We’ve previously written about “tweet-less, picture-less,” computer-operated accounts, or bots, that make one appear more popular—a.k.a. influential on social media—than one actually is. Recently, legislators and law enforcement agencies have moved to crack down on bots, their evil cousins known as sock puppets, and other deceptive social engagement practices. Specifically, California passed a law that goes into effect in July 2019 banning the undisclosed use of bots to communicate or interact with a person in order to knowingly deceive that person so as to influence commercial transactions or a vote in an election. Meanwhile, New York and Florida announced settlements with Devumi LLC, a company that grossed over $15 million in revenue by creating, packaging and selling fake social media likes, followers and posts after the media exposed Devumi’s deceptive activities. The Devumi settlements are the first of their kind, indicating that such activity constitutes illegal deception of the public and, to the extent Devumi used stolen identities for its online activities, illegal impersonation.
Protecting consumer data privacy in the age of artificial intelligence and increased digital commerce is a growing concern. In June 2018, the California Consumer Privacy Act (CCPA) introduced provisions to protect consumers and became the first U.S. law that can be viewed as a response to GDPR. Going into effect on January 1, 2020, legislation of this scope has far-reaching tendrils that may breed unintentional consequences.
Let’s explore some of the implications of this law in the context of a recent letter sent by Clark Kent to a large internet company.
Mr. Clark Kent
1938 Comicbook Ln.
Metropolis, CA 90999
January 1, 2020
Chief Information Officer
Totally Not Evil Internet Corp.
Dear sir or madam,
I write this letter to exercise my rights under the California Consumer Privacy Act (CCPA). As you are no doubt aware, the CCPA became effective today. I would like to be honest with you. You’ve probably guessed why I’m writing this. I have read about the advances of your company’s facial recognition algorithms and machine learning research. I expect it was a shock when your software figured out what I look like without glasses.
Since your company meets all three of the thresholds outlined in the CCPA (even though your company only needs to meet one), I hope that you will take my letter seriously. Specifically, from my cursory research, your company (1) has annual gross revenue over $25 million; (2) annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices for commercial purposes; and (3) derives 50% or more of your annual revenue from selling consumer personal information.
Now that we have that out of the way, I want to voice my concerns. A surprisingly broad array of information is covered by the CCPA. For example, “personal information” is defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (And, as a “consumer” under the CCPA is merely a natural person who is a resident of California—that means me.) I note that the definition of personal information specifically includes biometric information, as well as audio, electronic, visual, thermal, olfactory or other similar information. It sure seems that any photos, videos, audio recordings, etc., of Superman in your possession could reasonably be indirectly linked to myself and should therefore be considered my personal information. Because the CCPA covers information that could be reasonably indirectly linked to my entire household, I think you should also include such information or data pertaining to my dog, Krypto, in this request.
Please consider yourself lucky if you do not have any olfactory information obtained from Krypto, but, if you do, please include it in this request as well.
Before you object on the grounds that photos of Superman (and Krypto) are publicly available information (and therefore not covered by the CCPA), I should point out that the drafters of the CCPA saw fit to define the term “publicly available” very narrowly: “For these purposes, ‘publicly available’ means information that is lawfully made available from federal, state, or local government records.” So, for instance, it seems to me that when one of your users takes a selfie with Superman after being rescued from a burning building, collapsing bridge, or the like, and that user’s smartphone automatically uploads that photo to your cloud storage service, I think I have a colorable argument that such selfie contains personal information about me and your company must disclose to me if it subsequently uses that photo for business or commercial purposes, such as including it in a training set for your facial recognition software.
Perhaps you disagree. I can see where you might think the CCPA is unclear. But the real question is whether you want to spend the resources necessary to fight the lawsuit that I am able to bring against Totally Not Evil Internet Corp. in the event that you do not encrypt a photo like that and there is any unauthorized access and exfiltration, theft or disclosure of that photo. The nature of my secrets being as delicate as they are, I would be interested to see how a court views “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” How secure is your data security? Please remember that under the CCPA, I could seek recovery of actual damages. Considering the last time someone found out my secret identity it resulted in several city blocks being reduced to rubble, you might want to remember that actual damages in my case exist on a considerable scale.
Accordingly, I would like to request the following:
- That, per Cal. Civ. Code section 1798.100, you reveal to me all categories of personal information that you have collected in relation to me or my household (please include Krypto, Superman, and, as things have been going very well lately, Lois Lane), as well as the specific pieces of information you have collected (yes, including olfactory information).
- That, per Cal. Civ. Code section 1798.105, you delete all such information.
- That, per Cal. Civ. Code section 1798.110, you disclose to me the categories of sources from which my personal information was collected and the categories of third parties with whom you share my personal information.
- That, per Cal. Civ. Code section 1798.110, you disclose to me the business or commercial purposes for collecting or sharing my personal information.
- That, per Cal. Civ. Code section 1798.115, you disclose whether or not you have sold or disclosed my personal information to third parties, and if so, the categories of my personal information that Totally Not Evil Internet Corp. has sold or disclosed to third parties.
- And lastly, that, per Cal. Civ. Code section 1798.120, you cease selling my personal information to third parties.
As provided by Cal. Civ. Code section 1798.130, I shall await your complete response to the above requests within 45 days. And should you try to hide the full extent to which you have collected and used my personal information, I will remind you that, in addition to risking significant penalties that the California Attorney General can seek against you, I work with the best investigative reporter in the business.
Clark J. Kent
(P.S. I expect you will shortly receive similar letters from my friends, Diana, Hal and Oliver.)
As you can see from Mr. Kent’s letter, the CCPA is complex legislation that impacts many aspects of today’s consumer-facing commerce. Under the CCPA, consumers are entitled to seek broad categories of information from businesses—requiring businesses to let a requesting consumer know what personal information is collected from that consumer, the sources from which that information is collected, the business purposes for collecting or selling the information and the third parties with which the information is shared. There is no question that this law is forcing businesses to change how they handle data. What businesses should ask themselves is whether they are implementing necessary changes fast enough to avoid the expensive fines, class action suits and injunctions that can result from non-compliance with the CCPA.
In another case of the law trying to keep pace with evolving technology, legislators are introducing bills to punish those who attempt to create false images that purport to be real. Targeting the rise of automated computer-generated imagery that has become increasingly accessible to the public, on February 14, 2019, California Assemblyman Marc Berman introduced a bill to create a criminal cause of action for making or distributing a “deepfake.” Deepfakes are multimedia, often audiovisual recordings, that seem real but that are generated by computers, often utilizing artificial intelligence-enhanced algorithms.
The Committee on Foreign Investment in the U.S. (CFIUS) has effectively ordered the divestiture of Beijing Kunlun’s ownership of the online dating site, Grindr, just as the company was preparing for an IPO. The case is important for three reasons. It emphasizes the importance of a CFIUS risk assessment before an investment or acquisition is negotiated. It highlights the risks of deciding not to make a voluntary CFIUS filing before the deal closes. And it sends a message to parties who have already closed: the U.S. government is watching, so assess your CFIUS exposure now.
Given the growth of investments in and shift of regulatory views regarding cannabis-related products, many companies in industries like medicine, lifestyle and foods/beverages are looking to carve out niches and be leaders in the relatively new space. As with any new technology space, it is essential to have a robust intellectual property protection strategy to both establish and preserve one’s position as a dominant player in an emerging market. One important step that a company may take when creating such a strategy is applying for patents.
Back in September, we looked at the concerns and implications surrounding a proposed new copyright law being considered by EU legislators. Yesterday, perhaps faster than many expected, the European Parliament passed the new law. Many tech companies, digital rights activists and academic researchers found common ground in opposing the legislation, which they claim will stifle information sharing and enable censorship. Supporters of the law see it as a means to protect creative content. As written, the legislation is not quite as restrictive in all areas as initially feared—memes and gifs are “safe,” as are uploads to noncommercial and open-source sites—but nonetheless, now that it has been passed, and after inevitable legal challenges lead to further adjustments in the language, we’ll see who was right.
Over the past several years, cannabis has been one of the hottest areas of investment and innovation, with many states introducing legislation to legalize cannabis use in some form. Correspondingly, many companies have entered the U.S. market and are even listed on the Nasdaq or the New York Stock Exchange, leading to much interest on Wall Street. Many nascent industries have budded in the cannabis space, ranging from growing the cannabis plant itself to extraction processes to consumer products like vapes.
No one knows your face as well as your iPhone does. All the unique variances of your face that make it yours and yours alone, these are all data points that your iPhone uses to unlock your phone using a face in place of a thumbprint. This same data that the iPhone collects can be used by the underlying tech—facial recognition technology—in a vast array of applications, from border control to photo tagging to law enforcement. But is this data (the measurement of the space between the eyes, the texture of the skin, etc.) open data? Or do individuals have a right to protection of an image of their face?
On the heels of a January 2019 announcement that it was charging nine persons with participation in a scheme that allowed them to hack into the SEC’s confidential database of public filings, commonly known as EDGAR, on February 28 the SEC named Gabriel Benincasa as its first-ever Chief Risk Officer (CRO). Although the two events have no direct causal link, they serve as useful reminders that the SEC is determined to re-emphasize its mission to ensure the smooth operation of the U.S. securities markets and to root out and punish instances of fraud and market manipulation, be it by traditional methods or where digital tools are implicated and databases are compromised. The position of CRO is a new one at the SEC. Created by SEC Chairman Jay Clayton to strengthen the agency’s risk management and cybersecurity efforts, Benincasa’s office will help to coordinate efforts to identify, monitor and address risks facing the agency.
Fortnite is the most popular video game in the world. So popular that it was last year’s highest earning video game, grossing more than $2.4 billion in 2018 alone. So popular, in fact, that its fans successfully convinced Sony to reverse its longstanding policy against cross-platform gaming, thus allowing PlayStation Fortniters to play with their PC, mobile and other console-owning friends. Fortnite is also free.