between a coded smart contract or other blockchain terms and conditions and the text of the supply agreement.

Entire Agreement

When drafting the entire agreement section of a supply agreement, the parties will want to identify what, if any, terms and conditions set forth in the applicable blockchain network are part of the agreement between the parties and then provide that all other terms are not part of the agreement.

Service Level Credits

For logistics agreements, the parties may want to define key performance indicators (KPIs) or service level agreements (SLAs) based on data from the blockchain, because that data is considered trusted.  For instance, the parties could define processing time to receive inventory to a warehouse (i.e. “dock-to-stock” time) as the difference between the date and time of receipt of product at the warehouse and the date and time of stock of product in the warehouse, in each case, based on the data uploaded by any applicable IoT device to the supply chain blockchain.

Data Privacy Considerations for Blockchain

While blockchain is considered a highly secure means of data storage, paradoxically, some of blockchain’s other attributes (being decentralized and immutable) pose a compliance barrier with many data privacy regulations, such as the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.105) (“CCPA”) and the EU’s General Data Protection Regulation (“GDPR”).

Blockchain’s decentralized platform makes it tricky to determine which privacy laws apply.  The nature of a decentralized platform permits processing of an individual’s information in any number of locations around the world, because an individual’s personal data (such as a person’s full name, social security number, or email address) could be located on different nodes, each of which could exist in a different jurisdiction.  As each jurisdiction regulates the processing of personal data differently, attempting to manage the plethora of privacy laws, some of which may conflict with others, could be a daunting, if not impossible and cost-prohibitive effort.

The immutable nature of blockchain also poses a potential issue for data privacy.  For instance, Article 17 of the GDPR as well as the CCPA set forth the “right to be forgotten.”  The GDPR and CCPA require that processors of personal data erase the personal data of a person under certain circumstances, including if the person withdraws consent for the processing of their personal data.7

Because of the decentralized and immutable nature of blockchains, some potential approaches to handling personal data related to transactions on the blockchain are to store the personal data completely off the blockchain, or store only a hash of the personal data (a one-way mathematical function that represents the personal data, but from which the personal data cannot be determined) on the blockchain while storing the actual data on a private encrypted database.  Taking another approach, programmers could write smart contracts to allow for the revocation of access rights or deletion of information on the blockchain.8  Companies would have to customize any supply chain blockchain solution for data privacy compliance issues based on what personal data will be stored, what jurisdictions the data will be stored in, and the nature of the related blockchain concept.

[Figure: Blockchain Hash Creation]
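The hash-on-chain, data-off-chain approach described above, sketched as an added example that is not from the original article. The Ledger and OffChainStore classes are hypothetical in-memory stand-ins, and the per-record HMAC key is an assumption added here, because a bare hash of guessable data such as an email address can be matched by anyone able to list candidate values.

```python
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    """Serialize deterministically so the same record always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


class Ledger:
    """Hypothetical stand-in for the blockchain: append-only, nothing is removed."""

    def __init__(self):
        self._entries = []

    def append(self, commitment: str) -> int:
        self._entries.append(commitment)
        return len(self._entries) - 1

    def get(self, index: int) -> str:
        return self._entries[index]


class OffChainStore:
    """Hypothetical stand-in for the private database (personal data plus keys)."""

    def __init__(self):
        self._rows = {}

    def put(self, ref: int, record: dict, key: bytes) -> None:
        self._rows[ref] = (record, key)

    def get(self, ref: int):
        return self._rows.get(ref)

    def erase(self, ref: int) -> bool:
        """Delete the record and its key; returns False if nothing was stored."""
        return self._rows.pop(ref, None) is not None


def commit(record: dict, key: bytes) -> str:
    """Keyed digest of the record (HMAC-SHA256 with a random per-record key)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def register(ledger: Ledger, store: OffChainStore, record: dict) -> int:
    """Write only the digest to the ledger; keep data and key off-chain."""
    key = secrets.token_bytes(32)
    ref = ledger.append(commit(record, key))
    store.put(ref, record, key)
    return ref


def verify(ledger: Ledger, store: OffChainStore, ref: int) -> bool:
    """Check that the off-chain record still matches its on-chain digest."""
    row = store.get(ref)
    if row is None:
        return False  # erased (or never stored): nothing left to link
    record, key = row
    return hmac.compare_digest(commit(record, key), ledger.get(ref))


def match_bare_hash(digest: str, candidates: list):
    """Test candidate records against an unkeyed SHA-256 digest."""
    for candidate in candidates:
        if hashlib.sha256(canonical(candidate)).hexdigest() == digest:
            return candidate
    return None


def demo() -> dict:
    ledger, store = Ledger(), OffChainStore()
    person = {"name": "Alex Example", "email": "alex@example.com"}  # constructed
    guesses = [{"name": "Sam Sample", "email": "sam@example.com"}, dict(person)]

    ref = register(ledger, store, person)
    bare = hashlib.sha256(canonical(person)).hexdigest()  # what NOT to publish

    result = {
        "verifies_before_erasure": verify(ledger, store, ref),
        "bare_hash_matched": match_bare_hash(bare, guesses) == person,
        "keyed_digest_matched": match_bare_hash(ledger.get(ref), guesses) is not None,
    }
    result["erased"] = store.erase(ref)  # erasure request handled off-chain
    result["verifies_after_erasure"] = verify(ledger, store, ref)
    result["digest_still_on_ledger"] = len(ledger.get(ref)) == 64
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Whether a digest that remains on the ledger after the key is destroyed satisfies a given erasure obligation is a legal question the code does not answer.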

Smart Contracts

Smart contracts are not necessarily contracts in the traditional sense.  Rather, a smart contract is a computer program stored on a blockchain that performs an action when triggered by an event. Smart contracts take the agreement of two adverse parties to the next level.  When two parties execute a traditional written agreement, they are promising to act in accordance with that agreement.  When two parties implement a smart contract, it is not a mere promise; they have already effected an outcome.

As previously discussed, certain states such as Arizona and Tennessee have laid the groundwork for courts to enforce smart contracts.  If blockchain continues to become more prevalent in business, the need for decisive regulations will pressure other states to follow suit and address smart contracts through legislation.

See Article 5 of this “Blockchain in Supply Chain” series for more information on smart contracts.

Antitrust Considerations for Blockchain

Blockchain provides an avenue for competitors to cooperate, particularly in a consortium or other permissioned structure.  As with any collaboration or joint venture among competitors, such collaboration raises potential antitrust risks and can create a slippery slope to claims of collusion and anticompetitive exclusionary conduct, among other anticompetitive practices.

For most blockchain collaborations among actual or potential competitors, the greatest practical antitrust risk involves collusion and implicates Section 1 of the Sherman Act.9  Section 1 prohibits agreements that unreasonably restrain trade, such as agreements among competitors to fix prices, rig bids or allocate customers or markets.  Oftentimes, courts can infer such anticompetitive agreements based on the exchange of competitively sensitive information among the participants.  Blockchain participants therefore must be mindful of the heightened antitrust risks that come into play should the blockchain arrangement involve the sharing of competitively sensitive information, such as pricing, costs, output or customer specific information.

To minimize this antitrust risk, particularly in a blockchain consortium involving competitors, participants should either avoid the exchange of competitively sensitive information altogether or narrowly tailor the information exchanged and adopt other appropriate safeguards where reasonable. Safeguards to consider include setting up permissions so that only intended recipients of data have access to a block of information and adopting read permission restrictions to prevent employees who have responsibility over pricing, marketing, strategy and competitively important strategic decisions from accessing competitively sensitive information shared on the blockchain.  Aggregating or anonymizing sensitive data or limiting the information exchange to historical information only (instead of current or future data) could also minimize the antitrust risks associated with any information exchange that is necessary to the blockchain arrangement. In any event, participants in a blockchain arrangement should be prepared to articulate why the participants need to exchange the specified type or level of information to achieve pro-competitive benefits of the blockchain arrangement.

Consortium blockchain participants may also face antitrust liability under Section 1 if they reach an agreement to exclude competitors from the blockchain collaboration where accessing a blockchain has become essential to doing business in a particular market or industry. Participants should document and consistently enforce well-defined and reasonable criteria for membership.  Participants should also exercise additional caution in restricting membership if development of the blockchain technology or any related applications involve standard-setting or the adoption of standard, essential patents, both of which present unique antitrust risks.

Relatedly, antitrust scrutiny may also extend to the way in which consortium members approve transactions.  Nodes (or members of the supply chain) validate transactions to be added to a blockchain in accordance with certain pre-determined validation rules.  Then, nodes only add transactions to a blockchain if the rules for adding a block to the blockchain are satisfied (“consensus”).  Antitrust risk can increase where these consensus mechanisms prioritize clearance of transactions by certain members or decline to validate transactions by particular parties without a legitimate and objective basis for doing so. Participants should ensure the validation and consensus mechanisms use objective criteria and that no single participant controls these processes.

In addition to the most prevalent antitrust risks highlighted above, participants should consider other potential antitrust complications when forming or participating in a collaboration with competitors to develop blockchain technology and related applications.  Participants should be mindful of these risks and consult antitrust counsel early in the process as they harness the benefits of blockchain technology to meet their supply chain needs.


1 The Electronic Signatures in Global and National Commerce Act (E-Sign Act), FDIC Consumer Compliance Examination Manual – January 2014

2 Final Act, With Comments: Uniform Electronic Transactions Act (1999), Uniform Law Commission (last retrieved on September 8, 2021)

3 Uniform Electronic Transactions Act (UETA), Practical Law (last retrieved July 22, 2021)

4 ARS § 44-7061; TN Code § 47-10-202

5 Wyoming’s Digital Assets Amendments: Marked Out or Missed Out? A Review of Recent Amendments to Article 9 of the Wyoming UCC, American Bar Association (October 1, 2019)

6 Id.

7 Art. 17 GDPR and Cal. Civ. Code § 1798.105

8 GDPR & Blockchain: At the Intersection of Data Privacy and Technology, BDP (last retrieved July 22, 2021)

9 15 U.S.C. § 1

Co-authored by Vanessa L. Miller, Aaron K. Tantleff, Peter Vogel, Eugenia Wang, and Kathleen E. Wegrzyn.

© 2021 Foley & Lardner LLP

Legal Implications of Facebook Hearing for Whistleblowers & Employers – Privacy Issues on Many Levels

On Sunday, October 3rd, Facebook whistleblower Frances Haugen publicly revealed her identity on the CBS television show 60 Minutes. Formerly a member of Facebook’s civic misinformation team, she previously reported them to the Securities and Exchange Commission (SEC) for a variety of concerning business practices, including lying to investors and amplifying the January 6th Capitol Hill attack via Facebook’s platform.

Like all instances of whistleblowing, Ms. Haugen’s actions have a considerable array of legal implications — not only for Facebook, but for the technology sectors and for labor practices in general. Especially notable is the fact that Ms. Haugen reportedly signed a confidentiality agreement, sometimes called a non-disclosure agreement (NDA), with Facebook, which may complicate the legal process.

What are the Legal Implications of Breaking a Non-Disclosure Agreement?

After secretly copying thousands of internal documents and memos detailing these practices, Ms. Haugen left Facebook in May, and testified before a Senate subcommittee on October 5th. Because she revealed information from the documents she took, Facebook could take legal action against Ms. Haugen if they accuse her of stealing confidential information from them. Ms. Haugen’s actions raise questions about the enforceability of non-disclosure and confidentiality agreements when it comes to filing whistleblower complaints.

“Paradoxically, Big Tech’s attack on whistleblower-insiders is often aimed at the whistleblower’s disclosure of so-called confidential inside information of the company.  Yet, the very concerns expressed by the Facebook whistleblower and others inside Big Tech go to the heart of these same allegations—violations of privacy of the consuming public whose own personal data has been used in a way that puts a target on their backs,” said Renée Brooker, a partner with Tycko & Zavareei LLP, a law firm specializing in representing whistleblowers.

Since Ms. Haugen came forward, Facebook stated they will not be retaliating against her for filing a whistleblower complaint. It is unclear whether protections from legal action extend to other former employees, as is the case with Ms. Haugen.

“Other employees like Frances Haugen with information about corporate or governmental misconduct should know that they do not have to quit their jobs to be protected. There are over 100 federal laws that protect whistleblowers – each with its own focus on a particular industry, or a particular whistleblower issue,” said Richard R. Renner of Kalijarvi, Chuzi, Newman & Fitch, PC, a long-time employment lawyer.

According to the Wall Street Journal, Ms. Haugen’s confidentiality agreement permits her to disclose information to regulators, but not to share proprietary information. A tricky balancing act to navigate.

“Big Tech’s attempts to silence whistleblowers are antithetical to the principles that underlie federal laws and federal whistleblower programs that seek to ferret out illegal activity,” Ms. Brooker said. “Those reporting laws include federal and state False Claims Acts, and the SEC Whistleblower Program, which typically feature whistleblower rewards and anti-retaliation provisions.”

Legal Implications for Facebook & Whistleblowers

Large tech organizations like Facebook have an overarching influence on digital information and how it is shared with the public. Whistleblowers like Ms. Haugen expose potential information about how companies accused of harmful practices act against their own consumers, but also risk disclosing proprietary business information which may or may not be harmful to consumers.

Some of the most significant concerns Haugen expressed to Congress were the tip of the iceberg according to those familiar with whistleblowing reports on Big Tech. Aside from the burden of proof required for such releases to Congress, the threats of employer retaliation and legal repercussions may prevent internal concerns from coming to light.

“Facebook should not be singled out as a lone actor. Big Tech needs to be held accountable and insiders can and should be encouraged to come forward and be prepared to back up their allegations with hard evidence sufficient to allow governments to conduct appropriate investigations,” Ms. Brooker said.

As the concern for cybersecurity and data protection continues to hold public interest, more whistleblower disclosures that could hold Big Tech and other companies accountable are coming to light.

Haugen’s testimony during the October 5, 2021 Congressional hearing revealed a possible expanding definition of media regulation versus consumer censorship. Although these allegations were the latest against a large company such as Facebook, more whistleblowers may continue to come forward with similar accusations, bringing additional implications for privacy, employment law and whistleblower protections.

“The Facebook whistleblower’s revelations have opened the door just a crack on how Big Tech is exploiting American consumers,” Ms. Brooker said.

This article was written by Rachel Popa, Chandler Ford and Jessica Scheck of the National Law Review.

Legal Marketing Budgets with Good2BSocial [PODCAST]

Rachel and Jessica meet with Guy Alvarez, founder and CEO of Good2BSocial, to review legal marketing budget changes since the beginning of the COVID-19 pandemic.

Please read on below for a transcript of our conversation, transcribed through artificial intelligence.

Rachel

Hello, and welcome to Legal News Reach, the official podcast for the National Law Review. Stay tuned for a discussion on the latest trends, legal marketing, SEO, law firm best practices, and more.

Rachel

So my name is Rachel, a web content specialist for the National Law Review.

Jessica

And my name is Jessica and I do about the same.

Rachel

In this episode, we’ll be taking a look at legal marketing budgeting post COVID-19, with Guy Alvarez, founder and CEO of Good2bSocial. Would you like to tell our listeners a little bit about yourself?

Guy

Sure, Rachel. So as you said, my name is Guy Alvarez. I am a former practicing attorney. And currently I am the founder and chief engagement officer at Good2bSocial. Good2bSocial is a digital marketing agency that specializes in the legal industry. And basically what we do is we help our clients, law firms, as well as legal vendors and others, to leverage digital technology to accomplish their business objectives.

Jessica

We’ve worked with you guys before just on various things. So this is great, we get to have you in here and talk to you today. I’m excited, I’m excited to get started. Some things that are on legal marketers’ minds at this point with the COVID-19 pandemic, hopefully coming to a close, what is the way they can handle their marketing budget? How has the pandemic affected the budgeting?

Guy

A great question, Jessica. And that’s a question I get a lot from both small firms as well as large law firms. So obviously, what’s changed significantly with COVID is the inability to really see other people in person, right. So a lot of firms in the past have dedicated their marketing budget, a lot of it has gone into conferences, or trade shows, or live events. And obviously, for the most part, those things aren’t happening today. Or if they’re happening, they’re happening in a very limited way. Also, people don’t really like to travel or travel as much. So that’s also made an impact in terms of their marketing budget, from the business development side. A lot of budget in the past has gone to client entertainment, right? So lawyers taking out clients dinners, or sporting events or theater or things like that. And those things aren’t happening either. So what we’re seeing is really a shift in terms of budget from the real world into the virtual world. And as a result, we’re seeing law firms spend a lot of their budget on digital marketing, right ways that they can enhance their website, ways that they can communicate to their clients and prospects, their knowledge, their experience, and basically stay top of mind and develop strategic relationships. So we’ve seen a lot of investment into webinars, it looks like almost every law firm is doing webinars these days, law firms are spending money on and creating podcasts like this one. So we’re working with a lot of firms who have decided to create one or more podcasts and they want to put it out. And then also firms are spending money on online advertising. More and more firms are struggling to take a dip into online advertising, whether that is paid social media like LinkedIn, and Facebook and Instagram, as well as Google ads and other forms of online advertising.

Jess

How much in general should a law firm look to spend on their marketing budget?

Guy

Great question. Historically, we have seen firms spend somewhere between two to 3% of their overall marketing budget on marketing activities. What we’re seeing now is firms are investing more closer to five to 6%. And the reason for that is because they don’t have the ability to get in front of their clients in person. So they’re looking to spend money to get in front of their clients through digital means.

Jess

That seems kind of interesting, especially since it’s shifting to online versus in person. Is that normal that it would double even though it’s digital now instead of you know, the wining and dining that hadn’t before?

Guy

Unfortunately, I feel like a lot of firms don’t know what they’re doing. So they’re wasting a lot of money, right? They’re spending money on advertising online without really understanding how to do it. So I’ll give you a perfect example. A lot of firms, especially corporate law firms right now are experimenting with LinkedIn advertising because LinkedIn is a great way to get in front of a professional audience. If you go to LinkedIn or if you talk to the LinkedIn sales people, they’ll basically tell you to spend as much as you possibly can, so that you can reach your target audience. So let’s say, let’s say you’re trying to reach in-house counsel in the state of California, right? Let’s say you have a firm, and you really want to reach in-house counsel, and you go to LinkedIn, and LinkedIn will give you a recommended budget of between, let’s say, eight and $20 per click, you know, that’s what they want you to bid, right. And so if you talk to LinkedIn, they’ll say, Oh, well, in this case, you should bid the $20. That way, you can make sure that your ad is going to be seen by your target audience. But the reality is, it doesn’t really work that way. Sure, if you’re going to bid more money, there is a possibility that more people will see it. But that’s not necessarily the case, you could bid less money. And if you have a really good offer, or a really good ad or post, people aren’t going to click on it, and then more and more people aren’t going to see it. It’s the same as if like, let’s say you went to an art auction, right? And someone was auctioning a painting. And the auctioneer said, Okay, we’re going to start the auctioning at $1,000 for this painting. And you raise your hand and you say, you know, a million dollars? Well, why would you do that? What you don’t know yet, you know, maybe you put it in for $2,000, $3,000, $10,000. So that’s why firms are spending money, but they’re not spending it in a productive, efficient manner.
And part of the reason for that is that they’re just not familiar with how paid LinkedIn or other forms of advertising online, really work. And so that’s why we’re seeing more and more money spent, but not necessarily the most efficient type of spending.

Jess

So this is kind of a good segue into my next question that I had. So how do firms know how to spend for a new law firm versus an established one? A new law firm probably isn’t going to have the necessary background and know-how to spend their money wisely.

Guy

So there’s two ways that you can, you know, make sure that you’re doing the best you can. One is you can hire an agency like ours, who has experience and knowledge and knows what they’re doing and has done it a billion times. Or you can train your team, right? Invest in training, invest in getting them up to speed, so that when, when they’re doing it, they know what they’re doing.

Jess

I’m not surprised to hear that from you. I’m sure how many people you work with, they need help knowing how to budget. And that’s great, because that’s what you guys are there for to help guide them through that.

Guy

Yeah, and they could spend a little bit of money with us managing it, but at the end of the day, they’re getting a much better bang for their buck, because they’re not wasting a ton of money. I’ll give you another example. I see a lot of law firms that are doing Google advertising. And Google advertising can be really expensive, right? But what they’re doing is when they create the ad, they’re linking their ad back to their websites. And that’s a big no-no, you don’t want to link an ad back to your website, you want to link the ad to a landing page, where the visitor really has the option of either filling out a form or picking up the phone. If you’re sending them back to your website, they might forget why they thought there, they might start to explore other things. And all of a sudden, you wasted a ton of money, and you’re not getting the results that you wanted. So that’s just another simple example of firms not knowing how to spend their money and spending their money in a non-efficient way.

Rachel

So to sort of go off of that, we’ve spoken a little bit about how law firms should allocate their budget, and how they can best use their marketing dollars. But I was wondering if you could talk a little bit about what are the most important areas to focus on right now in terms of legal marketing spend.

Guy

Or so as I said, a lot of the money that used to go to trade shows conferences, sponsorships, you know, it’s not being spent anymore, because, you know, people aren’t going to real world events. So from my perspective, the best way to spend money is to give your audience your target audience and it could be either existing clients or new potential clients is to communicate to them the knowledge and the experience that your firm and that your attorneys have. And that’s why content is so important. Right, a lot of firms I know are like, Oh, you know, we want to improve our search engine visibility, we want to, you know, but they don’t understand that the only way to do that is by creating really good, valuable content. That’s the number one priority. Same thing with social media, if you’re not creating client centric, valuable thought leadership content, you’re not going to have a very successful social media strategy. So really, the focus should be first and foremost, on creating that really great content. And the way to do that is to really understand what your audience is interested in. They’re not necessarily interested in your awards, or your new hires or your qualifications, sure, that matters to them down the road. But right now, what they’re most interested in is, what their business and the problems or issues that they’re facing. So the more that you can put yourself in the shoes of your clients or your prospects, and create content that’s going to be really valuable and interesting to them, the more you’re going to have success from a marketing perspective. So I think first and foremost, the investment should be around client centric, thought leadership content. That’s number one. Number two, is I think you need to invest in a way to measure everything you’re doing, right? If I’m spending a ton of money, and then I asked you, well, you know, how are you doing? What are you getting out of it? 
And you don’t have an answer, then how can you possibly improve on what you’re doing? So you need the tools and technology to properly measure the effectiveness of your legal marketing expenditures. And a lot of firms don’t have that, right. Some firms might measure and say, Oh, yeah, we look at Google Analytics. And I said, Great, well, what do you do after that? What do you do with the data? We send it to our lawyers, okay. And then what happens? Nothing happens. So if all you’re doing is looking at data, and not analyzing it, and not coming out with some meaningful insights out of it, then you’re not really gaining much. So you need to invest in technology. And in people that understand what’s working, what’s not working, and what you can do to adapt or change so that you can get the results that you want.

Rachel

We talked a little bit about measuring ROI and measuring how these campaigns are performing. What metrics should they be paying attention to? And how can they really get started?

Guy

That’s a great, great question, right? A lot of times, I speak to marketers, and they’re really frustrated, cuz they say to me, God, you know, we just got, you know, 1000 new followers on LinkedIn, or we just got 20 new likes on Facebook, or we just improved our traffic, we’re getting now 2000 unique visitors to our website. But the lawyers don’t care, right. And the reason the lawyers don’t care is you need to be able to tie your metrics to actual business objectives, right? Lawyers don’t care how many likes or follows or shares are bought, they don’t care. They care about, did we get any new business? Or were we mentioned in an article or publication, or you know that we get a new speaking opportunity? So you need to closely tie your digital metrics into real business objectives in order to really be able to quantify, yes, we did this invested investment, and this is what resulted out of it. And I’ll give you another example. So as I said earlier, a lot of firms, especially over COVID, you know, have invested heavily on webinars, it looks like every firm was doing a webinar almost every day. But if you ask most of them, you know, what did you do after the webinar? How did you follow up, most of them maybe sent out an email, thanking everyone. And that’s it. So now you spent all this time, effort and money in creating a webinar, and you did nothing to follow up. And so that is the types of things you need to do is make sure that you’re not only investing in the creation, but also measuring the execution afterwards and have a plan for how you’re going to be able to turn website or webinar visitors or registrations into potential clients.

Jess

That’s interesting. So that long game of follow up, is that one of the ways these firms can make sure that they’re getting the desired ROI? Is that just one of the techniques? Or what else could they implement?

Guy

Yeah, that that’s a very important technique, right? Because one of the things I tell law firms is, don’t think about it just because you weren’t you attend a webinar, it doesn’t necessarily mean you’re ready to hire someone, you know, you might just be interested in the topic, or maybe your boss has asked you about it, but they may not be ready to hire you. So you have to invest in the long term. And you got to make sure that okay, we did the way when it was about 100 registrations, and out of those 100 registrations 50 people showed up. So now you’re gonna have to have a strategy for those people that showed up, you should have a strategy for the people that didn’t show up. And what you want to do is you want to stay top of mind, so that when the timing is right, when they actually have the need, they’re going to be like, Oh, yes, this firm, that they continue to email me about this topic, they certainly know what they’re doing. Let me reach out to them. Right. So that is, that is definitely one of the ways to do that. The other thing is, you need to be able to repurpose your content, right? There is a process called COPE, which talks about create once publish everywhere, right? What that means is for every piece of content you create, you should find a way to repurpose it. So if we’re doing this podcast right now, maybe we can take the transcript of the podcast and create a blog post. And maybe since we’re doing a podcast and a video, now we can chop up this video into little segments. And maybe out of that you can have, you know, 20, 30 different social media posts. So again, it’s really about how you’re investing in the content creation, find a way to repurpose it, because the other thing is, everyone likes to consume content in a different way. Some people like to read, some people like to listen to podcasts, other people like to watch videos, other people like to look at infographics.
So you should be able to repurpose that content in as many different ways as possible, so that people can consume it in whatever way they choose to consume.

The follow up part seems to be just like an industry thing. I think they’re trying to pump out as much content, especially being new to webinars, I’m sure they’re just cranking those out doing a webinar series and not thinking about, well, how do we stay on people’s minds, the content is valuable, right, because the people go to the webinar to gain insight on that topic that they’re interested in. But once they leave, that now no longer occupies the brain at that point.

Right, or they’ll make the mistake while they’re doing a webinar, but they don’t record it the right. And so just because you had 100 people show up, there’s a lot of value to that webinar. So you should take that webinar, you should post it to your website, you should email about it. I mean, again, it’s not just a one time thing. Every time you build content, it’s another asset that you can build on. So that eventually people will find you and hire you.

Jess

When these law firms that are having all these issues with their budgets, when they come to you guys and ask for your help to any firm that may listen to this episode with you guys on it, what do you want to tell them? Like three things that your expertise, you know, is a tried and true? What would you want to say to them?

Guy

So that’s a really great question. You know, one of the things that we’re really different about other agencies and other companies like us, is we don’t take a cookie cutter approach to any of our clients, right? I have a lot of times prospective clients will call me and say, okay, we need to, we need to do some SEO on our website, or we need to create a podcast, or we need to redesign our website. And I said, Okay, well tell me more about that. What Why do you want to do that? What are your what is the business objective, right? So just because they think of something that might not necessarily be the best way to accomplish what they’re trying to accomplish. So we start off with every one of our prospective clients, we start off by having them fill out a questionnaire, and then we do an audit of their digital properties to kind of see where they’re at, where their competitors are at, and what their business objectives are, and we don’t charge for that. That’s something that we do. And once we do that, then I have another conversation and I say, Okay, this is what we saw, this is what you told me, based upon that on that this is what we would like to do. And then we come up with a very specific strategy for them. That would enable them to accomplish their goals. And sometimes this gets frustrating for some clients or prospective clients are like, well, I just want to quote How much does it cost? And I’m like, I’m sorry, you I’m not just going to give you a call. I need to understand more about what you’re trying to do, what your competitors are doing and where you’re at today. And, you know, that’s worked really well for us. So the one thing I would say is, if you come to us, you’re going to be treated as a unique, very distinct client. And we’re gonna develop a unique and intuitive strategy, just for you, that is going to be different from any other clients.

Jess

I think that’s definitely the biggest part of marketing. If you want to be different, you can’t do the same old tried and true, or maybe what used to work, you know, even with this post COVID environment, you got to change it up. And yeah, I’m glad you mentioned that every client’s needs are very specific. And budgeting is one of them. And I’m sure that changes how you approach marketing for them. So it’s interesting that you will look at all those metrics for free. And then you also have your own podcast, which is free for legal marketing, the Legal Marketing 2.0 podcast. So you guys offer a lot of valuable insight for people. And that’s why we wanted to have you on this podcast so that if our clients or anybody else who listens knows that this is an option out there that they can use, because I think marketing is such a big thing, digitally, especially right now probably forever at this point.

Guy

Yeah, we’re big believers in providing valuable information for free. You know, we publish a blog post every day, we do a weekly podcast, we do monthly webinars. We do other things. We publish free ebooks all the time. And the reason why is we want to educate our audience as much as possible, so that when they need someone, they may know a little bit about how to do it. But if they really want to do it, well, they’ll think of us first. And if they don’t, at least they get that really good information. And eventually that ends up helping them down the road to help sauce.

Rachel

So one thing that I was curious to get your point of view on is sort of the through line that we’re trying to focus our inaugural season our podcast on, which is sort of how legal marketing has both changed because of COVID. And also, where legal marketing is going post COVID are sort of in this weird Limbo state where we’re on the cusp of both things, going back to normal, or people starting to think about going back to normal. Also, things aren’t back to normal yet. So I was just curious, like, what have you seen change over the past year? And how do you see things changing more moving forward?

Guy

So it’s interesting, a couple of things. One is COVID has definitely accelerated the trend towards digital, there’s no question about that. So we were already starting to see that before COVID, more and more firms were investing in digital, you know, sprucing up their website, creating more content, blah, blah, blah. So that has definitely happened. It accelerated it to a point where a lot of CMOs and marketing directors that were complaining because they couldn’t get their attorneys to create content, all of a sudden, they were inundated by huge amounts of content, right? It was like they couldn’t put it out there quickly enough. You know, things settle down a little bit. So you’re starting to see less of that. But there’s still a ton of content that’s being created. And the problem is, you know, just throwing up a bunch of content and see what’s going to stick is really not a great strategy. So what I think is going to happen, what we’ve already started to see happen is firms are going to start to take a step back and say, wait a minute, it’s great that we’re creating content, but what’s the strategy behind it? You know, who do we really want to reach? We can’t market to everyone, right? So you got to really figure out like, what are the strengths of your firm? What are the markets that you really go out want to go after? What is your ideal client profile look like? You know, what are the types of companies that hire you, where you’re really profitable? And then so what they’re gonna start to look at is creating content and strip marketing strategies that focus on their ideal customer profiles, and then measuring everything that you do. So I think that’s really what’s going to ship is a focus on strategy, and narrowing that focus to your best potential client, and then creating strategies around those clients.
So, you know, the only thing I would say is, you know, that’s the change into the digital world is, a lot of times I see firms get very stressed out about all these new technologies. And they want to make sure they don’t miss out on anything. And, you know, a few months back, everyone wanted to be on Clubhouse. Well, you know, Clubhouse is a good new property, and there’s certainly value to it. But just because it’s out there doesn’t mean that you have to be on it, right. So I think the important thing is to really be measured in how you approach new technology and new channels. But most importantly, I think, if you’re going to improve your marketing, the one thing that I would recommend, is to focus in on your clients, and really gaining an understanding of what it is they really need. Right? That is the most valuable thing. And I don’t think that law firms spend enough time figuring that out, they don’t spend enough time doing research on their clients. Because if you talk to a client, they typically want three things. They want a firm that understands their industry, they want a firm that understands their business, and they want a firm that understands them, that individual that you’re dealing with. And the only way that you can do that is by spending some time doing research. And once you get that information, then you can create the nominal marketing strategies that really have an impact. So I think that’s something that firms are starting to realize. And I think that’s the right way to go. So if you’re a CMO at a firm, or marketing director of a firm, convince your lawyers to spend some time and some budget, really researching your existing clients, so that you can come up with strategies that are really going to make an impact.

Rachel

Great, thank you for giving that great takeaway. I think our listeners will be really interested to sort of really hone down on the direction that they should take their marketing, especially now that everything is going digital online, it’s more important than ever to have a strategy for that. So yeah, thank you for joining us today. That about wraps up our episode on legal marketing budgets, post COVID-19. And special thanks to Guy Alvarez with Good2bSocial for joining us.

Guy

Thank you, Jessica. And thank you, Rachel, it’s been a pleasure. And if any of your listeners want more information, go to good2bsocial.com. And check out our blog posts or podcasts, webinars, etc. Thank you.

Rachel

Thank you for listening to the National Law Review’s Legal News Reach podcast. Be sure to follow us on Apple podcasts, Spotify, or wherever you get your podcasts for more episodes. For the latest legal news, or if you’re interested in publishing and advertising with us, visit www.natlawreview.com. We’ll be back soon with our next episode.

Copyright ©2021 National Law Forum, LLC

Article By Rachel Popa and Jessica Scheck of The National Law Review / The National Law Forum LLC
