Category Archives: Legal

Legal tips, tricks and thoughts

7 Tips to Avoid the Pitfalls on the Path to Marketing Success

Posted on by
Reply

Marketing in the 21st century encompasses a variety of printed marketing materials, online websites, blogs, case studies, text marketing, digital advertising, social media, and other digital, print and audiovisual materials. Its purpose includes providing information to current and potential customers, investors, and the public about your company, its vision, its goals, and its products/services; demonstrating thought leadership; building goodwill, credibility and trust with your target markets; and driving interest in your company and its offerings. It is a critical channel for generating new customers/clients, new revenue, and new value for investors and shareholders. Companies have a natural propensity to tout themselves and their products in the best possible light in their marketing, accentuating the positive and eliminating the negative. However, there are a number of common mistakes companies make in their marketing that inadvertently land them in hot water.

Think of the execution of your marketing strategies as walking a path on a mountain ridge. To the left are the legal and regulatory pitfalls. These include deceptive, unfair or unlawful advertising practices under federal and state law; native advertising issues; false advertising, trademark, and unfair competition claims by competitors; and the like. To the right are the contractual and customer relationship pitfalls. These include claims for fraudulent inducement to contract or material misrepresentation in your marketing materials, and clients/customers asserting a right to rescind their contract or commence legal proceedings against you, affecting your company’s revenue and reputation.

There are ways to navigate this path safely. Here are 7 key tips to help stay on the path to happy clients/customers and increased revenue.

1) Be transparent, truthful, and clear.

The easiest way for a company to get into trouble over its marketing practices is to be untruthful, unclear and/or misleading. The FTC and state attorneys general rely heavily on federal and state laws prohibiting deceptive and unfair trade practices as their “multi-tool” for cracking down on companies for marketing violations. According to the FTC, an act or practice is considered “deceptive” if it contains a material misrepresentation or an omission of information that is likely to mislead a reasonable customer.

To avoid transparency issues, make sure your marketing collateral and messaging includes all material facts and disclosures that a reasonable person would expect to see. For example, there are disclosures required under federal and state laws around “negative options” such as an auto-renewing subscription offer; there are opt-out and other disclosures needed for certain commercial email messages; if there are dependencies for your call to action (e.g., you must purchase a support package if you purchase a license to your company’s software), disclose them.

To avoid truthfulness issues, verify or qualify any facts or assertions you are using in your marketing. Keep a folder with documentation backing up your marketing facts and assertions. If you don’t have or can’t find the supporting facts, consider adding qualifications to your marketing statement.

To avoid clarity issues, marketing should be well-organized and well-formatted, written in short sentences with simple words and an appropriate level of detail, so that the information you are trying to convey is easily understood. Write from the perspective of the reader – is your marketing message(s) clear to someone who does not know much (if anything) about your company and its products/services?

2) Ensure your marketing meets design and functionality requirements.

One of the biggest mistakes companies make is assuming they know how their target audience will respond to their marketing, or worse, not thinking about it in advance at all. Proactive testing of marketing strategies before launch has parallels to performing user acceptance testing (UAT) in the software world. UAT is the process by which a deliverable is tested by actual or simulated users to validate that the deliverable meets its design and functionality requirements. Just like software UAT, before releasing marketing collateral and messaging it is important to validate that (a) it includes all important details, meets all legal requirements, and contains all legally required disclosures (the “design requirements” equivalent), and (b) it clearly and effectively delivers the marketing message such as a value proposition and/or call to action to its intended audience, and generates the target return on investment (ROI) or return on ad spend (ROAS) (i.e., “functionality requirements” equivalent). Investing time and energy to test your marketing, and incorporating feedback to ensure it meets its design and functionality requirements, will help it deliver the best possible ROI/ROAS.

3) Be careful using images of people or copyrighted works of others.

It’s often easy to grab a picture from Google Images or other online websites for use in marketing and social media. But remember, just because something is available online does not mean it is in the public domain, free to use. Even if you were not the person who originally posted a picture or other copyrighted content online, you could be liable for your use of it. (Even if you have an “innocent infringer” defense, you may still have to prove that in court, costing you and your company time and money.) Consider acquiring images for marketing use from a reputable stock photo company such as Getty Images, and ensure people whose images you capture for marketing use have given you a signed release and right to use the image. In general, you can’t use someone’s name or likeness to state or imply they are endorsing or promoting a product without their permission. Also, remember that images you use should not imply endorsement of your company’s products or services by a person without that person’s consent. Duane Reade, a drugstore chain, learned this lesson the hard way recently when they were sued by Katherine Heigl for $6 million after they used an image of her in a tweet without her permission.

4) Avoid unsubstantiated superlatives and figures.

Companies sometimes fall off the marketing path by using superlatives and figures that they can’t substantiate. One of the bedrocks of FTC policy is the FTC Policy Statement Regarding Advertising Substantiation. Under this policy, objective product/service claims “represent explicitly or by implication that the advertiser has a reasonable basis supporting these claims.” A “reasonable basis” depends on factors including the product which is the subject of the claim, the type of advertising claim, the consequences of a false claim, and the benefits of a truthful claim. Failing to have support for your claims is a deceptive and unfair trade practice under §5 of the FTC Act. Watch out for figures and superlatives such as “the best,” “the quickest,” etc. Make sure you have a reasonable basis for your superlative and data to back up your figures. For superlatives you cannot back up with documented facts (e.g., “a leading” vs. “the leading”), consider whether a comparative would work better (e.g., “easier” vs. “easy”, “more cost-effectively” vs. “cost-effectively,” etc.) As noted earlier, if a specific number is cited, ensure you have documentation for that specific number. If not, qualify it or generalize it (e.g., “approximately X,” “more than Y,” “less than Z,” “A to B”).

5) Avoid quoting quotes.

Just like images, it can be easy to find great quotes, facts and figures through an Internet search. If you are under a deadline or have a limited marketing budget, it might be tempting to find an article which cited the study and then cite to that article. However, beware of “quoting the quoter.” Quotes and cited facts/figures should be substantiated by the source material, not an article quoting the source material. If you quote a quote and not the source material, you run the risk that the author of the quote changed or misquoted the source material in their article. For example, suppose you’re looking for a statistic that at least half of participants in a study believe that the demand for products in your market segment will double in the next two years. You find and quote an online article citing research that 50% of respondents stated exactly that. What you didn’t know is that the number is really 46%, and the author of the article you cited decided to round up to 50%.  This inaccurate quote could cause significant headaches if the inaccuracy proves material to your marketing message or value proposition.

6) Tread carefully when using product endorsers and native advertising.

Native advertising, as defined by the FTC, is “content that bears a similarity to the news, feature articles, product reviews, entertainment and other material that surrounds it online.” For example, a featured article on a website that looks like an objective article, but is in fact an advertisement for a product or service written by or for the product or service provider, is native advertising. Native advertising uses the appearance of authenticity to drive interest in a product or service. This is also its Achilles’ heel. If it is too difficult to distinguish native advertising from surrounding content, it may be considered deceptive; the FTC looks at the “net impression [an] ad conveys to consumers” in determining deceptiveness. If an ad misleads a consumer by stating or implying that it’s not advertising, it’s likely deceptive. Native advertising must be accompanied by clear and prominent disclosures as to the source and/or sponsorship of the advertising to avoid misleading consumers, such as “paid content” or “advertisement” or “sponsored” disclaimers next to native advertising content or links. The FTC’s Native Advertising Guide for Business contains clear guidance on how to avoid running afoul of native advertising traps.

Similar issues have arisen with respect to “product endorsers,” people who endorse a product, brand or company. While paid celebrity endorsements (think Michael Jordan for Nike and Hanes, William Shatner for Priceline) are clearly paid to do so, companies also use employees, and non-employees such as bloggers and online personalities, to promote and drive interest in their products. Companies also run contests and sweepstakes through social media to drive awareness and increase buzz for their products. But content posted by employee brand ambassadors, compensated non-employee endorsers, and participants in a promotion who fail to identify their content as sponsored or paid may be deceptive and misleading in the eyes of the FTC (as Cole Haan discovered when they ran a Pinterest campaign to drive interest in their Wandering Sole product) and state attorneys general. The FTC stated that a “material connection” between a marketer and an endorser must be disclosed “if the relationship is not otherwise apparent from the context of the communication that contains the endorsement.”

7) Avoid statements that are forward-looking or may trigger a Regulation FD disclosure requirement.

Finally, if you work for a public company, SEC laws and regulations impose additional restrictions on what you can and cannot say in your marketing communications. Watch out for “forward-looking statements,” statements of potential or projected future events as expectations or possibilities. Saying “we plan on adding a European office in 2019” or “we expect to double our manufacturing capacity in the next six months” are likely forward-looking statements. Forward looking statements can lead to securities litigation unless accompanied by cautionary language required by the statutory “safe harbor” for forward-looking statements by public companies. Additionally, it’s important to ensure any targeted marketing or social media posts do not inadvertently selectively disclose material, non-public information about your publicly-traded company, which is prohibited by SEC Regulation FD (Fair Disclosure). For example, if an employee posts a picture while on-site at a prospective major new client, and the client’s identity can be determined by a logo in the background the employee did not see, the potential relationship inadvertently disclosed by the social media post may trigger the need for a Regulation FD disclosure.

Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers by expanding product assortment, promoting and selling products on the channels that perform, and enabling rapid, on-time customer delivery. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. Eric works primarily from his home office outside of Minneapolis, Minnesota. He is a technophile and Internet evangelist/enthusiast. In his spare time, Eric dabbles in voice-over work and implementing and integrating connected home technologies.

EU-US Privacy Shield Update – Roadworthy (For Now), But All Roads May Be Dead Ends

Posted on by
2

Last July, the new US-EU Privacy Shield framework became effective. The Privacy Shield replaced the International Safe Harbor Privacy Principles (commonly known as “Safe Harbor”) which had been in place since 2000. Under the EU Data Protection Directive, companies can only transfer data outside of the EU to a country deemed to have an “adequate” level of data protection, and the US (which takes a sectoral approach to data privacy and has no comprehensive national data privacy law) is not one of those countries. Given the importance of EU-US data transfer in the global economy, the Safe Harbor principles were developed as an entity-level, instead of country-level, adequacy mechanism, to allow a US company to achieve a level of adequacy (in the eyes of the EU) which allowed EU-US data transfers with that company to take place. Safe Harbor served as an alternative to two other entity-level adequacy mechanisms: standard contract clauses (SCCs, also known as model contract clauses), which are separately required for each EU company transferring data to a US entity making them difficult to scale, and binding corporate rules (BCRs), which require Board of Directors approval and significant time and resources and have only been implemented by very large multinational companies. (There is also an individual-level adequacy mechanism – direct consent.)

Everything changed in October 2015, when the European Court of Justice (ECJ) released its decision in a case brought against Facebook brought by Austrian citizen Max Schrems. The ECJ held that the Safe Harbor framework did not provide adequate privacy protections to EU individuals, and was therefore invalid. Among other reasons for invalidation, the ECJ found broad US government powers to access data (including data of EU citizens) held by private US companies directly conflicted with the EU’s declaration of data protection as a fundamental human right. Given the importance of the Safe Harbor program in facilitating EU-US data transfers, its invalidation had a far-reaching impact. While the EU agreed to wait a few months before bringing any actions against companies in the Safe Harbor program which did not move to an alternative entity-level adequacy mechanism, US companies faced a difficult choice – switch to an alternative and more difficult/costly approach, such as standard contract clauses, or wait and see whether the EU and US could quickly agree on a Safe Harbor replacement before the EU’s enforcement deadline.

Fortunately, The European Commission and the US government quickly accelerated existing talks on resolving shortcomings of the Safe Harbor principles, leading to the announcement of the Privacy Shield program in February 2016. The European Commission quickly issued a draft adequacy decision for the Privacy Shield program, and despite some misgivings about the program from certain groups the European Union gave its final approval on July 12, 2016. The Privacy Shield program is made up of 7 core principles and 15 supplemental principles. Like Safe Harbor before it, it is a self-certification program, and there are a number of the principles common to both Safe Harbor and Privacy Shield. The Privacy Shield program seeks to address a number of the perceived shortcomings of the Safe Harbor principles, including protection for onward transfer of information by US companies to third parties such as their service providers, multiple ways for individuals to make a compliant about a Privacy Shield-certified company, stronger enforcement mechanisms, and an annual review mechanism. Its intent is to be a replacement entity-level mechanism which addresses the concerns around Safe Harbor cited by the ECJ in the Schrems decision, complies with EU laws, and respects EU citizens’ fundamental rights to privacy and data protection.

Challenges and Headwinds

Since the Privacy Shield program went live in July, over a thousand companies (1,234 as of December 10, 2016, according to the Privacy Shield List) have self-certified under the program. However, the Privacy Shield program, and EU-US data transfers in general, continue to face challenges and headwinds.

  • Legal challenges – déjà vu all over again? After the Privacy Shield program was announced in February 2016, some groups and individuals expressed concerns about the program. When Privacy Shield was approved in July 2016, Max Schrems went on record stating his belief that the Privacy Shield framework was fundamentally flawed and could not survive a legal challenge. As the first legal challenges against Privacy Shield have been filed, we will find out how prescient Mr. Schrems’ comments are. In September, the digital rights advocacy group Digital Rights Ireland filed an action in the EU courts arguing that the EU’s finding of adequacy for the Privacy Shield should be annulled on the basis that the Privacy Shield program’s privacy safeguards are not adequate. In November, a similar challenge was brought by La Quadrature du Net, a French privacy advocacy group. The results of these challenges may result in the Privacy Shield program being very short-lived. Additionally, the ECJ is considering another challenge against Facebook referred to it by the Irish Data Protection Commissioner, this time to standard contract clauses. The proponents in that case are arguing that the same concerns behind the ECJ’s Safe Harbor decision should apply to standard contract clauses. The forthcoming decision in this challenge has the potential to create a precedent that could bring down the Privacy Shield program as well.
  • Other public and private actions may erode Privacy Shield’s validity. On December 1, 2016, a change to Rule 41 of the Federal Rules of Criminal Procedure became effective. The change was intended to give investigators more power to obtain warrants against cyber criminals using botnets or otherwise masking their identity, such as through secure web browsers or virtual private networks. Under the amended rule, law enforcement seeking to use remote access to search media and obtain electronically stored information can obtain a warrant from a magistrate judge located in a district where “activities related to a crime may have occurred” if the actual location of the media or information has been “concealed through technological means.” Since this rule is not limited on its face to servers in the US, without further clarification of the scope of this rule it is possible for it to be used by law enforcement to have a US magistrate judge issue a warrant to search and seize information from servers located in the EU. This global reach would likely be found in direct conflict with the concepts of privacy and data protection as a fundamental human right under the EU’s Charter of Fundamental Rights. Additionally, in early October, reports surfaced that Yahoo! had secretly scanned the email accounts of all of its users at the request of US government officials, which if true would likely be inconsistent with the terms of the Privacy Shield agreement. Opponents of Privacy Shield could use actions such as these as ammunition in their efforts to invalidate the program. In fact, there have already been calls for the European Commission and the EU’s Article 29 Working Party to investigate the Yahoo! scanning allegations, and according to a European Commission spokesperson statement on November 11, 2016, the EC has “contacted the U.S. authorities to ask for a number of clarifications.”
  • Can any EU-US framework be adequate? The legal challenges and public/private actions cited above all lead to one fundamental question that many parties involved in the Privacy Shield program have been hesitant to ask – is there a fundamental, irreconcilable conflict between (1) the United States’ approach to privacy and (2) the EU’s commitment to privacy and data protection as fundamental human rights? If yes, the US’s sectoral approach to data privacy legislation and powers for law enforcement to obtain information from privacy companies and servers may mean that no entity-level mechanism to facilitate EU-US data transfers is “adequate” in the eyes of the EU, meaning that EU-US data transfers are approaching a dead end. While the US government has imposed restrictions on its surveillance activities in the post-Snowden world, it remains very unclear whether anything short of concrete legislation protecting the rights of EU citizens (which would run counter to US counter-terrorism activities), or a modification of the EU’s principles, would be sufficient. I suspect there may be a difference between the view of those in the EU seeking a pragmatic approach (those that believe that the importance of EU-US data transfers, including economic and geopolitical benefits, necessitate some compromise), and those seeking an absolute approach (those that believe that the EU’s belief that data protection is a fundamental human right must trump any other interests). The forthcoming decisions in the challenges to standard contract clauses and the Privacy Shield program will likely help shed light on whether this fundamental conflict is fatal to any entity-level mechanism.
  • Compliance, not certification, with the Privacy Shield principles is what matters. A number of US companies have chosen to tout their Privacy Shield self-certification via blog posting or press release (for examples, see here, here and here). While a press release on Privacy Shield certification can be a useful to demonstrate its global presence and commitment to data privacy, remember that it’s a self-certification process (although some companies are using third-party services such as TrustE to help them achieve compliance). A company’s certification of compliance with the Privacy Shield principles is less important than the processes and procedures they have put in place to manage their compliance. If you need to determine if a company is self-certified under the Privacy Shield program, you can search the database of certified companies at http://www.privacyshield.gov/list, and check their website privacy policy which should contain disclosures affirming and relating to their commitment to the Privacy Shield principles. If you’re a company certified under the Privacy Shield, be prepared to answer questions from EU companies on how you comply with the Privacy Shield principles – you may be asked.

So, what does all this mean? At the moment, Privacy Shield may be a bit rickety, but unless your company can effectively use standard contractual clauses or binding corporate rules, short of direct consent it’s the only game in town for US companies which need to receive data from their EU client, customers and business partners. Even SCCs may be a short-lived solution, meaning many companies may not want to invest the time, effort and expense required to adopt that entity-level approach. Due to the current state of Privacy Shield and EU-US data transfers in general, US companies may want to consider the wisdom of the “Herd on the African Savanna” approach to compliance – the safest place to be in a herd on the African savanna is in the center. It’s almost always the ones on the outside which get picked off, not the ones in the center. Unless there is a compelling business reason to be on the outside of the herd (desire to be viewed as a market leader, willingness to risk doing nothing until clearer direction is available, etc.), the safest place from a compliance perspective is to stick with the pack. While that approach is not for everyone, many companies may feel that being in the center of the herd of US companies dealing with EU-US data transfers is the safest approach while the fate of the Privacy Shield, and EU-US data transfers in general, plays out.

Practical Tips for Managing Risks in Vendor, Supplier, and other Partner/Provider Relationships

Posted on by
Reply

The best place to stop a snowball from rolling the wrong way is the top of the hill.

When it comes to managing risk in business, there are two fundamental principles:

  1. You can’t disarm all of the land mines. A risk is like a land mine – it will detonate sooner or later once the right factors occur. Part of risk management is having enough information to know (or make an educated guess) at which risk “land mines” are more likely to go off than others, so you can stack rank and disarm the land mines in the right order. That way, hopefully you’ll disarm each one in time, and if one does goes off before you can disarm it it will cause minimal damage.
  2. You don’t have to stop every factor from occurring; you have to stop at least one factor from occurring. If a risk “land mine” detonates, a number of things all went wrong at the same time. Think of it as the lock on Pandora’s Box – for the lock to open (the land mine going off), the pins in the cylinder (the environmental factors) must align perfectly with the key (the catalyst). As long as one of the pins are misaligned, the lock won’t open. If you don’t have the resources or ability to ensure all pins are misaligned, try to ensure at least one pin is misaligned so the land mine can’t go off. (If more than one is misaligned, that’s even better.)

To manage a risk, a business must first mitigate and shift the risk to reduce the chance of the land mine detonating to the greatest extent possible, and then accept or rejectthe residual risk to the business. (For more on this, please see my earlier LinkedIn article on Revisiting Risk Management).

When it comes to your relationships with your key vendors, suppliers and other partners/providers, risk management principles should be applied to both existing partners/providers, prospective partners/providers, and “inherited” partners/providers (e.g., through acquisition). There are a number of ways to mitigate and shift risk in these relationships:

Mitigating the Risks

  • Do due diligence on your partners and providers. Perform research to see if the partner/provider has had security or privacy problems in the past. If they are public, look at the risk factors in their securities filings. Look at the partner/provider’s privacy policy to see if they make any claims they likely cannot live up to, or are overly broad in what they can do with your company’s data. Watch out for unrealistic marketing statements regarding privacy, security or their ability to perform the obligations you are contracting for. Use RFPs to gather information on prospective partners/providers up front (and keep it in case you need to refer to it later on if something they told in you in RFP proves not to be true).
  • Don’t automatically disqualify companies that have had past problems. If an RFP reveals that a partner/provider has had a past issue, focus on what steps they have taken to remediate the issue and protect against a recurrence. The result may be that they have a more robust security and risk management program than their peers.
  • Ask them what they do. Consider adding privacy and security questions to your RFP to gather information on current practices and past problems/remediation efforts (and to make them put it in writing). Watch out for answers that are too generic or just point you to their privacy policy.
  • Set online alerts, such as Google Alerts, to stay up-to-date on the news relating to your prospective or current partner/provider during the course of your negotiations and relationship, and escalate any alerts appropriately. If the partner/provider is public, set an alert for any spikes (up or down) in stock price.
  • Plan for the inevitable. Inevitably, your business relationship will end at some point. It could end when you’re ready for and expecting it, but you can’t count on that. If your partner/provider is mission-critical, develop an “expected” and “unexpected” transition plan and confirm that the partner/provider can locate and provide you the data you need to execute on that plan. For example, ensure you have all information and data you may need if the partner/provider ceases operations (for example, routinely download reports and data sets from their portal, or set up an automated feed). Alternatively, consider ways to ensure that if a partner/provider creates and stores mission-critical information (e.g., order or personal information, critical reports or data, etc.), it’s mirrored securely to a location in your control on a regular basis so that if there’s a problem, you have a secure and current data set to work from. This may be required or important under your company’s business continuity plan, and your contractual commitments to your clients.
  • Know your alternatives. Keep abreast of alternative partners/providers, do initial vetting from a security perspective, and maintain relationships with them. If a problem occurs, the company may have to switch partners/providers quickly. If you have taken the time to cultivate a “rainy day” relationship, that partner/provider may be happy to go out of their way to help you onboard quickly should a problem with your existing partner/provider occur (in the hopes that your company may reward their help with a long-term relationship).
  • Know what you have to do to avoid a problem. Once negotiated, contracts often go in the drawer, and the parties just “go about their business.” Make sure you know what your and your partner/provider’s contractual obligations are, and follow them. If they have “outs” under the contract, ensure you know what you need to do in order to ensure they cannot exercise them. If terms of use or an Acceptable Use Policy (AUP) or other partner/provider policies apply, make sure the right groups at your company are familiar with your obligations, and ensure they are being checked regularly in case they are updated or changed. If possible, minimize the number of “outs” during the negotiation. For existing or inherited partners/providers, consider preparing a list of the provisions you want to try to remove from their agreements so you can try to address them when the opportunity arises in the future (e.g., in connection with a renewal negotiation).
  • Put contractual provisions in place. Sales and Procurement should partner with IT and Legal to ensure that the right risk mitigation provisions are included in partner/provider agreements on an as-needed basis. Consider adding a standard privacy and security addendum to your agreements, whether on their paper or yours. Common provisions to consider include a security safeguards requirement; obligation to protect your network credentials in their possession; obligation to provide security awareness training (including anti-phishing) to their employees (consider asking for the right to test their employees with manufactured phishing emails, or getting an obligation that they will do so); requiring partners/providers to maintain industry standard certifications such as ISO 27001 certification, PCI certification, SOC 2 Type 2 obligations, etc.; obligation to encrypt sensitive personal information in their possession; obligations to carry insurance covering certain types of risks (ensure your company is named as an additional insured, and try to obtain a waiver of the right of subrogation); rights to perform penetration testing (or an obligation for them to do so); a obligation to comply with all applicable laws, rules and regulations); an obligation to complete an information security questionnaire and participate in an audit; language addressing what happens in the event of a security breach; and termination rights in the event the partner is not living up to their obligations. Not all of these provisions make sense for every partner/provider. Another approach to consider is to add appropriate provisions to a supplier/vendor code of conduct incorporated by reference into your partner/provider agreements (ensure conflicts are resolved in favor of the code of conduct).

Shifting the Risks

  • Use contractual indemnities. An indemnity is a contractual risk-shifting term through which one party agrees to bear the costs and expenses arising from, resulting from or related to certain claims or losses suffered by another party. Consider whether to include in your partner/provider agreement an indemnity obligation for breaches of representations/warranties/covenants, breach of material obligations, breach of confidentiality/security, etc. Consider whether to ask for a first party indemnity (essentially insurance, much harder to get) vs. a third party indemnity (insulation from third party lawsuits). Remember that an indemnity is only as good as the company standing behind it. Also, pay close attention to the limitation of liability and disclaimer of warranties/damages clauses in the agreement to ensure they are broad enough for your company.
  • Request a Parental Guaranty. If the contracting party isn’t fully capitalized, or is the subsidiary of a larger “deep pocketed” organization, consider requesting a performance and payment/indemnification guaranty to ensure you can pursue the parent if the subsidiary you are contracting with fails to comply with its contractual obligations.
  • Acquire insurance. Finally, consider whether your existing or other available insurance coverage would protect you against certain risks arising from your partner/provider relationships. Review the biggest risks faced by your company (including risks impacting your partner/provider agreements) on a regular basis to determine if changes to your insurance coverage profile are warranted; your coverage should evolve as your business evolves. Understand what exclusions apply to your insurance, and consider asking your broker walk you through your coverage on an annual basis.

The Augmented World — Legal and Privacy Perspectives on Augmented Reality (AR)

Posted on by
Reply

You’ve likely heard that Augmented Reality (AR) is the next technology that will transform our lives. You may not realize that AR has been here for years. You’ve seen it on NFL broadcasts when the first down line and down/yardage appear on the screen under players’ feet. You’ve seen it in the Haunted Mansion ride in Disneyland when ghosts seem to appear in the mirror riding with you in your cart. You’ve seen it in cars and fighter jets when speed and other data is superimposed onto the windshield through a heads-up display. You’re seeing it in the explosion of Pokémon Go around the world. AR will affect all sectors, much as the World Wide Web did in the mid-1990s. Any new technology such as AR brings with it questions on how it fits under the umbrella of existing legal and privacy laws, where it pushes the boundaries and requires adjustments to the size and shape of the legal and regulatory umbrella, and when a new technology leads to a fundamental shift in certain areas of law. This article will define augmented reality and the augmented world, and analyze its impact on the legal and privacy landscape.

What is “augmented reality” and the “augmented world?”

One of the hallmarks of an emerging technology is that it is not easily defined. Similar to the “Internet of Things,” AR means different things to different people, can exist as a group of related technologies instead of a single technology, and is still developing. However, there are certain common elements among existing AR technologies from which a basic definition can be distilled.

I would define “augmented reality” as “a process, technology, or device that presents a user with real-world information, commonly but not limited to audiovisual imagery, augmented with additional contextual data elements layered on top of the real-world information, by (1) collecting real-world audiovisual imagery, properties, and other data; (2) processing the real-world data via remote servers to identify elements, such as real-world objects, to augment with supplemental contextual data; and (3) presenting in real time supplemental contextual data overlaid on the real-world data.” The real world as augmented through various AR systems and platforms can be referred to as the “augmented world.” AR and the augmented world differs from “virtual reality” (VR) systems and platforms, such as the Oculus Rift and Google Cardboard, in that VR replaces the user’s view of the real world with a wholly digitally-created virtual world, where AR augments the user’s view of the real world with additional digital data.

“Passive” AR (what I call “first-generation AR”) is a fixed system — you receive augmented information but do not do so interactively, such as going through the Haunted Mansion ride or watching your television set. The next generation of AR is “active,” meaning that AR will be delivered in a changing environment, and the augmented world will be viewed, through a device you carry or wear. Google Glass and the forthcoming Microsoft HoloLens are examples of “active AR” systems with dedicated hardware; when worn, the world is augmented with digital data superimposed on the real-time view of the world. However, AR has found ways to use existing hardware — your smartphone. HP’s Aurasma platform is an early example of an active AR system that uses your smartphone’s camera and screen to create digital content superimposed on the real world. What AR has needed to go fully mainstream was a killer app that found a way for AR to appeal to the masses, and it now has one — Pokémon Go. Within days of its launch in early July, TechCrunch reported that Pokémon Go had an average daily user base of over 20 million users. Some declared it the biggest “stealth health” app of all time as it was getting users out and walking.

Active AR has the capacity to change how people interact with the world, and with each other. It is an immersive and engaging user experience. It has the capacity to change the worlds of shopping, education and training, law enforcement, maintenance, healthcare, and gaming, and others. Consider an AR system that shows reviews, product data, and comparative prices while looking at a shelf display; identifies an object or person approaching you and makes it glow, flash, or otherwise stand out to give you more time to avoid a collision; gives you information on an artist, or the ability to hear or see commentary, while looking at a painting or sculpture; identifies to a police officer in real time whether a weapon brandished by a suspect is real or fake; or shows you in real time how to repair a household item (or how to administer emergency aid) through images placed on that item or on a stricken individual. For some, the augmented world will be life-altering, such as a headset as assistive technology which reads road signs aloud to a blind person or announces that a vehicle is coming (and how far away it is) when the user looks in the vehicle’s direction. For others, the ability to collect, process and augment real-world data in real time could be viewed as a further invasion of privacy, or worse, technology that could be used for illegal or immoral purposes.

As with any new technology, there will be challenges from a legal and digital perspective. A well-known example of this is the Internet when the World Wide Web became mainstream in the mid-1990s. In some cases, existing laws were interpreted to apply to the online world, such as the application of libel and slander to online statements, the application of intellectual property laws to file sharing over peer-to-peer networks, and the application of contract law to online terms of use. In others, new laws such as the Digital Millennium Copyright Act were enacted to address shortcomings of the existing legal and regulatory landscape with respect to the online world. In some instances, the new technology led to a fundamental shift in a particular area of law, such as how privacy works in an online world and how to address online identity theft and breaches of personal information. AR’s collection of data, and presentation of augmented data in real time, creates similar challenges that will need to be addressed. Here are some of the legal and privacy challenges raised by AR.

  • Rethinking a “reasonable expectation of privacy.” A core privacy principle under US law is that persons have a reasonable expectation of privacy, i.e., a person can be held liable for unreasonably intruding on another’s interest in keeping his/her personal affairs private. However, what is a “reasonable expectation of privacy” in a GoPro world? CCTV/surveillance cameras, wearable cameras, and smart devices already collect more information about people than ever before. AR technology will continue this trend. As more and more information is collected, what keeping “personal affairs private” looks like will continue to evolve. If you know someone is wearing an AR device, and still do or say something you intend to keep private, do you still have a reasonable expectation of privacy?

What is a “reasonable expectation of privacy” in a GoPro world?

 

  • Existing Privacy Principles. Principles of notice, choice, and “privacy by design” apply to AR systems. Providers of AR systems must apply the same privacy principles to AR as they do to the collection of information through any other method. Users should be given notice of what information will be collected through the AR system, how long it will be kept, and how it will be used. Providers should collect only information needed for the business purpose, store and dispose of it securely, and keep it only as long as needed.

AR systems add an additional level of complexity — they are collecting information not just about the user, but also third parties. Unlike a cellphone camera, where the act of collecting information from third parties is initiated by the user, an AR system may collect information about third parties as part of its fundamental design. Privacy options for third parties should be an important consideration in, and element of, any AR system. For example, an AR system provider could ensure users have the ability to toggle the blocking of third party personal data from being collected or augmented, so personal information is only augmented when the user wants it to be. AR system providers may also consider an indicator on the outside of the device, such as an LED, to let third parties know that the AR system is actively collecting information.

Additionally, AR may create interesting issues from a free speech and recording of communications perspective. Some, but not all, court rulings have held that the freedom of speech guaranteed by the First Amendment extends to making recordings of matters of public interest. An AR system that is always collecting data will push the boundaries of this doctrine. Even if something is not in the public interest, many states require the consent of both parties to record a conversation between them. An AR system which persistently collects data, including conversations, may run afoul of these laws.

  • Children’s Privacy. It is worth a special note that AR creates an especially difficult challenge for children’s privacy, especially children under 13. The Children’s Online Privacy Protection Act (“COPPA”) requires operators of online services, including mobile apps, to obtain verifiable parental consent before collecting any personal information from children under 13. “Personal information” includes photos, videos, and audio of a child’s image or voice. As AR systems collect and process data in real time, the passive collection of a child’s image or voice (versus collection of children’s personal information provided to a company through an interface such as a web browser) is problematic under COPPA. AR operators will need to determine how to ensure they are not collecting personal information from children under 13. I expect the FTC will amend the COPPA FAQ to clarify their position on the intersection of AR and children’s privacy.
  • Intellectual Property.  Aside from the inevitable patent wars that will occur over the early inventors of AR technologies, and patent holders who believe their patent claims cover certain aspects of AR technologies, AR will create some potentially interesting issues under intellectual property law. For example, an AR system that records (and stores) everything it sees will invariably capture some things that are protected by copyright or other IP laws. Will “fair use” be expanded in the augmented world, e.g., where an album cover is displayed to a user when a song from that is heard? Further, adding content to a copyrighted work in the augmented world may constitute a prohibited derivative work. From a trademark perspective, augmenting a common-law or registered trademark with additional data, or using a competitor’s name or logo to trigger an ad about your product overlaid on the competitor’s name or logo, could create issues under existing trademark law.
  • Discrimination.  AR systems make it easy to supplement real-world information by providing additional detail on a person, place or thing in real time. This supplemental data could intentionally or inadvertently be used to make real-time discriminatory decisions, e.g., using facial or name recognition to provide supplemental data about a person’s arrest history, status in a protected class, or other restricted information which is used in a hiring or rental decision. An AR system that may be used in a situation where data must be excluded from the decision-making process must include the ability to automatically exclude groups of data from the user’s augmented world.

The world of online digital marketing and advertising will expand to include digital marketing and advertising in the augmented world. Imagine a world where anything — and I mean anything — can be turned into a billboard or advertisement in real time. Contextual ads in the augmented world can be superimposed anytime a user sees a keyword. For example, if you see a house, imagine if an ad for a brand of paint appears because the paint manufacturer has bought contextual augmented ads to appear in an AR system whenever the user sees a house through the augmented world.

Existing laws will need to be applied to digital marketing and advertising in the augmented world. For example, when a marketing disclaimer appears in the online world, the user’s attention is on the ad. Will the disclaimer have the same effect in an augmented environment, or will it need to be presented in a way that calls attention to it? Could this have the unintended consequence of shifting the user’s attention away from something they are doing, such as walking, thereby increasing the risk of harm? There are also some interesting theoretical advertising applications of AR in a negative context. For example, “negative advertising” could be used to blur product or brand names and/or to make others more prominent in the augmented world.

  • The Right of Publicity.  The right of publicity — a person’s right to control the commercial use of his or her name, image, and likeness — is also likely to be challenged by digital marketing in the augmented world. Instead of actively using a person’s likeness to promote a product or service, a product or service could appear as augmented data next to a person’s name or likeness, improperly (and perhaps inadvertently) implying an endorsement or association. State laws governing the right of publicity will be reinterpreted when applied to the augmented world.
  • Negligence and Torts. AR has the capacity to both further exacerbate the problem of “distracted everything,” paying more attention to your AR device than your surroundings, as some users of Pokémon Go have discovered. Since AR augments the real world in real time, the additional information may cause a user to be distracted, or if the augmented data is erroneous could cause a user to cause harm to him/herself or to others. Many have heard the stories of a person dutifully following their GPS navigation system into a lake. Imagine an AR system identifying a mushroom as safe to eat when in fact it is highly poisonous. Just as distracted driving and distracted texting can be used as evidence of negligence, a distracted AR user can find him/herself facing a negligence claim for causing third party harm. Similarly, many tort claims that can arise through actions in the real world or online world, such as liable and slander, can occur in the augmented world. Additionally, if an AR system augments the real world in a way that makes someone think they are in danger, inflicts emotional distress, or causes something to become dangerous, the AR user, or system provider, could be legally responsible.
  • Contract liability. We will undoubtedly see providers of AR systems and platforms sued for damages suffered by their users. AR providers have and will shift liability to the user through contract terms. For example, Niantic, the company behind Pokémon Go, states in their Terms of Use that you must “be aware of your surroundings and play safely. You agree that your use of the App and play of the game is at your own risk, and it is your responsibility to maintain such health, liability, hazard, personal injury, medical, life, and other insurance policies as you deem reasonably necessary for any injuries that you may incur while using the Services.” AR providers’ success at shifting liability will likely fall primarily to tried-and-tested principles such as whether an enforceable contract exists.

None of the above challenges are likely to prove insurmountable and are not expected to slow the significant growth of AR. What will be interesting to watch is how lawmakers choose to respond to AR, and how early hiccups are seized on by politicians and reported in the press. Consider automobile autopilot technology. The recent crash of a Tesla in Autopilot mode is providing bad press for Tesla, and fodder for those who believe the technology is dangerous and must be curtailed. Every new technology brings both benefits and potential risks. If the benefits outweigh the risks on the whole, the public interest is not served when the legal, regulatory and privacy pendulum swings too far in response. Creating a legal, regulatory and privacy landscape that fosters the growth of AR, while appropriately addressing the risks AR creates and exacerbates, is critical.

Are IP and MAC Addresses Personal Information?

Posted on by
Reply

To many, “personally identifiable information” (also “PII” or “personal information”) means information that can be used to identify an individual, such as a person’s name, address, email address, social security number/drivers’ license number, etc. However, in the US, there is no uniform definition of personal information. This is because the US takes a “sectoral” approach to data privacy. In the US, data privacy is governed by laws, rules and regulations specific to market sectors such as banking, healthcare, payment processing, and the like, as well as state laws such as breach notification statutes). Companies, such as Google, often include their own definition of personal information in their privacy policy. Even though there is no uniform definition, however, it’s clear that that more and more information is falling under the PII/personal information umbrella.

One category of data with potentially significant implications to US businesses if classified as PII are Internet Protocol (IP) and Media Access Control (MAC) addresses.

  • An IP address is a unique numerical or hexadecimal identifier used by computing devices such as computers, smartphones and tablets to identify themselves on a local network or the Internet, and to communicate with other devices. IP addresses can be dynamic (a temporary IP address is assigned each time a device connects to a network), or static (a permanent IP address is assigned to a network device which does not change if it disconnects and reconnects). There are two types of IP addresses – the original IPv4 (e.g., “210.43.92.4”), and the newer IPv6 (e.g., “2001:0db8:85a3:0000:0000:8a2e:0370:7334”).
  • MAC address is a unique identifier used to identify a networkable device, such as a computer/phone/tablet/smartwatch, as well as other connected devices such as smart home technologies, printers, TVs, game consoles, etc. A MAC address is a 12-character hexadecimal (base 16) identifier, e.g., “30:0C:AA:2D:FB:22”. The first half of the address identifies the device manufacturer, and the second half is a unique identifier for a specific device. If a device needs to talk to other devices, it likely has a MAC address.
  • Why do devices need both? There are incredibly technical reasons for this, but at a very high level, MAC addresses are used to identify devices on a local wired or wireless network (e.g., your home network) to transmit data packets between devices on that local network, and IP addresses are used to identify devices on the worldwide Internet to transmit data packets between devices connected directly to the Internet. Your router has an IP address assigned by your ISP, as well as a MAC address which identifies it to other devices on the local network. Your router assigns a local IP address (e.g., 192.168.1.2-192.168.1.50) to connected devices by MAC address. Network traffic comes to your router via IP address, and the router determines what MAC device on the network to which to route the traffic.
  • Think of a letter mailed to your attention at your corporate office address of 1234 Anyplace Street, Suite 1500, Anytown, US 12345. The mailing address will tell the mail carrier what address to deliver it to, but the carrier won’t deliver it right to you personally. Suppose you are in Cube 324. Your mail room will look up your cube number, and deliver the letter to you. The letter is like an online data packet, the mailing address is like an IP address, the cube number is like a MAC address, and the mail room is like a router — the router takes the inbound packet delivered by IP address and uses the local device’s MAC address to route the packet to the right device on the network.

Canada’s approach. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) defines “personal information” as “information about an identifiable individual.” The Office of the Privacy Commissioner of Canada (OPCC) has released an interpretation making clear that this definition must be given a “broad and expansive interpretation,” and that it includes information that “relates to or concerns” a data subject. With respect to IP addresses, according to the OPCC an Internet Protocol (IP) address is personal information if it can be associated with an identifiable individual. (Note that in Canada, business contact information is not considered personal information, which implies that an IP or MAC address of a work computing device associated with an employee’s work contact information is not personal information.)

The European approach. In Europe, the current Data Protection Directive and the proposed Data Protection Regulation both define personal data as “any information relating to an identified or identifiable natural person.” Individual EU member states differ on whether an IP address should be considered personal data. The European Court of Justice (ECJ) has held that IP addresses are protected personal information “because they allow … users to be precisely identified,” and is considering whether to adopt an even stronger position that dynamic IP addresses collected by a website operator are personal information even if though the Internet service provider, and not the website operator, has the data needed to identify the data subject. The same rules should apply to MAC addresses. The new Data Protection Regulation, which will override member state implementations of the Directive, states in its findings that “[n]atural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

In the US, the sectoral and state-by-state approach to data privacy does not paint a clear picture as to whether an IP address or MAC address should be considered personal information.

  • Specific laws. The one US statute that clearly states that IP and MAC addresses are personal information is the Children’s Online Privacy Protection Act (COPPA). In 2013, the FTC revised the COPPA Rule, which defines “personal information” as “individually identifiable information about an individual collected online,” as specifically including IP addresses, MAC addresses, and other unique device identifiers. The Health Insurance Portability and Accessibility Act (HIPAA) includes device identifiers (such as MAC addresses) and IP addresses as “identifiers” that must be removed in order to de-identify protected health information. State security breach notification laws define personal information, but those laws do not include IP address, MAC address, or other device identifier as PII.
  • The FTC’s view. In April, Jessica Rich, the Director of the FTC’s Bureau of Consumer Protection, wrote on the FTC’s business blog about cross-device tracking. In her remarks, she restated the FTC’s long-held position that data is personally identifiable, “and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.” She then specifically cited the FTC’s 2013 amendments to the COPPA Rule as an example of this in practice. Director Rich’s comments signal that the FTC views IP and MAC addresses, and other unique device identifiers, in a similar manner as the Office of the Privacy Commissioner of Canada — if it can be associated with an identifiable individual, it should be considered personal information.
  • Google’s View. It is also worth looking at Google’s definition from its privacy policy, given Google’s prominence as a collector and user of consumer personal information. Google defines personal information to include both information that personally identifies a person, as well “other data which can be reasonably linked to such information by Google, such as information we associate with your Google account.” This is essentially the FTC’s view, with a reasonableness standard.

Given all this, what should US businesses do?

  • Consider using a term to define IP addresses, MAC addresses, and other user device identifiers which identify a thing, not a person, but can be linked to an individual depending on what information is collected or obtained about that individual. I call this information linkable information.
    If linkable information is, or reasonably can be, associated or linked with an identifiable individual in your records, it becomes personal information.
  • Think of your driver’s license and your license plate as things. Your drivers’ license has your name, photo, and other information, so it identifies you. Therefore, a copy of your license would be personal information. On the other hand, your license plate by itself identifies a thing (your vehicle), and therefore by itself is linkable information, but not personal information. However, if your license plate is contained in a list of names and associated license plates maintained by a company, the license plate is associated with you, and therefore the company should handle it as personal information. Similarly, your phone number identifies a thing (your phone, not you, as you can let anyone use your phone) and therefore is linkable information; if your number is linked with an identifiable individual (e.g., the number is associated with a recording an individual’s voice on a phone call), the phone number becomes personal information.
  • An IP address in a server log, by itself, is linkable information not linked or associated with an individual, and therefore not personal information. However, an IP address as part of an electronic signature record, where the IP address is collected and stored with a person’s name, time/date stamp of acceptance, and IP address are collected, would be personal information.
  • If your company’s privacy policy defines personal information to include device identifiers such as IP addresses and MAC addresses, or defines when device identifiers would be considered personal information, ensure you are doing what your privacy policy says you will do. Failing to comply with a stated privacy policy can give rise to an FTC investigation and/or complaint under §5 of the FTC Act, as well as state AG investigations/actions and private litigation.
  • If you collect information from European consumers, given the extra-territorial reach of the upcoming Regulation US companies should carefully watch how IP and MAC addresses fall into the EU’s definition of personal data, and determine whether it needs to comply with Europe’s approach.
  • If you collect IP address information from a child under 13 through a website or app governed by COPPA, by law it’s personal information.
  • Talk to your IT group about whether you collect any device information, such as IP or MAC addresses, that could be linkable information, and analyze whether that data is linked or associated with personal information in your systems.

Are Your Website and App Legal Disclosures Saying Enough (Or Too Much)?

Posted on by
Reply

Almost every business has an online presence of some form. Many have a website which serves as anything from an online company brochure to a fully-featured online store or customer/vendor/user portal. Some have apps available through Google Play Store, the Apple App Store, or other app stores. A number of companies spend significant sums on their websites and apps to design robust features and content delivered through a compelling user experience. But if there’s one place website and app operators miss the mark, it’s ensuring the right legal disclosures are in place, and that the ones that are in place are saying the right things.

When most people think of a website or app disclosure, they think of a privacy policy and terms of use. These are definitely important. However, There are a number of other disclosures required or recommended under federal and state law that companies should consider to manage risk and avoid potentially distracting and costly litigation.  At the same time, saying too much in disclosures such as your privacy policy can expose your company to unnecessary risk.

There are four core rules that should apply to all website disclosures:

  1. Write them in plain English.
  2. Avoid using undefined technical jargon and using marketing bluster.
  3. Make them easy to understand and use.
  4. Make them 100% accurate and truthful.

Consider having your company’s User Experience group review your disclosures and policies to ensure they are as easy to read and navigate as possible. Consider using design elements such as progressive reduction and progressive disclosure (you can see my earlier blog post on this topic by clicking here.) The goal is to ensure consumers easily understand your disclosures. If you ever have an issue with a term or provision in your disclosures, being able to argue that the content and design were optimized for easy reading and navigation can pay dividends.

Here are some website and app disclosures to consider:

  • The Privacy Policy. States such as California have laws requiring companies to have online privacy policy. Since almost every website is accessed by users in California, it’s safe to say you are legally required by state law to have a privacy policy. Companies in certain industries or sectors such as in the healthcare sector (HIPAA) and financial sector (Gramm-Leach-Bliley) have specific requirements for their privacy policies. A privacy policy is also required by law in some states on an information category basis, such as Connecticut’s requirement that anyone collecting Social Security Numbers have a publicly displayed privacy policy with certain required disclosures. Certain laws also mandate that you cover certain topics in your privacy policy (e.g., California’s requirement to disclose how you handle “do-not-track” headers, and California’s requirement to provide information on how minors who are your registered website users can request that you remove their personal information). Don’t forget that your privacy policy needs to apply to, and be displayed on, your company’s apps as well.

    A company’s privacy policy obligations can be summarized simply: say what you do, and do what you say. “Say what you do” means ensure your privacy policy fully describes how you collect, use, and share information (both personally identifiable information, such as your name and address, and non-personally identifiable information such as behavioral data) collected from or about your customers. “Do what you say” means ensuring your day-to-day business activities with respect to information collected from consumers falls within the boundaries of what you say you do in your privacy policy. Two important rules to follow are, (1) if you want to change how you collect, use or share information from consumers, make sure your privacy policy allows it first, and give prior notice to website users that your privacy policy is changing; and (2) if you want to change how you use information you’ve already collected from consumers, you’ll need permission from the consumers first. Always include an effective date on your privacy policy (again, a state law requirement).

    Look for a more detailed post on privacy policies coming soon.

  • Terms of Use/Terms of Service. Your terms of use (sometimes also referred to as “terms of service”) should describe the rights and obligations applicable to both your company’s website/app/online service users and to your company itself with respect to the operation and/or use of an online website, app, and/or online service. It should cover topics such as ownership of the website and company-provided content on it (including your copyrights, trademarks and licensed trademarks), and associated restrictions (e.g., no screen scraping website content); disclaimers of third party content, such as third party ad networks on your site, and language to prevent use of your company’s trademarks other content to create the appearance of sponsorship by or affiliation with a third party; whether or not you collect information from children under 13 (if you do, ensure you are complying with the Children’s Online Privacy Protection Act or “COPPA”); an obligation to report lost or stolen passwords and change passwords regularly; what you can do with user-generated content uploaded or shared to the website (e.g., a broad right and license to use it), and related terms (e.g., it’s provided royalty-free and with no license costs, that it doesn’t infringe anyone else’s rights, etc.); a feedback provision if users may provide feedback or comments; links to third party content; and important legal terms such as jurisdiction, choice of law, indemnification, and the like. Many website operators include an acceptable use policy as part of their Terms of Use/Terms of Service; some have a separate policy on their website.
  • DMCA Notice. If your website collects, displays, or otherwise uses or shares user-generated content, consider a copyright notice (also called a “DMCA notice”). The Digital Millennium Copyright Act creates a “safe harbor” from copyright infringement for websites operators who honor takedown requests and display on their website information for their designated “copyright agent” to which takedown requests can be sent. There’s more to the statute than that, so if you need a DMCA notice please review one of the multitude of articles out then on crafting a proper DMCA notice. Don’t forget that you need to register your designated copyright agent with the US Copyright Office by filing a “Designation of Copyright Agent” form.
  • California “Shine the Light” Notice. In 2005, California enacted the “Shine the Light” law as part of its Consumer Records Act. The law requires businesses to provide disclosures to California consumers of the types of customer information they share with third parties for the third party’s direct marketing purposes during the immediately preceding calendar year. If your business shares collected personal information with third parties for the third party’s direct marketing purposes and does business in California, with a few exceptions this law applies to you. Businesses are required to let customers know how to submit requests for this information. While there are a few options, the simplest for most businesses is to include a link on the company’s homepage to “Your California Privacy Rights” or “Your Privacy Rights” to a page describing customer’s rights under the “Shine the Light” law and the email/physical address to which requests should be sent. There has been an uptick in class action litigation recently against companies which do not have a “Shine the Light” disclosure on their website.
  • Terms of Sale. If you sell products through your website, consider using a Terms of Sale to govern the sales transaction. Terms of Sale typically include provisions such as placing an order; when it is accepted by the company; delivery and fulfillment terms; the return/cancellation policy; information on prices (e.g., subject to change without notice, not required to honor incorrect pricing); license rights to software; etc.
  • Warranties. One policy you may want to consider adding to your website are product warranties. Last year Congress passed, and President Obama signed, the E-Warranty Act of 2015. This law amended the 1975 Magnuson-Moss Warranty Act to allow companies to put their warranties online instead of including them on or in product packaging. The product documentation or packaging would need to include a link to the online warranty, instead of the warranty terms themselves. Companies that sell products that come with warranties should consider reviewing and taking advantage of the E-Warranty Act.
  • Supply Chains Notice. In 2010, California enacted the Transparency in Supply Chains Act. The law requires large retailers doing business in California (over $100 million in annual revenue identifying itself as a retail seller or manufacturer on their CA tax return) to post disclosures on their websites on their “efforts to eradicate slavery and human trafficking from their [direct] supply chain for tangible goods offered for sale” in five specific areas: verification, audits, certification, internal accountability, and training. It requires the disclosures be accessible through the company’s homepage via a “conspicuous and easily understood” link.
  • Be careful your disclosures aren’t saying too much. While having the right disclosures for your websites and apps is important, avoid saying too much. Remember, when it comes to disclosures, what you say can hurt you. Website disclosures are not the place for marketing puffery. If you make a statement such as “100% guaranteed,” “we encrypt all data,” or “we use best-in-the-industry [whatever],” and it turns out to be false or inaccurate, you can expect state AGs and the FTC (and class action counsel) may come knocking. Generally, one of the roles of the Federal Trade Commission is to ensure that companies are not engaging in unfair or deceptive trade practices. This extends to ensuring that companies are making accurate and truthful disclosures on their websites. Some states, such as Pennsylvania, have expressly included false and misleading privacy policy statements as a deceptive or fraudulent business practice.
  • At the extreme end of this, consider what has been happening in New Jersey. Class action counsel have been using an extremely broad interpretation of NJ’s largely-ignored-until-recently Truth in Consumer Contract, Warranty and Notice Act to go after companies operating business-to-consumer (B2C) websites. The law prohibits sellers from providing notices, terms, or contracts with provisions that violate “any clearly established legal right of a consumer or responsibility of a seller” under federal or state law (whether or not the consumer is happy with the purchase). Class action counsel are bringing suit under this statute stating that just displaying a website notice with a general limitation of liability, broad disclaimers of warranty, statements that certain terms such as warranty disclaimers may not apply to particular consumers without specifying whether NJ consumers are affected, or other limitations on a consumer’s rights is a violation of the statute. Most of these cases are settling before trial, but like other nuisance lawsuits they can end up costing your business considerable time and lost productivity if you end up facing one.

Most companies place their website disclosures at the bottom of the page in a footer. Do not bury them or make them hard to find.  Your policies should be accessible through no more than 2-3 clicks via a logical navigation path. While putting your disclosures in the footer makes sense and is very common, consumers may argue that they simply never saw the disclosures because they never scrolled down to the bottom. Consider also making website disclosures “contextual,” i.e., place policy and disclosure links in close proximity to the related usage. For example, on pages where you are actively collecting information, consider putting a link to the privacy policy right next to the “submit” button, or before a consumer places an order on your e-commerce website, add language verifying they have read and agree to your terms of sale and privacy policy. Consider providing a welcome message, with notice of your privacy policy and terms of use, to consumers visiting your website as a disappearing pop-up, e.g., one that appears for 3-4 seconds at the top of the webpage then fades out, similar to “cookie disclosures” on many EU-based websites.

Finally, consider working with IT to create simple shortcuts for your most common policies (e.g., “privacy.company.com” or “www.company.com/privacy” for your privacy policy) so you have a short and simple URL you can use where you need to direct consumers to your online disclosures.

Imitation is the Sincerest Form of Copyright Infringement

Posted on by
Reply

The Internet is a vast repository of knowledge and information. Fortunately, there are a number of search engines, websites and tools (including Google, Bing, Yahoo, Ask.com, Wikipedia, and GitHub) to help navigate the waters. When you are looking for something personally or professionally — a picture, audio clip, or video clip for a presentation, a font for a poster, a great article on a topic you want to share with your friends, samples of others’ software code to get past a development issue, song lyrics, etc. — in many cases what you are looking for is just a few clicks and/or searches away. But once you’ve found it online, can you use it? To answer that question, let’s start by debunking a couple of myths.

Myth #1 – If it’s on the Internet, it’s free for anyone to use. Many people think “public domain” and “free to use” is synonymous with “on the Internet.” It’s not. The Internet is an incredible tool for communicating and sharing information. However, the Internet does not negate or trump intellectual property ownership rights. Just because someone posted content online does not automatically mean it’s actually free for anyone to copy and use it for any purpose. In almost all cases, posting something online does not automatically cancel any intellectual property rights held by the owner of the content, including copyright and rights of publicity. The Recording Industry Association of America’s war on consumer music file sharing through peer-to-peer file sharing networks (remember the original Napster?) is a great reminder that people who copy and reuse the copyrighted works of others may be held liable for doing so.

Myth #2 – If I don’t see a copyright notice, it’s not protected by copyright. Under the Berne Convention, an international agreement governing copyright, copyright protections apply once something is created physically or digitally and saved (“fixed in a tangible medium of expression” is the formal term), even if there’s no copyright notice on the protected work. (Registering a copyright with the US Copyright Office and including a copyright attribution, e.g., “© 2016 Eric Lambert,” gives you additional rights such as the potential for significant statutory damages.) Copyright protections include the exclusive right to control copying, public performance, or many other use the work by third parties. If someone re-posts copyrighted content without any ownership notice or attribution, it is still protected by copyright and that poster would likely be liable for copyright infringement. However, if you use that content, even without knowledge that it was copyrighted, you could find yourself receiving a cease-and-desist letter or lawsuit for using it too, and your claim that you didn’t know your use was infringing may not save you from liability.

Now that we’ve debunked the myths, let’s talk about how and when you can use online content. Online content can be grouped into 3 categories:

  1. Copyrighted or Otherwise Protected Content. The first category is content that is clearly covered by copyright or other intellectual property protections like rights of publicity. This category includes things like content with a copyright notice on it; content used under a license (“used with permission”); content on a site with terms of use or another disclaimer restricting the ability to copy or reuse content without permission; pictures of celebrities; famous cartoon characters; and so on. If you want to use copyrighted or otherwise protected content, you need the permission of the copyright owner, i.e., a license to use it. 
  3. “Fair Use” exception.  There is one important exception — the “fair use” exception — that provides a limited right to use copyrighted content for purposes such as commentary, criticism, scholarly research, news reporting, public classroom education, parody, or other “transformative” purposes (new meaning, added value, or a different manner of expression) without the copyright owner’s permission. The exception recognizes that in some cases, the benefit to society to allow use of a work outweighs the copyright holder’s rights to control use of the work. If it’s fair use, it’s not copyright infringement. However, there’s no definitive rule as to what is and is not fair use. Instead, courts look at four factors to determine fair use – (1) the purpose and character of the use (i.e., is it transformative, is it commercial or non-commercial, etc.), (2) the nature of the copyrighted work, (3) the amount and substantiality of the copyrighted work that is used (i.e., is it more than a “de minimis” portion of the work), and (4) the effect of the use on the potential market for, and value of, the copyrighted work).
  4. Open Source and “Public Licensed” Content. The second category of content is “open source” and “public licensed” content. “Open source” refers primarily to software — its computer software distributed under a license whose source code is available for modification or enhancement by anyone as long as the requirements of the license are followed. For more on open-source software, please see my earlier post on the topic.  You can use open source software you find online as long as you comply with the terms of the open source license. 
  6. “Public licensed” content is content distributed under a similar license. It grants anyone certain rights to use the content in a way that would normally be prohibited under copyright law, as long as the use is within the boundaries of the license. These public licenses preserve the owner’s copyright in the content, but cede certain rights to anyone who wants to use the content. The most common public licenses are the six Creative Commons licenses. Creative Commons licenses give anyone the right to use content for noncommercial purposes with attribution to the content owner, and depending on the type of license, may additionally be able to use the content commercially, create derivative works from the content, and/or share the content with others under the same license (“share-alike”). You can use public licensed content as long as you comply with the terms of the public license.
  7. Everything Else – “Murky Content”. The third category is everything else — anything not clearly subject to copyright or other IP protection, and not clearly open source or public licensed (let’s call it “murky content”). This is the content that causes the most trouble, because Internet users may have no way to know whether something they find online that looks like it’s free to use is actually subject to copyright or other intellectual property protection, or is governed by a public or open source license. In this case, you need to make a judgment/risk call whether to use murky content.  Generally, using murky content for commercial purposes carries the most risk, and using it non-commercially carries the least. Most people don’t create and freely share content for the fun of it — they derive value from it. If murky content looks like something someone would want to monetize, it’s likely protected content requiring some form of license to use. There’s no sure way to gauge the risk of using murky content — the only way you’ll ever know for use is if you get in trouble for using it, and by then it’s too late.
  9. Some argue there is an “implied license” to use online content which protects users of online content. They argue that if a content owner posts content on their website or makes it available through Google, promotes links to the content through methods such as social media buttons, and does not restrict the ability to copy the content (e.g., no disabling of the ability to save or “screen scrape” content), the content owner is implying that it’s OK to reuse it. The biggest issue with the “implied license” argument is that like fair use there’s no easy way to know if it applies or not — you have to make a judgment call. It’s also important to note that the implied license argument assumes that the content was posted by the content owner.  Courts may be very hesitant to embrace this concept as it would mean significantly watering down copyright protection for online content.

Don’t forget photos may bring up not just copyright issues, but rights of publicity as well. If you use someone’s picture found online to promote your product or service, not only could you face a copyright suit from the copyright owner of the photo, the subject of the photo could have a claim against you using their name or likeness in a commercial manner without their consent. It’s also worth noting that using images of a cartoon or corporate logo grabbed from the Internet could also create trademark infringement or trademark dilution issues.

Finally, as you navigate the world of online content, keep these simple rules in mind:

  • Check the applicable terms and policies before using web-based content. If you find content you want to reuse on a website or online service, check the Terms of Use, Applicable Use Policy, or similar terms or policy for ownership, license, or usage rights language that could give you the right, or restrict your right, to use the content.
  • Use license filters when searching images.  If you’re searching for images on Bing Images or Google Images, you can filter your search by license type (e.g., in Google Images, if you click “Search Tools” you can search by “Usage Rights” such as “Labeled for reuse with modification,” “Labeled for reuse,” “Labeled for noncommercial reuse with modification,” and “Labeled for noncommercial use.” Keep in mind that license information may be wrong, but you’ll have an argument that you relied on the license type filter.
  • If it looks professionally done, it probably is.  If you find content online that looks like it was made by a pro, it probably was. If there’s no license associated with professional-looking content, there’s a reasonable chance that someone else redistributed it without the ownership or copyright attribution. Also, if you can’t easily save content (e.g., the “save as” in the right-click context menu or the “copy” function for the browser is disabled on that website), it’s likely because the content owner does not want people capturing or “screen scraping” their content.
  • Just because it’s protected doesn’t mean you can’t use it. Finally, don’t forget that many copyright owners are willing to grant a license to use their work if you ask them. Some may just want the exposure and ask for an attribution; some may want a license fee. A little internet sleuthing can uncover the owner’s email address or other contact information for contact purposes. If you like the content and are willing to obtain a license to use it, make sure the license you receive is broad enough for the way you intend to use the content or work, both today and in the foreseeable future.

Don’t Overlook These 6 Important Contract Clauses

Posted on by
Reply

Managing the review and negotiation of contracts involves regular stack ranking of projects. With many agreements to review and other job responsibilities for both in-house counsel and business counterparts alike, the value or strategic importance of the agreement often determines the amount of attention it receives. Given this, attorneys and their business counterparts generally do not have time for a “deep dive” into every nook and cranny of an agreement under negotiation. They focus their available resources on the big-ticket items — obligations of the parties, termination rights, ownership, confidentiality, indemnification/limitation of liability, and the like — and may only have time for a cursory review (at best) of other contract terms that appear in most agreements, called the “legal boilerplate.”

If you have a little extra time to spend on an agreement, here are six clauses that are worth a closer review. Why these? If worded improperly, each of these clauses can have a significant adverse impact on your company in the event of an issue or dispute involving that clause.

(1) the Notices clause. Failure to provide timely notice can case major issues. So can failing to receive a notice that was properly served. If mail can take some time to be routed internally, consider avoiding certified or first-class mail as a method of service. Personal delivery and nationally or internationally recognized express courier service (FedEx, UPS, DHL, etc.) with signature required on delivery are always good choices. Notice by confirmed fax or by email to a role address (e.g., “legal@abc.com”) are also options to consider, either as a primary method of notice or as a required courtesy copy of the official notice. Use a role and not a named person in the ATTN: line – if the named person leaves, routing of the notice may be delayed. Consider requiring that a copy of every notice be sent to your legal counsel. Consider whether to make notice effective on delivery, versus effective a fixed number of days after sending (whether or not actually received). It is also worth considering making notice effective on a refused delivery attempt – the other side should not be able to refuse a package to avoid being served with notice. Ensure delivery is established by the delivery receipt or supporting records.

(2) the Dispute Resolution clause. Ensure the agreement’s dispute resolution mechanism (litigation vs. arbitration), and any dispute escalation language, is right for your company given the potential claims and damages that could come into play if you have a dispute. Make sure you’re OK with the state whose law governs the agreement (and ensure it applies without regard to or application of its conflicts-of-laws provisions). If neither home state law is acceptable, consider a “neutral” jurisdiction with well-developed common law governing contracts e.g., New York. Ensure you’re OK with the venue — consider whether it is non-exclusive (claims can be brought there) or exclusive (claims can only be brought there), and whether a “defendant’s home court” clause might be appropriate (a proceeding must be brought in the defendant’s venue). Finally, ensure the parties’ rights to seek injunctive relief — an order to stop doing something, such as a temporary restraining order or injunction, or an order to compel someone to do something — are not too easy or hard to obtain. In some cases, whether a party needs to prove actual damages or post a bond in order to obtain an injunction can play a critical role.

(3) the Order of Precedence clause. If your agreement has multiple components (e.g., a master services agreement, separate Terms and Conditions, incorporated policies from a web site, service exhibits or addenda, statements of work, project specifications, change orders, etc.), which piece controls over another can become critically important if there is a conflict between the two (e.g., liability is capped in Terms and Conditions, but unlimited in a Statement of Work). Ensure the order of precedence works for you. Consider whether to allow an override of the order of precedence if expressly and mutually agreed to in an otherwise non-controlling contract component. Don’t forget about purchase orders — they often have standard terms which can conflict with or override the contract terms unless they are specifically excluded. If you are negotiating a SaaS agreement, consider how acceptable use policies, terms of use, and other online policies may relate to the agreement. Watch out for other agreements/terms incorporated by reference, or on the other hand, consider incorporating your standard terms and having them control in the event of conflicting terms.

(4) the Assignment/Change of Control clause. If consent to assignment or a change of control is required, the clause can create significant headaches and delays during an M&A closing process or during a corporate reorganization. A client or vendor with “veto power” could leverage that power to get out of the contract, or to obtain concessions/renegotiated terms. Consider whether to include appropriate exclusions from consent in the event of a reorganization or change of control, but keep a notice requirement. Consider whether a parental guaranty is an appropriate trade-off for waiving consent. Also consider whether consent is needed in a transaction where the party continues to do business in the same manner it did before (e.g., change of control of a parent company only).

(5) the Subcontractor clause. Ensure you have approval rights over subcontractors where necessary and appropriate, especially if they are performing material obligations under the agreement or will have access to customer data or your systems. A service provider may not be willing or able to give an approval right to a subcontractor providing services across multiple clients, but may be OK with approval of a subcontractor providing services exclusively or substantially for your company. Include the ability to do due diligence on the subcontractor; remember that subcontractors can be an attack route for hackers seeking to compromise a company’s network. Ensure a party is fully liable for all acts and omissions of the contractor. Consider pushing security obligations through to the subcontractor. Require subcontractors to provide phishing training.  Consider limitations on what obligations of the other party can be subcontracted.

(6) the Non-Solicitation clause. Consider limiting a non-solicitation clause to those employees key to each party’s performance under the agreement, and other named personnel such as executive sponsors or corporate officers. Most often, neither party can live up to a clause that covers every employee at the company. Ensure there are appropriate exclusions for responses to job postings, recruiter introductions, and contact initiated by the covered party. Consider whether the clause prevents soliciting an employee as well as hiring them, and whether you want to restrict one or both.

Refresh your Contract Templates for Shorter Negotiations and Happier Clients/Customers

Posted on by
Reply

The old adage “if it isn’t broke, don’t fix it” was never meant for contract templates.  Businesses and business processes are always changing and evolving, and contracts need to change and evolve along with them. Over time, your contract will diverge from your marketing materials and sales proposals, the current operational reality of your business, and/or your company’s current risk profile.  When that happens, the contract may slow down a fast-moving customer sale by prolonging the negotiation cycle as you work through the inconsistencies or outdated commitments, or worse, a client or customer may look to hold your company to perform obligations you can’t satisfy as written.  Refreshing your contract template helps ensure you are keeping the negotiation cycle as short as possible and ensuring what you commit to contractually aligns with your actual performance under the agreement, which contributes to a positive client/customer relationship.

Setting Refresh Goals.  The first thing to do when starting a contract refresh cycle is to ensure the business and legal teams are aligned on the goals of the contract refresh.  In most cases, the goals include:

  • To ensure the contract template accurately reflects the operational reality of the business;
  • To shorten and clarify the contract template;
  • To make contract negotiations go more quickly and smoothly;
  • To remove as many ambiguous terms from the contract template as possible; and
  • To ensure the contract template is as fair and balanced as possible while protecting your company’s interests.

Once your goals are set, the following steps can help you get the most out of your contract refresh.  Keep your refresh goals in mind as you go through each of these steps.

  1. Re-evaluate (and if needed, optimize) the contract model. Take a look at the core model of your contract.  Is it a Master Services Agreement with Statements of Work, Project Assignments or Service Orders?  One single contract containing terms for all products and services offered by the company with a checklist and pricing to select the products and services to be provided? The first step in a contract refresh is to ensure the contract model is the best one for your business and the business offering. The contract model should present the terms for your product or service in the simplest way possible, while allowing for flexibility of adding on services if needed. Your current model may be the right one for your business, but it’s important to ask the question.  For example, if your clients/customers consistently try to push their own paper on you with a different contracting model, think about whether their model (or elements of it) might make sense for your business.While you want to ensure your agreement anticipates how you’ll do business generally for the next 12-24 months, be careful trying to “future-proof” your contract by adding terms for service offerings you plan to roll out in the future.  You don’t want to make the agreement longer than it needs to be, and until the service offering is finalized the terms relating to it may change, meaning the terms you put into the contract will need to be changed anyway.  In this case, design your template with add-on services in mind so they can be added later.  Also, consider whether on-line terms, or an online policy such as an acceptable use policy referenced in and incorporated by reference into the Agreement, may help streamline the contract and allow for greater flexibility in changing those terms to reflect changes in your business.The appearance and readability of your contract matters just as much as the content and model. Ensure the contract is readable — use a common font and a readable font size.  Be sure to use headers and footers with page numbers and a confidentiality legend if appropriate. If you don’t use version numbers on your templates, consider adding version numbers to make sure you can easily track different versions of your contract templates (e.g., v2016.02.24 for the version released on February 24, 2016).  Consider running your template by your marketing department for their suggestions on making it look good.
  2. Confirm alignment with the sales proposal and marketing collateral. It’s a good idea to compare the contract template against the sales proposal and your company’s corporate website and marketing collateral. While there is always marketing fluff in sales proposals and marketing, ensure that the contract accurately reflects the proposal terms and commitments in marketing materials. If there are inconsistencies, ensure they are resolved.  Few things will cause a contract negotiation to bog down right out of the gate than the other side thinking the terms in the contract don’t match the terms in the proposal or the company’s marketing collateral that led them to want to do business with your company.Consider gathering all of the pricing and key business terms into one section or appendix.  Having pricing and key business terms scattered throughout an agreement can be very confusing.  The pricing and key business terms in the contract should match up to those in your sales proposal or deal term sheet, and where possible should follow a consistent format, structure and layout.  That way, when the other side receives your contract and compares the contract terms to the proposal or term sheet, they’ll see a 1:1 match which can help keep positive momentum going.
  3. Review previous redlines, look at previous business disputes, and talk to sales personnel. Quite often, there are standard compromise or fallback positions that become commonly used in negotiation as the contract template diverges from the operational reality and/or company risk profile.  Go back through previous redlines to identify compromises or fallback provisions that are agreed to on a regular basis. Consider whether that fallback provision should become the new standard provision in the agreement to remove it as a common negotiating point. Also, look at any business disputes you’ve had with your clients/customers that arose from or related to an ambiguity or issue in the contract, and look at any resulting operational changes that were made. Consider whether revisions to the contract would help avoid similar disputes in the future or better reflect the revised operational process.Talk to sales personnel involved in the negotiation of agreements based on the template, either individually or as a group, for their input on what sections are most frequently negotiated.  Identify terms or provisions in the agreement that are regularly negotiated – e.g., the non-solicitation provision, press release language, security and data breach language, termination for convenience language, indemnities, limitation of liability, etc.  Look at those terms/provisions to see if there is an alternative provision, or alternative wording, that works for your company and will eliminate the need to negotiate that point every time.  For example, if your contractual payment terms are net 15 but most parties ask for net 30, and you don’t really charge interest on late payments until they are at least 30 days past due (45 days from invoice date), it may be worth changing the payment terms to net 30 in the contract to eliminate this negotiation point.
  4. Streamline and simplify the template. Review the contract template to streamline and simplify it as much as possible. Don’t say something in three sentences that can be said in one.  Use a defined term to avoid having to repeat a lengthy phrase throughout the agreement.  Avoid including fluff in the agreement, such as a full page of WHEREAS clauses, unless there’s a compelling need for it. Ask people at your company who don’t normally read contracts to read it and highlight any language that seems confusing, and see if clarifying revisions make sense.  Avoid legalese wherever possible. Ensuring your contract is as clear as possible helps avoid disputes with your clients/customers by minimizing the chance that an ambiguous term is interpreted differently by the parties (or worse, that a party relies on that interpretation to take a particular course of action that can’t easily be undone).
  5. Validate the pricing and terms/obligations with stakeholders. Obtain (or make) a list of all of the department heads and business owners in your company whose team/group/division has operational responsibility for terms in the agreement (for simplicity, we’ll call these department heads and business owners “stakeholders”).  The review should include not only the business terms with business stakeholders, but also the legal and risk allocation terms (e.g., representations/warranties, indemnifications, disclaimer of warranties, limitation of liability, etc.) with legal and compliance stakeholders.Mark up a copy of the template to identify which pricing and business terms and obligations are tied to which stakeholders.  Circulate the draft to each stakeholder, and set up a meeting with each to review, modify and obtain sign-off on contract language and provisions related to that stakeholder.  If you’ve already identified potential changes to streamline the contract (such as in #3 or #4 above), review those with the stakeholder to obtain buy-in, and ask the stakeholder if they have any additional suggestions on ways to streamline and simplify the agreement terms relevant to that Stakeholder. If a stakeholder indicates that your company doesn’t really do what a particular contract provision says, either remove the obligation from the agreement or ensure the stakeholder commits to the company’s performance of that obligation.

A few closing thoughts:

  • Once the contract refresh is complete, determine who needs to sign off on the new template before it’s introduced for use, and obtain their approval to start using the new template.
  • Consider using communication plan to introduce the refreshed template to personnel involved in negotiating the agreement such as your sales and Finance teams.  Also consider whether the creation of a companion explanatory document such as a contract FAQ, or embedded comments in the draft itself, would help your clients/customers better understand your agreement and further shorten the negotiation cycle.
  • If you are updating a set of online terms or an online agreement where the changes will automatically apply, ensure you follow any notice requirements for amendments or changes to the agreement.
  • Make sure you archive a copy of the contract template being refreshed.  You may need to refer to it later, e.g., if there is a client/customer dispute involving the older template.
  • Finally, set a regular review cycle (ideally no less than once a quarter) to check with Stakeholders and ensure there have been no major changes from a business or legal perspective that require changes to the agreement template.

The Rewards and Risks of Open-Source Software

Posted on by
Reply

Open-source software (or “OSS”) is computer software distributed under a license whose source code is available for modification or enhancement by anyone.  This is different than free (or public domain) software, which is not distributed under a license.  Free and open-source software are alternatives to “closed source,” or proprietary, software.

Companies use OSS for a variety of reasons.  In some cases, it’s used as part of a project deliverable, such as a DLL or a JavaScript library. In others, it’s used as a tool as part of the development process or production environment, such as a compiler, development environment, web server software, database software, etc.

The Rewards of OSS.  There are significant benefits to using open-source software in your business.  Here are some of the most significant:

  • Enhanced Security. Anyone can modify and enhance OSS, resulting in a larger developer base than proprietary software. This means that security holes are often found more quickly, and patched more quickly, than proprietary software.
  • Lower Cost. There is no license fee for open-source software.  (That does not mean it’s totally free – OSS is subject to license requirements.)
  • Dev Cycle Streamlining. Using OSS in a project cuts down development time by allowing developers to avoid “reinventing the wheel” on needed code if an OSS version of that code is available.
  • Perpetual Use. As long as you abide by the terms of the open-source software license, you can generally use it forever.  There are no annual renewal fees or license renegotiations for mission-critical software.
  • Adaptability/Customizability. Users of closed source software must find the software package that most closely aligns with the business’ needs, and adapt to it.  There’s no need to settle with OSS – since it can be customized and adapted, you can start with the existing code and modify it to fit your company’s exact needs.
  • Better Quality. Since there is a larger developer base, new and enhanced features and functionality are often rolled out, and usability bugs fixed, at a more rapid rate than in proprietary software.
  • Support Community. Many common closed source software packages require the purchase of a maintenance subscription along with a license.  Well-used OSS has a robust developer community that can help with questions.There are also companies that have sprung up around common OSS packages to provide support solutions.

Know Your OSS Licenses.  The author of software code owns the copyright to that code.  If the author released software into the public domain, he/she is waiving his/her copyrights in that code, making it free for anyone to use.  However, if someone creates a derivative work of public domain code, the new portions of code are protected by copyright, and are not in the public domain.  In other words, by adding his/her own modifications, someone can take public domain software and make it proprietary.

That’s the primary difference between free software and OSS.  In most cases, when an author makes his/her software code open-source, that author is allowing use of his/her copyrighted code under an open-source software license, but is not relinquishing his/her copyright.  Under the OSS license, the author grants others a right to use the author’s copyrighted code to modify, copy and redistribute it, but only if they follow the terms of the open-source software license.  There are hundreds (or more) open-source licenses out there.  However, there are relatively few that are considered generally accepted with a strong developer community.  The Open Source Foundation (OSF) categorizes the most common OSS licenses here.  The most common are the GNU General Public License (GPL), the GNU Lesser General Public License (LGPL), the “New” BSD License, the “Simplified” BSD License, the MIT License, and the Apache License v2.  However, not all OSS licenses are the same.  There are many websites that can help you analyze the differences between OSS licenses, including tl;dr Legal and Wikipedia’s Comparison of Open-Source Software Licenses.

Many OSS licenses are “permissive” licenses, meaning that a work governed by that license (e.g., a BSD License) may be modified and redistributed under a different license as long as you comply with the requirements of the permissive license (e.g., attribution). Other OSS licenses are “copyleft” licenses.  A copyleft license is one under which a work may only be used, modified or distributed if the same license rights apply to anything derived from it.  The copyleft license will “infect” modifications and derivations of the source (some think of it as a “viral” license).  It’s a play on words as copyright and copyleft are converse terms: copyright gives exclusive rights to a work to one person, and copyleft gives non-exclusive rights to a work to everyone.  There are two types of copyleft licenses:

  • “Strong” copyleft licenses (e.g., the GNU GPL) state that if you modify code governed by a copyleft license, you must distribute the software as a whole under that copyleft license, or not distribute it at all.
  • “Weak” copyleft licenses (e.g., the GNU Lesser GPL) state that if you modify code governed by a copyleft license, portions of the software containing modifications (e.g., a software module or library) must be distributed under that copyleft license, but other portions may be distributed under a different license type.

The Risks of OSS.  Due to its benefits and rewards, most companies use open-source software, whether the management and Legal teams know it or not. Quite often, developers rely on OSS to deliver software development projects on time and within budget. The bigger question is whether developers are using OSS in a way that exposes the company to risk.  Unless your company has a well-defined OSS policy that has been well-communicated to the developers at your company, you’re “flying blind” when it comes to OSS usage. Here are some of the risks and considerations for companies using OSS:

  1. OSS makes more sense for “utility layer” software needs than for “competitive/proprietary layer” software needs. Think of the software used in business as two layers. The first is software at the “utility layer” – software packages that go to the general operation of the business and its IT infrastructure, and do not give the business a competitive advantage based on the code itself. Examples are web server software, database software, and standard APIs.  Above that is the software at the “competitive/proprietary layer” – software that gives your company a competitive advantage you’re your competition, or provides significant offensive or defensive IP protection. Examples are custom functionality on your website and specialized software applications. OSS makes a lot of sense at the utility layer – you don’t need something better than everyone else, just something that works and works well. Introducing OSS at the competitive/proprietary layer can be problematic as you may want to ensure the entire solution is proprietary.
  1. You can’t get IP warranties or indemnification for OSS. When you negotiate a software license agreement for proprietary closed source proprietary code, in most cases the software licensor will provide warranties and/or indemnification against claims of IP infringement. With OSS, there is no IP warranty or indemnity. If someone introduced proprietary code into the OSS earlier in its life, you bear the risk of infringement if you use it.
  1. Some OSS license types can snuff out IP rights to your own developed code (and even expose it). The type of OSS license governing OSS used in your business, and how you use OSS software, can directly affect your IP rights to your own developed code. If you use OSS governed by a strong copyleft license to enhance your own codebase, your entire codebase could potentially become governed by a copyleft license.  This means that a savvy competitor or customer that suspected or learned of OSS in your code could send you a letter demanding a copy of your source code under the copyleft license, or just decompile it and modify it, putting you on the defensive as to why your software license should override the copyleft open source license.
  1. If you don’t follow the license terms, you can be sued. Open source software is licensed. That means there are license terms you must follow.  If you don’t, you may face litigation from competitors or others.  There has been a recent upswing in litigation for breach of the terms of open source licenses, and that trend is expected to continue.  For example, VMware was sued in March 2015 alleging that it violated the GNU GPL v2 license by not releasing the source code for VMware software that used OSS subject to the copyleft license.

Implement a Company-Appropriate OSS Policy.  To mitigate the risks associated with OSS, all companies should implement an open-source software policy governing the when, why and how of using open-source software in the company’s codebase.  Here are some important considerations:

  • Ensure there is alignment on the goal of the OSS policy at the outset. Different stakeholders may have different views on the goal of an OSS policy.  To Legal, it make be to protect the company’s intellectual property; to IT, it may be to leverage OSS to reduce costs; to developers, it could be to ensure they are free to keep using the OSS they need to meet goals and deadlines.  One thing stakeholders cannot do is go in with the mindset that OSS is bad for business or that they can keep it out of their code.  OSS in business is a reality that can either be ignored or accepted.  The policy’s goal should be to ensure OSS is being used effectively to advance the company’s business objectives while protecting its IP and living within its risk profile.
  • An OSS policy must balance the practical needs of developers with risk management. OSS is the domain of the developer, not the Legal department.  While the risks are something lawyers consider, a policy written and imposed by non-developers on your developer corps will likely face an uphill battle, or worse, be viewed as “out of sync with the goals of the business” and just ignored.  The attorneys’ role in creating an OSS policy is to provide guidance on the risks of OSS to the company as a whole, provide “best practices” guidance in OSS policies, and to draft the actual policy from the outline in plain English (remember, developers, not other attorneys, are the audience).  IT management’s role is to provide guidance on the outside contours of the policy.  Developers need to be directly involved in developing the policy itself as they are the ones using OSS in their daily work.  Developers, Legal and IT should develop the company’s OSS strategy, and its OSS policy, as equal stakeholders.
    • Ensure senior management buys into the policy before it is finalized; it’s important that management understand how OSS is used in the business.
    • Ensure the policy covers key topics, e.g., sourcing OSS; selecting OSS code for use at the utility layer and the competitive/proprietary layer; the OSS approval process; support and maintenance requirements; redistribution; tracking OSS usage; and audits/training.
    • Ensure the policy covers independent contractor developers as well as employees.
  • OSS code review and approval must be a streamlined process. If the review and approval process is complicated, developers will be more likely to just skip it.  Make approval easy.  Provide a “pre-approved list” of OSS – certain combinations of license types, utility level software categories, and/or specific code packages that only need notification of usage for tracking purposes.
    • Have a simple process for vetting other usage requests, asking the critical questions (e.g., What is the name and version number of the software package for which use is requested? What license type applies? Where was the code sourced from? Will the code be modified? What is the support plan?  Will the code be distributed or used internally?  What is the expected usage lifetime of the code? Are there closed source alternatives? Etc.) so that the legal and business risks can be measured and balanced against the benefits of usage.
    • Determine who will do the first review and escalated review (IT, Legal).
    • Turn requests quickly as delays can impact development timeframes.
  • Keep a database of all used OSS, including where is it used and what license type applies. Knowing what OSS you’re using is critical to avoid introducing code that has a bad reputation or is governed by an OSS license your company is not comfortable with (e.g., a strong copyleft license). IT should maintain a database of OSS used by the company, including the license type for each OSS.  This database is also helpful when responding to security questionnaires and is often needed in M&A due diligence.
  • Other Considerations. Consider conducting quarterly or semi-annual reviews of OSS usage, e.g., questionnaires to developers.  Consider having developers acknowledge the OSS policy at hire, and on an annual basis.  Consider conducting OSS training if your company’s learning management system (LMS) has an available course module on OSS.  And most importantly, review the OSS policy no less than once a year with all stakeholders to ensure it is evolves as the world of OSS, and the company’s own needs, change over time.