Business Law

Selected Developments in Business Law — Internet Law and Practice in California

Courtesy of CEB, we are bringing you selected legal developments in areas of California business law that are covered by CEB’s publications.  This month’s feature is from the July 2023 update to Internet Law and Practice in California.  References are to the book’s section numbers.  The most significant legal developments since the last update include developments in such important topic areas as copyright, patent, disability accommodation, electronic contracting, privacy, cybersecurity, and First Amendment issues. 

Copyright

July 2023 Update

Under 17 USC §411(b)(1), to challenge the validity of a copyright registration, the challenging party must demonstrate (1) that inaccuracies in the application were made with knowledge of the inaccuracy (the knowledge requirement); and (2) had the Register of Copyrights known of the inaccuracy, the registration would have been denied (the materiality requirement). Previously, the Ninth Circuit limited the knowledge requirement to mistakes of fact and not mistakes of law. The Supreme Court reversed and held that the knowledge requirement includes both mistakes of fact and mistakes of law. Unicolors, Inc. v H&M Hennes & Mauritz, L.P. (2022) 595 US ___, 142 S Ct 941. If the applicant has a subjective good faith belief that the contents of the application were accurate (even if they were ultimately incorrect), there will be no violation of the knowledge requirement. See §1.18A.

If a copyrighted work is “used simply to illustrate what that work already depicts,” then the use is not transformative. McGucken v Pub Ocean Ltd. (9th Cir 2022) 42 F4th 1149, 1158. Further, “adding informative captions does not necessarily transform copyright works.” 42 F4th at 1158. See also Sicre de Fontbrune v Wofsy (9th Cir 2022) 39 F4th 1214, 1225. See §1.45.

The Copyright Alternative in Small-Claims Enforcement Act of 2020 (CASE Act) (17 USC §§1501–1511) created a new venue—an administrative tribunal called the Copyright Claims Board (CCB)—to provide an alternative to federal court for certain types of copyright disputes. The CCB is a three-member board within the Copyright Office, which is intended to provide an efficient and user-friendly way to resolve certain small copyright claims (up to $30,000). See https://www.ccb.gov/. Copyright holders wishing to assert a claim before the CCB may, but need not, be represented by an attorney or a qualified law student. 17 USC §1506(d). See §1.90.

Patents

Weisner v Google, LLC (Fed Cir 2022) 51 F4th 1073 reflects a useful comparison of patent-eligible and patent-ineligible subject matter within related patents. Four patents were at issue, sharing virtually the same specification of ways to digitally record a person’s activities and ways of using the digital record. The Federal Circuit found two of the four patents were merely directed toward the abstract idea of a digital travel log, a common human activity in the form of travel logs, diaries, journals, and calendars. Because the digital travel logs were recorded using generic computer features (e.g., a processor, network, URL, and handheld mobile communications device), the Federal Circuit did not find that the claims recited anything more than the abstract idea of a travel log and therefore were directed toward patent-ineligible subject matter. In contrast, the Federal Circuit found the other two patents were directed toward patent-eligible subject matter because the claims were directed toward the use of the travel histories to improve computerized search results by using a new technique for prioritizing the results of the search. See §2.19.

Artificial Intelligence

A new chapter on the legal issues surrounding artificial intelligence has been added. See chap 3A.

Independent Contractors

In October 2022, the U.S. Department of Labor (DOL) issued proposed regulations to modify its analysis for determining employee or independent contractor classification under the Fair Labor Standards Act (FLSA) (29 USC §§201–219). See 87 Fed Reg 62218 (Oct. 13, 2022). The FLSA has been broadly construed to regulate wage and hour issues arising out of the employer-employee relationship. It applies only if an employment relationship exists. It does not apply to independent contractors. 29 USC §203(r)(1). The proposed rules are intended to provide a totality-of-the-circumstances analysis in which each economic reality factor is given full consideration. No single factor is dispositive, and the six listed factors are not exhaustive. The six factors are as follows (Proposed 29 CFR §795.105(b)):

  • Whether the worker exercises managerial skill that affects the worker’s economic success or failure in performing the work;
  • Whether any investments by a worker are capital or entrepreneurial in nature;
  • Whether the work relationship is indefinite in duration or continuous;
  • The scope of the employer’s control, including reserved control, over the performance of the work and the economic aspects of the working relationship;
  • The extent to which the work performed is an integral part of the employer’s business; and
  • Whether the worker uses specialized skills to perform the work and whether those skills contribute to business-like initiative.

If finalized, the proposed rules would make it more difficult for certain workers to qualify as independent contractors. However, the scope of the rules’ preemption of California state law tests for independent contractor status would be an issue for the courts. See §4.14B.

Disability Accommodation

In Martinez v Cot’n Wash, Inc. (2022) 81 CA5th 1026, the court conducted an extensive review of federal and state case law and the legislative history of the Americans with Disabilities Act of 1990 (ADA) (42 USC §§12101–12213), concluding that the stand-alone website at issue was not a place of public accommodation. The court found that the term “place” is consistently defined as involving a physical location. The court also said that “the state of technology when the ADA was passed in 1990 [does not] suggest that Congress was unaware that the term carried a connotation of physical space and thus could exclude certain ‘sales and retail establishments’ from the scope of [the ADA] based on a lack of connection to a physical space. ‘[T]here were countless … businesses operating outside of brick-and-mortar premises in 1990, including some that had been in operation for decades,’ such as mail order catalogs.” 81 CA5th at 1044 (citations omitted). See §5.28.

On March 18, 2022, the U.S. Department of Justice issued its Guidance on Web Accessibility and the ADA (Guidance), available at https://www.ada.gov/resources/web-guidance/. In the Guidance, the DOJ provides the following examples of barriers to website accessibility:

  • Poor color contrast;
  • Use of color alone to give information;
  • Lack of text alternatives (“alt text”) on images;
  • No captions on videos;
  • Inaccessible online forms; and
  • Mouse-only navigation (lack of keyboard navigation).

The Guidance points to the technical standards in the Web Content Accessibility Guidelines (WCAG), available at https://www.w3.org/WAI/standards-guidelines/wcag/, as providing helpful guidance on how to ensure accessibility of website features. See §5.29.

Electronic Contracting

In Doe v Massage Envy Franchising, LLC (2022) 87 CA5th 23, the court denied enforcement of a click-wrap arbitration agreement. The court found that the contract terms, including the arbitration provision, were not presented to the plaintiff in a way that made it apparent that she was assenting to those terms. She was not on notice that clicking the website checkbox implicated any terms and conditions beyond those she had just reviewed. The court distinguished the cases that enforced click-wrap agreements in different factual circumstances, finding that the plaintiff in this case did not have reasonable notice that she was entering into any agreement with defendant, much less notice of the terms of the agreement. As in the case of browse-wrap agreements (discussed in §7.4), website design is crucial in determining whether someone has notice of the terms of an online click-wrap agreement. See §7.3.

In B.D. v Blizzard Entertainment, Inc. (2022) 76 CA5th 931, the court found that the video game’s pop-up notice provided sufficiently conspicuous notice that by clicking on the “Continue” button at the bottom of the pop-up, the user would be agreeing to all of the terms. See §7.3.

Even if the structure of the approval process for a web business’s online terms of use is set up properly and is arguably defensible for adults, it may not survive if challenged by a minor. In Doe v Roblox Corp. (ND Cal, No. 3:21-cv-03943-WHO, May 9, 2022) 2022 US Dist Lexis 83523, the terms of service for the online gaming platform Roblox were held to be invalid as to the plaintiffs in a class action, because the process was not sufficiently clear to users who were minors. 2022 US Dist Lexis 83523, at *14. The Roblox site featured the ability to make in-game purchases at its online store, such as clothing for users’ avatars. 2022 US Dist Lexis 83523, at *3. The suit alleged that Roblox did not adequately screen the content in its store. See §7.4C.

California Rule of Court 2.257 sets out detailed requirements for the validity of electronic signatures on documents signed under penalty of perjury and documents not signed under penalty of perjury. See https://www.courts.ca.gov/cms/rules/index.cfm?title=two&linkid=rule2_257. See §7.11.

Social Networking

In NetChoice, LLC v AG, Fla. (11th Cir 2022) 34 F4th 1196, the Eleventh Circuit held that the social media companies were private actors with rights protected by the First Amendment and that the companies’ content-moderation decisions were protected exercises of editorial judgment. A petition for certiorari of the Eleventh Circuit decision to the U.S. Supreme Court has been filed, but had not yet been granted as of June 2023. See §8.30A.

Business and Professions Code §§22675–22681 (called “Content Moderation Requirements for Internet Terms of Service”) apply to “social media companies,” defined as persons or entities that own or operate one or more “social media platforms” with gross annual revenues of $100 million or more. Bus & P C §§22675(d), 22680. “Social media platforms” are defined as public or semipublic internet-based services or applications with users in California, that both substantially function to connect users socially (not including connecting solely through email or direct messages) and allow users to (1) build public or semipublic profiles; (2) populate a list of users over a shared social connection; and (3) create or post content viewable by other users. Bus & P C §22675(e). A social media company that meets the revenue threshold must post its terms of service in a way that is reasonably designed to inform all users of the existence and contents of the terms of service. Covered social media companies must provide the California Attorney General with a copy of their current terms of service and a semiannual report on content moderation. See §8.30B.

In 2022, the FTC assessed Epic Games, Inc., creator of the popular video game Fortnite, $520 million over allegations that it violated the Children’s Online Privacy Protection Act (COPPA) (15 USC §§6501–6506). The FTC required Epic to adopt strong privacy default settings for children and teens to ensure that voice and text communications are turned off by default. In addition, in response to allegations that Epic used design features, known as “dark patterns,” to trick players into making unintentional purchases, Epic was required to refund $245 million to consumers. Fortnite’s “dark patterns” included confusing button configurations that led players to incur unwanted charges, e.g., by attempting to wake the game from sleep mode, while the game was in a loading screen, or by attempting to preview an item. See https://www.ftc.gov/news-events/news/press-releases/2022/12/fortnite-video-game-maker-epic-games-pay-more-half-billion-dollars-over-ftc-allegations. See §8.32A.

Privacy

In In the Matter of Drizly, LLC, and James Cory Rellas, individually, and as an officer of Drizly, LLC (Oct. 24, 2022) FTC File No. 202 3185, the FTC announced an action against Drizly and its CEO, James Cory Rellas, over allegations that the company failed to adequately secure user data, leading to a data breach that exposed the personal information of about 2.5 million consumers. The FTC’s complaint alleged that Drizly failed to use reasonable information security practices despite being aware of previous security incidents and in contradiction to its express representations regarding security. Under the FTC order, Drizly and Rellas were required to destroy unnecessary data, limit future data collection, and implement an information security program with specified controls. The FTC order was also notable as it was a rare occasion when an executive was directly penalized. See §9.9A.

In In re Chegg, Inc. (Jan. 26, 2023) FTC File No. 2023151, the FTC also took action against education technology provider Chegg, Inc. over its security practices, which exposed sensitive user information including Social Security numbers, emails, and passwords. The FTC alleged that Chegg’s lax security practices, including a failure to implement reasonable security measures, insecure storage methods, and failure to develop adequate security policies and training, resulted in four data breaches that exposed user personal information. The consent order required that Chegg detail and limit data collection, provide consumer access to data, implement multifactor authentication, and implement a security program to address flaws with its security practices, including data encryption. See §9.9A.

In August 2022, the California Office of the Attorney General (OAG) announced a settlement with cosmetics company, Sephora, Inc., for violations of the California Consumer Privacy Act of 2018 (CCPA) (CC §§1798.100–1798.199.100). This settlement marks the first enforcement action of the CCPA by the California OAG since the CCPA was first passed in 2020. According to the OAG’s announcement, Sephora will pay a fine of $1.2 million and must comply with several injunctive terms. The OAG alleged in its complaint that Sephora failed to disclose to consumers that it was selling their personal information and subsequently failed to process consumer requests to opt out of the sale via user-enabled global privacy controls. See §9.18A.

In September 2022, California enacted the Age-Appropriate Design Code Act (AADC) (CC §§1798.99.28–1798.99.40), which takes effect July 1, 2024. The AADC is a landmark privacy bill modeled after the United Kingdom’s Age-Appropriate Design Code Act (see §9.37B) that imposes certain requirements relating to children’s data privacy. In general, the AADC applies to businesses that provide online products and services that are “likely to be accessed” by a child. CC §1798.99.30(b)(4). Businesses must (1) complete Data Protection Impact Assessments (DPIAs) before offering any new online product or service to the public when that product or service is likely to be accessed by a child; (2) document any risks of “material detriment to children” that may be identified in the DPIA; and (3) create a plan to eliminate or mitigate such risks to children before the online product or service is actually accessed by a child. CC §1798.99.31(a)(1)(A)–(B), (a)(2). See §9.36D.

E-Commerce

Building on President Biden’s Executive Order, California Governor Gavin Newsom issued an Executive Order on May 4, 2022 (1) to create a regulatory approach that would encourage responsible innovation in blockchain and cryptocurrency technologies, while protecting California consumers; (2) to assess how to deploy blockchain technology for state and public institutions; and (3) to build research and workforce development pathways to prepare Californians for success in these markets. See https://www.gov.ca.gov/wp-content/uploads/2022/05/5.4.22-Blockchain-EO-N-9-22-signed.pdf. The Order outlines seven priorities for relevant state agencies. See §10.5A.

In Wildes v BitConnect Int’l PLC (11th Cir 2022) 25 F4th 1341, the court addressed the applicability of the federal securities laws to videos posted on YouTube and other social media websites promoting cryptocurrency. Investors who sustained losses filed a class action alleging the defendants violated §§5 and 12 of the Securities Act of 1933 (15 USC §§77e(a)(1), 77l(a)(1)) by soliciting the purchase of unregistered securities. The Eleventh Circuit held that offers of securities under the securities laws include promotions using mass communication media such as YouTube, and are not limited to individualized offers to specific persons. See §10.5A.

On March 22, 2023, the SEC announced charges against crypto asset entrepreneur Justin Sun and three of his wholly-owned companies, Tron Foundation Limited, BitTorrent Foundation Ltd., and Rainberry Inc. (formerly BitTorrent), for the unregistered offer and sale of crypto asset securities Tronix (TRX) and BitTorrent (BTT). The SEC also charged Sun and his companies with fraudulently manipulating the secondary market for TRX through extensive wash trading, which involves the simultaneous or near-simultaneous purchase and sale of a security to make it appear actively traded without an actual change in beneficial ownership, and for orchestrating a scheme to pay celebrities to tout TRX and BTT without disclosing their compensation. The SEC simultaneously charged eight celebrities for illegally touting TRX or BTT without disclosing that they were compensated for doing so and the amount of their compensation. See https://www.sec.gov/news/press-release/2023-59. See §10.5D.

Hermès Int’l v Rothschild (SD NY, May 18, 2023, No. 22-cv-384 (JSR)) 2022 US Dist Lexis 89799, one of the first trademark infringement actions involving NFTs, is an ongoing dispute between the international luxury fashion house Hermès and an artist using the name Mason Rothschild, involving the artist’s line of non-fungible tokens (NFTs) depicting fur-covered Birkin handbags, called “MetaBirkins.” In this round of the lawsuit, the court denied the artist’s motion to dismiss the trademark infringement claims, stating that the amended complaint includes sufficient allegations of explicit misleadingness either as a function of likelihood of confusion or under Rothschild’s own theory of explicitly misleading analysis. 2022 US Dist Lexis 89799, *17. See §10.5C.

The Integrity, Notification, and Fairness in Online Retail Marketplaces for Consumers Act (INFORM Consumers Act), §301 of the Consolidated Appropriations Act, 2023 (Pub L 117–328, 136 Stat 4459), enacted December 29, 2022, is intended to increase the transparency of third party sellers in online retail marketplaces. Effective in June 2023, the Act requires online marketplaces to collect, verify, and disclose certain information from high-volume, third party sellers. High-volume, third party sellers include online marketplace participants that conduct 200 or more transactions resulting in total revenues of $5,000 or more during a continuous 12-month period. Online marketplaces must obtain these sellers’ (1) bank account numbers; (2) government-issued identification; (3) tax identification numbers; and (4) contact information. Online marketplaces must verify this information and annually certify any changes to it. Further, online marketplaces must make certain information (e.g., sellers’ names and contact information) available to consumers through the sellers’ product listings and provide consumers with methods to report electronically and by telephone any suspicious activity on the marketplace. The Act provides the Federal Trade Commission with the authority to enforce these requirements. See §10.16E.

Cybersecurity

On March 15, 2022, as part of the Consolidated Appropriations Act, 2022 (Pub L 117–103, 136 Stat 49), President Biden signed into law new cyberattack reporting obligations for companies with businesses involving critical infrastructure. The new law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Division Y of the Consolidated Appropriations Act, 2022, §§101–107), will eventually require certain companies with critical infrastructure to report cyber incidents within 72 hours and ransomware payments within 24 hours. The new requirements do not go into effect immediately. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has 24 months to issue proposed rules to implement the law, although the agency may do so in advance of that deadline. See §18.22.

In hiQ Labs, Inc. v LinkedIn Corp. (9th Cir, Apr. 18, 2022, No. 17-16783) 2022 US App Lexis 10349, the Ninth Circuit reaffirmed its prior ruling that wholesale scraping of data from public LinkedIn profiles does not breach the Computer Fraud and Abuse Act (CFAA) (18 USC §1030). Ruling in favor of hiQ Labs, the court confirmed that its decision was reinforced by Van Buren v U.S. (2021) 593 US ___, 141 S Ct 1648, which bolstered hiQ Labs’ case that it did not breach the CFAA by continuing to scrape LinkedIn profile data in order to build a data analytics product despite having received a cease-and-desist letter. See §18.31.

In Casillas v Berkshire Hathaway Homestate Ins. Co. (2022) 79 CA5th 755, plaintiffs alleged that defendants, three insurance companies and two investigators, copied their electronic litigation files from a third party computer system, in violation of their interests in privacy and confidentiality. The court of appeal affirmed the action of the trial court dismissing the claim of trespass to chattels. The court held that plaintiffs’ allegations did not state a claim for trespass to chattels because plaintiffs conceded that the copying did not cause any damage or disruption to their computer system and they failed to allege any actionable injury to the copied files or their asserted property interests therein. They conceded the files had not been corrupted, and their own access to the files had not been impaired. The court also rejected plaintiffs’ reliance on their interests in privacy and confidentiality. See §18.54.

Jurisdiction

In Will Co. v Ka Yeung Lee (9th Cir 2022) 47 F4th 917, a copyright suit, the Ninth Circuit found that the following factors were sufficient for personal jurisdiction over a Hong Kong-based video-hosting website: (1) the defendants chose to host the website in Utah and to purchase content delivery network services for North America, which reduced the time it took for the site to load in the United States; (2) the webpages that addressed legal compliance were in English and were relevant almost exclusively to viewers in the United States; and (3) the advertising structure employed by the defendants demonstrated that they profited from United States viewers. See §§19.6, 19.10.

First Amendment and Other Speech-Related Liability

In Serova v Sony Music Entertainment (2022) 13 C5th 859, the California Supreme Court addressed whether promotional materials for expressive works constitute commercial speech or are entitled to higher protection. At issue in that case were promotional materials for a posthumous Michael Jackson album. The album was promoted as containing unreleased tracks by Michael Jackson. The plaintiff in a class action alleged that three of the tracks did not contain Michael Jackson’s voice but a person impersonating Michael Jackson. Applying the test from Kasky, the California Supreme Court found (1) the speaker and audience weighed in favor of finding commercial speech because the statements were made to promote the album to potential consumers; (2) the content of the speech involved characteristics of the product (i.e., the album); and (3) the album was a commercial product (and there is a long history of regulating promotional statements about expressive works). 13 C5th at 874–880. See §20.7.

Twitter, Inc. v Garland (9th Cir, Mar. 6, 2023, No. 20-16174) 2023 US App Lexis 5272, was an action by Twitter alleging First Amendment violations arising from FBI restrictions on Twitter’s publication of a report in which Twitter wished to publicly disclose certain information about governmental requests that Twitter received in 2013. The FBI determined that the number of its requests, including subpoenas, orders, and related information, was classified, and that Twitter’s disclosure of this information would harm national security. As a result, the FBI allowed Twitter to release its report only in a partially redacted form. The Ninth Circuit held that strict scrutiny applied because the restriction on Twitter’s speech was content-based. The panel acknowledged that Twitter had a First Amendment interest in commenting on matters of public concern involving national security subpoenas. Nevertheless, based on a careful review of classified and unclassified information, the panel held that the government’s redactions of Twitter’s report were narrowly tailored in support of the compelling government interest in national security and thus did not violate the First Amendment. See §20.19E.

E-Discovery

In Red Wolf Energy Trading, LLC v BIA Capital Mgmt., LLC (D Mass, Sept. 8, 2022, No. 19-10119-MLW) 2022 US Dist Lexis 162470, a trade secret misappropriation case, the U.S. District Court for the District of Massachusetts held that new instant messaging technologies such as the increasingly popular tool, Slack, owned by Salesforce.com, cannot be exempt from document production requirements simply because they are new. The court held that counsel must stay abreast of new messaging technologies, and that, if they cannot do so, they must associate someone with expertise on the platform at issue into the case to assist. The “dog ate my homework” excuse is no longer valid in e-discovery disputes. See §20A.5.

In Fast v GoDaddy.com LLC (D Ariz 2022) 340 FRD 326, the defendant GoDaddy.com was awarded sanctions on account of the plaintiff’s deletion of her Facebook messages concerning her emotional and medical condition, her job, and her termination from employment, all of which likely would have been relevant to her sex and disability discrimination and retaliation claims. The plaintiff was also ordered to pay opposing counsel’s fees and costs, and the defendant was allowed to conduct further forensic review of the plaintiff’s electronic devices to determine whether additional deleted information would be recoverable. See §20A.25.

In Hollis v Ceva Logistics U.S., Inc. (ND Ill, May 19, 2022, No. 19 CV 50135) 2022 US Dist Lexis 90234, an Illinois federal district court found that a defendant’s action in allowing video camera footage to overwrite itself (after the opposing party mentioned that the footage could be relevant in pretrial statements) constituted sanctionable spoliation. The court found that allowing the video camera to record over itself (which the camera does by default) constituted a failure to take reasonable steps to preserve relevant electronic evidence. The court also found that, unlike email and other digital evidence, the video evidence was lost forever once it was recorded over. The judge issued an adverse inference instruction to the jury, finding that defendant’s action was intentional. See §20A.28.

International

In October 2022, the European Data Processing Board, an independent body bringing together the EU’s national data protection authorities from across the EU, approved the first European Data Protection Seal. See https://www.euprivacyseal.com/. This certification mechanism encompasses a wide range of data processing operations in many sectors. Data controllers, the companies and services who decide why and how personal data is processed, as well as data processors, third parties, and employees who process personal data on behalf of a controller, perform these operations. The Europrivacy certification can help data controllers and data processors certify their data processes are valid in all member states. See https://digital-strategy.ec.europa.eu/en/news/europrivacy-first-certification-mechanism-ensure-compliance-gdpr. See §21.13A.

In 2022, the Digital Services Act (Regulation (EU) 2022/2065) (DSA) and the Digital Markets Act (Regulation (EU) 2022/1925) (DMA) became law in the EU to update the Electronic Commerce Directive 2000 discussed in §21.15. See https://eur-lex.europa.eu/eli/reg/2022/2065/oj and https://eur-lex.europa.eu/eli/reg/2022/1925. Internet intermediaries subject to the DSA have until January 1, 2024 to comply with its requirements. The DSA is intended to improve content moderation on social media platforms in order to address concerns about illegal content. It includes chapters regulating the obligations and liability exemptions of intermediaries and the enforcement framework. The DSA has a conditional liability exemption under which companies that host third party content are not liable for the content unless they actually know it is illegal and, once obtaining such knowledge, do not act to remove it. The Digital Markets Act (DMA) establishes a set of criteria for qualifying large online platforms as so-called “gatekeepers.” It is intended to provide businesses who depend on gatekeepers with a fairer business environment, without unfair terms and conditions that limit their development. It is also intended to provide consumers with better services to choose from, more opportunities to switch their provider if they wish, direct access to services, and fairer prices. Gatekeepers are not allowed to use unfair practices toward the business users and customers that depend on them to gain an undue advantage. See §21.15.

