On March 27, 2023, President Biden signed the Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security (EO), restricting federal agencies’ use of commercial spyware.  The Biden Administration cited targeted attacks utilizing commercial spyware on U.S. officials and human rights abuses abroad as motivations for these restrictions.

Usage Restrictions

The EO is not a blanket ban on commercial spyware.[1]  Instead, it bars federal government agencies from using commercial spyware tools if they pose significant counterintelligence or security risks to the U.S. government, or significant risks of improper use by a foreign government or foreign person, including to target Americans or enable human rights abuses.  Indirect use of such spyware (e.g. through a contractor or other third party) is also prohibited.  The EO establishes risk factors indicative of prohibited commercial spyware, including:

  • Past use of the spyware by a foreign entity against U.S. government personnel or devices;
  • Past use of the spyware by a foreign entity against U.S. persons;
  • The spyware was or is furnished by an entity that maintains, transfers, or uses data obtained from the commercial spyware without authorization from the licensed end-user or the U.S. government, or has disclosed or intends to disclose non-public information about the U.S. government or its activities without authorization from the U.S. government;
  • The spyware was or is furnished by an entity under the direct or effective control of a foreign government or foreign person engaged in intelligence activities directed against the United States;
  • A foreign actor uses the commercial spyware to limit freedoms of expression, peaceful assembly or association; or to enable other forms of human rights abuses or suppression of civil liberties; or
  • The spyware is furnished to governments that have engaged in gross violations of human rights, whether such violations were aided by the spyware or not.

The above restrictions do not apply to the use of commercial spyware for purposes of testing, research, analysis, cybersecurity, or the development of countermeasures for counterintelligence or security risks, or for purposes of a criminal investigation arising out of the criminal sale or use of the spyware.  Additionally, an agency may be able to obtain a waiver allowing it to temporarily bypass the EO’s prohibitions, but only in “extraordinary circumstances.”

Agency Reporting Requirements

The EO contains various agency reporting requirements.  Some are specific to the Director of National Intelligence (DNI) while some apply to all federal agencies:

  • Within 90 days of the EO, the DNI will issue a classified intelligence assessment on foreign commercial spyware and foreign use of commercial spyware.
  • Within 90 days of the DNI assessment, all federal agencies must review their use of commercial spyware and discontinue uses that violate the EO. 
  • If an agency elects to continue using commercial spyware, within one year of the EO it must report its continued use to the Assistant to the President for National Security Affairs (APNSA) and explain why its continued use does not violate the EO.

New Commercial Spyware Procurement Procedures

Agencies seeking to procure commercial spyware “for any purpose other than for a criminal investigation arising out of the criminal sale or use of the spyware” must:

  • Consider any relevant information provided by the DNI, and solicit such information from the DNI if necessary;
  • Consider the risk factors listed above;
  • Consider any controls the commercial spyware vendor has in place to detect and prevent potential security risks or misuse; and
  • Notify APNSA within 45 days of procurement and provide a description of its intended purpose and use(s) for the commercial spyware.  

Key Takeaways

While the EO signals that the federal government is approaching commercial spyware with caution, interested parties should note that the government has been careful not to rule out its usage altogether. The EO, for example, does not address the government’s use of non-commercial (i.e. government-produced) spyware, or mention state or local government use of commercial spyware at all. The EO also allows federal agencies to procure and employ commercial spyware so long as the agency determines that the spyware does not pose a significant risk to national security or for improper use. Vendors of commercial spyware should pay close attention to the risk factors identified in the EO and consider implementing internal controls to address them.

On March 22, 2022, the Department of Defense (DoD) issued a final rule requiring contracting officers to consider supplier risk assessments in DoD’s Supplier Performance Risk System (SPRS) when evaluating offers. SPRS is a DoD enterprise system that collects contractor quality and delivery performance data from a variety of systems to develop three risk assessments: item risk, price risk, and supplier risk. The final rule introduces a new solicitation provision, DFARS 252.204-7024, which instructs contracting officers to consider these assessments, if available, in the determination of contractor responsibility.

SPRS risk assessments are generated daily using specific criteria and calculations based on the price, item, quality, delivery, and contractor performance data collected in the system.  Although compliance with cybersecurity clauses DFARS 252.204-7012, -7019, or -7020 is not currently used to generate supplier risk assessments, the potential cybersecurity implications are evident. Under DFARS -7019 and -7020, DoD requires contractors to demonstrate their compliance with cybersecurity standard NIST SP 800-171 by scoring their implementation of 110 controls and uploading their score to SPRS.

Some believe that DoD could incorporate the NIST 800-171 Basic Self-Assessment score into the supplier risk assessment at any time. If SPRS scores are incorporated into supplier risk assessments, this solicitation provision will make the accuracy and veracity of contractors’ SPRS scores significantly more important. Inaccurate SPRS scores could open contractors to legal risk, including False Claims Act (FCA) liability. Under the Department of Justice’s Civil Cyber Fraud Initiative, FCA actions regarding inaccurate cybersecurity representations have increased. Because these assessments will now influence award decisions, accuracy will become key.

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

On March 15, the Iowa House passed Senate File 262 (SF 262), a comprehensive state privacy law bill. If enacted, SF 262 would be the sixth state-level privacy law, following California, Virginia, Colorado, Utah, and Connecticut, and it would go into effect on January 1, 2025.

Iowa’s new law is closest to the Utah Consumer Privacy Act (UCPA), having broad exemptions and more limited obligations for controllers. Notably, SF 262 provides exemptions for consumer rights where “pseudonymous data” and “de-identified data” (as defined by the bill) are involved, including certain opt-out rights.

For the most part, Iowa’s bill treads familiar territory. Its scope extends to entities that conduct business in Iowa or produce products or services targeted to Iowa residents, and that meet the following requirements, in a calendar year: (1) control or process personal data of at least 100,000 consumers; or (2) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from sale of personal data.

Iowa’s bill does not create new obligations for businesses compared to what is already required under other states’ privacy laws. For example, the Iowa bill’s privacy notice requirements are not unique to SF 262 – companies with privacy policies drafted to comply with the CCPA (California Consumer Privacy Act) and VCDPA (Virginia Consumer Data Protection Act) are not likely to have to amend their policies in order to comply with Iowa’s requirements. In addition, like Utah and Virginia, Iowa’s bill includes a narrow definition of “sale” of personal data (the exchange of personal data for monetary consideration by the controller to a third party), as well as numerous exceptions. 

Iowa’s bill notably diverges from consumer protections found in most existing state privacy laws. For example, it only requires clear notice and opt-out for sensitive data, while other states like Colorado, Connecticut, and Virginia adopted opt-in requirements. The Iowa bill also lacks a consumer right to correct data. There are no requirements for covered entities to conduct privacy impact assessments or establish data minimization principles. Furthermore, responses to consumer requests not only have a 90-day response period (compared to 45 days in other states) but also are subject to a potential 45-day extension.

This bill does not contain a private right of action; enforcement rights belong exclusively with the Iowa State Attorney General. The AG may seek injunctive relief and civil penalties of up to $7,500 per violation. However, this first requires providing a 90-day cure period before bringing any enforcement, and such cure period does not sunset.

We will continue to monitor the developments and keep you informed of any further updates.

Eight months after the issuance of the draft Measures on the Standard Contract for the Export of Personal Information (“SCC Regulations”), on February 24, 2023, the Cyberspace Administration of China (“CAC”) released the final version of the SCC Regulations, along with the Standard Contractual Clauses (“SCCs”). The SCCs set a baseline for cross-border data transfer agreements. This can impact any business that relies on the sharing of information between China and third countries, like the United States.

The SCCs will come into effect on June 1, 2023, and companies have an additional six months (until November 30, 2023) to comply with the SCCs’ requirements for the transfer of data outside of China.

China’s Three Data Transfer Mechanisms are Now Settled

The PRC Personal Information Protection Law (“PIPL”) requires personal information processors (similar to the concept of data controllers under the General Data Protection Regulation) to implement one of the following three data transfer mechanisms, if personal information is transferred outside of China:

  1. Complete a Security Assessment by the CAC;
  2. Complete a Security Certification by a certification institution designated by the CAC; or
  3. Adopt the SCCs.

Prior to the release of the final SCCs, the CAC had already released the Measures on Security Assessment of Cross-Border Data Transfer and Specifications on Security Certification for Cross-Border Personal Information Processing Activities in the summer of 2022. These measures include detailed guidance on the security assessment and security certification process necessary for the transfer of data outside of China.

The issuance of the SCCs indicates that the final piece of the puzzle of China’s cross-border data transfer regime is now settled. Previously, many companies that were not required to go through the security assessment process took a “wait-and-see approach” pending the finalization of the SCCs. Now, with the final piece of China’s cross-border data transfer regime in place, a full assessment of the available data transfer mechanisms is required.

Application Scope of the SCCs

The SCCs may be a more user-friendly approach to qualify a data transfer, as the SCCs do not require a review by the CAC or certification by a third-party institution. In addition, they provide for more definite contractual terms. However, the SCCs may be adopted only if all of the following conditions are met:

  1. The data exporter is not a critical information infrastructure operator (“CIIO”), which is broadly defined as an operator of critical network facilities or information systems in important industries (such as finance, energy, or transportation), where destruction, loss of function, or data leakage may seriously endanger China’s national security, people’s livelihood, or the public interest;
  2. The data exporter has not processed personal information of more than one million individuals (“Mass Processor”); AND
  3. Since January 1 of the previous year, the data exporter has not made aggregated transfers of:
  • personal information of more than 100,000 individuals; or
  • sensitive personal information of more than 10,000 individuals.

If any of the above conditions are not met, a CAC security assessment will be required instead, and the SCCs would not be an option. Notably, a CAC security assessment will also be triggered if any important data is transferred out of China, even if the SCCs are used to transfer data. Important data are broadly defined as any data that – if tampered with, destroyed, leaked, illegally accessed, or used – may endanger China’s national security, economic operation, social stability, or public health and safety.

Are Modifications to the SCCs Permissible?

According to the SCC Regulations, the parties are not allowed to make any modifications to the SCCs. The parties, however, may add terms, to the extent they do not conflict with the SCCs.

For companies who have already entered into a data processing agreement (“DPA”), questions abound regarding how the SCCs would interact and integrate with these existing agreements. Where corporations are considering combining the two through the use of exhibits, the SCCs may need to be the main body of an agreement, with any additional terms, including those in an existing DPA, placed into an exhibit.

Governing Law and Liability

Notably, the governing law of a DPA transferring data outside of China must be PRC law. However, the parties are granted some flexibility to submit their disputes under the SCCs to a PRC court or, if arbitration is preferred, to a PRC or international arbitration tribunal in a member state of the New York Convention.

Under the SCCs, the data exporter and the data importer assume joint and several liability to the data subjects.  As such, data subjects can enforce their rights against both such parties as a third-party beneficiary under the SCCs.

Are There Different Modules Available for Different Transfer Scenarios?

The European Union’s Standard Contractual Clauses cover four different modules: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. China’s SCCs do not draw any distinction among such transfers. China’s SCCs, however, do set out different obligations where the overseas data recipient is an “entrusted processor.” An entrusted processor is a processor who does not determine the purpose or method of the processing, but instead only processes personal information based on a data transfer agreement with the personal information processor and/or the instructions from the personal information processor.

Liabilities for Violating the SCC Regulations

Companies violating the SCC Regulations may be subject to:

  1. civil claims by data subjects for any damages caused;
  2. administrative penalties, including a fine up to RMB 50 million (approximately USD 7.3 million) or 5% of the last year’s turnover (whichever is higher), suspension of relevant business and revocation of business license or other licenses/approvals; and/or
  3. criminal liabilities in worst cases.

The SCC Regulations create a whistle-blowing mechanism for individuals or organizations to report any non-compliance or violations to the CAC. The CAC may also request a meeting with a company and may issue an order to a company to take corrective measures, if any significant risks or any data breach are identified. 

What Steps Should Companies Take to Comply with the SCC Regulations?

Complying with China’s SCCs requires more than just signing the SCCs provided by the CAC. We set forth below some of the key steps that companies would take to comply with the requirements under the SCC Regulations.

Data Inventory: The first step toward compliance is often to conduct a data inventory to understand the type and volume of data transferred outside of China, the entities and jurisdictions involved, the purpose(s) and method of the processing, and the IT systems involved. The SCC Regulations specifically prohibit companies from dividing data among their subsidiaries in order to avoid volume thresholds that trigger the applicability of the security assessment.

Adopt an Appropriate Data Transfer Mechanism: Based on the findings of the data inventory, companies would then determine whether the data transfer triggers the security assessment by the CAC. If the security assessment is not triggered, the next step would be to determine the most appropriate data transfer mechanism. Generally, for intra-company data transfers, companies may choose to use security certifications or SCCs to qualify their data transfers out of China if the security assessment is not triggered.  For data processing that is subject to the extraterritorial effect of the PIPL (i.e., direct collection of personal information from individuals in China by a foreign personal information processor), it appears that the only option is a security certification, given the SCCs are generally used for transfers between a Chinese personal information processor and a foreign recipient.  For other transfers below the security assessment threshold, the SCCs may be adopted.

Personal Information Protection Impact Assessment (“PIA”): Data exporters are required to undertake a PIA before transferring any personal information outside of China. The PIA report is a required document for the subsequent filing with the local CAC (as explained below), in conjunction with a filing of a data processing agreement. There is no standard format yet for a PIA in the context of SCCs.

Implement Appropriate Internal Policies and Processes: The SCCs impose a series of obligations on data exporters and recipients, such as notifying the data subjects and obtaining their consent (or separate consent), where necessary; taking technical and organizational measures to protect the security of the personal information involved (e.g., encryption, de-identification, or access controls); establishing a process for responding to data subjects’ requests or complaints; and formulating an incident response plan. Companies should take steps to ensure that their internal policies and processes accommodate the requirements of the SCCs, and keep detailed records demonstrating their compliance in case of any audits, inspections, or investigations.

Execute the SCCs: Because data exporters are required to file the SCCs (or related DPA) with the local CAC within ten working days (as of the effective date of the SCCs), it is advisable for companies to complete the above preparatory work before execution of the SCCs. Otherwise, the filing may be rejected by the local CAC (if a PIA is not conducted and filed with the DPA, for example), or additional corrective measures may be required to mitigate any risks involved in the transfer.

Filing with the Local CAC: Data exporters must file the executed SCCs along with the PIA report with the provincial CAC where they are located within ten working days. All documents filed with the local CAC must be written in Chinese or translated into Chinese.

Although the SCC Regulations provide a six-month grace period, given the amount of preparatory work involved in the implementation of the SCCs, companies should act as soon as practical to take necessary steps to implement the appropriate transfer mechanisms. Doing so will help avoid any disruption to their data transfer activities outside of China.

On February 28, 2023, the European Data Protection Board (“EDPB”) adopted its Opinion 5/2023 (the “Opinion”) on the draft adequacy decision of the European Commission regarding the EU-U.S. Data Privacy Framework (“DPF”). The DPF aims to ensure that personal data transferred from the European Union to the U.S. receives an adequate level of protection. The framework is based on the principles of transparency, accountability, and oversight, and it includes safeguards to protect the data privacy rights of individuals.

In the Opinion, the EDPB noted substantial improvements in the proposed DPF compared to the former Privacy Shield, but also expressed concerns regarding the level of protection provided by the draft adequacy decision. Key takeaways from the EDPB’s Opinion are:

  • The EDPB welcomed the updates to the DPF Principles, but opined that the Principles to which the DPF organizations have to adhere remain essentially unchanged from the Privacy Shield, and the concerns previously raised by the Article 29 Working Party and the EDPB in relation to the Privacy Shield principles remain unaddressed. In particular, these concerns relate to the rights of data subjects, the absence of key definitions, the lack of clarity in relation to the application of the DPF Principles to processors, and the broad exemption for publicly available information.
  • The EDPB opined that the structure and complexity of the DPF makes it difficult for data subjects and relevant stakeholders to understand, and that some key definitions are missing from the text and terminology usage is not consistent.
  • Regarding the level of protection of individuals whose data is transferred, the EDPB noted that protection must not be undermined by onward transfers from the initial recipient of the transferred data. The EDPB invites the European Commission to clarify that the safeguards imposed by the initial recipient on the importer in the third country must be effective in light of third-country legislation, prior to an onward transfer in the context of the DPF.
  • Regarding government access to data transferred to the U.S., the EDPB acknowledged the significant improvements brought by Executive Order 14086, which introduced concepts of necessity and proportionality with regard to U.S. intelligence-gathering of data (signals intelligence).
  • The Opinion recognized the specific safeguards provided by relevant U.S. law in different fields concerning automated decision-making and profiling by means of AI technologies. However, the EDPB pointed out that the level of protection for individuals seems to vary according to which sector-specific rules, if any, apply to the situation at hand. The EDPB maintained that specific rules concerning automated decision-making are needed in order to provide sufficient safeguards especially when AI decisions could significantly affect an individual.
  • The EDPB recommended clarification on the scope of exemptions, including on the applicable safeguards under U.S. law, in order to better identify their impact on data subjects. The Opinion also underlined that the European Commission should monitor the application and adoption of any statute or government regulation that would affect adherence to the DPF Principles. In relation to the list of exceptions to the right of access, the EDPB noted that some still tended to tip the balance towards the interests of DPF organizations, while the EDPB is concerned that there appears to be no requirement to consider the rights and interests of the individual.
  • The EDPB further addressed bulk data collection and asked for clarity regarding temporary bulk collection and the further retention and dissemination of such data. EDPB opined that collection of large quantities of data without discriminants (e.g., without the use of specific identifiers) presents higher risks for the individuals than targeted collection and thus requires additional safeguards to be adduced. The Opinion noted that the DPF lacks a requirement for prior authorization from an independent authority in advance of bulk data collection.
  • The EDPB highlighted that close monitoring, oversight, and enforcement of the DPF will be needed. The DPF continues to rely on a system of self-certification, although it recognizes commitments made by relevant agencies to investigate alleged DPF violations and monitor and enforce against entities making false or deceptive claims of participation.

Given the concerns expressed and the clarifications required, the EDPB suggests that these concerns should be addressed by the European Commission in future reviews. The EDPB further invites the European Commission to provide the requested clarifications in order to solidify the grounds for the draft adequacy decision and to ensure a close monitoring of the concrete implementation of this new legal framework, in particular the safeguards it provides. The draft adequacy decision will continue to make its way through the review and approval process. Once ratified, participating in the DPF will require that companies certify their adherence with the U.S. Department of Commerce.

We will continue to monitor the developments in this matter and keep you informed of any further updates.

In the past few years, privacy activists, consumers and national and European data protection authorities have become increasingly aware of the impact of cookies and other tracking technologies. As a result, most administrators of websites and mobile apps know that they have to provide users with a clear and prominent cookie banner. They also know that they should explain what cookies are being used and obtain the user’s consent before storing any non-essential cookies on their device. 

What they don’t know is how, exactly, this information should be conveyed. In theory, the conditions are straightforward and set forth in Directive 2002/58/EC (“ePrivacy Directive”) and Regulation (EU) 2016/679 (“GDPR”). In practice, however, requirements for obtaining consent for the use of cookies depend on the jurisdiction.

To address concerns regarding cookie banners and consent management on websites, the European Data Protection Board set up the “Cookie Banner Taskforce.” On January 17, 2023, the Cookie Banner Taskforce adopted a report detailing their findings. This report offers further guidance on the minimum requirements for transparency and efficiency of cookie banners and consent management practices within the European Union (“EU”).

The following are key takeaways from the report if you are a website or app owner:

  1. Ensure that your cookie banner includes a “reject button” on the first layer;
  2. Avoid using pre-ticked checkboxes for cookie consent;
  3. Provide a clear and direct option for users to reject, without using deceptive link designs;
  4. Avoid using deceptive button colors or deceptive button contrast;
  5. If you haven’t received consent for storing or accessing information through cookies, abstain from any further processing;
  6. Classify cookies as “essential” or “strictly necessary” only when they are truly required for your website to function; and
  7. Make it easy for users to withdraw their consent, such as by providing an icon that is visible at all times or a link placed on a visible and standardized place.
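The takeaways above are requirements on behaviour, so the clearest way to see how they fit together is a small consent gate. The following is an added illustration, not code from the Taskforce report or from any consent-management product: a DOM-free model in which every cookie is registered with a category and a purpose, nothing non-essential is written until the user has actually chosen, the first layer offers accept and reject side by side, and withdrawing consent purges what it had allowed. The cookie names, categories and the in-memory jar are constructed for the example; in a browser the jar would be `document.cookie` and the choices would be real banner buttons.

```javascript
// Added example (not from the Taskforce report): a DOM-free consent gate that
// enforces the report's minimum requirements. Cookie names, categories and the
// in-memory jar are constructed for illustration.

// Every cookie the site sets is registered with a category and a stated purpose;
// "essential" is reserved for cookies the site cannot function without (takeaway 6).
const COOKIE_REGISTRY = {
  session_id: { category: "essential", purpose: "keeps the user signed in" },
  csrf_token: { category: "essential", purpose: "protects forms against request forgery" },
  _analytics: { category: "analytics", purpose: "aggregated page-view statistics" },
  _ads_id:    { category: "marketing", purpose: "advertising attribution" },
};
const NON_ESSENTIAL = ["analytics", "marketing"];

class ConsentGate {
  constructor() {
    this.jar = new Map();   // stand-in for document.cookie
    this.consent = null;    // null = no decision yet; nothing is pre-ticked (takeaway 2)
  }

  // The first layer offers accept and reject with equal prominence (takeaways 1, 3, 4).
  firstLayerChoices() {
    return ["acceptAll", "rejectAll", "manageCategories"];
  }
  acceptAll() { this.consent = new Set(NON_ESSENTIAL); }
  rejectAll() { this.consent = new Set(); }
  acceptCategories(categories) {
    this.consent = new Set(categories.filter((c) => NON_ESSENTIAL.includes(c)));
  }
  // Withdrawal is always available and removes what consent had allowed (takeaway 7).
  withdraw() {
    this.consent = new Set();
    this.purge();
  }

  // A cookie may be written only if it is essential or its category was consented to;
  // an undecided visitor gets no non-essential cookies at all (takeaway 5).
  isAllowed(name) {
    const entry = COOKIE_REGISTRY[name];
    if (!entry) return false;                      // unregistered: no documented purpose
    if (entry.category === "essential") return true;
    return this.consent !== null && this.consent.has(entry.category);
  }
  setCookie(name, value) {
    if (!this.isAllowed(name)) return false;
    this.jar.set(name, value);
    return true;
  }
  purge() {
    for (const name of [...this.jar.keys()]) {
      if (!this.isAllowed(name)) this.jar.delete(name);
    }
  }
  cookies() { return [...this.jar.keys()].sort(); }
}

// Walk through one visitor session: undecided, then partial consent, then withdrawal.
function demo() {
  const gate = new ConsentGate();
  const beforeChoice = gate.setCookie("_analytics", "uid-1"); // false: no decision yet
  gate.setCookie("session_id", "s-1");                         // allowed: essential
  gate.acceptCategories(["analytics"]);
  gate.setCookie("_analytics", "uid-1");                       // allowed after consent
  const marketing = gate.setCookie("_ads_id", "a-1");          // false: not consented
  gate.withdraw();                                             // analytics cookie purged
  return { beforeChoice, marketing, remaining: gate.cookies() };
}
```

The registry is the point of the design: a cookie that nobody has documented cannot be set at all, which forces the "is this really essential?" question to be answered before deployment rather than argued about after a complaint.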

Despite the fact that they are not formally binding, the minimum requirements in the current report are expected to have a substantial impact on businesses and website owners operating within the EU. Consequently, they will have to ensure that their cookie banners and consent management practices meet the minimum thresholds set out in this report.

Unfortunately, the report only outlines minimum requirements. Website owners must still verify whether additional national requirements (such as the ones specified by the French data protection authority) exist beyond the report’s minimum thresholds.

Additionally, please note that the ePrivacy Directive is currently being revised and a new, more harmonized, version is expected to be adopted in the near future. The new ePrivacy Directive is expected to introduce stricter rules on online tracking and data collection, particularly regarding cookies and other similar technologies which we will be sure to summarize upon its release.  

Source: Report of the work undertaken by the Cookie Banner Taskforce, January 17, 2023, https://edpb.europa.eu/our-work-tools/our-documents/other/report-work-undertaken-cookie-banner-taskforce_en

On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”

Summary and Analysis

The Strategy highlights the government’s commitment to investing in cybersecurity research and new technologies to protect the nation’s security and improve critical infrastructure defenses.  It outlines five pillars of action, each of which implicates critical infrastructure entities, from strengthening their cybersecurity processes, to receiving support from the federal government. For example, the Strategy highlights improving the security of Internet of Things (IoT) devices and expanding IoT cybersecurity labels, investing in quantum-resistant systems, developing a stronger cyber workforce, evolving privacy-enhancing platforms, and adopting security practices that are aligned with the National Institute of Standards and Technology (NIST) framework as approaches that the private sector could take.

The Strategy makes evident the Administration’s desire to shift the burden of cybersecurity (and its associated costs and liability) from individuals, small businesses, and local government to the entities with the greatest expertise and resources, e.g., large owners and operators of critical infrastructure, vendors and software developers. To that end, we should expect legislation regarding baseline cybersecurity measures and establishing new liabilities for providers of software products and services. Further, the Administration emphasizes its support for legislative efforts for data minimization and increasing protection for sensitive data, which puts additional pressure on Congress to pass a federal privacy law.

The Strategy builds on sustained efforts by the Biden Administration to protect the nation’s critical infrastructure, including:

  • The 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) – expands the reporting obligations of covered entities;
  • The 2022 Creating Helpful Incentives to Produce Semiconductors (CHIPS) Act – reduces reliance on China-based suppliers of emerging technologies by providing a financial incentive for investment in U.S. semiconductor manufacturing and the creation of collaborative networks for research and innovation;
  • President Biden’s 2021 Executive Order – strengthens the nation’s cybersecurity defenses by mandating all federal agencies use basic cybersecurity measures (such as multifactor authentication and requiring new security standards for software makers that contract with the federal government); and
  • President Biden’s 2021 national security memorandum – directs his administration to develop cybersecurity performance goals for U.S. critical infrastructure.

The Five Pillars

Replacing the 2018 Trump Administration strategy, which focused on voluntary public-private partnerships and information-sharing practices, the new framework mapped out by the Strategy pushes for a more aggressive and comprehensive regulatory approach. Combining government actions with new requirements for the private sector, which owns the majority of the country’s critical infrastructure, the Strategy aims to tackle some of our nation’s most difficult and complex issues in cybersecurity, software liability, and regulatory programs by centering on the following five pillars:

  1. Defend Critical Infrastructure;
  2. Disrupt & Dismantle Threat Actors;
  3. Shape Market Forces to Drive Security and Resilience;
  4. Invest in a Resilient Future; and
  5. Forge International Partnerships to Pursue Shared Goals

I. Defend Critical Infrastructure

The Administration makes clear that this pillar “is vital to our national security, public safety, and economic prosperity.” This pillar focuses on private-public collaboration to equitably distribute risk and responsibility, and includes five strategic objectives:

  1. Establish Cybersecurity Requirements to Support National Security and Public Safety. Protecting critical services is essential to the American people’s confidence in the nation’s infrastructure and the economy, and the Strategy breaks out three categories of activity to accomplish this objective:
    • Establish Cybersecurity Regulation to Secure Critical Infrastructure. To the extent possible, the government plans to use existing authorities to create a set of “minimum expected cybersecurity practices” for the infrastructure sector that are performance-based and adaptable.  Where gaps in the law exist, the Administration plans to work with Congress to close them with the goal of ensuring that systems are designed to “fail safely and recover quickly.” The Administration plans to drive improvements in cybersecurity practices in the cloud computing industry and other essential services for these industry sectors.
    • Harmonize and Streamline New and Existing Regulations. A key goal of the Strategy is controlling the costs and other burdens of compliance for regulated entities to enable them to commit more resources to cybersecurity.  To that end, the Strategy calls for regulators to (1) seek to harmonize regulations, audits, and reporting requirements as they are developed—for example, by leveraging existing international standards where consistent with U.S. policy and law, and (2) work together to minimize instances where existing regulations are in conflict, duplicative, or overly burdensome.  
    • Enable Regulated Entities to Afford Security. The Strategy offers several approaches to accommodate critical infrastructure sectors with varying capacities to absorb such costs. In sectors with a greater ability to absorb costs, it calls for regulation that levels the playing field so that companies are not rewarded for underspending their peers on cybersecurity. The Strategy also describes how low-margin sectors will likely need incentives to invest in cybersecurity, for example through rate-making processes, tax structures, or other mechanisms.
  2. Scale Public-Private Collaboration. The Strategy stresses the importance of creating a distributed network of cyber defense, developed by collaboration between defenders and enabled by the automated exchange of information. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) will work through the Sector Risk Management Agencies (“SRMAs”) to coordinate with and support critical infrastructure owners in protecting the assets they operate. The government plans to invest in developing SRMA capabilities to enable security and resilience improvements across critical infrastructure sectors and support maturation of third-party collaboration mechanisms. Additionally, information sharing and analysis organizations (“ISAOs”), sector-focused information sharing and analysis centers (“ISACs”), and similar organizations will be leveraged to facilitate cyber defense operations. The Strategy also acknowledges that machine-based solutions will be required to improve the sharing of information and coordination of defensive efforts. To accomplish this, CISA and SRMAs will explore technical and organizational mechanisms in partnership with the private sector to enhance and evolve data sharing, and the federal government will deepen its collaborative efforts with software, hardware, and managed service providers that have the capability to provide greater cybersecurity and resilience.
  3. Integrate Federal Cybersecurity Centers. Federal Cybersecurity Centers will serve as collaborative nodes that bring together capabilities across entities involved with homeland defense, law enforcement, intelligence, and diplomatic, economic, and military missions to drive intragovernmental coordination and support non-federal partners.
  4. Update Federal Incident Response Plans and Processes. The federal government will aim to present a unified, coordinated, whole-of-government response to cyber incidents when federal assistance is required; for example, CISA will update the National Cyber Incident Response Plan (“NCIRP”). The Strategy discusses how these efforts will harmonize new requirements, such as CIRCIA’s to-be-finalized requirement that covered entities report covered cyber incidents to CISA within 72 hours (and ransom payments within 24 hours) in order to strengthen the collective defense, and current efforts by the Cyber Safety Review Board (CSRB), which is comprised of private and public sector cybersecurity leaders and will review incidents and guide industry remediation.
  5. Modernize Federal Defenses. The Administration will focus on long-term efforts to defend federal systems in accordance with zero-trust principles. In addition, it commits to develop plans to collectively defend federal civilian agencies, modernize federal technology systems, and defend national security systems.

II. Disrupt & Dismantle Threat Actors

Pillar 2 discusses the commitment to use “all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests,” focusing on heading off “sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States.”  One way to accomplish this is to make cyber-enabled campaigns unprofitable. There are five strategic objectives for disrupting and dismantling threat actors:

  1. Integrate Federal Disruption Activities. The Strategy outlines three commitments to integrate the federal government’s disruption efforts. First, the DOD will update its departmental cyber strategy so that it is aligned with “the National Security Strategy, National Defense Strategy, and [the] Strategy” to ensure that cyberspace operations are integrated into other strategic defense efforts. Second, the National Cyber Investigative Joint Task Force (“NCIJTF”) will “expand its capacity to coordinate takedown and disruption campaigns with greater speed, scale and frequency.”  Third, the DOD and the intelligence community “commit[s] to bringing to bear their full range of complementary authorities to disruption campaigns.”
  2. Enhance Public-Private Operational Collaboration to Disrupt Adversaries. To enhance the collaboration between the public and private sectors, the Strategy “encourage[s]” private companies to organize cyber-disruption efforts “through one or more nonprofit organizations that can serve as hubs for operational collaboration with the Federal Government, such as the National Cyber-Forensics and Training Alliance (NCFTA).”  The Strategy also commits the government to lowering barriers in the interests of supporting and leveraging collaboration.
  3. Increase the Speed and Scale of Intelligence Sharing and Victim Notification. One aspect of disrupting and dismantling threat actors is to increase the speed and scale of intelligence sharing, both to and from victims. The Strategy commits to “proactively warn cyber defenders and notify victims when the government has information that an organization is being actively targeted or may already be compromised.” Part of implementing this is to “review declassification policies and processes to determine the conditions under which extending additional classified access and expanding clearances” is necessary to get actionable intelligence to critical infrastructure owners and operators. The Strategy also calls on “SRMAs, in coordination with CISA, law enforcement agencies, and the [Cyber Threat Intelligence Integration Center (CTIIC) to] identify intelligence needs and priorities within their sector and develop processes to share warnings, technical indicators, threat context, and other relevant information with both government and non-government partners.”
  4. Prevent Abuse of U.S.-Based Infrastructure. The Strategy commits to working with cloud and infrastructure providers to address the full gamut of issues they may face: quickly identifying malicious use of such infrastructure, notifying the government in the event of such malicious use, making it easier for victims to report such abuse, and preventing the malicious use in the first place. The Strategy also places an expectation on “[a]ll service providers” to “make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior.”
  5. Counter Cybercrime, Defeat Ransomware. The Strategy calls out ransomware in particular as a threat and identifies four processes to combat it: “(1) leveraging international cooperation to disrupt the ransomware ecosystem and isolate those countries that provide safe havens for criminals; (2) investigating ransomware crimes and using law enforcement and other authorities to disrupt ransomware infrastructure and actors; (3) bolstering critical infrastructure resilience to withstand ransomware attacks; and (4) addressing the abuse of virtual currency to launder ransom payments.”  This effort includes contributions from the Counter-Ransomware Initiative (CRI) with 30 other countries and the Joint Ransomware Task Force. It also includes further consideration of international anti-money laundering and combating the financing of terrorism (AML/CFT) standards. To achieve these objectives, the Strategy focuses on mounting “disruption campaigns and other efforts that are so sustained, coordinated, and targeted that they render ransomware no longer profitable.”  Accordingly, the Strategy repeats the position that the U.S. government has held for years: “strongly discourag[ing] the payment of ransoms” and encouraging victims to report the incidents to law enforcement and other appropriate agencies.

III. Shape Market Forces to Drive Security and Resilience

Pillar 3 of the Strategy focuses on shaping market forces to reduce risk and strengthen our digital ecosystem to keep our country resilient and secure. To drive broader adoption of best practices in cybersecurity, market forces are important, but the Administration will shape the long-term security and resilience of the digital ecosystem by: increasing accountability, driving development of more secure connected devices, reshaping existing laws, using federal purchasing power to incentivize security, and stabilizing insurance markets against catastrophic risk with the following six strategic objectives:

  1. Hold the Stewards of our Data Accountable. The Administration supports legislative efforts to protect consumers by imposing limitations on technologies that collect personal information. Failures to protect personal information pass the harm on to consumers, and often the greatest harm falls upon the most vulnerable populations. To protect consumers, legislation should provide strong protections for personal and sensitive data and set national requirements to secure data consistent with the standards and guidelines developed by NIST.
  2. Drive the Development of Secure IoT Devices. Many IoT devices today are vulnerable to cybersecurity threats and exploitation by bad actors. The Administration will continue to improve IoT cybersecurity through research and development and risk management efforts under the 2020 IoT Cybersecurity Improvement Act and security labeling programs under Executive Order 14028, “Improving the Nation’s Cybersecurity” (the “Cybersecurity Executive Order”). The goal is to expand IoT security labels, allowing consumers to compare protections for different IoT products, and to create a market incentive for greater security in IoT devices.
  3. Shift Liability for Insecure Software Products and Services. The Administration will begin to shift liability onto entities that fail to take reasonable precautions to secure their software, while at the same time recognizing that even advanced software security programs cannot prevent all vulnerabilities.  Legislation will be designed to prevent manufacturers and software publishers from fully disclaiming liability and to establish higher security standards, while also providing a safe harbor for companies that do securely develop and maintain their software products and services. These so-called safe harbor provisions will draw from current best practices, such as the NIST Secure Software Development Framework, but will also need to be flexible enough to evolve over time to keep up with technological advancements. The Administration also encourages coordinated vulnerability disclosure and further development of Software Bills of Materials (SBOMs), as well as processes for identifying and mitigating the risk of unsupported software used by critical infrastructure.
  4. Use Federal Grants and Other Incentives to Build in Security. The Administration is committed to investing in programs to improve infrastructure and the digital ecosystem supporting it, and to balancing cybersecurity requirements. The federal government will collaborate with State, Local, Tribal and Territorial (“SLTT”) entities, private sector stakeholders, and other partners to drive investment in secure and resilient products and to fund cybersecurity research, development, and demonstration programs.
  5. Leverage Federal Procurement to Improve Accountability. One successful method of improving cybersecurity has been to implement specific contracting requirements for federal government vendors. The Cybersecurity Executive Order expands cybersecurity requirements for contracts, ensuring that such standards are strengthened and standardized across federal agencies. The Department of Justice’s (“DOJ’s”) Civil Cyber-Fraud Initiative will hold accountable entities that knowingly put data at risk through deficient cybersecurity products or services, misrepresent cybersecurity practices or protocols, or violate obligations to monitor and report cyber incidents and breaches.
  6. Explore a Federal Cyber Insurance Backstop. The Administration will assess the need for and the potential structure of a federal response to a catastrophic cyber event, which will include analyzing current cyber insurance offerings.  Input will be sought from Congress, state regulators, and industry stakeholders to determine whether a plan is necessary and how to structure a response to stabilize and aid recovery, so as to prepare for a catastrophic cyber event before one occurs.

IV. Invest in a Resilient Future 

The Strategy’s fourth pillar relies on the following five strategic objectives to accomplish the Administration’s commitment to investing in the concept of resilience in the face of near-certain cyber-attacks:

  1. Cybersecurity Research & Development. The Strategy recognizes that cyber adversaries have been weaponizing American innovation and using it against our country to steal intellectual property, sow dissent, interfere with elections, and undermine our national defenses. Because of this, the Strategy recommends that investment and innovation must go hand-in-hand with cybersecurity efforts, and that it will be critical for our government to harness emerging technologies for cybersecurity purposes as those technological advancements are made. 
  2. Securing the Technical Foundation of the Internet. Acknowledging that the very foundation of the Internet has inherent vulnerabilities that need to be addressed (specifically mentioning the Domain Name System and Border Gateway Protocol), the Strategy prioritizes protection of the multistakeholder model of Internet governance and standards development. Principles such as transparency, openness, and consensus are at the core of our nation’s values and will drive the evolution of more secure technical standards and technologies. Because of the rapid pace at which technologies are advancing, the Strategy advocates for the Federal Research and Development enterprise to direct projects to advance cybersecurity and resilience in areas such as encryption, the protection of industrial control systems, and artificial intelligence.
  3. Preparing for a Post-Quantum Future. The Strategy recommends preparation for a post-quantum future to protect the encryption systems that undergird the methods by which we protect data, authenticate users, and certify the accuracy of information. This means transitioning the nation’s cryptographic systems to interoperable quantum-resistant systems and advancing the notion of cryptographic agility to address unknown threats arising from quantum computing. This is one area of the Strategy that specifically recommends that the private sector follow the government’s lead in preparing for a post-quantum future.
  4. Development of a Digital Identity Ecosystem. Data breaches, COVID-19 fraud, and identity theft have caused billions in losses for the federal government because we do not yet have a comprehensive, secure, and accessible digital identity system. The Strategy promotes investment in strong, verifiable, privacy-enhancing digital identity platforms that comport with the values of transparency and accountability. 
  5. Strengthen Our Cyber Workforce. Great efforts will be made to address unfilled vacancies for cybersecurity positions in workforces across the nation. The need for cybersecurity professionals across industries means that the federal government will be coordinating a comprehensive strategy for cyber education and training pathways for all persons who wish to develop a career in cybersecurity, with a particular focus on the public’s need to develop and recruit cybersecurity talent to protect critical infrastructure. The Strategy is also committed to addressing the lack of diversity in the nation’s cybersecurity workforce as “both a moral necessity and strategic imperative.” 
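The cryptographic agility the Strategy calls for in its post-quantum objective is a design discipline rather than an algorithm, and it is the part a private-sector engineering team can act on today. The following is an added example, not text or code from the Strategy or from this page’s authors, sketching the pattern in Python: every protected artifact carries the identifier of the algorithm that produced it, verifiers resolve that identifier through a registry instead of hard-coding a primitive, and a policy object separates what new artifacts are produced with from what verifiers still accept, so that a migration becomes a policy change plus re-protection of old artifacts, and deprecation of the old algorithm is a deliberate final step. The two HMAC constructions, the token format, the `Policy` class and the demo key are illustrative assumptions chosen so the block runs offline on the standard library; a real post-quantum migration would register, say, an ML-DSA signature scheme in place of an RSA or ECDSA one, but the mechanics are the same.

```python
"""Cryptographic agility pattern (illustrative, assumptions throughout):
each protected token is 'alg.payload.mac'; the alg tag is looked up in a
registry and is itself covered by the MAC so it cannot be swapped.
The two HMAC constructions are stand-ins for 'legacy' and 'new' algorithms."""
import base64
import hashlib
import hmac

# Registry: algorithm tag -> MAC function.  Adding a post-quantum scheme means
# adding one entry here, not touching every verifier in the code base.
REGISTRY = {
    "hmac-sha256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
    "hmac-sha3-512": lambda key, data: hmac.new(key, data, hashlib.sha3_512).digest(),
}


class Policy:
    """produce_with: algorithm for new tokens; accepted: algorithms verify() honours.
    Migration: (1) add the new alg to accepted, (2) switch produce_with,
    (3) re-protect old tokens, (4) drop the legacy alg from accepted."""

    def __init__(self, produce_with, accepted):
        if produce_with not in REGISTRY or not set(accepted) <= set(REGISTRY):
            raise ValueError("policy references an unregistered algorithm")
        if produce_with not in accepted:
            raise ValueError("policy must accept the algorithm it produces with")
        self.produce_with = produce_with
        self.accepted = frozenset(accepted)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def _mac_input(alg: str, payload: bytes) -> bytes:
    # Bind the algorithm tag into the MACed data (domain separation).
    return alg.encode("ascii") + b"\x00" + payload


def protect(key: bytes, payload: bytes, policy: Policy) -> str:
    """Produce a token under the policy's current algorithm."""
    alg = policy.produce_with
    tag = REGISTRY[alg](key, _mac_input(alg, payload))
    return f"{alg}.{_b64(payload)}.{_b64(tag)}"


def verify(key: bytes, token: str, policy: Policy):
    """Return (ok, payload, alg).  ok is False for a malformed, unknown,
    deprecated or forged token.  alg is reported even on rejection so callers
    can see which legacy tokens are still in circulation."""
    try:
        alg, payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:          # wrong part count or bad base64 (binascii.Error)
        return False, None, None
    if alg not in policy.accepted:
        return False, None, alg
    expected = REGISTRY[alg](key, _mac_input(alg, payload))
    if not hmac.compare_digest(expected, tag):
        return False, None, alg
    return True, payload, alg


def migrate(key: bytes, token: str, policy: Policy) -> str:
    """Re-protect a still-valid legacy token under the current algorithm."""
    ok, payload, alg = verify(key, token, policy)
    if not ok:
        raise ValueError("refusing to migrate an invalid token")
    if alg == policy.produce_with:
        return token
    return protect(key, payload, policy)


def demo():
    """Walk the migration: returns (legacy token accepted after cut-over,
    migrated token accepted after cut-over)."""
    key = b"constructed-demo-key-not-for-real-use"   # assumption: demo key only
    legacy = Policy("hmac-sha256", {"hmac-sha256"})
    transition = Policy("hmac-sha3-512", {"hmac-sha256", "hmac-sha3-512"})
    final = Policy("hmac-sha3-512", {"hmac-sha3-512"})

    old = protect(key, b"user=alice;role=admin", legacy)
    assert verify(key, old, transition)[0]            # still honoured mid-migration
    new = migrate(key, old, transition)               # re-protected on first sight
    # After cut-over the legacy token is rejected even though it is intact:
    # deprecation is part of agility, not an afterthought.
    return verify(key, old, final)[0], verify(key, new, final)[0]


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is the `accepted` set: a system that only ever adds algorithms never finishes a migration, because an attacker can keep presenting artifacts under the weakest scheme the verifier still honours. The alg tag under the MAC and the `compare_digest` call are the two details most often omitted from ad hoc versions of this pattern.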

V. Forge International Partnerships to Pursue Shared Goals

Pillar 5 aims to “scale the emerging model of collaboration by national cybersecurity stakeholders to cooperate with the international community” through the following five strategic objectives:

  1. Build coalitions to counter threats to our digital ecosystem. The U.S. will leverage existing partnerships, intergovernmental forums, and trade agreements to advance shared goals in cyberspace.  This includes using a variety of mechanisms, including the Declaration for the Future of the Internet (DFI), the Quadrilateral Security Dialogue (the Quad), the Indo-Pacific Economic Framework for Prosperity (IPEF), the U.S.-EU Trade and Technology Council (TTC), and the Americas Partnership for Economic Prosperity (APEP), among others. Coordination and collaboration with allies and partners are important, particularly in sharing cyber threat information, exchanging model cybersecurity practices, comparing security-specific expertise, driving secure-by-design principles, and coordinating policy and incident response activities.
  2. Strengthen international partner capacity. As the U.S. builds a coalition to advance shared goals, it will also strengthen capacity of allies and partners that support shared interests in cyberspace. To achieve this goal, the U.S. will “marshal expertise across agencies, the public and private sectors, and among advanced regional partners to pursue coordinated and effective” cyber capacity. The Strategy emphasizes the importance of working with law enforcement and explains distinct actions in which the DOJ, the DOD, and the Department of State (“DOS”) will engage. Specifically, the DOJ will work with law enforcement for more robust cybercrime cooperation, the DOD will strengthen military-to-military relationships to bolster collective cybersecurity posture, and the DOS will coordinate with the whole-of-government to ensure that federal capacity, as well as U.S., allied, and partner interests are strategically aligned.
  3. Expand U.S. ability to assist allies and partners. The U.S.  will provide support to allies and partners to investigate, respond to, and recover from cyberattacks. The U.S. will also establish policies to determine when such support is in the national interest, develop mechanisms to identify and deploy this support, and, when needed, “rapidly seek to remove existing financial and procedural barriers to provide such operational support.”
  4. Build coalitions to reinforce global norms of responsible state behavior. The U.S. will reinforce political commitments that every member of the United Nations has made to endorse peacetime norms and refrain from cyber operations that may “intentionally damage critical infrastructure” by holding irresponsible states accountable through meaningful and collaborative consequences, such as “diplomatic isolation, economic cost, counter-cyber and law enforcement operations, or legal sanctions, among others.”
  5. Secure global supply chains for information, communications, and operational technology products and services. The Strategy recognizes that complex and globally interconnected supply chains are critical to the nation’s economy. Our dependency on foreign products and services introduces a degree of risk, which must be mitigated through long-term, strategic collaborations between public and private sectors in the U.S. and abroad. The federal government will work with allies and partners to “implement best practices in cross-border supply chain risk management and work to shift supply chains to flow through partner countries and trusted vendors,” making supply chains “more transparent, secure, resilient, and trustworthy.” 

On February 17, 2023, the Illinois Supreme Court ruled 4-3 that violations of the Biometric Information Privacy Act (“BIPA”) (the country’s first biometric privacy legislation) accrue for each incident of capture or dissemination of biometric information, and not only once for each data subject. Cothron v. White Castle Systems found based on the plain language of the statute that violations for collecting or disclosing biometric information occur at every scan or transaction. Cothron v. White Castle Sys., 2023 IL 128004. The court reached this conclusion while admitting the “absurd” implications, including that the ruling could result in damages of $17 billion. Id. at ¶ 40.

Cothron follows the recent decision in Tims v. Black Horse Carriers, Inc., which applied a uniform 5-year statute of limitations to all claims under BIPA. Tims et al. v. Black Horse Carriers Inc., 2023 IL 127801. Taken together, Cothron and Tims create a minefield of liability for organizations collecting biometric information and may significantly increase the number of plaintiffs, claims, and possible damages under BIPA.


Latrina Cothron filed a proposed class action against White Castle System, Inc. (“White Castle”), her former employer, which required employee fingerprint scans to access computer systems and pay stubs. The scans were sent to a third-party vendor to verify and authorize access.  The White Castle policy, instituted in 2004, preceded the 2008 enactment of BIPA, but White Castle did not seek consent after BIPA’s enactment until 2018.  Cothron alleged that White Castle violated BIPA sections 15(b) and 15(d) by collecting and distributing her fingerprint identifier without prior consent. 

White Castle moved for judgment on the pleadings, arguing that Cothron’s action was time barred because it accrued in 2008, when it first obtained her biometric data after BIPA took effect. Cothron responded that a new claim accrued each time White Castle sent her biometric data to its third-party authenticator, and argued her action was timely as to the unlawful scans and transmissions that occurred within the statutory period.

To resolve the issue, the Court considered whether section 15(b) and 15(d) claims accrue each time an entity “scans a person’s biometric identifier and each time an entity discloses a scan to a third party, or only once, upon the first scan and transmission.” Cothron at ¶ 1. The relevant BIPA section, 15(b), states that a private entity may not “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first” obtains consent from the data subject. 740 ILCS 14/15. Section 15(d) states that a private entity in possession of a biometric identifier may not “disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless” there is consent or the disclosure is required by law. Id.

When 15(b) and 15(d) claims accrue has important implications for both the limitations period and the calculation of damages, because statutory damages under BIPA accrue per violation.  A company that negligently violates a provision of BIPA is liable for damages of $1,000 per violation, while a company that intentionally or recklessly violates a provision is liable for damages of $5,000 per violation. 740 ILCS 14/20.

Illinois Supreme Court Decision

The Illinois Supreme Court held that “the plain language of section 15(b) and 15(d) demonstrates that such violations occur with every scan or transmission.” Cothron at ¶ 30.

For BIPA section 15(b), the court examined the plain text meaning of “collect” and “capture.” Id. at ¶ 23. The court found that information can be captured or collected more than once, explaining that each time the employee used their fingerprint to access pay stubs or computer systems, the system collected the fingerprint anew. Id. Therefore, each new capture constitutes a separate claim under BIPA.

For BIPA section 15(d), the court analyzed the plain meaning of “disclose” and “redisclose.” Id. at ¶ 27. It held that “redisclose” included repeated transmission to the same third-party. Id.  The court further pointed to the statutory catch-all language in BIPA providing that a violation occurs when entities “otherwise disseminate” the biometric information.  Thus, each disclosure represents a new violation. Id.

The majority in Cothron recognized the decision’s impact, stating “this court has repeatedly recognized the potential for significant damages awards under the Act.” Id. at ¶ 41. The court defended the decision as consistent with legislative intent, explaining that a “substantial potential liability” would give private entities “the strongest possible incentive to conform” to the statute. Id.  The court acknowledged that “if plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class-wide damages in her action may exceed $17 billion.” Id. at ¶ 40.

Key Takeaways

Far reaching consequences

Biometric information comes in many forms, and any time it is collected from Illinois residents, it must be handled consistently with the broad proscriptions of BIPA.  Critically, fingerprinting is not the only biometric information that falls under BIPA—its reach is broad.  BIPA claims have involved facial recognition features used to “tag” users in photos, collecting customers’ voices in drive-throughs, remote proctoring tools for online schooling, customer hotlines, vending machines, donation centers, and even virtual glasses try-on software. In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016), Carpenter v. McDonald’s Corp.  580 F. Supp. 3d 512 (N.D. Ill. 2022), Doe v. Nw. Univ., No. 21 C 1579 (N.D. Ill. 2022), Dorian v. Amazon Web Servs., Inc., No. 2:22-CV-00269 (W.D. Wash. 2022).  

Potential increase in damages and settlement amounts

Liability will now depend on the number of subjects from which an organization collects data, as well as how that collection occurs.  An amusement park scanning fingerprints on entry may accrue only a handful of claims per data subject, whereas an employer scanning fingerprints for each employee several times per shift, as in Cothron, may accrue hundreds of claims per subject. See Rosenbach v. Six Flags Entm’t Corp., 129 N.E.3d 1197 (Ill. 2019). Companies that passively collect biometric information could see an astronomical number of claims. 

This increased liability risk under BIPA reinforces that companies must understand how they collect, store, use, and ultimately delete biometric information, to ensure that each step complies with BIPA.

Reduce Liability through Transparency – CONSENT IS KEY!

Organizations may be able to significantly mitigate risk through thoughtful and transparent implementation of biometric data collection.  Most recent biometric litigation has centered on notice and consent.  Organizations wishing to reduce liability and increase transparency can (1) obtain consent from employees before collecting biometric information and (2) maintain and publish a robust privacy policy outlining the use and retention of employee biometric information.  Businesses may significantly reduce their risk of BIPA exposure by establishing a culture of transparency throughout the organization.

* * *

Crowell & Moring LLP advises organizations of all sizes on compliance with biometric privacy laws, including the Illinois Biometric Information Privacy Act.

Earlier this month, two courts, one in California and one in Massachusetts under two different scenarios, opined on the enforceability of browsewrap and hybridwrap agreements, providing important warnings for companies relying on such agreements to obtain legally required consent for activities such as telemarketing or to otherwise impose terms and conditions on website users. Many cases turn on the enforceability of such agreements, and companies should evaluate their use of browsewrap agreements (e.g., terms of use available through a hyperlink at the bottom of a webpage) and hybridwrap agreements to determine whether changes are appropriate to improve enforceability and mitigate legal risk.


Numerous companies rely on agreements, such as terms of use, that they form online with website users to meet legal requirements (e.g., to obtain consent), define rules for use of the website, and otherwise help limit the company’s liability. Courts generally categorize such agreements into two major groups. Clickwrap agreements require users to take an affirmative step (e.g., checking a box that says “I Agree”) to agree to the proposed terms. Browsewrap agreements typically refer to those that are available as a hyperlink at the bottom of a webpage and require no affirmative action from the user indicating their assent; instead, browsewrap agreements attempt to bind users solely because they appear on the visited webpage. Courts regularly uphold clickwrap agreements, but often find browsewrap agreements unenforceable unless the website owner can show the user had actual or constructive notice of the terms and conditions.

According to the Ninth Circuit in Berman, absent actual notice, a website owner can show constructive notice by demonstrating that (1) the website provides “reasonably conspicuous notice” of the terms to which the consumer will be bound; and (2) the consumer takes some action, such as clicking a button or checking a box, that unambiguously manifests his or her assent to those terms.[1]

The Berman court created a two-part test for determining whether terms of use presented on a website constitute “reasonably conspicuous notice.” First, the notice must be displayed in a font size and format such that the court can fairly assume that a reasonably prudent Internet user would have seen it. For example, in Berman, the challenged language did not meet this standard because it was in “tiny gray font” and surrounded by significantly larger text and other visual elements. Second, if the terms are presented via hyperlink rather than on the webpage itself, the presence of the hyperlink must be readily apparent. Simply underlining a word or phrase will generally be insufficient to alert a reasonably prudent user to the presence of a clickable hyperlink; use of a contrasting font color or all capital letters is more likely to draw attention to the hyperlink.

Some courts have also defined a third category of agreements, hybridwrap, falling between browsewrap and clickwrap agreements. Hybridwrap agreements incorporate elements of both browsewrap and clickwrap agreements, providing greater notice of the terms and the website owner’s intent to bind the user to such terms while stopping short of requiring affirmative assent.

Heather Gaker v. Citizens Disability, LLC—Massachusetts

In Gaker,[2] Heather Gaker alleged that Citizens Disability (“Citizens”) violated the Telephone Consumer Protection Act (“TCPA”) by placing telemarketing calls to her cell phone without her prior consent, despite her having registered her number on the Do Not Call Registry. Citizens, a Massachusetts for-profit corporation that assists persons with disabilities in claiming Social Security benefits, argued that Ms. Gaker provided consent to receive telemarketing calls when she provided her personal information through a sweepstakes website (“Sweepstakes Website”) that offered a chance to win $50,000. At the bottom of the Sweepstakes Website was a box to “CONFIRM YOUR ENTRY” in addition to the following terms (“Terms”):

By clicking confirm your entry I consent to be contacted by any of our Marketing Partners, which may include artificial or pre-recorded calls and or text messages, delivered via automated technology to the phone number(s) that I have provided above including wireless number(s) that I have provided including wireless number(s) if applicable regarding financial, home, travel, health, and insurance products and services. Reply ‘STOP’ to unsubscribe from SMS service. Reply ‘Help’ for help. Standard Message & data rates may apply. I understand these calls may be generated using an autodialer and may contain pre-recorded messages and that consenting is not required to participate in the offers promoted. I declare that I am a U.S. resident over the age of 18 and agree to this site’s terms.

The words “Marketing Partners” contained a hyperlink to a page containing a list of companies, which included Citizens. A marketing vendor provided Citizens the information submitted through the Sweepstakes Website, after which Citizens placed seven calls to Ms. Gaker’s phone regarding the company’s disability services.

The TCPA prohibits telephone solicitations to a number registered on the national Do Not Call Registry unless the solicitor has obtained “prior express invitation or permission,” which must be evidenced by a “signed, written agreement between the consumer and seller which states that the consumer agrees to be contacted by this seller and includes the telephone number to which the calls may be placed.”[3] Further, the TCPA defines “prior express written consent” as

an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice, and the telephone number to which the signatory authorizes such advertisements or telemarketing messages to be delivered.[4]

The agreement must contain a clear and conspicuous disclosure informing the person signing it that the person is authorizing the telemarketing calls and that signing the agreement is required as a condition of purchasing any property, goods, or services.[5] According to guidance from the Federal Communications Commission, when a question arises about whether a consumer has given consent, the telemarketer bears the burden to demonstrate that “a clear and conspicuous disclosure was provided and unambiguous consent was obtained.”[6]

Thus, the central question before the U.S. District Court for the District of Massachusetts was whether the Sweepstakes Website adequately disclosed the Terms such that Ms. Gaker gave “unambiguous consent” to be bound by the Terms. Relying on precedent on online terms and conditions, the court sided with Ms. Gaker and ordered Citizens to pay $500 per violation for a total of $3,500. The court concluded that Citizens had not met its burden to establish that “a clear and conspicuous disclosure was provided and unambiguous consent was obtained.” Salient factors in the court’s decision included the following:

  • The Terms were presented in a font smaller than other language on the page.
  • The Terms were also displayed in blue font against a blue background, with only slight variation in color between the two. No other language on the Sweepstakes Website was presented as inconspicuously, and all promotional language was presented in clearly contrasting colors.
  • The Terms appeared below the “CONFIRM YOUR ENTRY” box such that a user could click the button without ever reaching the Terms at the bottom of the page.
  • The Sweepstakes Website included images of gold coins and dollar signs in addition to other headlines and advertisements in large and legibly colored font, distracting visitors from the Terms at the bottom of the page.

Citizens argued that the appearance of the language “By clicking confirm your entry I consent to be contacted by any of our Marketing Partners” on the Sweepstakes Website, without requiring the visitor to click a hyperlink, should have sufficed to constitute clear and conspicuous disclosure. The court determined that this was insufficient due to the “totality of the page,” given the factors above, indicating an intent to distract a reasonable user from the terms. For these reasons, the court also determined that the Terms did not meet the Ninth Circuit’s Berman test.

In addition, Ms. Gaker was not required to indicate that she had read the Terms before submitting her information (e.g., by checking a box). Therefore, the Terms did not meet the court’s definition of a clickwrap agreement, which would carry some presumption of validity. Instead, the court characterized the Terms as a browsewrap or hybridwrap agreement, which does not carry a presumption of validity.

Arisha Byars v. The Goodyear Tire and Rubber Co., et al.—California

At the heart of Byars[7] were allegations that The Goodyear Tire and Rubber Co. (“Goodyear”) engaged in wiretapping activities in violation of the California Invasion of Privacy Act. Of relevance to this client alert, however, is the decision’s discussion of browsewrap agreements in evaluating whether Ms. Byars consented to Goodyear’s forum selection clause.

Goodyear’s Terms of Use contain a forum selection clause stating that visitors to Goodyear’s website consent to litigating claims arising from use of the website in Ohio. Goodyear argued that Ms. Byars was on notice of its Terms of Use because Goodyear’s website displays a pop-up banner to all visitors that contains three hyperlinks: one to Goodyear’s Privacy Policy, one to view “Cookie Settings,” and one to “Accept [the] Cookies.” Goodyear also argued that there is a hyperlink to its Terms of Use at the bottom of every webpage. Ms. Byars argued that she was on neither actual nor constructive notice of the Terms of Use and therefore did not consent to the forum selection clause.

After examining Ninth Circuit precedent on clickwrap and browsewrap agreements, the court sided with Ms. Byars. According to the court, Goodyear’s Terms of Use “plainly” fell into the browsewrap agreement category as Goodyear’s website does not ask visitors to accept the Terms of Use, such as through the inclusion of an “I Agree” box. In addition, the court found the location of a Terms of Use hyperlink at the bottom of every page (where the website user might not look) consistent with the Ninth Circuit’s description of browsewrap agreements.

Because the court categorized Goodyear’s Terms of Use as a browsewrap agreement, it was only enforceable if Ms. Byars had actual or constructive knowledge of the Terms of Use. Goodyear failed to persuade the court that Ms. Byars had any reason to scroll to the bottom of the webpage or otherwise viewed the Terms of Use, and Ms. Byars affirmatively alleged that she did not see the Terms of Use. For these reasons, the court determined that Ms. Byars did not consent to the Terms of Use and its forum selection clause.

Gaker and Byars underscore the reluctance of courts to enforce browsewrap and hybridwrap agreements that use illegible text and place the challenged language at the bottom of the webpage. In the case of Gaker, this includes where the agreement is used to obtain TCPA-required consent to place telemarketing calls. Under regimes like the TCPA, which provides for a private right of action and potentially very significant damages – $500 per call and possible treble damages – relying on a browsewrap agreement may be very costly. Fortunately for the defendant in Gaker, Citizens placed only seven telemarketing calls to the plaintiff, so the court awarded a total of $3,500 in damages; for many other organizations heavily reliant on telemarketing to reach potential clients, the outcome could have been very different. Enforceability of terms of use is an issue that regularly comes up, and Gaker and Byars highlight the importance of presenting terms of use in a clear and conspicuous manner.

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

Key Takeaways

  1. While the CDA and DMCA are separate statutes, they work together to regulate online services.
  2. Section 230 reform efforts could impact how Courts and commentators treat the DMCA.
  3. The efforts to repeal or substantially reduce the protection for internet service providers under Section 230 raise questions for practitioners about potential corollary effects on use of the DMCA to advocate for users and websites.

Section 230 of the Communications Decency Act (CDA, codified at 47 U.S.C. § 230) and Section 512 of the Digital Millennium Copyright Act (DMCA, codified at 17 U.S.C. § 512) are separate legal structures that work together to uphold certain protections for online service providers against claims arising out of user-generated content.

Enacted into law in 1996, Section 230 serves as a foundation of internet law, allowing major social media networks, blogs, digital marketplaces, and other websites to flourish.  Section 230 provides that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”  47 U.S.C. § 230(c)(1).  The law was written at a time when the internet was still in its infancy, and allowed the internet to grow, as one commentator has stated, from “baby to … behemoth.”

In 2011, Section 512 was adopted to provide an affirmative defense to copyright infringement claims arising out of certain content displayed online at the direction of a user.  Section 512 only applies if the conditions for safe harbor have been met.  Specifically, Section 512 explains that “[a] service provider shall not be liable for monetary relief, […] injunctive or other equitable relief, for infringement of copyright […] if the service provider […] upon notification of claimed infringement, […] responds expeditiously to remove, or disable access to, the material that is claimed to be infringing or to be the subject of infringing activity.” 17 U.S.C. § 512(c).  While the DMCA focuses on copyright infringements, its safe harbor provision mirrors protections offered by Section 230.

These are important statutes impacting companies and users of online services right now.  In the context of copyright law and the DMCA, a jury in the Eastern District of Virginia found that an internet service provider did not sufficiently implement DMCA requirements and awarded Plaintiffs a $1 billion verdict, which may encourage Plaintiffs to make such arguments with more frequency.  See Sony Music Entm’t v. Cox Comm’s, Inc., No. 1:18-cv-00950 (E.D. Va. Jan. 12, 2021).  In addition, on December 30, 2022, BackGrid USA filed a copyright complaint against Twitter in U.S. District Court for the Central District of California.  BackGrid USA identifies itself as a “premier celebrity-related photograph agency,” which “provides highly sought-after images of celebrities around the world to top news and lifestyle outlets.” Complaint at 6, BackGrid v. Twitter, No. 2:22-cv-09462-KS (C.D. Cal. Dec. 30, 2022).

In its complaint, BackGrid USA makes two copyright claims:

  1. Twitter Does Not Terminate Repeat Infringers as Required for Safe Harbor Protection Under 17 U.S.C. § 512(i); and
  2. Twitter Does Not Expeditiously Remove Infringements as Required for Safe Harbor Protection Under 17 U.S.C. § 512(b)-(d).

According to BackGrid USA, “[d]espite sending more than 6,700 DMCA takedown notices [to Twitter], not a single work was taken down and not a single repeat infringer was suspended.”  BackGrid USA claims that Twitter’s failure to “expeditiously … remove, or disable access to, the material that is claimed to be infringing or to be the subject of the infringing activity” means Twitter can no longer rely on the Section 512 safe harbors.  See 17 U.S.C. § 512(e).

For technology practitioners who take on cases where Section 230 and the DMCA are at issue, there are two notable takeaways related to these statutes:

First, while the CDA and DMCA are separate statutes, they work together to regulate online services.

The exemption in 47 U.S.C. § 230(e)(2) explicitly states that Section 230 has “no effect on intellectual property law.”  According to the statute, “nothing in this section shall be construed to limit or expand any law pertaining to intellectual property.”

This has been affirmed across the United States.  Federal appellate courts recognize that “federal district courts have held that § 230(e)(2) unambiguously precludes applying the CDA to immunize interactive service providers from trademark claims.”  Almeida v. Amazon.com, Inc., 456 F.3d 1316, 1322 (11th Cir. 2006).  And in Perfect 10, Inc. v. CCBill LLC, the Ninth Circuit explained that “the immunity created by § 230(c)(1) is limited by § 230(e)(2), which requires the court to ‘construe Section 230(c)(1) in a manner that would neither “limit or expand any law pertaining to intellectual property.”’  Gucci Am., Inc. v. Hall & Assocs., 135 F. Supp. 2d 409, 413 (S.D.N.Y. 2001) (quoting § 230(e)(2)).  As a result, the CDA does not clothe service providers in immunity from ‘law[s] pertaining to intellectual property.’  See Almeida, 456 F.3d at 1322.”  488 F.3d 1102, 1118 (9th Cir. 2007).

In the Gucci case, the U.S. District Court explained that “Section 230 does not automatically immunize [Internet service providers (ISPs)] from all intellectual property infringement claims.  To find otherwise would render the immunities created by the DMCA from copyright infringement actions superfluous.”  135 F. Supp. 2d at 417.  The Court explained that, “[s]imilarly, in UMG Recordings, Inc. v. Escape Media Group Inc., the New York Supreme Court denied Defendant’s argument that ‘plaintiff’s claims are barred by the “safe harbor” provision set forth in Section 512 of the [DMCA] … and that plaintiff’s claims are preempted by Section 230 of the [CDA]…’” 948 N.Y.S.2d 881, 884 (2012).

Second, Section 230 reform efforts could impact how Courts and commentators treat the DMCA.

The last few years have ushered in efforts to amend Section 230.  For example, Senator Mark Warner (D-VA) introduced S. 299, the SAFE TECH Act, which “limits federal liability protection that applies to a user or provider of an interactive computer service (e.g., a social media company) for claims related to content provided by third parties.”  Representative Paul Gosar (R-AZ) introduced H.R. 7808, the Stop the Censorship Act, which “eliminates immunity for restricting content that is otherwise objectionable and applies such immunity when a company restricts content that is unlawful or that promotes violence or terrorism” and confers immunity to “actions taken that provide users with the option to restrict access to any material, regardless of whether such material is constitutionally protected.”  Most recently, Senator Lindsey Graham (R-SC) introduced S. 2972, a Bill to Repeal Section 230, which would eliminate Section 230 in its entirety.

In addition, President Biden announced core principles for Enhancing Competition and Tech Platform Accountability, which included removing “special legal protections for large tech platforms” and called for “fundamental reforms to Section 230.”

The efforts to repeal or substantially reduce the protection for internet service providers under Section 230 raise questions for practitioners about potential corollary effects on use of the DMCA to advocate for users and websites.

Could reforms to Section 230 change the way courts and practitioners use the DMCA or put Section 512’s safe harbor protections at risk?  Repealing Section 230 would mean that online service providers—such as social media companies, search engines, review boards, blogs, and other sites that share user-generated content—could more readily be held liable for the content they host.  In turn, the scope of liability could force them to consider limiting or excluding certain material that may be construed as illegal. While the DMCA provides a “safe harbor” to providers who remove content after being notified that it may infringe on federal copyright law, it also provides a process for users to challenge the notice and allows the web platform to restore the content.

Would repealing Section 230 increase the reliance on copyright claims and potentially overwhelm courts with a flood of litigation on challenged content?  The DMCA’s protections would insulate ISPs from liability only for claims that implicate another’s copyrights, and only if the ISPs met the notice and takedown provisions of the Act.  A repeal of Section 230 or a substantial carve-out would reduce in whole or in part one of the twin protections currently provided to online service providers.  Without Section 230, many internet services used by billions on a daily basis may become more costly.  It would increase liability exposure, which would in turn lead to rising provider costs.  Section 230 proponents have argued that the loss of the protections could lead to a reduction in the current ability for users to post comments, engage with social media, or rate products found online.  Some services may opt to shut down.

The CDA and DMCA have been critical to the internet’s expansion to date.  How Courts construe and legislators act with respect to these laws could have lasting impacts on how the internet develops over the next decade.

For more information on Section 230 please watch Crowell & Moring LLP’s webinar, which is available online.