Courtesy of CEB, we are bringing you selected legal developments in areas of California business law that are covered by CEB’s publications. This month’s feature is from the July 2022 update to Internet Law and Practice in California. References are to the book’s section numbers. The most significant legal developments since the last update include developments in such important topic areas as copyright, patent, trademark, electronic contracting, privacy, cybersecurity, Internet advertising, and First Amendment issues.
July 2022 Update
A transmission is public when it occurs in a place open to the public. 17 USC §101. In Bell v Wilmott Storage Servs., LLC (9th Cir 2021) 12 F4th 1065, the Ninth Circuit held that an image that was only accessible through the URL or a reverse Google image search was a display to the public. 12 F4th at 1072–74. Proof that anyone from the public actually viewed the work was unnecessary. Although Bell only addressed the public display right, and not the public performance right, Bell’s holding appears to apply with equal force to the public performance right. See §§1.11, 1.12.
The focus of the “de minimis” use question is on the amount copied, not the use. In Bell v Wilmott Storage Servs., LLC (9th Cir 2021) 12 F4th 1065, the Ninth Circuit held that the de minimis use defense focuses on the quantity and quality of the copying—not the extensiveness of the use. 12 F4th at 1076–79. In Bell, an image was copied in full onto the defendants’ servers, but the image was only accessible by knowing the URL for the image or through a reverse Google image search; the image was not incorporated into a website or text indexed through Google. In the proceedings below, the defendant successfully argued de minimis use. The Ninth Circuit reversed, holding that these facts were irrelevant; the relevant standard was the quantity and quality of the copying. See §1.33A.
If the work was registered within 3 months of its publication, the copyright holder may recover statutory damages of up to $150,000 for each willful infringement or up to $30,000 per infringement if the infringement was not willful. 17 USC §504(c). Statutory damages are only available per work, not per infringement. 17 USC §504(c). In Desire, LLC v Manna Textiles, Inc. (9th Cir 2021) 986 F3d 1253, the Ninth Circuit held that the plain meaning of 17 USC §504(c) “precludes multiple awards of statutory damages when … there is only one work infringed.” 986 F3d at 1265. The Ninth Circuit also clarified and narrowed its holding from Columbia Pictures Television, Inc. v Krypton Broad. of Birmingham, Inc. (9th Cir 2001) 259 F3d 1186. In Columbia, an individual who owned three separate television stations was liable for 440 statutory damages awards, even though some of the television stations infringed the same work. In Desire, the Ninth Circuit clarified that the multiple infringement awards in Columbia were because one television station was not jointly and severally liable for the infringement of another television station. 986 F3d at 1267–69. See §1.35.
With the continuing development of technology, an issue has arisen whether artificial intelligence (AI) can be a named inventor. In the U.S., one district court has ruled that AI cannot be an inventor, finding that it was the intent of Congress to define “inventor” as a natural person. Thaler v Hirshfeld (ED Va, Sept. 2, 2021, No. 1:20-cv-903 (LMB/TCB)) 2021 US Dist Lexis 167393, *25. See §2.6.
On February 1, 2022, the United States Patent and Trademark Office (USPTO) announced a new Patent Public Search tool that provides more convenient, remote, and robust full-text searching of all U.S. patents and published patent applications. See https://ppubs.uspto.gov/pubwebapp/. See §2.8.
In the past, simply adding the specific structures of an apparatus or machine that performed a recited function was sufficient to avoid a claim being considered an abstract idea. However, patent-ineligible subject matter case law has now evolved such that physical machines have been deemed to be abstract ideas. For example, in Yu v Apple Inc. (Fed Cir 2021) 1 F4th 1040, 1046, the Federal Circuit found that claims directed specifically to a camera, which even recited components of the camera (i.e., sensors, lenses, circuitry, memory, and processor), still constituted an abstract idea and were therefore not eligible for a patent. See §2.18C.
Aspects of a patented invention can be maintained as a trade secret despite the fact that patents are made publicly available, and the fact that trade secrets lose their trade secret status when lawfully publicly disclosed. For example, in Life Spine, Inc. v Aegis Spine, Inc. (7th Cir 2021) 8 F4th 531, 541–542, the Seventh Circuit found that a district court did not err in finding that a trade secret contained in an invention was not publicly disclosed by the patenting, displaying, and selling of the invention. The trade secret consisted of the precise dimensions of a component of the invention, and those dimensions were not disclosed in the patent and were not readily apparent in viewing the device. Rather, discerning the trade secret information required access to the device and sophisticated measurement technology, and
Mere adoption of a trademark without any bona fide use in commerce, in an attempt to reserve rights for the future, is not sufficient to establish rights in the mark. Under the Lanham Act, use in commerce requires use of a genuine character, in a way sufficiently public to identify or distinguish the trademarked goods in the public mind. Social Technols. LLC v Apple Inc. (9th Cir 2021) 4 F4th 811. See §§3.29, 3.35.
The Trademark Modernization Act of 2020 (TMA), effective December 2021, established two new procedures: ex parte expungement and ex parte reexamination proceedings. See Trademark Modernization Act of 2020, Pub L 116–260, §221, 134 Stat 1182, 2200 (Dec. 27, 2020) (to be codified in 15 USC §§1051–72). Before the TMA, the only method by which the USPTO could cancel an existing registration was through an inter partes cancellation proceeding before the TTAB. To attempt to cancel a trademark registration for certain goods or services that were not in use, a party had to file a cancellation petition on the grounds of abandonment or that the registration was void ab initio for failure to use the mark in commerce as of the date of the application or statement of use. The TMA, through new Lanham Act §§16A–16B (15 USC §§1066a–1066b), has created two new ex parte procedures that work outside of the TTAB structure: ex parte expungement and ex parte reexamination. These proceedings may be initiated either by a party or on the USPTO director’s own initiative. See §3.53.
As noted by the court in Sellers v JustAnswer LLC (2021) 73 CA5th 444, 464, online agreements are nearly always adhesion contracts, presented on a take-it-or-leave-it basis to a user who has no opportunity to negotiate the contract terms. In Sellers, the court denied a petition to compel arbitration because notices on the defendant’s website were not sufficiently clear and conspicuous. The court explained that for contracts on the internet (73 CA5th at 461),
a manifestation of assent may be inferred from the consumer’s actions on the website—including, for example, checking boxes and clicking buttons—but any such action must indicate the parties’ assent to the same thing, which occurs only when the website puts the consumer on constructive notice of the contractual terms. . . . [T]o establish mutual assent for the valid formation of an internet contract, a provider must first establish the contractual terms were presented to the consumer in a manner that made it apparent the consumer was assenting to those very terms when checking a box or clicking on a button.
See §§7.1, 7.3.
As stated by the Ninth Circuit in Berman v Freedom Fin. Network, LLC (9th Cir, Apr. 5, 2022, No. 20-16900) 2022 US App Lexis 9083, *12, “[c]ourts are more reluctant to enforce browsewrap agreements because consumers are frequently left unaware that contractual terms were even offered, much less that continued use of the website will be deemed to manifest acceptance of those terms.” In Berman, the court held that (2022 US App Lexis 9083, *13)
Unless the website operator can show that a consumer has actual knowledge of the agreement, an enforceable contract will be found based on an inquiry notice theory only if: (1) the website provides reasonably conspicuous notice of the terms to which the consumer will be bound; and (2) the consumer takes some action, such as clicking a button or checking a box, that unambiguously manifests his or her assent to those terms.
In addition to click-wrap and browse-wrap agreements, two other types of internet contracts by which providers seek to impose contract terms on consumers have been identified by the courts: scroll-wrap agreements and sign-in-wrap agreements. A scroll-wrap agreement is similar to a click-wrap agreement, but the user is presented with the entire text of the agreement, typically in a separate window, and must physically scroll down to the end of the agreement and click on a button labeled “I accept” or “I agree” in order to proceed with the transaction. A sign-in-wrap agreement is one by which a consumer signs up for an internet product or service, and the webpage states that signing up for that product or service constitutes acceptance of a separate agreement with the provider. Although the webpage usually provides a nearby link to the separate agreement, consumers are typically not required to indicate that they have read or agree to the terms of the separate agreement before signing up for the product or service. Sellers v JustAnswer LLC (2021) 73 CA5th 444, 463–464. See also Selden v Airbnb, Inc. (D DC, Nov. 1, 2016, No. 16-cv-00933 (CRC)) 2016 US Dist Lexis 150863. See §7.4A.
In 2021, in the aftermath of the presidential election, Florida and Texas enacted laws targeted on restricting the efforts of social media sites to moderate inflammatory and extremist content. These laws impact First Amendment rights of tech companies to moderate the content on their platforms and disallow posts that violate the community standards of the specific social media platform. In May 2021, Florida enacted the Stop Social Media Censorship Act, SB 7072. See https://www.flsenate.gov/Session/Bill/2021/7072. The legislation included, among other things, prohibitions against “deplatforming” political candidates running for public office in Florida, defined as “the action or practice by a social media platform to permanently delete or ban a user or to temporarily delete or ban a user from the social media platform for more than 14 days.” The law also compelled social media platforms to accept speech that would not otherwise meet their community standards or policies, and allowed the state to regulate how platforms curate, edit, or comment on that speech. A federal judge enjoined the new law as preempted by federal law and in conflict with 47 USC §230 (see §8.30) and the First Amendment as a content-based restriction. NetChoice, LLC v Moody (ND Fla, June 30, 2021, No. 4:21cv220-RH-MAF) 2021 US Dist Lexis 121951. The court held that “[t]he legislation now at issue was an effort to rein in social-media providers deemed too large and too liberal. Balancing the exchange of ideas among private speakers is not a legitimate governmental interest. And even aside from the actual motivation for this legislation, it is plainly content-based and subject to strict scrutiny.” 2021 US Dist Lexis 121951, *35. See §8.30A.
Similarly, in September 2021 the Texas legislature enacted House Bill 20. See: https://capitol.texas.gov/BillLookup/History.aspx?LegSess=851&Bill=HB20. The Texas law provided that social media companies with more than 50 million monthly active users “may not censor a user, a user’s expression, or a user’s ability to receive the expression of another person based on . . . the viewpoint of the user or another person.” This prohibition applied to users who reside in, do business in, or share or receive expression in Texas. The law also mandates public disclosure of content management and moderation practices of social media platforms, including quarterly transparency reports detailing when company removed or restricted content or users. In NetChoice, LLC v Paxton (WD Tex, Dec. 1, 2021, No. 1:21-CV-840-RP) 2021 US Dist Lexis 233460, the court enjoined the Texas law, holding that privately owned social media companies’ exercise of editorial discretion over their websites and content is protected by the First Amendment. Both the Florida and Texas cases are on appeal. See §8.30A.
In December 2021, under a new Democrat-led commission, the Federal Trade Commission announced its intent to use its rulemaking authority under 15 USC §57a to formulate rules intended “to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” See https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202110&RIN=3084-AB69. As of this writing, it is unclear what those rules may look like and when those rules may be released. See §9.8A.
In 2021, the Supreme Court limited the FTC’s ability to obtain financial redress in federal court actions. In AMG Capital Mgmt., LLC v FTC (2021) ___ US ___, 141 S Ct 1341, the Court held that the “permanent injunction” language of §13(b) of the FTC Act (15 USC §53(b)) has a limited purpose and does not reflect an intent by Congress to allow the FTC to seek, or a court to grant, monetary relief such as disgorgement or restitution. See §9.9A.
The FTC announced an updated Safeguards Rule on October 27, 2021. The updated Safeguards Rule requires that financial institutions consider specific factors as a part of a risk assessment and implement additional safeguards as a part of their information security programs, including, but not limited to, access controls, authentication standards, and encryption of data in transit and at rest. The updated Safeguards Rule also requires that institutions explain their information-sharing practices and designate a qualified individual to oversee their information security program and to report to an organization’s board of directors or senior officer in charge of information security. See https://www.ftc.gov/news-events/press-releases/2021/10/ftc-strengthens-security-safeguards-consumer-financial. At the same time, the FTC sought comments on whether to make an additional change requiring financial institutions to report certain data breaches and other security events to the FTC. The comment period ended on February 2, 2022. See https://www.federalregister.gov/documents/2021/12/09/2021-25064/standards-for-safeguarding-customer-information. See §9.12.
In TransUnion LLC v Ramirez (2021) ___ US ___, 141 S Ct 2190, 2203, a class action involving inaccurate information in credit files, the U.S. Supreme Court reiterated the test for standing in federal courts: The plaintiff must show that (1) the plaintiff suffered an injury in fact that is concrete, particularized, and actual or imminent; (2) the injury was likely caused by the defendant; and (3) the injury would likely be redressed by judicial relief. The Court held that class members whose inaccurate credit files had been reported to third parties did have standing to sue, but class members whose inaccurate credit files had not been reported to third parties did not have standing. In TransUnion, where a damages award was at issue, the Court emphasized the difference in relief sought for purposes of standing. A plaintiff may have standing to seek future-oriented injunctive relief but lack standing to seek retrospective damages. TransUnion, 141 S Ct at 2210. See §9.16A.
Global Privacy Control (GPC) is a browser- or extension-enabled opt-out setting that allows users to opt out of sales of their personal information. In 2021, the Office of the California Attorney General’s CCPA FAQs stated that GPC “is one option for consumers” seeking to opt out of a sale and that an opt-out signal must be honored by a covered business as a valid consumer request. See https://oag.ca.gov/privacy/ccpa. It is expected that the CPRA rulemaking process will shed additional light regarding business’s obligations with respect to GPC because the issue was a primary topic in the CPRA public comments. See https://cppa.ca.gov/regulations/. See §9.18A.
In October 2021, California enacted the Genetic Information Privacy Act (GIPA) (CC §§56.18–56.186). The law requires direct-to-consumer genetic testing companies to obtain informed consent from consumers regarding the collection, use, and disclosure of their genetic testing. Companies providing commercial genetic testing services will be required to destroy a consumer’s genetic data within 30 days if that consumer revokes consent. CC §56.181(c). In addition to the law’s consent and deletion requirements, genetic testing companies will also be required to “implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified.” CC §56.181(d). See §9.27B.
In 2021, online advertising platform OpenEx Technologies, Inc. was required to pay $2 million to settle FTC allegations that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children under 13 without consent and by collecting geolocation data from users who had specifically asked to opt out of tracking. The FTC’s investigation found that OpenEx failed to flag apps as child-directed despite knowledge that the apps were intended for children under 13 and passed information from children to third parties that used it to target users of the child-directed apps. The order required OpenEx to delete all ad-requested data it collected and implement a privacy program to ensure COPPA compliance. See https://www.ftc.gov/news-events/press-releases/2021/12/advertising-platform-openx-will-pay-2-million-collecting-personal. See §9.33.
On March 9, 2022, President Biden issued an Executive Order titled Executive Order on Ensuring Responsible Development of Digital Assets, available at https://www.whitehouse.gov/briefing-room/presidential-actions/2022/03/09/executive-order-on-ensuring-responsible-development-of-digital-assets/. The Executive Order is another signal that digital currency is going mainstream. It states that the federal government wishes to maintain technical leadership in the area, support innovation, and mitigate risks for consumers, investors, and businesses, and that all federal agencies should coordinate their efforts toward these goals. The Executive Order also directs the U.S. Department of the Treasury to research the possibility of having the Federal Reserve issue its own digital currency. See §10.5A.
On August 9, 2021, the SEC settled charges with Poloniex, the operator of a web-based platform for trading digital assets, for transacting in unregistered securities and acting as an unregistered “exchange” under applicable securities laws. See “SEC Charges Poloniex for Operating Unregistered Digital Asset Exchange,” https://www.sec.gov/news/press-release/2021-147. See §10.5D.
On August 6, 2021, the SEC settled charges against Blockchain Credit Partners and its founders for selling over $30 million of unregistered securities and for misleading investors about the company’s operations and profitability. See “SEC Charges Decentralized Finance Lender and Top Executives for Raising $30 Million Through Fraudulent Offerings,” https://www.sec.gov/news/press-release/2021-145. See §10.5D.
On October 4, 2021, California governor Gavin Newsom signed into law AB 390 (Stats 2021, ch 450), which adds new renewal reminder notice requirements and cancellation requirements effective July 1, 2022, to Bus & P C §17602. See https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220AB390.
- Businesses selling automatic renewal plans to California consumers with an initial term of 1 year or longer must deliver reminder notices to their California subscribers 15 to 45 days before the renewal date. Bus & P C §17602(b)(2).
- Businesses offering free trial, gift, or initial discount periods lasting longer than 31 days must provide similar reminder notices to their California subscribers 3 to 21 days before the expiration of the free or discounted period. Bus & P C §17602 (b)(1)(a).
- Online sellers of automatic renewal plans will have to offer subscribers the ability to cancel automatic renewal features online “immediately” (after account authentication) by clicking on a button or link, or by sending a pre-formatted termination email message. Bus & P C §17602(d).
See §§10.16B, 17.10.
In Loomis v Amazon.com LLC (2021) 63 CA5th 466, the court held that Amazon Marketplace could be strictly liable for plaintiff’s injuries from a defective hoverboard even though the product was shipped directly to the consumer from an overseas third party vendor. Amazon had substantial ability to influence the manufacturing or distribution process through its ability to require safety certification, indemnification, and insurance before it agreed to list any product. See §10.16C.
Advertising on the Internet
In In the Matter of Fashion Nova, LLC (Jan. 25, 2022) FTC File No. 192 3138, available at https://www.ftc.gov/enforcement/cases-proceedings/192-3138/fashion-nova-llc-matter, the respondent agreed to pay the Federal Trade Commission $4,200,000 following its investigation into the respondent’s alleged deceptive practices concerning reviews on its website, including respondent’s practice of only posting four- and five-star reviews, but not thousands of lower-starred reviews. See §17.7.
The FTC has warned companies “against deploying illegal dark patterns that trick or trap consumers into subscription services. . . . The FTC’s policy statement puts companies on notice that they will face legal action if their sign-up process fails to provide clear, up-front information, obtain consumers’ informed consent, and make cancellation easy.” See https://www.ftc.gov/news-events/press-releases/2021/10/ftc-ramp-enforcement-against-illegal-dark-patterns-trick-or-trap?utm_source=govdelivery. See §17.7C.
In Greenberg v Digital Media Solutions, LLC (2021) 65 CA5th 909, the court held that a plaintiff states a claim when it alleges that the “from” names on emails consisted of generic words and the domain names failed to identify the actual senders—namely, the advertiser’s marketing partners—or to provide enough information to make them readily traceable using a publicly available online database. See §17.25.
In Facebook, Inc. v Duguid (2021) ___ US ___, 141 S Ct 1163, the U.S. Supreme Court interpreted the meaning of an automatic telephone dialing system (ATDS) in the Telephone Consumer Protection Act (TCPA) (47 USC §227), holding that “[t]o qualify as an ‘automatic telephone dialing system,’ a device must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator.” 141 S Ct at 1167. Based on its interpretation of ATDS, the Court held that Facebook did not violate the TCPA by maintaining a database that stored phone numbers and by sending automated text messages to those numbers each time an account was accessed by an unrecognized device because Facebook’s equipment did not use a random or sequential number generator. As interpreted by some courts, the Supreme Court’s holding in this case narrowed the meaning of ATDS. See §17.29A.
In August 2021, the National Institute of Standards and Technology (NIST) published “Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide,” intended to provide direction and guidance to organizations in any sector or community that are seeking to improve cybersecurity risk management through utilization of the NIST Framework. See https://www.nist.gov/publications/getting-started-nist-cybersecurity-framework-quick-start-guide. See §18.7.
Established in 2018, the federal Cybersecurity and Infrastructure Security Agency (CISA) was created to work across public and private sectors, challenging traditional ways of doing business by engaging with government, industry, academic, and international partners. It operates a website at CISA.gov that provides information on its work as well as advice to government and private entities. See https://www.cisa.gov/about-cisa. On January 18, 2022, it published a guide, “Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats,” which provides steps to reduce the likelihood of a cyberattack and steps to detect and respond to such attacks. See https://www.cisa.gov/sites/default/files/publications/CISA_Insights-Implement_Cybersecurity_Measures_Now_to_Protect_Against_Critical_Threats_508C.pdf. See §18.7A.
On October 22, 2021, California released Cal-Secure, the California Executive Branch’s first 5-year information security maturity roadmap. Cal-Secure is intended to outline capabilities the state must adopt to address critical gaps in the state’s information and cybersecurity programs. Although its provisions are directed toward the protection of government agencies and entities, some of its initiatives are likely to impact the private sector. The roadmap can be found here: https://cdt.ca.gov/wp-content/uploads/2021/10/Cybersecurity_Strategy_Plan_FINAL.pdf. See §18.9A.
As of March 2022, there is no federal protocol currently in effect for responding to cyberattacks. However, on March 15, 2022, as part of the Consolidated Appropriations Act, 2022 (Pub Law 117–103, 136 Stat 49), President Biden signed into law new cyberattack reporting obligations for companies with businesses involving critical infrastructure. The new law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Division Y of the Consolidated Appropriations Act, 2022, §§101–107), will eventually require certain companies with critical infrastructure to report cyber incidents within 72 hours and ransomware payments within 24 hours. The new requirements do not go into effect immediately. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has 24 months to issue proposed rules to implement the law, although the agency may do so in advance of that deadline. See §18.11.
In February 2021, the Federal Trade Commission (FTC) released an updated helpful guide on data breach response, titled Data Breach Response, A Guide for Business, available at https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business. The guide sets forth a series of steps that a company is advised to take for a quick and appropriate response when the company suspects a data breach has occurred. See §18.14.
On June 3, 2021, the U.S. Supreme Court issued its decision in Van Buren v U.S. (2021) 593 US ___, 141 S Ct 1648. The certified question presented was whether a person who is authorized to access information on a computer for certain purposes violates the CFAA if that person accesses the same information for an unauthorized purpose. In other words, can a defendant be criminally liable for exceeding authorized access? Although the case was intended to resolve a Circuit split between the First, Fifth, Seventh, and Eleventh Circuits (which had answered “yes”) and the Second, Fourth, Sixth, and Ninth Circuits (which had answered “no”), it provided a muddled response to the question. The Court held that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Van Buren, 593 US at ___, 141 S Ct at 1662. The Court, however, provided conflicting guidance regarding the meaning of “off limits.” See §18.19.
First Amendment and Other Speech-Related Liability
Merely because the statement is made in a public forum or by someone with a large social media following does not mean that the public interest element is satisfied. In Woodhill Ventures, LLC v Yang (2021) 68 CA5th 624, 633, a social media influencer with 1.5 million followers made various derogatory statements about a bakery on his social media channel. The influencer sought to argue that because he had such a large following and made the statements to a large number of people, the public interest element was satisfied, but the court disagreed, finding that he did not seek public discussion of any issue, but rather “aimed to whip up a crowd for vengeful retribution.” 68 CA5th at 632. See §20.88.
In Sugarman v Benett (2021) 73 CA5th 165, 177, the court held that statements about a public company’s financial projections made in earnings calls and in reports to the Securities and Exchange Commission were public statements relating to the company’s financial position, which could likely impact individual investors and the stock market. They therefore qualified as protected activity under the catchall provision. See §20.89.
In Neurelis, Inc. v Aquestive Therapeutics, Inc. (2021) 71 CA5th 769, the court held that the commercial speech exception applied to statements that the company made to potential investors about development of a drug because the investors were in a position to influence future buyers by investing to bring the drug to market. See also Xu v Huang (2021) 73 CA5th 802 (defamatory statements made by plaintiff’s competitors fell within commercial speech exemption because they were made for purpose of increasing the defendant’s sales). See §20.95.
Title 47 USC §230 will apply to claims arising from extraterritorial conduct if the plaintiff asserts claims in the United States. In Gonzalez v Google LLC (9th Cir 2021) 2 F4th 871, the families of several victims of ISIS terror attacks that occurred abroad sued Google, Twitter, and Facebook because ISIS used social media platforms for recruiting and propaganda purposes. The plaintiffs tried to claim that §230 did not apply because the conduct giving rise to the claims occurred abroad. The Ninth Circuit held that §230 did apply because “the statute’s focus occurs at the location associated with the imposition of liability.” 2 F4th at 888. See §§20.107, 20.110.
When the ISP is responsible for the creation or development of unlawful content, the Communications Decency Act of 1996 (CDA) (47 USC §230) will not apply. An ISP “creates or develops content by making a material contribution to its creation or development.” Gonzalez v Google LLC (9th Cir 2021) 2 F4th 871, 892; Kimzey v Yelp!, Inc. (9th Cir 2016) 836 F3d 1263, 1269. “Merely taking action that is necessary to the display of the allegedly illegal content” is insufficient to prove material contribution; rather, a material contribution requires “being responsible for what makes the displayed content allegedly unlawful.” Gonzalez, 2 F4th at 892. See §20.112A.
The EU has replaced the former Data Protection Directive with the new General Data Protection Regulation (GDPR), which became effective May 25, 2018. See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC. Although the United Kingdom left the EU effective January 1, 2021, it has implemented its own version of the GDPR, called the Data Protection Act. See https://www.gov.uk/data-protection. See §21.11A.
The European Data Protection Board adopted guidelines in November 2021, clarifying that a data transfer takes place when personal data moves from an organization subject to the GDPR to a separate organization outside of EU territory. This excludes transfers directly from individuals within the EU to organizations outside the EU. The guidelines were open to public comment through the end of January 2022. See §21.11A.
On December 31, 2021, the French Data Protection Authority (CNIL) imposed financial penalties of €90 million against Google LLC, €60 million against Google Ireland Limited, and €60 million against Facebook Ireland Limited, as well as injunctions ordering the companies to provide Internet users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent. This decision represents a landmark in GDPR enforcement, levying the highest fines issued to date under the GDPR in the European Union. See https://www.cnil.fr/en/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance. See §21.11A.
The European Commission has adopted measures setting out standard contract clauses (SCCs) designed to ensure appropriate safeguards for transfers of data from EU member states to countries outside the EU. These clauses are intended to offer an alternative way to obtain sufficient “adequate protection” (see §21.11) to protect the flow of data from EU member states from interruption. On June 4, 2021, the European Commission issued modernized SCCs under the GDPR for data transfers from controllers or processors in the EU (or otherwise subject to the GDPR) to controllers or processors established outside the EU (and not subject to the GDPR). These modernized SCCs replace the three sets of SCCs that were adopted under the previous data protection directive. See https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en. Companies relying on SCCs as a data transfer mechanism must now use the updated version for all new contracts and execute the appropriate updated version for all old contracts by December 27, 2022. See §21.13.
In August 2021, the U.S. State Department’s Directorate of Defense Trade Controls reached a $6.6 million settlement with a California-based electronics testing company, Keysight Technologies, Inc., for alleged illegal exports of software and technology. The settlement agreement stated that, between 2015 and 2018, the company exported its signal generation software to over 15 countries, including China and Russia, totaling 24 instances of alleged violations of the International Traffic in Arms Regulations (ITAR) (22 CFR §§120–130). See §21.21.