Category: Internet

Colorado AG Proposes Draft Amendments to the Colorado Privacy Act Rules

On September 13, 2024, the Colorado Attorney General’s (AG) Office published proposed draft amendments to the Colorado Privacy Act (CPA) Rules. The proposals include new requirements related to biometric collection and use (applicable to all companies and employers that collect biometrics of Colorado residents) and children’s privacy. They also introduce methods by which businesses could seek regulatory guidance from the Colorado AG.

The draft amendments seek to align the CPA with Senate Bill 41, Privacy Protections for Children’s Online Data, and House Bill 1130, Privacy of Biometric Identifiers & Data, both of which were enacted earlier this year and will largely come into effect in 2025. Comments on the proposed regulations can be submitted beginning on September 25, 2024, in advance of a November 7, 2024, rulemaking hearing.

In Depth

PRIVACY OF BIOMETRIC IDENTIFIERS & DATA

In comparison to other state laws like the Illinois Biometric Information Privacy Act (BIPA), the CPA proposed draft amendments do not include a private right of action. That said, the proposed draft amendments include several significant revisions to the processing of biometric identifiers and data, including:

  • Create New Notice Obligations: The draft amendments require any business (including those not otherwise subject to the CPA) that collects biometrics from consumers or employees to provide a “Biometric Identifier Notice” before collecting or processing biometric information. The notice must include which biometric identifier is being collected, the reason for collecting the biometric identifier, the length of time the controller will retain the biometric identifier, and whether the biometric identifier will be disclosed, redisclosed, or otherwise disseminated to a processor alongside the purpose of such disclosure. This notice must be reasonably accessible, either in a standalone disclosure or, if embedded within the controller’s privacy notice, a clear link to the specific section within the privacy notice that contains the Biometric Identifier Notice. This requirement applies to all businesses that collect biometrics, including employers, even if a business does not otherwise trigger the applicability thresholds of the CPA.
  • Revisit When Consent Is Required: The draft amendments require controllers to obtain explicit consent from the data subject before selling, leasing, trading, disclosing, redisclosing, or otherwise disseminating biometric information. The amendments also allow employers to collect and process biometric identifiers as a condition for employment in limited circumstances (much more limited than Illinois’s BIPA, for example).

PRIVACY PROTECTIONS FOR CHILDREN’S ONLINE DATA

The draft amendments also include several updates to existing CPA requirements related to minors:

  • Delineate Between Consumers Based on Age: The draft amendments define a “child” as an individual under 13 years of age and a “minor” as an individual under 18 years of age, creating additional protections for teenagers.
  • Update Data Protection Assessment Requirements: The draft amendments expand the scope of data protection assessments to include processing activities that pose a heightened risk of harm to minors. Under the draft amendments, entities performing assessments must disclose whether personal data from minors is processed as well as identify any potential sources and types of heightened risk to minors that would be a reasonably foreseeable result of offering online services, products, or features to minors.
  • Revisit When Consent Is Required: The draft amendments require controllers to obtain explicit consent before processing the personal data of a minor and before using any system design feature to significantly increase, sustain, or extend a minor’s use of an online service, product, or feature.

OPINION LETTERS AND INTERPRETIVE GUIDANCE

In a welcome effort to create a process by which businesses and the public can understand more about the scope and applicability of the CPA, the draft amendments:

  • Create a Formal Feedback Process: The draft amendments would permit individuals or entities to request an opinion letter from the Colorado AG regarding aspects of the CPA and its application. Entities that have received and relied on applicable guidance offered via an opinion letter may use that guidance as a good faith defense against later claims of having violated the CPA.
  • Clarify the Role of Non-Binding Advice: Separate and in addition to the formal opinion letter process, the draft amendments provide a process by which any person affected directly or indirectly by the CPA may request interpretive guidance from the AG. Unlike the guidance in an opinion letter, interpretive guidance would not be binding on the Colorado AG and would not serve as a basis for a good faith defense. Nonetheless, a process for obtaining interpretive guidance is a novel, and welcome, addition to the state law fabric.

WHAT’S NEXT?

While subject to change pursuant to public consultation, assuming the proposed CPA amendments are finalized, they would become effective on July 1, 2025. Businesses interested in shaping and commenting on the draft amendments should consider promptly submitting comments to the Colorado AG.

© 2024 McDermott Will & Emery
For more news on Colorado Privacy Law, visit the NLR Communications Media Internet and Consumer Protection sections.

Get Off the Beaten Path: Three Ways Outsourcing Can Help Firms Achieve CRM & Data Quality Success

Normally, the path most traveled is thought to be the better road as it represents the path that leads to achieving goals and success while the less traveled path leads to stressful processes and unknowns.

But for firms trying to achieve CRM success, the “beaten path” involves investing tens of thousands of dollars into the latest and greatest technology and hiring internal Data Stewards to maintain the data flowing into the system. This can take up a significant number of firm resources and there is no guarantee that CRM Success will be achieved.

Let’s face it, the traditional approach to CRM and Data Quality Success often leads to more headaches and challenges than it does to success. Without the right experience and expertise, leading a CRM implementation project or a data quality clean-up can be disastrous.

Hundreds of thousands of records flow in from departmental databases which need to be analyzed and categorized properly. Meetings need to be held with firm leadership to understand their expectations for the system, and meetings need to be coordinated with vendors to set up demonstrations along with Requests For Proposals (RFPs).

To add more fuel to the fire, meetings also need to be held with end users to understand their needs and requirements so system selection can be catered to them. In the end, firms are left with high training and implementation costs; limited staffing pools due to required expertise; and increased employee burnout due to the overwhelming nature of the work.

The Path Less Traveled: Outsourcing

Many forward-thinking firms have taken the path less traveled to CRM success and have outsourced many of their core marketing technology positions and data quality work to trusted service providers. Outsourced Marketing Technology Managers and Data Stewards can provide all the benefits of retaining these positions in-house at a cost-efficient price all while reducing managerial headaches.

The route less traveled gives you access to a pool of highly skilled professionals without the additional costs associated with hiring internally. Many outsourced Marketing Technology Managers and Data Stewards have years of industry experience working with the nation’s top firms tackling complex data quality issues and guiding implementations ensuring they are implemented and integrated effectively.

To achieve CRM and data quality success, sometimes the beaten path won’t get you there. Here are three ways taking the path less traveled can help you achieve CRM and data quality success:

1. Cost Savings

Utilizing outsourced service providers for marketing technology or data quality roles can help firms save a significant amount of money. For firms with around 250 professionals, hiring an internal CRM Manager and Data Steward can cost firms around $116,640.

For firms that have limited resources and budgets, outsourcing providers offer various pricing models for their services. From contracting their workers on an as-needed basis for short-term or long-term projects to paying-as-you-go. This allows firms to allocate more of their investments to higher-priority projects or initiatives. Depending on the rate of the service provider, firms can expect to pay up to 33% less ($77,350) when they outsource their core marketing technology and data quality work.

2. Improved Data Quality

Opposed to internal Data Stewards, outsourced data quality professionals can focus on key responsibilities and can work more efficiently than their internal counterparts who have to focus on other tasks or priorities. These outsourced professionals understand the intricacies of the professional service industry and seamlessly fit into your firm’s day-to-day processes.

Outsourced Data Stewards have the ability and know-how to implement data standardization processes and protocols, minimizing the number of dirty records that may flow into the system. They also have access to industry-leading tools that can streamline and automate data management so your attorneys and professionals can worry less about maintaining their contacts and more about serving their clients.

3. Reduction In Turnover

Traditionally, hiring Data Stewards internally has been a revolving door, where firms would hire a new team member to maintain their data quality, train them, compensate them, motivate them, then, replace them. Given how outsourced service providers are not directly involved with the firm’s core services, they assume the role of finding, hiring, training, motivating and managing the data quality professional.

This frees up your marketing and business development teams to focus on growing the firm and nurturing client relationships rather than chasing down contact data from the organization’s professionals. They can help you with a wide range of data-related activities including:

  • Regularly reviewing new records
  • Enhancing records with geographical information, financial data, or who-knows-who relationships
  • Creation and management of segmented and targeted lists for marketing or business development campaigns

To achieve CRM and data quality success, sometimes the beaten path won’t get you there. So, if you are struggling with your marketing technology or data quality, don’t be afraid to explore alternate routes, like outsourcing. It can open your firm up to a pool of highly skilled professionals who have years of experience solving the same issues you may be going through. An outsourced team can provide your firm with significant cost savings, improved data quality, and a reduction in employee turnover and managerial headaches.

These operational efficiencies lead to greater productivity and returns on marketing spend – meaning greater profitability for the firm.

© Copyright 2024 CLIENTSFirst Consulting
For more news on CRM Development, visit the NLR Law Office Management section.

Fourth Circuit Reverses $1 Billion Award for Vicarious Liability Claim for More than 10,000 Works

On January 12, 2021, the U.S. District Court for the Eastern District of Virginia awarded a group of music recording companies (the plaintiffs) a $1 billion verdict against Cox Communications (Cox). The Virginia court’s ruling found that Cox, an internet service provider (ISP), was contributorily and vicariously liable for copyright infringement committed by certain subscribers on its networks. The plaintiffs alleged that the ISP allowed the unauthorized downloading and distribution of more than 10,000 copyrighted works by Cox subscribers who had already received three or more notices of infringement. The district court in Virginia established that the “takedown” notices sent by the plaintiffs provided Cox with the requisite knowledge of its subscribers’ repeated infringement to substantiate their claim that Cox was contributorily liable, suggesting that Cox had sufficient specific knowledge of infringement to have done something about it.

The plaintiffs’ notice to Cox identified the IP address of the subscriber, as well as the time of infringement and the identification of the infringed work, which the plaintiffs argued was sufficiently specific knowledge for Cox to be able to identify the subscriber and to exercise its policy by suspending or terminating the infringing subscriber. This case proceeded to trial on two theories of secondary liability – vicarious and contributory copyright infringement. The plaintiffs argued that Cox failed to act on these known repeat infringers, and the jury found Cox liable for willful contributory infringement and vicarious infringement, ordering Cox to pay more than $99,000 for each of the infringed-upon works. Cox appealed the jury verdict.

On appeal, before the U.S. Court of Appeals for the Fourth Circuit, Cox raised several questions of law concerning the secondary liability for copyright infringement, as well as what constitutes a derivative work in the Internet Age.

Vicarious Infringement
The Fourth Circuit’s analysis first considered whether the district court erred in denying plaintiffs’ vicarious infringement claim. “A defendant may be held vicariously liable for a third party’s copyright infringement [if the defendant] (1) profits directly from the infringement and (2) has a right and ability to supervise the direct infringer.” See Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd., 545 U.S. 913, 930 n.9 (2005) (internal citations omitted). The Fourth Circuit found that the plaintiffs failed to establish the first element as a matter of law and thus found that the plaintiffs failed to establish that Cox was vicariously liable.

In reaching this decision, the Fourth Circuit turned to the landmark decision in Shapiro, Bernstein & Co., 316 F.2d 304 (2d Cir. 1963), a case on vicarious liability for infringing copyrighted music recordings. In Shapiro, a department store was sued for the selling of “bootleg” records by a concessionaire operating in its stores. The store had the right to supervise the concessionaire and employees, demonstrating its control over the infringement. There, the store received a certain percentage of every record sale, “whether ‘bootleg’ or legitimate,” giving it “a more definite financial interest” in the infringing sales.” Thus, the Shapiro court found that the financial gains were clearly spelled out from the bootleg sales and acts of infringement in Shapiro.

Next, the Fourth Circuit recognized that courts have found that a defendant may possess a financial interest in a third party’s infringement of copyrighted music, even absent a strict correlation between each act of infringement and an added penny of profits. See Fonovisa, Inc. v. Cherry Auction, Inc., 76 F.3d 259 (9th Cir. 1996). In Fonovisa, the operator of a swap meet allowed vendors to sell infringing goods, and the operator collected “admission fees, concession stand sales, and parking fees” but no sales commission “from customers who want[ed] to buy the counterfeit recordings at bargain-basement prices.” The Fonovisa court found that the plaintiffs adequately showed a financial benefit from the swap meet owner and the sales of pirated recordings at the swap meet, which was a draw for customers. Thus, the infringing sales “enhance[d] the attractiveness of the venue of the potential customers, finding the swap meet operator had a financial interest in the infringement sufficient to state a claim for vicarious liability.”

The Fourth Circuit established that Shapiro and Fonovisa provided the steppingstones of the principles of copyright infringement to the internet and cyberspace and that Congress agreed that “receiving a one-time setup fee and flat periodic payment for service” from infringing and non-infringing users alike ordinarily “would not constitute a financial benefit directly attributable to the infringing activity.” Ellison v. Robertson, 357 F. 3d 1072, 1079 (9th Cir. 2004) (internal citations omitted). The Court also reviewed other court precedents, including A&M Records v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001), to show that increased pirated music drew in users as a direct financial interest for vicarious liability., but also notes that courts have found no evidence of a direct financial benefit between subscribers of American Online (AOL) and the availability of infringing content.’’ Ellison, 357 F.3d at 1079.

Against this backdrop, the Fourth Circuit held that to prove Cox was vicariously liable, the plaintiffs had to demonstrate that Cox profited from its subscribers’ infringing download and distribution of the plaintiffs’ copyrighted songs, which – given the evidence at trial – it did not. While the district court found it was enough that Cox repeatedly declined to cancel an ISP subscriber’s monthly subscription fee, the Fourth Circuit found this evidence to be insufficient. Instead, the Fourth Circuit found that the continued monthly payment fees for internet service, even by repeat infringers, was not a financial benefit flowing directly from the copyright infringement. Cox established that subscribers paid a flat fee even if all of its subscribers stopped infringing. Recognizing that an internet provider would necessarily lose money if it canceled subscriptions only demonstrates that service providers have a direct financial interest in providing subscribers with access to the internet only. Thus, the Fourth Circuit held that vicarious liability demands proof that the defendant profits directly from the acts of infringement for which it is being held accountable.

To rebut this, the plaintiffs claimed that the jury could infer that subscribers paid monthly membership fees based on the high volume of infringing content. The Fourth Circuit rejected this argument and found that the evidence was insufficient to prove that customers were drawn to Cox’s internet service or that they continued the service because they were specifically drawn to the opportunity to infringe the plaintiffs’ copyrights. The plaintiffs further asserted that subscribers were willing to pay more for the opportunity to infringe based on Cox’s tiered structure for internet access – but the plaintiffs fell short in proving this claim because no reasonable inference could be drawn that Cox subscribers paid more for faster internet to infringe on the copyrighted works. Ultimately, the Court found that the plaintiffs could not establish a causal connection between subscribers’ copyright infringement and Cox’s revenue for monthly subscriptions. Thus, the Fourth Circuit held that Cox was not liable for its subscribers’ copyright infringement and reversed the district court’s ruling on this theory. The court vacated the $1 billion damages award and remanded the case for a new trial on damages, holding that the jury’s finding of vicarious liability could have influenced its assessment of statutory damages.

Contributory Infringement
The Fourth Circuit then examined the remaining issue of contributory infringement. Under this theory, “one who, with knowledge of the infringing activity, induces, causes or materially contributes to the infringing conduct of another is liable for the infringement, too.” Cox argued that the district court erred by taking away the factual determination from the jury that notices of past infringement established Cox’s knowledge that subscribers were substantially certain to infringe in the future. Cox had contracted with a third party to provide copyright violation notices to users and asserted that it used these notices as their safe harbor under the Digital Millennium Copyright Act to alert violators and to terminate access to users who were repeat infringers. Despite this, the Fourth Circuit ultimately agreed with the jury’s finding that Cox materially contributed to copyright infringement occurring on its network and that its conduct was culpable.

Therefore, a three-judge panel found that Cox was liable for willful copyright infringement but reversed the vicarious liability verdict and remanded a new trial on damages. The Fourth Circuit held that because Cox did not profit from its subscribers’ acts of infringement, a legal prerequisite for vicarious liability, Cox was not liable for damages under the vicarious liability theory.

The Impact
The Fourth Circuit’s decision recognizes a new dawn breaking in copyright law, one that requires a causal connection between profit and/or financial gain and a defendant’s acts of infringement to prove vicarious liability in a copyright infringement claim under the Copyright Act. The plaintiffs attempted to bridge the financial gap between acknowledging access to infringing content through a monthly internet subscription and high-volume infringing acts. However, the Fourth Circuit found that this leap in logic was a step too far and reversed the award for vicarious liability for lack of evidence to find this missing connection between Cox subscribers and infringing plaintiffs’ content.

While this may be one route the courts may consider to reduce music piracy damages, it remains to be seen whether other courts will take this approach to determining that profit is the key element supporting other vicarious liability claims in cyberspace.

© 2024 Wilson Elser
For more news on Copyright Litigation, visit the NLR Intellectual Property section.

2024 Regulatory Update for Investment Advisers

In 2023, the Securities and Exchange Commission issued various proposed rules on regulatory changes that will affect SEC-registered investment advisers (RIAs). Since these rules are likely to be put into effect, RIAs should consider taking preliminary steps to start integrating the new requirements into their compliance policies and procedures.

1. Updates to the Custody Rule

The purpose of the custody rule, rule 206(4)-2 of the Investment Advisers Act of 1940 (Advisers Act), is to protect client funds and securities from potential loss and misappropriation by custodians. The SEC’s recommended updates to the custody rule would:

  • Expand the scope of the rule to not only include client funds and securities but all of a client’s assets over which an RIA has custody
  • Expand the definition of custody to include discretionary authority
  • Require RIAs to enter into written agreements with qualified custodians, including certain reasonable assurances regarding protections of client assets

2. Internet Adviser Exemption

The SEC also proposed to modernize rule 203A-2(e) of the Advisers Act, whose purpose is to permit internet investment advisers to register with the SEC even if such advisers do not meet the other statutory requirements for SEC registration. Under the proposed rule:

  • Advisers relying on this exemption would at all times be required to have an operational interactive website through which the adviser provides investment advisory services
  • The de minimis exception would be eliminated, hence requiring advisers relying on rule 203A-2(e) to provide advice to all of their clients exclusively through an operational interactive website

3. Conflicts of Interest Related to Predictive Data Analytics and Similar Technologies

The SEC proposes new rules under the Adviser’s Act to regulate RIAs’ use of technologies that optimize for, predict, guide, forecast or direct investment-related behaviors or outcomes. Specifically, the new rules aim to minimize the risk that RIAs could prioritize their own interest over the interests of their clients when designing or using such technology. The new rules would require RIAs:

  • To evaluate their use of such technologies and identify and eliminate, or neutralize the effect of, any potential conflicts of interest
  • To adopt written policies and procedures to prevent violations of the rule and maintain books and records relating to their compliance with the new rules

4. Cybersecurity Risk Management and Outsourcing to Third Parties

The SEC has yet to issue a final rule on the 2022 proposed new rule 206(4)-9 to the Adviser’s Act which would require RIAs to adequately address cybersecurity risks and incidents. Similarly, the SEC still has to issue the final language for new rule 206(4)-11 that would establish oversight obligations for RIAs that outsource certain functions to third parties. A summary of the proposed rules can be found here: 2023 Regulatory Update for Investment Advisers: Miller Canfield

© 2023 Miller, Canfield, Paddock and Stone PLC
For more news on 2024 Updates for Investment Advisers, visit the NLR Securities & SEC section.

A Holiday Gift From The State Department: Domestic Visa Revalidation Pilot Program And Visa Interview Waiver Guidance

Kris Kringle bestowed an old friend upon us for the 2023 holiday season, which, if successful, could permanently bring back stateside visa renewal.

Before biometrics were required for U.S. visas, foreign nationals (FN) legally in the U.S. on temporary (nonimmigrant) visas could renew their visa stamps through the Department of State. The process was typically efficient, resulting in a great time and expense saver for both the FN and U.S. employers. Then, biometrics became a requirement in 2002, and the State Department eliminated the program, reasoning that visa applicants’ biometrics were not available in the U.S.

History evolves, new challenges arise, and the State Department finds itself taking steps to resume this old process. The COVID-19 pandemic caused the global closure of U.S. consulates, resulting in an enormous backlog of visa processes. While the State Department has made significant progress in addressing some of these backlogs, the agency continues to struggle with lengthy wait times in many consular jurisdictions, causing considerable difficulty for individuals and businesses.

PILOT PROGRAM DETAILS
The Stateside Visa Revalidation Pilot Program was published in the Federal Register just before the Christmas holiday. However, this pilot holiday gift is limited.

Online applications will begin Jan. 29, 2024. Each week, the State Department will release approximately 2,000 application slots each for individuals whose most recent H-1B visas were issued by Mission Canada and by Mission India (approximately 4,000 combined total each week). The releases will be on Jan. 29; Feb. 5; Feb. 12; Feb. 19; and Feb. 26.

The criteria set out in the program notes:

The foreign national (FN) seeks to renew only an H-1B visa that was previously issued by Mission Canada or Mission India
20,000 renewals will be issued on a staggered schedule
To be eligible, the prior H-1B visa stamp must have been issued by Mission Canada with an issuance date from Jan. 1, 2020, through April 1, 2023, or by Mission India with an issuance date between Feb. 1, 2021, and Sept. 30, 2021
The FN is not subject to the payment of a “reciprocity fee” as part of a nonimmigrant visa issuance fee based on the country of birth
The FN is also eligible for a waiver of the in-person interview requirement based on a recent policy update
The FN submitted 10 fingerprints to the Department of State in connection with a previous visa application
An annotation of “clearance received” was not noted in prior visa stamps; this annotation will disqualify the FN for this program
No visa ineligibility that requires a waiver prior to visa issuance
Possess an approved and unexpired H-1B petition evidenced by an I-797 Notice
Most recently admitted to the United States in H-1B status
Currently maintaining H-1B status in the United States; a person on the 60-day grace period after a lay-off will not qualify
Must be in an unexpired period of authorized admission in H-1B status
Intends to reenter the United States in H-1B status after a temporary period abroad
NEW INTERVIEW WAIVER GUIDANCE
On a separate, but related, note, the State Department also published new Visa Interview Waiver guidance to replace expiring COVID-19 era policies; this guidance goes into effect on Jan. 1, 2024. This guidance applies to those individuals renewing visas abroad at a U.S. Consulate and allows Consular officers to waive interviews in certain instances.

The new interview waiver guidance will also make the following individuals eligible for interview waivers:

First time H-2 visa applicants (temporary agricultural and non-agricultural workers)
Other nonimmigrant visa applicants applying for any nonimmigrant visa classification who:
Were previously issued a nonimmigrant visa in any classification, unless the only prior issued visa was a B visa
Are applying within 48 months of their most recent nonimmigrant visa’s expiration date
This new guidance is indefinite in duration, but the State Department has indicated it will review this waiver guidance annually. This authority expands access to interview waiver eligibility, while also instituting some new restrictions from the 2023 authority. All nonimmigrant categories are considered under this authority. They can be mixed and matched and still be eligible for a waiver of interview, but are no longer eligible if their only prior visa issuance was a B visa. Overall, the population of people who are eligible for the in-person interview waiver will expand.

© 2023 BARNES & THORNBURG LLP

by: Tejas Shah , M. Mercedes Badia-Tavas of Barnes & Thornburg LLP

For more news on Domestic Visa Revalidation, visit the NLR Immigration section.

Clop Claims Zero-Day Attacks Against 130 Organizations

Russia-linked ransomware gang Clop has claimed that it has attacked over 130 organizations since late January, using a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, and was successful in stealing data from those organizations. The vulnerability is CVE-2023-0669, which allows attackers to execute remote code execution.

The manufacturer of GoAnywhere MFT notified customers of the vulnerability on February 1, 2023, and issued a patch for the vulnerability on February 7, 2023.

HC3 issued an alert on February 22, 2023, warning the health care sector about Clop targeting healthcare organizations and recommended:

  • Educate and train staff to reduce the risk of social engineering attacks via email and network access.
  • Assess enterprise risk against all potential vulnerabilities and prioritize implementing the security plan with the necessary budget, staff, and tools.
  • Develop a cybersecurity roadmap that everyone in the healthcare organization understands.

Security professionals are recommending that information technology professionals update machines to the latest GoAnywhere version and “stop exposing port 8000 (the internet location of the GoAnywhere MFT admin panel).”

Article By Linn F. Freedman of Robinson & Cole LLP

For more cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2023 Robinson & Cole LLP. All rights reserved.

To AI or Not to AI: U.S. Copyright Office Clarifies Options

The U.S. Copyright Office has weighed in with formal guidance on the copyrightability of works whose generation included the use of artificial intelligence (AI) tools. The good news for technology-oriented human creative types: using AI doesn’t automatically disqualify your work from copyright protection. The bad news for independent-minded AI’s: you still don’t qualify for copyright protection in the United States.

On March 16, 2023, the Copyright Office issued a statement of policy (“Policy”) to clarify its practices for examining and registering works that contain material generated by the use of AI and how copyright law’s human authorship requirements will be applied when AI was used. This Policy is not itself legally binding or a guarantee of a particular outcome, but many copyright applicants may breathe a sigh of relief that the Copyright Office has formally embraced AI-assisted human creativity.

The Policy is just the latest step in an ongoing debate over the copyrightability of machine-assisted products of human creativity. Nearly 150 years ago, the Supreme Court ruled at photographs are copyrightable. See Burrow-Giles Lithographic Company v. Sarony, 111 U.S. 53 (1884). The case involved a photographer’s claim against a lithographer for 85,000 unauthorized copies of a photograph of Oscar Wilde. The photo, Sarony’s “Oscar Wilde No. 18,” is shown below:

Sarony’s “Oscar Wilde No. 18"

The argument against copyright protection was that a photograph is “a reproduction, on paper, of the exact features of some natural object or of some person” and is therefore not a product of human creativity. Id. at 56. The Supreme Court disagreed, ruling that there was sufficient human creativity involved in making the photo, including posing the subject, evoking the desired expression, arranging the clothing and setting, and managing the lighting.

In the mid-1960’s, the Copyright Office rejected a musical composition, Push Button Bertha, that was created by a computer, reasoning that it lacked the “traditional elements of authorship” as they were not created by a human.

In 2018, the U.S. Court of Appeals for the Ninth Circuit ruled that Naruto, a crested macaque (represented by a group of friendly humans), lacked standing under the Copyright Act to hold a copyright in the “monkey selfie” case. See Naruto v. Slater, 888 F.3d 418 (9th Cir. 2018). The “monkey selfie” is below:

Monkey Selfie

In February 2022, the Copyright Office rejected a registration (filed by interested humans) for a visual image titled “A Recent Entrance to Paradise,” generated by DABUS, the AI whose claimed fractal-based inventions are the subject of patent applications around the world. DABUS’ image is below:

“A Recent Entrance to Paradise”

Litigation over this rejected application remains pending.

And last month, the Copyright Office ruled that a graphic novel consisting of human-authored text and images generated using the AI tool Midjourney could, as a whole, be copyrighted, but that the images, standing alone, could not. See U.S. Copyright Office, Cancellation Decision re: Zarya of the Dawn (VAu001480196) at 2 (Feb. 21, 2023).

The Copyright Office’s issuing the Policy was necessitated by the rapid and remarkable improvements in generative AI tools over even the past several months. In December 2022, generative AI tool Dall-E generated the following images in response to nothing more than the prompt, “portrait of a musician with a hat in the style of Rembrandt”:

Four portraits generated by AI tool Dall-E from the prompt, "portrait of a musician with a hat in the style of Rembrandt."

If these were human-generated paintings, or even photographs, there is no doubt that they would be copyrightable. But given that all four images were generated in mere seconds, with a single, general prompt from a human user, do they meet the Copyright Office’s criteria for copyrightability? The answer, now, is a clear “no” under the Policy.

However, the Policy opens the door to registering AI-assisted human creativity. The toggle points will be:

“…whether the ‘work’ is basically one of human authorship, with the computer [or other device] merely being an assisting instrument, or whether the traditional elements of authorship in the work (literary, artistic, or musical expression or elements of selection, arrangement, etc.) were actually conceived and executed not by man but by a machine.” 

In the case of works containing AI-generated material, the Office will consider whether the AI contributions are the result of “mechanical reproduction” or instead of an author’s “own original mental conception, to which [the author] gave visible form.” 

The answer will depend on the circumstances, particularly how the AI tool operates and how it was used to create the final work. This will necessarily be a case-by-case inquiry.” 

See Policy (citations omitted).

Machine-produced authorship alone will continue not to be registerable in the United States, but human selection and arrangement of AI-produced content could lead to a different result according to the Policy. The Policy provides select examples to help guide registrants, who are encouraged to study them carefully. The Policy, combined with near future determinations by the Copyright Office, will be critical to watch in terms of increasing likelihood a registration application will be granted as the Copyright Office continues to assess the impacts of new technology on the creative process. AI tools should not all be viewed as the “same” or fungible. The type of AI and how it is used will be specifically considered by the Copyright Office.

In the short term, the Policy provides some practical guidance to applicants on how to describe the role of AI in a new copyright application, as well as how to amend a prior application in that regard if needed. While some may view the Policy as “new” ground for the Copyright Office, it is consistent with the Copyright Office’s long-standing efforts to protect the fruits of human creativity even if the backdrop (AI technologies) may be “new.”

As a closing note, it bears observing that copyright law in the United Kingdom does permit limited copyright protection for computer-generated works – and has done so since 1988. Even under the U.K. law, substantial questions remain; the author of a computer-generated work is considered to be “the person by whom the arrangements necessary for the creation of the work are undertaken.” See Copyright, Designs and Patents Act (1988) §§ 9(3), 12(7) and 178. In the case of images generated by a consumer’s interaction with a generative AI tool, would that be the consumer or the generative AI provider?

Article By Nadia G. Aram and Dr. Christian E. Mammen of Womble Bond Dickinson (US) LLP

For more intellectual property legal news, click here to visit the National Law Review.

Copyright © 2023 Womble Bond Dickinson (US) LLP All Rights Reserved.

Lawyer Bot Short-Circuited by Class Action Alleging Unauthorized Practice of Law

Many of us are wondering how long it will take for ChatGPT, the revolutionary chatbot by OpenAI, to take our jobs. The answer: perhaps, not as soon as we fear!

On March 3, 2023, Chicago law firm Edelson P.C. filed a complaint against DoNotPay, self-described as “the world’s first robot lawyer.” Edelson may have short-circuited the automated barrister’s circuits by filing a lawsuit alleging the unauthorized practice of law.

DoNotPay is marketed as an AI program intended to assist users in need of legal services, but who do not wish to hire a lawyer. The organization was founded in 2015 to assist users in disputing parking tickets. Since then, DoNotPay’s services have expanded significantly. The company’s website offers to help users fight corporations, overcome bureaucratic obstacles, locate cash and “sue anyone.”

In spite of those lofty promises, Edelson’s complaint counters by pointing out certain deficiencies, stating, “[u]nfortunately for its customers, DoNotPay is not actually a robot, a lawyer, or a law firm. DoNotPay does not have a law degree, is not barred in any jurisdiction and is not supervised by any lawyer.”

The suit was brought by plaintiff Jonathan Faridian, who claims to have used DoNotPay for legal drafting projects, demand letters, one small claims court filing and drafting an employment discrimination complaint. Faridian’s complaint explains he was under the impression that he was purchasing legal documents from an attorney, only to later discover that the “substandard” outcomes generated did not comport with his expectations.

When asked for comment, DoNotPay’s representative denied Faridian’s allegations, explaining the organization intends to defend itself “vigorously.”

Article By Troy J. Chinnici of Wilson Elser Moskowitz Edelman & Dicker LLP

For more communications, media, and internet legal news, click here to visit the National Law Review.

© 2023 Wilson Elser

Locking Tik Tok? White House Requires Removal of TikTok App from Federal IT

On February 28, the White House issuedmemorandum giving federal employees 30 days to remove the TikTok application from any government devices. This memo is the result of an act passed by Congress that requires the removal of TikTok from any federal information technology. The act responded to concerns that the Chinese government may use data from TikTok for intelligence gathering on Americans.

I’m Not a Federal Employee — Why Does It Matter?

The White House Memo clearly covers all employees of federal agencies. However, it also covers any information technology used by a contractor who is using federal information technology.  As such, if you are a federal contractor using some sort of computer software or technology that is required by the U.S. government, you must remove TikTok in the next 30 days.

The limited exceptions to the removal mandate require federal government approval. The memo mentions national security interests and activities, law enforcement work, and security research as possible exceptions. However, there is a process to apply for an exception – it is not automatic.

Takeaways

Even if you are not a federal employee or a government contractor, this memo would be a good starting place to look back at your company’s social media policies and cell phone use procedures. Do you want TikTok (or any other social media app) on your devices? Many companies have found themselves in PR trouble due to lapses in enforcement of these types of rules. In addition, excessive use of social media in the workplace has been shown to be a drag on productivity.

Article By J. William Manuel and Anne R. Yuengert of Bradley Arant Boult Cummings LLP

For more communications, media, and internet legal news, click here to visit the National Law Review.

© 2023 Bradley Arant Boult Cummings LLP

FTC Launches New Office of Technology

On February 17, 2023, the Federal Trade Commission announced the launch of their new Office of Technology. The Office of Technology will assist the FTC by strengthening and supporting law enforcement investigations and actions, advising and engaging with staff and the Commission on policy and research initiatives, and engaging with the public and relevant experts to identify market trends, emerging technologies and best practices. The Office will have dedicated staff and resources and be headed by Chief Technology Officer Stephanie T. Nguyen.

Article By Hunton Andrews Kurth’s Privacy and Cybersecurity Practice Group

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2023, Hunton Andrews Kurth LLP. All Rights Reserved.