Ready or Not, New Proposition 65 Warnings and Lawsuits Are Coming – Are Your Products, Businesses, and Websites Ready?

If you’ve seen a “WARNING: This product contains a chemical known to the State of California to cause cancer” label on a product, or a similar sign in a business, you’ve seen a warning mandated by California’s Proposition 65 law.  Those warnings are about to get more specific and even more prevalent, and are about to go digital. Most companies doing business in California are working hard to be prepared for the changes to Prop 65 that will apply as of August 30, 2018.  Some companies still may not be aware of the changes and what they mean for their supply chain, as well as for their potential exposure to class action lawsuits and other legal trouble if they are not ready in time.

Here’s the background on what’s happening with Proposition 65, and why companies affected by it should move quickly to finish (or start) implementing processes and steps to ensure compliance.


What is Proposition 65?

Proposition 65, also known as the California Safe Drinking Water and Toxic Enforcement Act of 1986 or “Prop 65,” is a “right to know” statute enacted by California voters in 1986. Under Prop 65, businesses with 10 or more employees must in most cases provide “clear and reasonable” warnings before “knowingly and intentionally” exposing Californians to listed chemicals that cause cancer, birth defects, or other reproductive harm. The warnings apply to exposure from products people purchase, whether used in their homes or in workplaces, as well as to environmental and occupational exposure. Prop 65 is administered by the Office of Environmental Health Hazard Assessment (OEHHA), part of the California Environmental Protection Agency (CalEPA).

There are over 900 chemicals for which Prop 65 warnings may be required. They appear on a list maintained by the State of California (the “Prop 65 list”), which is updated at least annually. If a product contains, or is made using, one or more listed chemicals, or an environment or occupation could expose Californians to one, and the exposure is not low enough to fall below the level at which it poses no significant risk of cancer, birth defects, or other reproductive harm, a Prop 65 warning is required for that product, environment, or workplace.

While any “clear and reasonable” warning can satisfy the Prop 65 requirements, a business creating its own warnings runs a risk that they are determined to not be “clear” and/or “reasonable” and therefore deficient under Prop 65.  Fortunately, the State of California has promulgated “safe harbor” warnings that most companies use to satisfy their Prop 65 compliance requirements instead of developing their own warnings.


So what’s changed in Prop 65?

Under the current law, “clear and reasonable” Proposition 65 warnings are required for consumer products and environmental/occupational exposure to listed chemicals, and certain “safe harbor” warnings have been made available for use. The revisions to the law becoming effective August 30, 2018 (and applicable to products manufactured or refurbished on or after August 30, 2018) make a number of important changes and updates, including:

  • New and more detailed content and format requirements which replace the somewhat generic current Proposition 65 safe harbor warnings.
  • While the existing law tries to minimize the impact on retailers, the changes clarify that manufacturers, producers, packagers, importers, suppliers, and distributors can satisfy their obligation in one of two ways: provide the required warning on the product via a label, or annually notify the downstream retailer of the warning requirements and provide that retailer with all necessary warning materials and language. The second option shifts the burden of providing the warning to the seller and gives the upstream supply chain partner an affirmative defense if the retailer fails to provide it.
  • The new law contains more explicit transmission and placement requirements for consumer product, environmental, and occupational warnings.
  • As the existing law was written in the 1980s, it does not contain specific requirements for online sales. The new law imposes specific Internet and catalog disclosure requirements. For Internet sales, the warning must be displayed in-line (or via a specific hyperlink) on the product display page, or otherwise prominently displayed prior to completing the purchase. For catalog purchases, the warning must be included in a manner that clearly associates it with the item being purchased. This is likely the most significant change, and the one that exposes online sellers to the most legal risk under Prop 65.


What are the new content and format warning requirements?

The revised regulations require different warnings based on the types of listed chemicals, the number of listed chemicals, and the method of transmission and placement. These include specialized safe harbor warnings for certain exposures, products, and places (from alcoholic beverages, to furniture, to amusement parks, to designated smoking areas, to restaurants, to hotels).

All new warnings require the word “WARNING” in bold capital letters, as well as a specific exclamation symbol (except for food labels) which is at least as big as the font used for the “WARNING” text.  Here is an example of a generic Prop 65 safe harbor warning for consumer products:


Do I have to provide warning in languages other than English?

Not if the consumer information on the product label and packaging is in English only. The Prop 65 warning must be provided in each language in which consumer information is provided on the product label or packaging. If you use multiple languages on your product packaging, your Prop 65 warning labels must similarly be provided in each of those languages.


Why is compliance important?

Manufacturers, distributors, and retailers throughout the supply chain are potentially liable for failure to comply with Proposition 65. Prop 65 is enforceable not just by the California Attorney General, but by private parties such as consumer advocacy groups and “bounty hunters,” which has given rise to a cottage industry of parties suing companies for Prop 65 violations. Penalties for violations can be as high as $2,500 per violation per day. Any time there is a change in regulatory requirements such as this, it opens the door for private party bounty hunters to file enforcement suits against companies slow to comply with the new requirements.


Do Prop 65 warnings apply just to electronics?

No. It applies to any product which contains a chemical on the Prop 65 list or which uses such a chemical in the manufacturing process, and to environments and workplaces which may expose people to such chemicals. Many plasticizers are on the Prop 65 list, meaning that if your product contains plastic or is manufactured using plasticizers, there’s a good chance your company needs to comply with Prop 65 warning requirements in connection with that product. This includes plastic parts, enclosures, connectors, etc.


My company only sells B2B.  Does it still have to comply with the warning requirements?

Yes. Prop 65 is designed to protect Californians from exposure to products both at home and in the workplace. The Prop 65 warning requirements apply regardless of whether a product is sold through a B2C or a B2B transaction, and regardless of whether a person is exposed at home or at work.


Do the warning requirements apply to new products only, or both new and refurbished products?

It covers both.  Refurbishment is a manufacturing process, and so the warning requirements also apply to refurbished products.  For example, if your business uses refurbished products to fulfill its warranty obligations, it must comply with Prop 65 requirements for those refurbished products.


What does my company need to do?

Update your Prop 65 warning signs and labels. Each company that sells products in California containing chemicals on the Proposition 65 list or manufactured using such chemicals, or which exposes Prop 65 chemicals environmentally or occupationally, must implement new Prop 65 warnings satisfying the new content and format requirements. This means working upstream in the supply chain to ensure manufacturers have properly determined if any chemicals on the Prop 65 list are used in the manufacture of products, that they are implementing the appropriate new safe harbor warnings, and that they are providing copies of warning materials for use downstream in the supply chain by online and catalog retailers.

Update your supply chain contracts. The new law is the perfect opportunity to update your contracts with your suppliers, manufacturers, packagers, importers, and/or distributors. Ensure they are contractually obligated to comply with Prop 65 labeling requirements (and that they agree not to push the burden downstream), and that they will indemnify your company if they do not. If your contracts have a “compliance with laws” representation, warranty, or obligation, you can point to that language if they push back on compliance.

Ensure you are considering all sales channels. Take time to think through all of your sales channels. Does your company use resellers, distributors, or other sales channels? If your company is in one of the “upstream from retailer” supply chain roles, ensure you are complying with any obligations your company has under the changes to Prop 65 to provide information to downstream retailers.

Implement Prop 65 warnings on your B2C and B2B sales websites. For products sold online, the new Prop 65 warning must be clearly and prominently displayed by the seller prior to product purchase, e.g., above the fold and easy to see and not something that someone has to search for.  There are two main ways to do this:

  • The static way: Display a clear and prominent image of the Prop 65 warning on the product detail page. This requires the least work but means everyone using the online store, Californian or not, will receive the warning.  My guess is that most online retailers will opt for the static way.
  • The dynamic way: Display the Prop 65 warning during the checkout process if the purchaser enters a ship-to ZIP code in California.  This limits the user experience impact to Californians, but requires coding work to dynamically display warnings based both on the ZIP code and the SKUs in the cart (the SKU will need to trigger the specific warning associated with that product or product bundle).
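The “dynamic way” needs a decision rule behind it: which warnings, if any, an order must show given its ship-to address and its cart contents, with bundles expanded to the SKUs they contain and identical warnings shown once. The following is an added example written for this post, not code from the original or from any store platform. The catalog, bundle table and warning strings are constructed; California is detected from a validated state code or, as a fallback, from a 5-digit ZIP in the 90001-96162 range, which is an assumption you should check against your own address data. It also reports SKUs that are in neither the warning table nor the reviewed-no-warning table, because a SKU nobody has reviewed is the gap a bounty hunter finds first.

```python
"""Server-side decision logic for the "dynamic way" of showing Prop 65
warnings at checkout: which warning texts an order must display, based on
the ship-to address and the SKUs (bundles expanded) in the cart.

Added example; not code from the original post.  Assumptions: the catalog,
bundle table and warning strings are constructed; California is detected
from a validated state code or, as a fallback, from a 5-digit ZIP in the
90001-96162 range (verify against your own address data).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed catalog: SKU -> warning text passed down by the manufacturer
# or importer.  Placeholder wording; use the safe-harbor text your supplier
# actually provides for the product.
WARNINGS: Dict[str, str] = {
    "CABLE-USB-01":   "WARNING: constructed plasticizer warning (cancer/reproductive harm)",
    "PSU-12V":        "WARNING: constructed plasticizer warning (cancer/reproductive harm)",
    "ENCL-PLASTIC-7": "WARNING: constructed enclosure-resin warning (cancer)",
}
# SKUs reviewed upstream and confirmed to need no warning.
REVIEWED_NO_WARNING: Set[str] = {"DOC-MANUAL"}
# Constructed bundles: a bundle SKU ships the listed component SKUs.
BUNDLES: Dict[str, List[str]] = {
    "KIT-STARTER": ["CABLE-USB-01", "ENCL-PLASTIC-7", "DOC-MANUAL"],
}
CA_ZIP_RANGE = (90001, 96162)  # assumption, see module docstring


@dataclass(frozen=True)
class CartLine:
    sku: str
    qty: int = 1


def is_california(ship_to_state: Optional[str] = None,
                  ship_to_zip: Optional[str] = None) -> bool:
    """True if the order ships to California.  A validated state code wins;
    the ZIP is only a fallback (ZIP+4 accepted, first five digits used)."""
    if ship_to_state:
        return ship_to_state.strip().upper() == "CA"
    if ship_to_zip:
        five = ship_to_zip.strip()[:5]
        if five.isdigit():
            return CA_ZIP_RANGE[0] <= int(five) <= CA_ZIP_RANGE[1]
    return False


def _expand(sku: str, out: List[str], active: Set[str]) -> None:
    if sku not in BUNDLES:
        out.append(sku)
        return
    if sku in active:          # a bundle that lists itself: stop the loop
        return
    active.add(sku)
    for part in BUNDLES[sku]:
        _expand(part, out, active)
    active.discard(sku)


def expand_skus(cart: Iterable[CartLine]) -> List[str]:
    """Flatten bundles (recursively) into component SKUs, in cart order."""
    out: List[str] = []
    for line in cart:
        _expand(line.sku, out, set())
    return out


def warnings_for_order(cart: Iterable[CartLine],
                       ship_to_state: Optional[str] = None,
                       ship_to_zip: Optional[str] = None) -> List[str]:
    """Distinct warning texts to show before the purchase completes, in cart
    order.  Empty when the order is not going to California or nothing in it
    carries a warning.  Two SKUs with the same text produce one warning."""
    if not is_california(ship_to_state, ship_to_zip):
        return []
    shown: List[str] = []
    for sku in expand_skus(cart):
        text = WARNINGS.get(sku)
        if text and text not in shown:
            shown.append(text)
    return shown


def unreviewed_skus(cart: Iterable[CartLine]) -> List[str]:
    """SKUs (after bundle expansion) that are in neither table.  Treat these
    as compliance gaps to fix before the listing sells, not as 'no warning'."""
    return sorted({s for s in expand_skus(cart)
                   if s not in WARNINGS and s not in REVIEWED_NO_WARNING})


if __name__ == "__main__":
    cart = [CartLine("KIT-STARTER"), CartLine("PSU-12V", qty=2)]
    for text in warnings_for_order(cart, ship_to_zip="94105-1234"):
        print(text)
    print("unreviewed:", unreviewed_skus(cart + [CartLine("MYSTERY-1")]))
```

The state code is checked first because a ZIP range is a heuristic while a validated address field is authoritative; the ZIP path exists only for checkouts that collect the ZIP before the state. Wire `unreviewed_skus` into the listing-publication step rather than the checkout, so a SKU with no upstream determination never goes on sale in the first place.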

For product catalogs, the warning must be clearly and conspicuously displayed on the catalog product page, in a manner that clearly associates it with the item being purchased.

Don’t forget about phone orders and warranty replacements.  The changes to the law do not specifically address phone orders or warranty replacements.  With respect to phone orders, consider how to address this. e.g., consider whether to read the warning to a phone purchaser and require them to confirm that they wish to proceed with the transaction.  With respect to warranty replacements, consider sending the Prop 65 warning for the replacement product (if manufactured or refurbished on or after August 30, 2018) with the RMA information.


Where can I learn more about Proposition 65?

There are some excellent online resources to help you understand your company’s requirements under Prop 65, including:


Eric Lambert is counsel for the Transportation division of Trimble Inc., a geospatial solutions provider focused on transforming how work is done across multiple professions throughout the world’s largest industries. He supports the Trimble Transportation Mobility and Trimble Transportation Enterprise business units, leading providers of software and SaaS fleet mobility, communications, and data management solutions for transportation and logistics companies. He is a corporate generalist and proactive problem-solver who specializes in transactional agreements, technology/software/cloud, privacy, marketing and practical risk management. Eric is also a life-long techie, Internet junkie and avid reader of science fiction, and dabbles in a little voice-over work. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice.


7 Tips to Avoid the Pitfalls on the Path to Marketing Success

Marketing in the 21st century encompasses a variety of printed marketing materials, online websites, blogs, case studies, text marketing, digital advertising, social media, and other digital, print and audiovisual materials. Its purpose includes providing information to current and potential customers, investors, and the public about your company, its vision, its goals, and its products/services; demonstrating thought leadership; building goodwill, credibility and trust with your target markets; and driving interest in your company and its offerings. It is a critical channel for generating new customers/clients, new revenue, and new value for investors and shareholders. Companies have a natural propensity to tout themselves and their products in the best possible light in their marketing, accentuating the positive and eliminating the negative. However, there are a number of common mistakes companies make in their marketing that inadvertently land them in hot water.

Think of the execution of your marketing strategies as walking a path on a mountain ridge. To the left are the legal and regulatory pitfalls. These include deceptive, unfair or unlawful advertising practices under federal and state law; native advertising issues; false advertising, trademark, and unfair competition claims by competitors; and the like. To the right are the contractual and customer relationship pitfalls. These include claims for fraudulent inducement to contract or material misrepresentation in your marketing materials, and clients/customers asserting a right to rescind their contract or commence legal proceedings against you, affecting your company’s revenue and reputation.

There are ways to navigate this path safely. Here are 7 key tips to help stay on the path to happy clients/customers and increased revenue.

1) Be transparent, truthful, and clear.

The easiest way for a company to get into trouble over its marketing practices is to be untruthful, unclear and/or misleading. The FTC and state attorneys general rely heavily on federal and state laws prohibiting deceptive and unfair trade practices as their “multi-tool” for cracking down on companies for marketing violations. According to the FTC, an act or practice is considered “deceptive” if it contains a material misrepresentation or an omission of information that is likely to mislead a reasonable customer.

To avoid transparency issues, make sure your marketing collateral and messaging includes all material facts and disclosures that a reasonable person would expect to see. For example, there are disclosures required under federal and state laws around “negative options” such as an auto-renewing subscription offer; there are opt-out and other disclosures needed for certain commercial email messages; if there are dependencies for your call to action (e.g., you must purchase a support package if you purchase a license to your company’s software), disclose them.

To avoid truthfulness issues, verify or qualify any facts or assertions you are using in your marketing. Keep a folder with documentation backing up your marketing facts and assertions. If you don’t have or can’t find the supporting facts, consider adding qualifications to your marketing statement.

To avoid clarity issues, marketing should be well-organized and well-formatted, written in short sentences with simple words and an appropriate level of detail, so that the information you are trying to convey is easily understood. Write from the perspective of the reader – is your marketing message(s) clear to someone who does not know much (if anything) about your company and its products/services?

2) Ensure your marketing meets design and functionality requirements.

One of the biggest mistakes companies make is assuming they know how their target audience will respond to their marketing, or worse, not thinking about it in advance at all. Proactive testing of marketing strategies before launch has parallels to performing user acceptance testing (UAT) in the software world. UAT is the process by which a deliverable is tested by actual or simulated users to validate that the deliverable meets its design and functionality requirements. Just like software UAT, before releasing marketing collateral and messaging it is important to validate that (a) it includes all important details, meets all legal requirements, and contains all legally required disclosures (the “design requirements” equivalent), and (b) it clearly and effectively delivers the marketing message, such as a value proposition and/or call to action, to its intended audience, and generates the target return on investment (ROI) or return on ad spend (ROAS) (the “functionality requirements” equivalent). Investing time and energy to test your marketing, and incorporating feedback to ensure it meets its design and functionality requirements, will help it deliver the best possible ROI/ROAS.

3) Be careful using images of people or copyrighted works of others.

It’s often easy to grab a picture from Google Images or other online websites for use in marketing and social media. But remember, just because something is available online does not mean it is in the public domain, free to use. Even if you were not the person who originally posted a picture or other copyrighted content online, you could be liable for your use of it. (Even if you have an “innocent infringer” defense, you may still have to prove that in court, costing you and your company time and money.) Consider acquiring images for marketing use from a reputable stock photo company such as Getty Images, and ensure people whose images you capture for marketing use have given you a signed release and right to use the image. In general, you can’t use someone’s name or likeness to state or imply they are endorsing or promoting a product without their permission. Also, remember that images you use should not imply endorsement of your company’s products or services by a person without that person’s consent. Duane Reade, a drugstore chain, learned this lesson the hard way recently when they were sued by Katherine Heigl for $6 million after they used an image of her in a tweet without her permission.

4) Avoid unsubstantiated superlatives and figures.

Companies sometimes fall off the marketing path by using superlatives and figures that they can’t substantiate. One of the bedrocks of FTC policy is the FTC Policy Statement Regarding Advertising Substantiation. Under this policy, objective product/service claims “represent explicitly or by implication that the advertiser has a reasonable basis supporting these claims.” A “reasonable basis” depends on factors including the product which is the subject of the claim, the type of advertising claim, the consequences of a false claim, and the benefits of a truthful claim. Failing to have support for your claims is a deceptive and unfair trade practice under §5 of the FTC Act. Watch out for figures and superlatives such as “the best,” “the quickest,” etc. Make sure you have a reasonable basis for your superlative and data to back up your figures. For superlatives you cannot back up with documented facts (e.g., “a leading” vs. “the leading”), consider whether a comparative would work better (e.g., “easier” vs. “easy”, “more cost-effectively” vs. “cost-effectively,” etc.) As noted earlier, if a specific number is cited, ensure you have documentation for that specific number. If not, qualify it or generalize it (e.g., “approximately X,” “more than Y,” “less than Z,” “A to B”).

5) Avoid quoting quotes.

Just like images, it can be easy to find great quotes, facts and figures through an Internet search. If you are under a deadline or have a limited marketing budget, it might be tempting to find an article which cited the study and then cite to that article. However, beware of “quoting the quoter.” Quotes and cited facts/figures should be substantiated by the source material, not an article quoting the source material. If you quote a quote and not the source material, you run the risk that the author of the quote changed or misquoted the source material in their article. For example, suppose you’re looking for a statistic that at least half of participants in a study believe that the demand for products in your market segment will double in the next two years. You find and quote an online article citing research that 50% of respondents stated exactly that. What you didn’t know is that the number is really 46%, and the author of the article you cited decided to round up to 50%.  This inaccurate quote could cause significant headaches if the inaccuracy proves material to your marketing message or value proposition.

6) Tread carefully when using product endorsers and native advertising.

Native advertising, as defined by the FTC, is “content that bears a similarity to the news, feature articles, product reviews, entertainment and other material that surrounds it online.” For example, a featured article on a website that looks like an objective article, but is in fact an advertisement for a product or service written by or for the product or service provider, is native advertising. Native advertising uses the appearance of authenticity to drive interest in a product or service. This is also its Achilles’ heel. If it is too difficult to distinguish native advertising from surrounding content, it may be considered deceptive; the FTC looks at the “net impression [an] ad conveys to consumers” in determining deceptiveness. If an ad misleads a consumer by stating or implying that it’s not advertising, it’s likely deceptive. Native advertising must be accompanied by clear and prominent disclosures as to the source and/or sponsorship of the advertising to avoid misleading consumers, such as “paid content” or “advertisement” or “sponsored” disclaimers next to native advertising content or links. The FTC’s Native Advertising Guide for Business contains clear guidance on how to avoid running afoul of native advertising traps.

Similar issues have arisen with respect to “product endorsers,” people who endorse a product, brand or company. While paid celebrity endorsements (think Michael Jordan for Nike and Hanes, William Shatner for Priceline) are clearly paid to do so, companies also use employees, and non-employees such as bloggers and online personalities, to promote and drive interest in their products. Companies also run contests and sweepstakes through social media to drive awareness and increase buzz for their products. But content posted by employee brand ambassadors, compensated non-employee endorsers, and participants in a promotion who fail to identify their content as sponsored or paid may be deceptive and misleading in the eyes of the FTC (as Cole Haan discovered when they ran a Pinterest campaign to drive interest in their Wandering Sole product) and state attorneys general. The FTC stated that a “material connection” between a marketer and an endorser must be disclosed “if the relationship is not otherwise apparent from the context of the communication that contains the endorsement.”

7) Avoid statements that are forward-looking or may trigger a Regulation FD disclosure requirement.

Finally, if you work for a public company, SEC laws and regulations impose additional restrictions on what you can and cannot say in your marketing communications. Watch out for “forward-looking statements,” statements of potential or projected future events as expectations or possibilities. Saying “we plan on adding a European office in 2019” or “we expect to double our manufacturing capacity in the next six months” are likely forward-looking statements. Forward looking statements can lead to securities litigation unless accompanied by cautionary language required by the statutory “safe harbor” for forward-looking statements by public companies. Additionally, it’s important to ensure any targeted marketing or social media posts do not inadvertently selectively disclose material, non-public information about your publicly-traded company, which is prohibited by SEC Regulation FD (Fair Disclosure). For example, if an employee posts a picture while on-site at a prospective major new client, and the client’s identity can be determined by a logo in the background the employee did not see, the potential relationship inadvertently disclosed by the social media post may trigger the need for a Regulation FD disclosure.

Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers by expanding product assortment, promoting and selling products on the channels that perform, and enabling rapid, on-time customer delivery. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. Eric works primarily from his home office outside of Minneapolis, Minnesota. He is a technophile and Internet evangelist/enthusiast. In his spare time, Eric dabbles in voice-over work and implementing and integrating connected home technologies.

The Rewards and Risks of Open-Source Software

Open-source software (or “OSS”) is computer software distributed under a license whose terms make the source code available for modification or enhancement by anyone. This is different from free (public domain) software, which is not distributed under a license at all. (“Free software” in the Free Software Foundation’s sense is a different thing: it is licensed, and most of it is also OSS.) Public domain and open-source software are alternatives to “closed source,” or proprietary, software.

Companies use OSS for a variety of reasons.  In some cases, it’s used as part of a project deliverable, such as a DLL or a JavaScript library. In others, it’s used as a tool as part of the development process or production environment, such as a compiler, development environment, web server software, database software, etc.

The Rewards of OSS.  There are significant benefits to using open-source software in your business.  Here are some of the most significant:

  • Enhanced Security. Anyone can read, modify and enhance OSS, resulting in a larger developer base than proprietary software. This means that security holes are often found, and patched, more quickly than in proprietary software. The caveat is that this only holds for projects with an active maintainer and reviewer base; widely used but thinly maintained components have carried serious bugs for years, so treat “many eyes” as a possibility rather than a guarantee, keep an inventory of the OSS you ship, and track its security advisories.
  • Lower Cost. There is no license fee for open-source software.  (That does not mean it’s totally free – OSS is subject to license requirements.)
  • Dev Cycle Streamlining. Using OSS in a project cuts down development time by allowing developers to avoid “reinventing the wheel” on needed code if an OSS version of that code is available.
  • Perpetual Use. As long as you abide by the terms of the open-source software license, you can generally use it forever.  There are no annual renewal fees or license renegotiations for mission-critical software.
  • Adaptability/Customizability. Users of closed source software must find the software package that most closely aligns with the business’ needs, and adapt to it.  There’s no need to settle with OSS – since it can be customized and adapted, you can start with the existing code and modify it to fit your company’s exact needs.
  • Better Quality. Since there is a larger developer base, new and enhanced features and functionality are often rolled out, and usability bugs fixed, at a more rapid rate than in proprietary software.
  • Support Community. Many common closed source software packages require the purchase of a maintenance subscription along with a license. Well-used OSS has a robust developer community that can help with questions. There are also companies that have sprung up around common OSS packages to provide support solutions.

Know Your OSS Licenses. The author of software code owns the copyright to that code. If the author releases software into the public domain, he/she waives his/her copyright in that code, making it free for anyone to use. However, if someone creates a derivative work of public domain code, the new portions of code are protected by copyright and are not in the public domain. In other words, by adding his/her own modifications, someone can take public domain software and make the modified version proprietary (the original remains in the public domain).

That’s the primary difference between public domain software and OSS. In most cases, when an author makes his/her software code open-source, that author is allowing use of his/her copyrighted code under an open-source software license, but is not relinquishing his/her copyright. Under the OSS license, the author grants others a right to use, modify, copy and redistribute the copyrighted code, but only if they follow the terms of the license. There are hundreds (or more) open-source licenses out there. However, relatively few are generally accepted and backed by a strong developer community. The Open Source Initiative (OSI) categorizes the most common OSS licenses on its website. The most common are the GNU General Public License (GPL), the GNU Lesser General Public License (LGPL), the “New” (3-clause) BSD License, the “Simplified” (2-clause) BSD License, the MIT License, and the Apache License v2. However, not all OSS licenses are the same. There are many websites that can help you analyze the differences between OSS licenses, including tl;drLegal and Wikipedia’s Comparison of Open-Source Software Licenses.

Many OSS licenses are “permissive” licenses, meaning that a work governed by that license (e.g., a BSD License) may be modified and redistributed under a different license as long as you comply with the requirements of the permissive license (e.g., attribution). Other OSS licenses are “copyleft” licenses.  A copyleft license is one under which a work may only be used, modified or distributed if the same license rights apply to anything derived from it.  The copyleft license will “infect” modifications and derivations of the source (some think of it as a “viral” license).  It’s a play on words as copyright and copyleft are converse terms: copyright gives exclusive rights to a work to one person, and copyleft gives non-exclusive rights to a work to everyone.  There are two types of copyleft licenses:

  • “Strong” copyleft licenses (e.g., the GNU GPL) require that if you distribute software that incorporates or is derived from code governed by the license, you distribute the software as a whole under that copyleft license, or not distribute it at all.
  • “Weak” copyleft licenses (e.g., the GNU Lesser GPL) require that the portions of the software containing the copyleft code and any modifications to it (e.g., a software module or library) be distributed under that copyleft license, but allow other portions that merely link to or use it to be distributed under a different license type.

The Risks of OSS.  Due to its benefits and rewards, most companies use open-source software, whether the management and Legal teams know it or not. Quite often, developers rely on OSS to deliver software development projects on time and within budget. The bigger question is whether developers are using OSS in a way that exposes the company to risk.  Unless your company has a well-defined OSS policy that has been well-communicated to the developers at your company, you’re “flying blind” when it comes to OSS usage. Here are some of the risks and considerations for companies using OSS:

  1. OSS makes more sense for “utility layer” software needs than for “competitive/proprietary layer” software needs. Think of the software used in business as two layers. The first is software at the “utility layer”: software packages that go to the general operation of the business and its IT infrastructure, and do not give the business a competitive advantage based on the code itself. Examples are web server software, database software, and standard APIs. Above that is the software at the “competitive/proprietary layer”: software that gives your company a competitive advantage over your competition, or provides significant offensive or defensive IP protection. Examples are custom functionality on your website and specialized software applications. OSS makes a lot of sense at the utility layer, where you don’t need something better than everyone else, just something that works and works well. Introducing OSS at the competitive/proprietary layer can be problematic, as you may want to ensure the entire solution is proprietary.
  2. You can’t get IP warranties or indemnification for OSS. When you negotiate a license agreement for proprietary, closed source code, in most cases the licensor will provide warranties and/or indemnification against claims of IP infringement. With OSS, there is no IP warranty or indemnity; the common OSS licenses disclaim all warranties. If someone introduced proprietary code into the OSS earlier in its life, you bear the risk of infringement if you use it.
  3. Some OSS license types can snuff out IP rights to your own developed code (and even expose it). The type of OSS license governing OSS used in your business, and how you use the OSS, can directly affect your IP rights to your own developed code. If you use OSS governed by a strong copyleft license to enhance your own codebase and then distribute the result, your entire codebase could potentially become governed by that copyleft license. This means that a savvy competitor or customer that suspected or learned of OSS in your code could send you a letter demanding a copy of your source code under the copyleft license, or just decompile it and modify it, putting you on the defensive as to why your software license should override the copyleft open source license.
  4. If you don’t follow the license terms, you can be sued. Open source software is licensed. That means there are license terms you must follow. If you don’t, you may face litigation from competitors or others. There has been a recent upswing in litigation for breach of the terms of open source licenses, and that trend is expected to continue. For example, VMware was sued in March 2015 on allegations that it violated the GNU GPL v2 license by not releasing the source code for VMware software that incorporated OSS subject to that copyleft license.

Implement a Company-Appropriate OSS Policy.  To mitigate the risks associated with OSS, all companies should implement an open-source software policy governing the when, why and how of using open-source software in the company’s codebase.  Here are some important considerations:

  • Ensure there is alignment on the goal of the OSS policy at the outset. Different stakeholders may have different views on the goal of an OSS policy.  To Legal, it may be to protect the company’s intellectual property; to IT, it may be to leverage OSS to reduce costs; to developers, it could be to ensure they are free to keep using the OSS they need to meet goals and deadlines.  One thing stakeholders cannot do is go in with the mindset that OSS is bad for business or that they can keep it out of their code.  OSS in business is a reality that can either be ignored or accepted.  The policy’s goal should be to ensure OSS is being used effectively to advance the company’s business objectives while protecting its IP and living within its risk profile.
  • An OSS policy must balance the practical needs of developers with risk management. OSS is the domain of the developer, not the Legal department.  While the risks are something lawyers consider, a policy written and imposed by non-developers on your developer corps will likely face an uphill battle, or worse, be viewed as “out of sync with the goals of the business” and just ignored.  The attorneys’ role in creating an OSS policy is to provide guidance on the risks of OSS to the company as a whole, provide “best practices” guidance in OSS policies, and to draft the actual policy from the outline in plain English (remember, developers, not other attorneys, are the audience).  IT management’s role is to provide guidance on the outside contours of the policy.  Developers need to be directly involved in developing the policy itself as they are the ones using OSS in their daily work.  Developers, Legal and IT should develop the company’s OSS strategy, and its OSS policy, as equal stakeholders.
    • Ensure senior management buys into the policy before it is finalized; it’s important that management understand how OSS is used in the business.
    • Ensure the policy covers key topics, e.g., sourcing OSS; selecting OSS code for use at the utility layer and the competitive/proprietary layer; the OSS approval process; support and maintenance requirements; redistribution; tracking OSS usage; and audits/training.
    • Ensure the policy covers independent contractor developers as well as employees.
  • OSS code review and approval must be a streamlined process. If the review and approval process is complicated, developers will be more likely to just skip it.  Make approval easy.  Provide a “pre-approved list” of OSS – certain combinations of license types, utility level software categories, and/or specific code packages that only need notification of usage for tracking purposes.
    • Have a simple process for vetting other usage requests, asking the critical questions (e.g., What is the name and version number of the software package for which use is requested? What license type applies? Where was the code sourced from? Will the code be modified? What is the support plan?  Will the code be distributed or used internally?  What is the expected usage lifetime of the code? Are there closed source alternatives? Etc.) so that the legal and business risks can be measured and balanced against the benefits of usage.
    • Determine who will do the first review and escalated review (IT, Legal).
    • Turn requests quickly as delays can impact development timeframes.
  • Keep a database of all used OSS, including where it is used and what license type applies. Knowing what OSS you’re using is critical to avoid introducing code that has a bad reputation or is governed by an OSS license your company is not comfortable with (e.g., a strong copyleft license). IT should maintain a database of OSS used by the company, including the license type for each OSS.  This database is also helpful when responding to security questionnaires and is often needed in M&A due diligence.
  • Other Considerations. Consider conducting quarterly or semi-annual reviews of OSS usage, e.g., questionnaires to developers.  Consider having developers acknowledge the OSS policy at hire, and on an annual basis.  Consider conducting OSS training if your company’s learning management system (LMS) has an available course module on OSS.  And most importantly, review the OSS policy no less than once a year with all stakeholders to ensure it evolves as the world of OSS, and the company’s own needs, change over time.
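The pre-approved list, the license-type classification and the OSS database described above can be expressed as a small check that runs over the inventory. The following is an added example written for this article, not code from the article or any project it mentions; package names, versions, sources and the routing rules are constructed, and only the SPDX license identifiers are real.

```python
"""Added example: a minimal OSS inventory check built on the article's policy advice.

Each dependency's license is classified as strong copyleft, weak copyleft or
permissive, combined with the layer it serves ("utility" or "proprietary")
and whether it is modified or distributed, then routed to one of the outcomes
a pre-approved list implies: pre-approved, notify (log for tracking), review
(escalate to IT/Legal) or blocked. Inventory rows below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Grouping of real SPDX identifiers into the article's categories (our choice).
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "MPL-2.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}


def classify(license_id: str) -> str:
    """Map an SPDX identifier to the article's license categories."""
    if license_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    if license_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if license_id in PERMISSIVE:
        return "permissive"
    return "unknown"  # anything else (network copyleft, custom terms) gets a human look


@dataclass(frozen=True)
class Dependency:
    """One row of the OSS database the article recommends IT maintain."""
    name: str
    version: str
    license_id: str
    layer: str          # "utility" or "proprietary"
    modified: bool      # will the company change the OSS code itself?
    distributed: bool   # shipped to customers, or used internally only?
    source: str         # where the code was obtained


@dataclass(frozen=True)
class Decision:
    name: str
    category: str
    outcome: str        # "pre-approved", "notify", "review" or "blocked"
    reason: str


def evaluate(dep: Dependency) -> Decision:
    """Apply the policy to a single dependency."""
    cat = classify(dep.license_id)
    if cat == "unknown":
        return Decision(dep.name, cat, "review",
                        f"license {dep.license_id!r} is not in the policy's known set")
    if cat == "permissive":
        return Decision(dep.name, cat, "pre-approved",
                        "permissive license; record it in the OSS database")
    if cat == "weak-copyleft":
        if dep.modified and dep.distributed:
            return Decision(dep.name, cat, "review",
                            "modified weak-copyleft code that is distributed must be "
                            "released under its license; confirm scope with Legal")
        return Decision(dep.name, cat, "notify",
                        "weak copyleft used unmodified or internally; log and proceed")
    # Strong copyleft: the source-release obligation attaches on distribution.
    if not dep.distributed:
        return Decision(dep.name, cat, "notify",
                        "strong copyleft used internally only; log and proceed")
    if dep.layer == "proprietary":
        return Decision(dep.name, cat, "blocked",
                        "strong copyleft combined with distributed proprietary code "
                        "could pull the whole codebase under the copyleft license")
    return Decision(dep.name, cat, "review",
                    "strong copyleft at the utility layer of distributed software; "
                    "Legal must confirm the code stays separable")


def evaluate_inventory(deps: List[Dependency]) -> Dict[str, Decision]:
    """Evaluate every dependency and key the results by package name."""
    return {d.name: evaluate(d) for d in deps}


def needs_escalation(decisions: Dict[str, Decision]) -> List[str]:
    """Package names that must go to the escalated (IT/Legal) review."""
    return sorted(n for n, d in decisions.items() if d.outcome in ("review", "blocked"))


# Constructed inventory for illustration; these are not real audit records.
SAMPLE_INVENTORY = [
    Dependency("webframework", "2.3.1", "BSD-3-Clause", "utility", False, True, "pypi"),
    Dependency("imagelib", "1.8.0", "LGPL-2.1-or-later", "utility", False, True, "vendor tarball"),
    Dependency("imagelib-fork", "1.8.0-co", "LGPL-2.1-or-later", "utility", True, True, "internal git"),
    Dependency("reportgen", "0.4.2", "GPL-3.0-only", "proprietary", False, True, "github"),
    Dependency("buildtool", "5.1.0", "GPL-2.0-only", "utility", False, False, "distro package"),
    Dependency("legacy-widget", "0.9", "Custom-EULA", "proprietary", False, True, "contractor"),
]

if __name__ == "__main__":
    for name, d in evaluate_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:16} {d.category:16} {d.outcome:12} {d.reason}")
```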

Podcast – Implementing Compliance without Slowing Down Business

I recently had the privilege of being interviewed by Leona Lewis for ComplyEthic’s “Masters of Disaster” podcast series, on the benefits of a “compliance by design” approach to manage risk without slowing down the business. Building strong relationships within the organization is one of the critical keys to a strong and effective compliance program.  You can listen to the podcast by clicking here.

10 Common Negotiation Positions and How To Work Through Them

One of the more frustrating things to run into during a contract negotiation is the “stock position.”  These are negotiation positions often used as tactics to shut down discussion on a point, or to push back on an otherwise reasonable request.  Part of every attorney’s job is to find and leverage ways to make the negotiation cycle more efficient.  Being prepared for these 10 common negotiation positions, and knowing ways to work through them, can help you avoid a stumble on your way to the negotiation finish line.

10. It’s Locked Down (“We only send our agreement as a [PDF/locked Word document].”)
Why you hear this: Some companies try to limit redlines to their agreements by only distributing agreements as a PDF or a Word document locked against editing, making it very burdensome if you want to propose changes.
How to respond:  Propose capturing any changes in an amendment or rider to keep the agreement itself as-is, but ask for a Word version so you can show the changes you’d propose be captured in the amendment or rider.  If they won’t budge, consider creating your own Word version to redline (modern versions of Adobe Acrobat Pro have built-in OCR that lets you save a PDF in Word format, or you can print and then use Optical Character Recognition (OCR) to convert the PDF to an editable version). You can also create an unlocked version of a Word document for editing purposes fairly easily – see my earlier article on this topic.  If you create an editable version yourself, be sure to state in your cover note when sending the agreement back that you have created a Word version solely to facilitate your and their negotiation of the agreement, and reiterate that you would be happy to capture the agreed-upon changes in an amendment or rider to the agreement.

9. Can’t Help You There (“I don’t have the authority to negotiate that.”)
Why you hear this: The person you are negotiating with either doesn’t have the authority to approve changes to this provision, or wants you to think that he/she can’t make changes to it.
How to respond: If the change is important to your company, let them know why, and ask them if they can break out to seek approval from a person with authority (you’ll hold, if on a call). Alternatively, ask if the person with authority can join the conference call or meeting so you can explain the importance of the change or provision directly.  If they balk, ask them to set up a follow-up call or meeting with the person with authority.  If they’re bluffing, asking them to bring in someone with authority may result in a change in position.

8. We’re The Best Around (“Do you know who we are? We’re the number one [vendor/supplier/provider/client] [of/to] [thing] in the [geographic area].”)
Why you hear this:  This response is the equivalent of “we’re the big fish in this pond – be lucky you’re working with us.”  They’re trying to use their market position to get you to back off your position or request.
How to respond: This is one of the reasons it’s important to have a credible backup partner/supplier/vendor waiting in the wings, or at least know who the other party’s major competitors are.  If your position or request is reasonable, you’ll need to stand your ground.  Let them know that while you are aware they are a major player, your request is important to your company, and that you hope they can negotiate on this point.  If you hold fast, you may have to drop the names of their competitors (if you know the name of a sales rep in your area, drop that) and let them know, expressly or by implication, that their willingness to work with you on this point is more important than your desire to work with the top player in the market.

7. Don’t Stop Us Now (“Why are you asking about that? You’re slowing the deal down/this [will/may] cause us to miss our [contract execution date/launch date/etc.].”)
Why you hear this: All too often, parties enter negotiation where one or both are already committed or invested in the relationship — implementation has already started, financial forecasting has already assumed the agreement is completed by a certain date, commitments regarding the agreement have been made to senior management, etc. The other side may be trying to leverage a “need for speed” on your company’s part to avoid discussion of potentially contentious or unfavorable points.
How to respond: It depends on what is more important to your company — getting the deal done quickly, or taking the time to negotiate your point.  If it’s a “nice to have” point, discuss the pros and cons internally of giving on the position in the interests of time.  If it’s a “must have,” call the other side’s bluff and let them know that while you understand that digging into this point may impact the negotiation or launch schedule, resolving this point must take precedence. If you do that, be aware that the other side may try to “forum shop” and reach out to one of the negotiating parties, or a superior, who they think is feeling pressure to close the deal and can exert leverage to get past this point. Propose alternative or compromise positions, and offer to work on a compromise in real-time on a call or via a WebEx or GoToMeeting session to keep the ball rolling.

6. Take Our Word For It (“I know the contract doesn’t say that, but it’s our practice.”)
Why you hear this: The contract template you are working from may be old and no longer tracks to the operational realities of the parties’ obligations and duties.  It’s also used where the other side is unwilling to commit contractually to a negotiating or marketing statement or position.
How to respond: Stress that the contract needs to accurately reflect the business and operational reality of the relationship.  If it’s their practice, they should be willing to give you a contractual commitment on it. If they refuse, let them know that if they can’t back up their statement with a corresponding obligation in the contract, that’s a red flag and you’ll need to discuss their position with your business team (in other words, give them a Don’t Stop Us Now). Consider ending the call/meeting early to huddle with your business team on this point – it can send a message to the other side that you are serious about this issue.

5. We Can’t Afford That (“That will affect our revenue recognition.”)
Why you hear this: The requested change could require them to spread the revenue across a longer period of time, or shift it from one fiscal month/quarter/year to the next. If the sales rep has already committed a contract close to the business, or is planning on it to meet quota or get bonus, this can be a major stumbling block for them. For example, a termination for convenience clause can often affect revenue recognition.
How to respond: This can be a legitimate argument.  However, there is often a creative way to structure terms that meets their revenue recognition requirements yet gives your company the flexibility it needs.  Put on the creativity hat and work with your business/legal counterpart, and your finance team, to try to find an alternative that will work.  If not, you’ll need to stand firm and see whether they want the business even with altered revenue recognition terms.

4. You Don’t Need To See That Now (“We don’t give our [customers/partners] our [documentation/policies] before they sign the agreement.”)
Why you hear this: If an agreement has policies that apply to your company and are referenced or incorporated by reference in the agreement (e.g., Terms of Use, Terms of Service, Vendor Code of Conduct, Conflict of Interest Policy, Trademark Guidelines, etc.), taking the time to review these policies can extend the negotiation cycle.  The agreement may also contain a warranty that the product or service conforms to the documentation, which you’ll need to review to understand how strong a warranty you’re getting. If there’s anything in there that your company can’t abide by, you could be setting your company up for a problem out of the gate.
How to respond: Explain that your company can’t fully commit to an agreement until it has reviewed and signed off on all terms and policies related to the agreement. If they’re balking at providing documentation relating to a warranty section, let them know you need to see the documentation first.  See if there’s a group within your company that can play “bad cop” here, e.g., “Internal Audit needs to see it before we can sign.” Consider adding a 30-day right to rescind to the agreement in your client’s favor, which lets you sign first, but lets you back out if you don’t like the terms of their policies. Search online — many times you can find a policy on the other side’s own website.

3. I Can’t Believe You Said That (“We take offense to your position that we might [lose your data/breach the warranties, etc.]”)
Why you hear this: The “rightful indignation” argument is common when the other party wants to avoid a discussion on a topic, or truly doesn’t understand why you would be asking about that.  They may be confusing your risk management with an insinuation that you don’t trust they can live up to their obligations.
How to respond: Explain why the issue is important to your company.  If your company has been burned by the issue in the past, or your General Counsel/management team is focused on this issue, let them know — almost every company has some hot-button issue that can impact its contract negotiations.  You can also let them know you’ve seen recent articles about this issue and it’s top of mind.  Be sure to stress that you’re not playing Devil’s advocate and looking at the worst-case scenario; rather, you’d rather be prepared for the worst and have some extra words in the contract than be caught unprepared when the unthinkable happens.

2. That Comes Later (“We will [address/schedule] [your implementation/that topic] in a [SOW/Addendum] after we sign.”)
Why you hear this: Punting on a contentious or time-consuming issue, such as ownership of deliverables, can help move the agreement to completion.  Once the contract is signed, however, you may lose your leverage to negotiate that provision.  Alternatively, the other party may attempt to include a provision in the SOW/Addendum that will take precedence over a corresponding provision in the base agreement, essentially renegotiating it.
How to respond: If a provision is material or critical to the agreement or to your company, insist that it’s negotiated as part of, or at the same time as, the agreement. Ensure you have a strong order of precedence clause so your negotiated wins in the agreement aren’t undone in a later document.

1. That One’s New (“No one has ever asked us for that before/we’ve never given that to anyone before.”)
Why you hear this: Unless a company is very new, it’s very uncommon that no one has ever asked for a particular request before.  It’s more likely that the person you are negotiating with has never heard anyone ask for that before.
How to respond: Ask them to confirm they are saying that no contract the company has ever signed has had that provision.  If they hold firm, use it as an opportunity to push for a contractual representation to that effect (putting their money where their mouth is), and/or push for a “most favored nations” (MFN) clause on that term so that if they do offer that term to anyone in the future it will be automatically incorporated into your agreement. These approaches often lead to a change of tune. They may try to limit a rep or MFN clause to similarly situated clients/partners – consider whether this makes sense.

“Consumer Disclosure Icons” in Mobile and Social Marketing

The advent of mobile and social marketing has created a significant headache for attorneys and marketers alike.  The FTC has stated that consumer disclosure requirements to avoid deception (e.g., ensuring that disclosures are clear and conspicuous, are in close proximity to the statement requiring the disclosure, are sufficiently prominent, are in understandable language, are not hidden behind a non-descriptive hyperlink, etc.) apply to marketers regardless of the medium in which they are delivered.  Whether you’re delivering a marketing communication via email to a desktop computer, via social media, or to a mobile or wearable device, these rules apply.

The result is an understandable tension between attorneys trying to ensure that required disclosures are being made to control risk, and marketers seeking to deliver a compelling message and CTA (call to action) in a limited amount of space.  Attorneys need to partner with their marketing brethren to find creative solutions to achieve both goals.

One idea for common ground here from an industry perspective worth pitching is to develop a set of standard “consumer disclosure icons,” or CDIs, that use a single character to denote a standard marketing disclosure phrase, e.g., “additional purchase required,” “no purchase necessary,” “subscription required,” “terms and conditions apply,” “sponsored promotion,” “paid advertisement,” etc.  These could be something as simple as a set of initials in a box, such as the following for “no purchase necessary”:


Using these as a single character in a standard browser font would mean each CDI only takes up one character in a text-based communication, freeing up valuable real estate for the communication itself.  Each could be a hyperlink to a page with explanations of the meanings of standard CDIs.  Companies would want to use them consistently, e.g., at the end of each paragraph with claims triggering a disclosure.

CDIs would not work for non-standard disclosures, and companies would need to be careful not to improperly use CDIs where a custom disclosure is required.

Through efforts such as “Operation Full Disclosure” in September 2014, the FTC is looking to the industry to demonstrate their compliance with standard consumer marketing requirements even as the medium in which these messages are delivered continues to evolve (and shrink in size).  Devising a set of consumer disclosure icons for common disclosures in visual mobile and social marketing may be a solution embraceable by marketers, attorneys and regulators alike.

Safe Harbor Framework for EU to US Personal Data Transfers May Not Be “Adequate” After All

This week, the Advocate General of the European Court of Justice (ECJ) issued a preliminary and non-binding assessment in an ECJ case recommending that the ECJ find the US-EU Safe Harbor Framework to be invalid.

For US companies with European subsidiaries that regularly need to transfer data back to the US home office, one of the primary data privacy considerations is compliance with the EU’s Data Protection Directive. Each EU member state has adopted their own data protection law based on the Directive. The Directive covers personal data in the European Economic Area (the EU, Iceland, Liechtenstein and Norway).

Under Article 25 of the Directive, the transfer of personal data to a country or territory outside of the EEA is prohibited unless that country or territory can guarantee an “adequate” level of data protection in the eyes of the EU.  In some cases, the EU will declare a country to have “adequate” protections in place (e.g., Canada based on their national PIPEDA data privacy law).

The US is one of the countries that is not deemed “adequate” by the EU.  (The US does not have a comprehensive national privacy law like Canada or the EU, but instead uses a “sectoral” approach to regulate data privacy.)  Because of this, the EU controller of the personal data must ensure that the US company receiving the data has an adequate level of protection for personal data to permit the data transfer.  This can be achieved in a number of ways, including:

  • The Directive defines a number of situations in which adequacy is presumed statutorily, such as where the data subject consents to the transfer, the transfer is necessary for the performance of, or conclusion of, the contract between the data subject and data controller, or it is necessary to protect the vital interests of the data subject.
  • A company’s Board of Directors can adopt binding corporate rules requiring adequate safeguards within a corporate group to protect personal data throughout the organization.
  • The EU entity and US entity can enter into an approved contract (utilizing model contract terms approved by the EU) with provisions ensuring data is adequately protected.
  • The transfer is to a US entity which participates in the Safe Harbor Framework, a program agreed upon by the US and EU in 2000 under which US companies that self-certify that their data protection policies and practices are in compliance with the requirements of the Framework are deemed to have an “adequate” level of data protection for EU data transfer purposes.  Over 5,000 companies have certified their compliance with the Safe Harbor Framework.

Edward Snowden’s revelations regarding US government surveillance programs and practices created many questions regarding whether the Safe Harbor Framework was truly “adequate” for EU purposes, since regardless of a company’s own policies and practices the US government could access the personal data of EU data subjects stored on US servers.  This week, in a case brought by an Austrian student challenging the transfer of his data to the US by Facebook under the Safe Harbor framework, the Advocate General of the European Court of Justice (ECJ) issued a preliminary and non-binding assessment recommending that the ECJ find the Safe Harbor Framework to be invalid.  The ECJ can ignore the Advocate General’s recommendation, but does so only rarely.

The language of the decision will be very important, as the potential for US government surveillance of and access to personal data of EU data subjects stored in the US goes beyond the Safe Harbor framework.  A broad decision could create problems for the ability of US companies to achieve adequacy for EU data transfer purposes, regardless of the adequacy approach used — US government surveillance could be determined to trump any adequacy approach taken by US companies in the eyes of the EU. At the same time, a finding that the US government’s surveillance practices call into question the adequacy of the transfer of data to US companies in general could cause major headaches and disruptions for US businesses, and would have political and economic ramifications. It will be interesting to see how deep down this rabbit hole the ECJ is willing to go.

Companies which participate in the Safe Harbor Framework should immediately start looking at alternative choices for achieving “adequacy” in the eyes of the EU to allow for continued data transfers.  Companies should also look at whether any of their vendors rely on Safe Harbor in the performance of obligations, and contact them regarding their contingency plans if Safe Harbor is found to be invalid. If the ECJ adopts the Advocate General’s recommendation, it is unclear whether they will provide any grace period to allow companies to implement an alternative approach.  Public reporting companies participating in the Safe Harbor framework may also want to consider whether this uncertainty should be cited in their risk factors for SEC reporting purposes.

FTC opens their nationwide tour to promote Start with Security

It’s not the latest group on tour with a band name and album name that needed a lot more thought.  Earlier this year, the FTC announced that they would be releasing guidance for businesses on data security.  In June, they did just that, releasing a guide called Start with Security: A Guide for Business.  It’s subtitled “Lessons Learned From FTC Cases” for a reason — it uses the 50+ FTC enforcement actions on data security to provide ten lessons companies should learn when approaching security to avoid others’ missteps that led to enforcement actions, and practical guidance on reducing risks.  The lessons are:

  1. Start with security.  The FTC has long advocated the concept of “privacy by design,” meaning companies should bake an understanding of and sensitivity to privacy into every part of the business, making it part of the design process for new products and processes.  The FTC is advocating a similar concept of “security by design.” Guidance:  don’t collect personal information you don’t need (the RockYou enforcement action); don’t use personal information when it’s not necessary (Accretive and foru International); don’t hold on to information longer than you have a legitimate business need for it (BJ’s Wholesale Club).
  2. Control access to data sensibly.  Keep data in your possession secure by controlling access to it – limit access to those with a need to know for a legitimate business purpose (e.g., no shared user accounts, lock up physical files). Guidance: don’t let employees access personal information unless they need to access it as part of their job (Goal Financial); don’t give administrative access to anyone other than employees tasked with administrative duties (Twitter).
  3. Require secure passwords and authentication.  Use strong password authentication and sensible password hygiene (e.g., suspend the password after x unsuccessful attempts; prohibit common dictionary words; require at least 8 characters; require at least one upper case character, one lower case character, one numerical character, and one special character; prohibit more than 2 repeating characters; etc.).  Guidance: require complex and unique passwords (Twitter); store passwords securely (Guidance Software, Reed Elsevier, Twitter); guard against brute force attacks (Lookout Services, Twitter, Reed Elsevier); protect against authentication bypass such as predictable resource location (Lookout Services).
  4. Store sensitive personal information securely (“at rest”) and protect it during transmission (“in motion”). Use strong encryption when storing and transmitting data, and ensure the personnel implementing encryption understand how you use sensitive data and can determine the right approach on a situation-by-situation basis.  Guidance: keep sensitive information secure throughout the data life-cycle (receipt, use, storage, transmission, disposal) (Superior Mortgage Corporation); use industry-tested and accepted methods (ValueClick); make sure encryption is properly configured (Fandango, Credit Karma).
  5. Segment your network and monitor who’s trying to get in and out.  Be sure to use firewalls to segment your network to minimize what an attacker can access.  Use intrusion detection and prevention tools to monitor for malicious activity.  Guidance: segment your network (DSW); monitor activity on your network (Dave & Buster’s, Cardsystem Solutions).
  6. Secure remote access to your network. Make sure you develop and implement a remote access policy, implement strong security measures for remote access, and put appropriate limits on remote access, such as by IP address and by revoking remote access promptly when no longer needed.  (The compromise of a vendor’s system via phishing, leading to remote network access, is how the Target breach started.)  Guidance: ensure remote computers have appropriate security measures in place, e.g., “endpoint security” (Premier Capital Lending, Settlement One, LifeLock); put sensible access limits in place (Dave & Buster’s).
  7. Apply sound security practices when developing new products. Use “security by design” to ensure data security is considered at all times during the product development life-cycle.  Guidance: train engineers in secure coding (MTS, HTC America, TRENDnet); follow platform guidelines for security (HTC America, Fandango, Credit Karma); verify that privacy and security features work (TRENDnet, Snapchat); test for common vulnerabilities (Guess?).
  8. Make sure your service providers implement reasonable security measures. Make sure you communicate your security expectations to your service providers and vendors, and put their feet to the fire through contractual commitments and auditing/penetration testing. Guidance: put it in writing (GMR Transcription); verify compliance (Upromise).
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.  Data security is a constant game of cat-and-mouse with hackers – make sure to keep your guard up.  Apply updates to your hardware and software as they are issued, and ensure you are spotting vulnerabilities in, and promptly patching, your own software. Have a mechanism to allow security warnings and issues to be reported to IT.  Guidance: update and patch third-party software (TJX Companies); heed credible security warnings and move quickly to fix them (HTC America, Fandango).
  10. Secure paper, physical media, and devices.  Lastly, while the focus these days seems to be on cybersecurity, don’t forget about physical security of papers and physical media.  Guidance: securely store sensitive files (Gregory Navone, LifeLock); protect devices that process personal information (Dollar Tree); keep safety standards in place when data is en route (Accretive, CBR Systems); dispose of sensitive data securely (Rite Aid, CVS Caremark, Goal Financial).
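Lesson 3 lists concrete password rules and lesson 3's guidance calls for secure storage and brute-force protection. The following is an added example written for this article, not code from the FTC guide or the article, that turns those rules into a small authenticator; the banned-word list, the lockout threshold of 5 and the PBKDF2 work factor are constructed choices for the example.

```python
"""Added example: the lesson 3 password rules as a small authenticator.

Enrollment enforces the stated policy (8+ characters; at least one upper case,
lower case, numerical and special character; no more than 2 repeating
characters in a row; no common dictionary words). Only a salted PBKDF2 hash is
stored, and an account is suspended after MAX_FAILED_ATTEMPTS failures.
The word list and thresholds below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List

COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}
MAX_FAILED_ATTEMPTS = 5       # the article's "x unsuccessful attempts"
PBKDF2_ITERATIONS = 200_000   # work factor; tune to your hardware


def policy_violations(password: str) -> List[str]:
    """Return every rule the candidate password breaks (empty list means OK)."""
    problems: List[str] = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case character")
    if not any(c.islower() for c in password):
        problems.append("no lower case character")
    if not any(c.isdigit() for c in password):
        problems.append("no numerical character")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    run = 1  # "no more than 2 repeating characters": reject a run of 3 or more
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > 2:
            problems.append("more than 2 repeating characters")
            break
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains common dictionary word {word!r}")
            break
    return problems


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    suspended: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Authenticator:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def enroll(self, user: str, password: str) -> List[str]:
        """Create the account only if the password passes policy; return violations."""
        problems = policy_violations(password)
        if not problems:
            salt = secrets.token_bytes(16)
            self.accounts[user] = Account(salt, _hash(password, salt))
        return problems

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'suspended' without revealing which check failed."""
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, b"\0" * 16)  # same work for unknown users; no timing tell
            return "denied"
        if acct.suspended:
            return "suspended"
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.suspended = True   # lockout; an operator must reinstate the account
            return "suspended"
        return "denied"
```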

As this guidance is based on what companies did wrong, or didn’t do, that led to FTC enforcement actions, it will be interesting to see how the FTC treats a company that suffers a data breach but demonstrates that it used reasonable efforts to comply with the FTC’s guidance.  I suspect the FTC will take a company’s compliance with this guidance into consideration when determining penalties in an enforcement action. The guidance is very high-level, so companies must rely on their IT and Legal teams to determine what steps, processes and protocols need to be implemented to align with it.

In addition to publishing the guide, the FTC has embarked on a conference series aimed at SMBs (small and medium-sized businesses), start-up companies, and developers to provide information on “security by design,” common security vulnerabilities, secure development strategies, and vulnerability response.  The first conference took place September 9 in San Francisco, CA; the second will take place November 5 in Austin, TX.

The FTC also announced a new website at which they’ve gathered all of their data security guidance, publications, information and tools as a “one-stop shop”.  You can find it at

Progressive Reduction, Progressive Disclosure and Legal Disclosures – Incompatible?

Progressive Disclosure and Progressive Reduction are two common user experience (UX) techniques in website and application design.  Both reduce the amount of information shown to a user by default, which is very useful when screen real estate is limited on a website or in an application, or when you are striving for a clean user interface.  Both trade clicks for clutter: it takes more clicks to view all of the information, but many users never need the additional information and therefore never incur those clicks.

Progressive Disclosure stack ranks information, features and options by usage, and breaks the display of the information, features and options onto multiple screens so that only the most commonly used or popular items appear by default.  The intent of Progressive Disclosure is to simplify the user interface and avoid overwhelming a user with information, features and options on a single screen (which results in a bad user experience).  Common examples of Progressive Disclosure in apps and on websites are “Learn More” links and expandable/collapsible data elements that are collapsed by default but expandable by the user. An example of Progressive Disclosure in the legal context is a “layered” privacy policy with an initial summary and links to the longer, full privacy policy.

Progressive Reduction uses user profiles and other information or options to progressively reduce content elements based on time or usage.  As the user becomes more familiar with the website or app (or as more time passes), the design can be simplified and reduced, as the assumption is that the user will still understand what to do.  For example, suppose a website has a prominent “Change Your Preferences” button with an icon.  As a user becomes more familiar with that button, it can be reduced to a “Preferences” button with an icon, and then just the icon.  Another example is expandable/collapsible data elements that are expanded by default, where if the user collapses them the website or application will remember the user’s preference and collapse them by default thereafter.

The Federal Trade Commission and state Attorneys General expect websites and apps to have “clear and conspicuous” and “legible and understandable” legal disclosures to avoid deceptive trade practice claims.  Requiring a click to access important disclosures is neither clear nor conspicuous to a user.  Thus, the concepts of Progressive Disclosure and Progressive Reduction seem to conflict with proper legal disclosures.  So can they coexist?  The answer is yes, but not for (1) the critical elements of the initial disclosure, and (2) information you are legally obligated to present to the user.

An initial website legal disclosure (e.g., special terms regarding a product, automatic renewal terms, etc.) must be clear, conspicuous, legible and understandable, as the FTC and state AGs expect. Progressive Disclosure and Progressive Reduction should not be used for the initial disclosure, and should never be used to break apart a legal agreement such as click-through terms. (If space is a concern, an attorney should try to make the disclosure as concise as possible, or use a scroll box with a greyed-out checkbox for consent or greyed-out “continue” button until the consumer scrolls to the bottom of the scroll box.)  For legal policies posted on a website, using a layered approach is a common way to apply principles of Progressive Disclosure.

In some cases, there are supplemental references to or confirmations of the initial disclosure, such as in an order confirmation email, or online notices of a policy change previously communicated by email or postal mail.  The supplemental references to, or confirmations of, a website legal disclosure are generally used to remind the consumer what they have agreed to, which can help defend against a claim that the disclosure was not clearly or conspicuously provided.  In some circumstances, such as with auto-renewing subscriptions in California, the full initial disclosure must be provided in the supplemental disclosure.  However, where there is no legal requirement to do so, Progressive Disclosure can be applied to the supplemental disclosure as long as the terms initially displayed are the ones for which the consumer would most expect to be reminded, i.e., the most critical terms.

A strong partnership with the User Experience team is critical to ensuring that legal disclosures are properly presented in websites and apps.  Demonstrating an understanding of UX concepts, and of how to strike the right balance with legal disclosure requirements, strengthens the UX team’s view of counsel as a valued business partner and problem solver.

What’s the Point of a “Termination on Bankruptcy or Insolvency” Clause?

Almost every contract drafted today contains a clause allowing a party to terminate the agreement if the other party files for bankruptcy, is forced into bankruptcy by a third party (involuntary bankruptcy), makes an assignment for the benefit of creditors, becomes or admits to being insolvent or generally unable to pay its debts when due, breaches a covenant related to financial condition, ceases to do business, etc.  This type of clause is commonly known as an ipso facto clause.  Ipso facto is Latin for “by the fact itself,” and means that a consequence follows automatically from the fact in question: here, the bankruptcy or insolvency of Party A, by itself, gives Party B the right to terminate.  This clause is considered “boilerplate” in most contracts, and is rarely negotiated (or even discussed).  However, attorneys and business persons alike should be very careful in relying on the right to terminate in this clause, as it’s generally unenforceable.

State law generally governs whether a contract is enforceable or non-enforceable.  However, one very big exception to that rule is the federal law governing bankruptcies (Title 11 of the United States Code, known as the “Bankruptcy Code”).  One of the primary goals of federal bankruptcy law is to allow a debtor to reorganize its business.  In order to do that, the Bankruptcy Code overrides state enforcement of ipso facto clauses and invalidates them (in most cases) as a matter of federal law.  Section 365(e)(1) of the Bankruptcy Code states that an “executory contract” (i.e., a contract under which performance obligations are still outstanding) may not be terminated after the commencement of a bankruptcy case solely because of a termination right based on the insolvency or financial condition of the debtor at any time before the closing of the case.  In other words, you generally can’t exercise an ipso facto clause under federal bankruptcy law once a bankruptcy starts, no matter what the contract says.  (Another provision, Section 541(c), states that a property interest becomes property of the estate upon commencement of bankruptcy, meaning that the property interest can’t be terminated by an ipso facto clause.)  Once bankruptcy starts and while it’s underway, only the trustee (or the debtor in possession) can assume or reject an executory contract – it’s out of your hands.

Ipso facto clauses have remained in agreements through the years even though they’re no longer very useful, like a contract’s version of the human appendix.  There are actually a few good reasons to keep them around.  It’s important to remember that the clause’s unenforceability under federal law is tied to the actual commencement of bankruptcy; if that never happens, the clause is still enforceable, or at least potentially usable as a saber that can be rattled.  (Keep in mind that if you terminate under the clause and bankruptcy is then filed, the debtor may petition the court to rescind the termination and reinstate the agreement, similar to the treatment of a “preference payment.”)  There are also a couple of limited exceptions under Section 365(e)(2) of the Bankruptcy Code, such as where applicable law excuses the other party from accepting performance from anyone but the debtor (whether or not the contract prohibits or restricts assignment or delegation) and that party doesn’t consent to the assumption or assignment; e.g., if the debtor was commissioned to paint a mural based on his expertise, the building owner doesn’t have to accept the trustee’s paint job as a substitute.  Finally, it’s always possible the Bankruptcy Code could be changed in the future to allow for the enforcement of ipso facto clauses under state law, perhaps through an expansion of the exceptions under Section 365(e)(2).