Flag of California, depicting a large brown bear beside a red star, above the words "California Republic."

California: New AI laws in California – roundup of the 2025 legislative session

This article was originally published by OneTrust DataGuidance on November 24, 2025 and can be found on the DataGuidance website here.

California introduces comprehensive AI laws focusing on transparency, children’s safety, healthcare, antitrust, and law enforcement.

California has taken an aggressive stance towards artificial intelligence (AI) legislation and will likely set the standard for other US states. Back in 2024, Governor Newsom vetoed comprehensive AI safety legislation under bill SB 1047 and advised caution on regulations for this nascent and important technology. This year, Governor Newsom pressed ahead with a full slate of new AI laws. The reasons for this change in approach are many, including but not limited to the lack of federal AI legislation, the growing concern over children’s interactions with AI, especially sexualized content, and harmonization with more stringent requirements in the EU and elsewhere.

This year’s legislative session set records for the number and scope of new AI laws. For the roundup this year, Lily Li, of Metaverse Law Corporation, breaks down the new AI laws by scope and sector, noting where this may add on to existing California legislation and rulemaking from 2024-2025.

General AI safety, transparency, and risk assessments

  • SB 53: Transparency in Frontier Artificial Intelligence Act (Wiener) – Starting in January 2026, California will require large frontier AI developers to publish a framework detailing how they incorporate safety, security, and testing standards into their AI models. SB 53 also creates a mechanism for AI developers and the public to report critical safety incidents, and protects internal whistleblowers who report risks posed by frontier AI models. The law establishes significant penalties for companies that fail to comply, with fines of up to $1 million per violation.
  • AB 316: Artificial Intelligence defenses (Krell) – This amends California’s Civil Code. If a party to a lawsuit develops, modifies, or uses AI, this law prohibits them from asserting as a defense that the AI autonomously caused the harm.
  • AB 853: California AI Transparency Act (Wicks) – This bill expands the existing AI Transparency Act and modifies the effective date from January 1, 2026, to August 2, 2026. The California AI Transparency Act requires covered generative AI developers to provide an AI-detection tool to assess whether image, video, or audio content is created or altered by generative AI. This bill adds to the existing law by requiring large online platforms to embed provenance data into generated content. Starting January 1, 2028, users will also have the option to include latent disclosures on ‘capture devices’ such as cameras, video recorders, and other recorders.

This new California approach to AI transparency and safety legislation needs to be read in conjunction with the following existing laws.

  • California Privacy Protection Agency’s (CPPA’s) recently approved Cyber, Risk, ADMT, and Insurance Regulations – The CPPA’s most recently updated 127-page regulation package contains requirements governing cybersecurity audits, risk assessments, and automated decision-making technology. AI developers and systems that process personal information and meet certain California privacy thresholds will now face new cybersecurity audit and risk assessment requirements. In addition, automated and significant decisions concerning the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services will trigger significant notice, opt-out, and risk assessment requirements.
  • AB 2013: AI Training Data Transparency Act (Irwin-2024) – Passed last year, this law will require covered generative AI developers to publish online a high-level summary of the datasets used in the development of the generative AI system or service, including but not limited to whether personal information or copyrighted information is included in the training data. The law is scheduled to go into effect on January 1, 2026.

Children’s safety, age verifications, and companion chatbots

  • SB 243: Companion Chatbots (Padilla) – This law applies to chatbots that provide human-like interactions and are capable of sustaining relationships across multiple interactions. Beginning July 1, 2027, developers of these ‘companion chatbots’ will need to develop and report protocols addressing suicidal ideation and self-harm to regulators and the public. The law requires AI disclosures, referrals to suicide hotlines or crisis text lines, and break reminders. SB 243 further requires developers to institute reasonable measures to prevent the chatbot from producing visual material of sexually explicit conduct or directly stating that the minor should engage in sexually explicit conduct. The legislation includes a private right of action for individuals who suffer ‘an injury in fact’ with statutory damages of $1,000 per violation, or actual damages if greater.
  • AB 1043: Digital Age Assurance Act (Wicks) – Starting January 1, 2027, operating systems and covered application stores will be required to obtain age data from users and pass on age bracket data to developers when users download and launch an application.
  • AB 56: Social Media Warning Law (Bauer-Kahan) – Starting January 1, 2027, covered social media platforms will need to display a warning label to minors the first time a user accesses the platform each day, after three hours of active use, as well as once per hour of cumulative active use after that. The warning label must say ‘The Surgeon General has warned that while social media may have benefits for some young users, social media is associated with significant mental health harms and has not been proven safe for young users.’
  • AB 621: Deepfake pornography (Bauer-Kahan) – This amends California’s Civil Code and expands protections against deepfake pornography. The law explicitly provides a cause of action against individuals who create or disclose deepfake pornography if they know, or reasonably should know, that the depicted individual was a minor and also provides a cause of action against individuals who knowingly facilitate or recklessly aid or abet the creation or disclosure of such nonconsensual deepfake pornography. The bill confirms that a minor cannot consent to the creation or distribution of deepfake pornography.

California’s approach to AI and children has a long and complicated history, and these new laws should be read in conjunction with the following laws on the books.

  • California Age Appropriate Design Code (Wicks) – This law was signed on September 15, 2022, and was scheduled to go into effect on July 1, 2024. Modeled after the UK Age Appropriate Design Code, this law requires businesses to conduct impact assessments, provide Privacy by Default, estimate the age of all users, and restrict dark patterns. The law was enjoined in March 2025, but is being appealed by the California Attorney General.
  • Protecting Our Kids from Social Media Addiction Act (Skinner-2024) – This law is scheduled to go into effect on January 1, 2027, and prohibits covered social media platforms from providing addictive feeds to minors without verifiable parental consent. The law has so far escaped a constitutional challenge, but may face other court challenges prior to the effective date.

Healthcare AI and chatbots

  • AB 489: Health care professions: deceptive terms or letters: artificial intelligence (Bonta) – This law prohibits AI systems from falsely indicating or implying possession of a medical license or certificate through advertising, marketing, or other functionality. AB 489 also makes AI developers directly subject to the healthcare professional licensing board or enforcement agency if they develop such a system. Each use of a prohibited term, letter, or phrase shall constitute a separate violation.

California’s approach to AI in healthcare also needs to be read in conjunction with the following laws and guidance.

  • Legal Advisory on the Application of Existing California Law to Artificial Intelligence in Healthcare – In January 2025, California Attorney General Rob Bonta issued this advisory, setting forth California’s existing consumer protection, civil rights, competition, and data privacy laws governing healthcare AI.
  • SB 1120: Physicians Make Decisions Act (Becker-2024) – This law prohibits covered healthcare service plans from denying, delaying, or changing healthcare services based, in whole or in part, on medical necessity using AI, algorithms, or other software tools. Such determinations shall require a physician or licensed healthcare professional and review of individual circumstances. This law also requires written policies and procedures governing such determinations.
  • AB 3030: Artificial Intelligence in Health Care Services (Calderon-2024) – This law applies to health facilities, clinics, physicians’ offices, or other health group practices that use generative AI for communications about patient clinical information. Under this bill, generative AI communications that pertain to clinical information must include:
    • a disclaimer that indicates the communication was generated by AI at the beginning of the interaction; and
    • clear instructions on how the patient can contact the appropriate person.

Antitrust and pricing discrimination

  • AB 325: Cartwright Act violations (Aguiar-Curry) – This amends California’s existing antitrust law, the Cartwright Act, to explicitly cover ‘common pricing algorithms.’ The law prohibits:
    • the use or distribution of a ‘common pricing algorithm’ as part of a contract, combination in the form of a trust, or conspiracy to restrain trade or commerce; or
    • coercion to set or adopt a recommended price or term, recommended by the common pricing algorithm for the same or similar products or services.

Complaints shall not be required to allege facts tending to exclude the possibility of independent action.

Law enforcement use of AI

  • SB 524: Law Enforcement Agencies (Arreguín) – SB 524 requires law enforcement to disclose if an official report was written either fully or in part using AI, as well as retain the first draft created by AI and an associated audit trail that, at minimum, identifies both the officer who used AI to create a report and the video and audio footage used to create a report, if any. SB 524 also prohibits AI vendors from sharing, selling, or otherwise using information, except as provided in the bill (e.g., troubleshooting, bias mitigation, quality control, legal purposes, etc.).

Employment and bias

While Governor Newsom vetoed SB 7, the No Robo Bosses Act, the Governor’s veto letter pointed to the CPPA’s ADMT regulations as addressing some of the bill’s requirements. Per Governor Newsom, SB 7 is ‘partially covered’ by these regulations, as they ‘allow employees and independent contractors to better understand how their personal data is used by automated decision technology.’ In addition, the California Civil Rights Council’s recently promulgated regulations state that California’s antidiscrimination laws apply to AI workplace tools. These regulations address another concern raised in SB 7, which sought to prohibit ADS systems from inferring a worker’s protected status.

Image of a computer circuit board with "AI" written on one of the chips.

OCBA AI Symposium 2024

This summer, the University of California, Irvine School of Law hosted the Orange County Bar Association’s first ever Artificial Intelligence Symposium.


Metaverse Law was a sponsor for the event and Founder Lily Li was one of the speakers. Lily’s presentation was titled: “Securing Your Office Against Deepfakes: Understanding Your Ethical Obligations of Attorney Competency and Confidentiality.”


If you would like a copy of the presentation, reach out to us at Info@metaverselaw.com


Be sure to check the Orange County Bar Association’s website for information on next year’s AI Symposium.

Orange County Lawyer Magazine Logo

Metaverse Law featured in OC Lawyer Magazine

The Orange County Bar Association recently released the January 2024 issue of Orange County Lawyer magazine. This month, Orange County Lawyer includes an article written by Metaverse Law’s Lily Li.

Read “AI Generated Deepfakes: Potential Liability and Remedies” below or in Orange County Lawyer magazine.


[Originally published as a Feature Article: AI-Generated Deepfakes: Potential Liability and Remedies, by Lily Li, in Orange County Lawyer Magazine, January 2024, Vol. 66 No.1, page 26.]

AI-Generated Deepfakes: Potential Liability and Remedies


by Lily Li


Almost ten years ago, in Netflix’s hit series House of Cards, the Underwoods’ presidential bid is almost derailed by a leaked picture of an affair, nude shower scene and all. While the picture was real, the Underwoods were able to undermine the credibility of the leaked image by claiming it was fake—going so far as to recreate the image using a hired model, to show how “easy” it was to fabricate photos.

This episode, aptly named “The Road to Power,” highlights one of the greatest risks of disinformation and fake or synthetic media. It is not through the public’s gullibility to doctored images; it is the watering down of trust in online media, leading individuals to rely solely on friends, family, and other sources of information that echo their own beliefs and values.

Fast forward a decade, and synthetic media—also known as “deepfakes”—are now pervasive. In early 2022, for example, a fake video of Ukrainian President Volodymyr Zelensky circulated on social media, calling for his soldiers to lay down their arms and surrender to Russia.[1] At the corporate level, deepfakes have been used to mimic a CEO’s voice to fraudulently transfer $243,000.[2] Just as troubling, and even more creepy, a “sophisticated hacking team” impersonated the CEO of cryptocurrency company Binance by using “video footage of his past TV appearances and digitally alter[ing] it to make an ‘AI hologram’ of him and trick people into meetings.”[3] At home, scammers can use deepfaked voices to mimic loved ones, or AI-powered chatbots to engage in romance scams via text messages and phone calls. This is just a front to ask the victim to wire money, send gift cards, or reveal personal information that enables identity theft. The problem has become so severe that both the FTC and the FCC released consumer alerts in early 2023 regarding these AI-generated scams.[4]

The ease with which generative AI can create realistic videos, voice, and text will only aggravate these concerns. Deepfakes have long relied on machine learning to iterate and become more realistic with training, but in the past, this type of technology required significant computing resources and time. Now, almost every tech product is incorporating generative AI or machine learning in some form, making this accessible to every novice programmer or script kiddie.

Given these growing risks, this article will focus on the potential liability that creators, platforms, and publishers face in creating and spreading deepfakes, as well as the challenges of pursuing remedies under existing laws. In addition, this article will discuss pending rulemaking governing deepfakes and potential steps forward.


Privacy Liability for Deepfakes

Biometrics: If deepfakes rely on scans of faceprints, facial geometry, or voiceprints to make the false video or audio, or even to train their algorithms, then biometric privacy laws may apply. The Illinois Biometric Information Privacy Act (BIPA) is one of the strictest data privacy laws in the country. It requires express written consent and meaningful disclosures prior to any use and disclosure of Illinois resident biometric data. The collection of biometric data is interpreted broadly to include faceprints and voiceprints. It provides a private right of action, up to $5,000 in statutory damages per violation, and does not require a showing of harm.[5] Earlier this year, in Cothron v. White Castle Systems, Inc.,[6] the Illinois Supreme Court went even further, confirming that each scan in violation of BIPA counts as an ongoing violation—adding further teeth to this law.

Revenge Porn Laws: To the extent the deepfakes include pornographic images, several states, like Virginia,[7] have explicitly included deepfakes within “revenge porn” laws, while other victims have pursued claims under existing revenge porn laws by claiming that the deepfakes amount to non-consensual pornography. The legal consequences vary by jurisdiction, ranging from misdemeanors to felonies with fines and jail time. New York and California also provide a private right of action for deepfake pornography.

General Data Protection Regulation (GDPR): The EU has a broad privacy law that governs use of personal data. Unlike U.S. state privacy laws, which generally allow free use of publicly available data (except for biometric processing), the EU requires all individuals, companies, and non-profits to have a lawful basis for processing any personal data—with limited exclusions for personal data “manifestly made public by the data subject.” Thus, indiscriminate scraping of social media data for deepfakes, especially where the users have limited the audience for their data, would likely violate the GDPR and be subject to fines and regulatory scrutiny.


IP, Torts, and other Remedies

Defamation: Traditional defamation claims are also applicable to deepfakes, if the plaintiff can show that the deepfake is communicated to third parties and makes false assertions that harm the plaintiff’s reputation. For public figures, plaintiffs must also show malice.

Rights of Publicity: Many states recognize a “right of publicity” in an individual’s voice or image. The damages or royalties from a right of publicity claim are proportionate to the value associated with licensing one’s image, so these types of claims are more appropriate for celebrities who ordinarily profit from licensing their image.

Copyright and Trademark: To the extent deepfakes use existing logos, photos, music, or even unique website designs to make them seem official or legitimate, this may support multiple claims of copyright and trademark infringement. Copyright holders may also send copyright takedown notices under the DMCA for infringing conduct.

Breach of Contract: If deepfakes rely on scraped content from existing sites or platforms, this may also support a breach of contract claim against the offending party (to the extent they’ve signed up and agreed to the platform’s rules). For example, in the widely publicized case hiQ Labs, Inc. v. LinkedIn Corp., the Ninth Circuit found that hiQ breached LinkedIn’s User Agreement both through its own scraping of LinkedIn’s site and through its use of independent contractors to log into LinkedIn and do quality control of the data.[8] The Ninth Circuit noted, however, that LinkedIn was estopped from pursuing certain claims due to how much time had elapsed since its initial awareness of data scraping. Consequently, platforms that wish to rely on breach of contract claims to combat data scrapers, and potential misuse of their platforms for generative AI and deepfakes, must act swiftly and definitively. This is likely the impetus for X Corp’s (formerly Twitter) recent slew of crackdowns on data scrapers, through a series of lawsuits filed in August.[9]

State Deepfake Laws: California, Texas, and Virginia have also enacted deepfake laws specific to political deepfakes, but these laws are limited in application and remedy. Texas SB 751, for instance, prohibits deepfake videos created “with intent to injure a candidate or influence the result of an election” and which are “published and distributed within thirty days of an election.” This law makes violations a Class A misdemeanor punishable by up to a year in jail and fines up to $4,000. More recently, Washington State passed a law requiring clear and transparent notices on any synthetic video or audio concerning candidates if it is related to an election. Senate Bill 5152 gives candidates a private right of action, including attorney’s fees for the prevailing party.


Limitations of Existing Remedies; Section 230 of the Communication Decency Act

There are several hurdles that would-be plaintiffs face in pursuing deepfake claims. For many torts like defamation and right of publicity, the amount of damages may be limited compared to the cost of litigation, and important First Amendment rights protect non-commercial speech that is satirical or political commentary. In addition, deepfake content can easily cross borders, so it may be difficult to find a defendant to penalize or enjoin. Consequently, instead of pursuing traditional claims, many victims rely solely on IP takedown notices, or a social media platform’s own processes to flag and remove deepfake content.

At present, Section 230 of the Communications Decency Act also shields platforms from liability for the content users upload and distribute on their platforms, as platforms generally do not constitute the “speaker” or “publisher” of such content. The line between acting as a pure platform, and contributing or generating harmful content, is increasingly blurred, however. In the recent Supreme Court case, Twitter, Inc. v. Taamneh et al.,[10] plaintiffs alleged that social media platforms profited from ISIS recruitment videos and allowed ISIS to take advantage of the social media platforms’ “recommendation” algorithms that match content. While the Supreme Court declined to address the scope of Section 230 protections for these types of “recommendation” algorithms, it noted that Section 230 may not protect platforms that create text, audio, or video through generative AI. In oral arguments in Google v. Gonzalez, a companion case to Taamneh, Justice Gorsuch strongly implied that generative AI would fall outside of Section 230’s protections, stating: “I mean, artificial intelligence generates poetry, it generates polemics today. That—that would be content that goes beyond picking, choosing, analyzing, or digesting content. And that is not protected. Let’s—let’s assume that’s right, okay?”[11]

Going forward, we anticipate that the Illinois Biometric Information Privacy Act, and pending bills on biometric data, will likely be a more promising and lucrative way to attack platforms that explicitly use biometric data to generate or share deepfakes. In addition, as noted above, plaintiffs may have more luck pursuing claims against platforms that help create deepfake content or media using generative AI rather than solely relying on user content.


Do We Need Additional Laws?

As we can see from the patchwork of common law and statutory rights, the potential risks for creating and publishing deepfakes are many, but the best avenue for plaintiffs to pursue a remedy is unclear. Even some regulators are scratching their heads as to whether existing rules apply to deepfakes. For example, in July 2023, Public Citizen filed a petition with the Federal Election Commission (FEC), asking the FEC to amend its regulation on “fraudulent misrepresentation” at 11 C.F.R. § 110.16[12] to clarify that “the restrictions and penalties of the law and the Code of Regulations are applicable” should “candidates or their agents fraudulently misrepresent other candidates or political parties through deliberately false [AI]-generated content in campaign ads or other communications.”[13] In response, the FEC submitted a notice soliciting public comment on this issue before making a decision on the merits of the petition.

The FTC has taken a firmer stance, stating that it does have authority to regulate AI generally, and deepfakes more specifically. In a March 2023 blog post titled “Chatbots, deepfakes, and voice clones: AI deception for sale,” the FTC noted that the “FTC Act’s prohibition on deceptive or unfair conduct can apply if you make, sell, or use a tool that is effectively designed to deceive—even if that’s not its intended or sole purpose.”[14]

Abroad, the European Union is taking an entirely different approach, developing a comprehensive law (the EU “AI Act”) that would govern artificial intelligence as a whole. The law, as drafted, requires all high-risk AI processing to undergo risk assessments for bias, safety, accuracy, and other risks. In addition, the AI Act would impose transparency obligations for deepfakes, defined as “AI systems that generate or manipulate image, audio or video content.”[15] While the AI Act is still in draft form, it is likely to have as large and wide-sweeping an impact as the General Data Protection Regulation once it goes into effect.

Given the existing plethora of rights and remedies under the law, and the potential impact of the EU AI Act, this author does not believe that this is the right time to pursue a federal law specific to deepfakes—even though they present serious threats. In the current divisive political climate, it is likely that any proposed law will either get blocked, watered down, or if passed—fail to strike the right balance between free speech and misleading content. Instead, courts and regulators should strictly enforce existing laws that protect individual privacy and image rights, and the right to be free from false and deceptive practices. Attorneys should advise their tech clients on the risks of generative AI technologies and the potential gaps in Section 230 coverage. Finally, as private citizens, let’s remain diligent in what we read and share—and not be afraid to call out anyone who seeks to deceive.


ENDNOTES

(1) Bobby Allyn, Deepfake video of Zelenskyy could be ‘tip of the iceberg’ in info war, experts warn, NPR (Mar. 16, 2022, 8:26 PM), https://www.npr.org/2022/03/16/1087062648/deepfake-video-zelenskyy-experts-war-manipulation-ukraine-russia.

(2) Catherine Stupp, Fraudsters Used AI to Mimic CEO’s Voice in Unusual Cybercrime Case, Wall Street Journal (Aug. 30, 2019, 12:52 PM), https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402.

(3) Luke Hurst, Binance executive says scammers created deepfake ‘hologram’ of him to trick crypto developers, Euronews (Aug. 24, 2022, 2:47 PM), https://www.euronews.com/next/2022/08/24/binance-executive-says-scammers-created-deepfake-hologram-of-him-to-trick-crypto-developer.

(4) Alvaro Puig, Scammers use AI to enhance their family emergency schemes, Federal Trade Commission (Mar. 20, 2023), https://consumer.ftc.gov/consumer-alerts/2023/03/scammers-use-ai-enhance-their-family-emergency-schemes; ‘Grandparent’ Scams Get More Sophisticated, Federal Communications Commission, https://www.fcc.gov/grandparent-scams-get-more-sophisticated (last visited Nov. 29, 2023).

(5) See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019).

(6) 2023 IL 128004 (Feb. 17, 2023).

(7) Va. Code Ann. § 18.2-386.2.

(8) No. 17-3301 (N.D. Cal. Nov. 4, 2022).

(9) Blair Robinson, X Corp Lawsuits Target Data Scraping, National Law Review (Aug. 17, 2023), https://www.natlawreview.com/article/x-corp-lawsuits-target-data-scraping.

(10) 598 U.S. 471 (May 18, 2023).

(11) Transcript of Oral Argument at 49, Google v. Gonzalez, 598 U.S. 617 (2023) (No. 21-1333).

(12) Available at https://www.ecfr.gov/current/title-11/section-110.16.

(13) Artificial Intelligence in Campaign Ads, 88 Fed. Reg. 55606 (proposed Aug. 16, 2023), https://www.federalregister.gov/documents/2023/08/16/2023-17547/artificial-intelligence-in-campaign-ads.

(14) Michael Atleson, Chatbots, deepfakes, and voice clones: AI deception for sale, Federal Trade Commission (Mar. 20, 2023), https://www.ftc.gov/business-guidance/blog/2023/03/chatbots-deepfakes-voice-clones-ai-deception-sale.

(15) Tambiama Madiega, Artificial intelligence act, EU Legislation in Progress, European Parliament (June 2023), https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/698792/EPRS_BRI(2021)698792_EN.pdf.


Lily Li is a data privacy, AI, and cybersecurity lawyer and founder of Metaverse Law. She is a certified information privacy professional for the United States and Europe and is a GIAC Certified Forensic Analyst for advanced incident response and computer forensics.

Logo for the European Commission.

The Digital Services Act: EU’s new gold standard for regulating online services and search engines

On October 19, 2022, the Digital Services Act (DSA) was published in the Official Journal of the European Union, thereby triggering its entry into force.[1] The DSA creates a first-of-its-kind regulatory framework that, like the General Data Protection Regulation (GDPR), could set an international benchmark for regulating intermediary services such as search engines, e-commerce platforms, hosting services, and more.[2] To achieve these regulatory goals, the DSA creates a pyramid-like, category-based approach to applying obligations to intermediary services, with those at the bottom of the pyramid having the fewest obligations. If an intermediary service falls into a higher category, then the service has stricter obligations in addition to those of the services in the lower category. Given that the DSA could apply internationally and introduces a plethora of onerous obligations, it is important to review its scope, requirements, and what these could mean for businesses around the world.

Background

On March 1, 2018, the European Commission published the non-binding Commission Recommendation 2018/314, calling for the need to address “illegal online content” and its “serious negative consequences for users.”[3] On July 16, 2019, Ursula von der Leyen, then-candidate for President of the European Commission, announced her political guidelines for the 2019-2024 Commission, in which she called for a “new Digital Services Act” to upgrade liability and safety rules for digital platforms, services, and products.[4] To this end, the Commission launched a public consultation process to gather comments and evidence regarding how online platforms should be regulated.[5] Then, the Commission published the proposal for the Digital Services Act on December 15, 2020, alongside an evidence-based impact assessment.[6] On April 22, 2022, European policymakers in Brussels reached an agreement after 16 hours of negotiations,[7] and a few months later the European Parliament approved the DSA along with the Digital Markets Act.[8] And finally, four years after its conception by Ursula von der Leyen, the DSA was published in the Official Journal of the European Union on October 19, 2022, thereby marking its entry into force.

To whom does the DSA apply?

The DSA applies to any intermediary service offered to natural or legal persons that have their place of establishment or are located in the EU, irrespective of whether the provider of that intermediary service is established in the EU. The DSA broadly defines “intermediary service” to include a number of service categories, including:
  • Mere conduits of transmissions, such as top-level domain name registries, DNS services and resolvers, certificate authorities that issue digital certificates, and more.
  • Caching services, such as the provision of content delivery networks and reverse proxies.
  • Hosting services, such as cloud computing, web hosting, file storage, and more.
  • Online platforms, which are a subcategory of hosting services:
    • Online platforms are hosting services that are primarily used, at the request of a recipient of the service, to store and disseminate information to the public, such as e-commerce marketplaces, app stores, social media platforms, and more.
  • Search engines, such as Google, Bing, and other online services that allow users to input queries to perform searches.
  • Very large online platforms and search engines, which is a special designation given to online platforms or search engines that reach at least 45 million recipients in the EU.
Recital 29 of the DSA states that whether a specific intermediary service constitutes a mere conduit, a caching service, or a hosting service — which is the first question a business should consider — depends solely on the service’s technical functionalities and should be assessed on a case-by-case basis. This analysis is important, because the category in which a service lands will determine the number of obligations required under the law. And there are many obligations.

Can the DSA apply to companies outside of the EU?

Yes. The DSA applies to any intermediary service offered to natural or legal persons that have their place of establishment or are located in the EU, irrespective of whether the intermediary service is established in the EU. However, while this scope may appear overly broad, the law clarifies in Article 3 and Recitals 7 – 8 that the intermediary service must have a “substantial connection to the Union” to be covered. Such a substantial connection results from:
  1. Having an establishment in the EU; or
  2. Having a significant number of recipients of the service in a Member State; or
  3. Targeting activities toward a Member State, which can result from:
    1. the use of a Member State’s language or currency;
    2. the possibility of EU recipients ordering products or services;
    3. the use of a relevant top-level domain;
    4. the availability of an app in a relevant national app store;
    5. advertising in a Member State or in a language used by a Member State;
    6. providing customer services in a language generally used in a Member State.
While the law requires a substantial connection, the possibility of falling into the extraterritorial scope, much like the GDPR, requires companies to take care in considering how they advertise or offer their intermediary service and whether such advertising or offerings could place them squarely in the scope of the law.

Does the DSA treat all online intermediary services equally?

No. The DSA uses a tiered, pyramid-like approach to impose cumulative obligations on the various categories of intermediary services.

Obligations for all providers of intermediary services

The bottom of this pyramid-like framework includes all providers of intermediary services. The DSA imposes on this category a substantial list of due diligence and transparency obligations. These include:
  1. Designating a single point of contact for communicating with Member State authorities (Article 11).
  2. Designating a single point of contact for communicating with recipients of the service (Article 12).
  3. Providing information in the terms and conditions about any policies, procedures, measures, and tools used for content moderation, algorithmic decision-making, and the handling of internal complaints (Article 14).
  4. Making publicly available a yearly content moderation report (Article 15).
  5. And for providers which do not have an establishment in the EU yet fall within the law’s extraterritorial scope: designate a legal representative in a Member State and ensure the representative can be held liable for non-compliance with obligations under the DSA (Article 13).

Additional obligations for hosting services and the subcategory of online platforms

In addition to the above obligations, providers of hosting services and providers of online platforms must satisfy the following obligations:
  1. Creating a mechanism through which any individual or entity can notify the provider about the presence of information on the service that the individual or entity considers illegal (Article 16).
  2. Providing a clear and specific statement of reasons to recipients affected by restrictions imposed on the ground that information provided by the recipient is illegal or incompatible with the provider’s terms and conditions (Article 17).
  3. Notifying law enforcement or judicial authorities if the provider becomes aware of information giving rise to certain legally-prescribed criminal offenses (Article 18).

Additional obligations just for providers of online platforms

In addition to the two lists of obligations above, providers of online platforms — the subcategory of hosting services — must also satisfy the following obligations:
  1. Creating an internal complaint-handling system through which recipients can, free of charge, lodge complaints against the provider, and provide recipients with access to the system for at least six months following certain decisions that may affect the recipient (Article 20).
  2. Allowing recipients to select any out-of-court dispute settlement body certified under the DSA to resolve disputes relating to Article 20 decisions (Article 21).
  3. Implementing technical and organizational measures to ensure notices submitted by trusted flaggers — that is, entities awarded this role by a Member State’s Digital Services Coordinator — are prioritized, processed, and decided upon without undue delay (Article 22).
  4. Suspending recipients that frequently provide manifestly illegal content (Article 23).
  5. Making publicly available a yearly content moderation report that, in addition to the Article 15 requirements, shall detail the number of disputes submitted to out-of-court dispute settlement bodies pursuant to Article 21 and the number of recipients suspended pursuant to Article 23 (Article 24).
  6. Designing, organizing, and operating the online platform’s interfaces in a way that does not deceive or manipulate recipients so as to materially distort or impair their ability to make free and informed decisions (Article 25).
  7. Ensuring that each advertisement presented to recipients via the online platform’s interface contains certain legally-prescribed disclosures (Article 26).
  8. Implementing measures to ensure a high level of privacy, safety, and security for minors, if the online platform is accessible to minors (Article 28).
It is important to note that most of these obligations do not apply to providers of online platforms that qualify as micro or small enterprises. A micro enterprise is one that employs fewer than 10 people and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million. A small enterprise is one that employs fewer than 50 people and whose annual turnover and/or annual balance sheet does not exceed EUR 10 million.

Additional obligations for very large online platforms and online search engines

The DSA imposes even more obligations on providers of “very large” online platforms or search engines. To be given this designation, the online platform or search engine must have at least 45 million monthly active EU recipients and have been designated as “very large” by the European Commission. Once given such a designation, the very large online platform or search engine has four months before the following obligations apply:
  1. Conducting yearly risk assessments of its service and systems, including algorithmic systems (Article 34).
  2. Implementing mitigation measures tailored to the specific risks identified by the yearly risk assessment (Article 35).
  3. Taking actions specified by the European Commission in response to a crisis (Article 36).
  4. Paying for independent audits on a yearly basis to ensure compliance with the DSA (Article 37).
  5. Creating a searchable repository of legally-specified information relating to advertisements on the online platform or search engine (Article 39).
  6. Providing the European Commission or the Digital Services Coordinator with information necessary to monitor and assess compliance with the DSA (Article 40).
  7. Establishing a compliance function, giving it sufficient authority, statute, resources, and access to management to monitor compliance with the DSA (Article 41).
  8. Making publicly available the Article 15 content moderation report every six months (Article 42).
  9. Paying an annual supervisory fee for their designation as “very large” (Article 43).
Are the enforcement penalties harsher than the GDPR?

Yes. The DSA requires Member States to lay down rules on penalties for infringements of the law by providers of intermediary services. The DSA requires Member States to ensure that the maximum amount of fines that may be imposed for a failure to comply with any obligation under the DSA shall be 6% of the annual worldwide turnover of the provider’s preceding financial year. However, less serious infringements under the DSA, such as supplying misleading information or failing to submit to an inspection, shall result in a fine of up to 1% of the provider’s annual income or worldwide turnover in the preceding financial year. By contrast, GDPR violations could result in a fine of up to EUR 20 million or 4% of a company’s worldwide annual revenue from the preceding financial year, whichever is higher.

What are the next steps for the DSA?

The bulk of the DSA’s obligations shall apply starting February 17, 2024. However, by February 17, 2023 and at least once every six months thereafter, all providers of intermediary services must publish information on the service’s average monthly active recipients in the Union.
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2065&qid=1666966938325
[2] https://www.euractiv.com/section/digital/news/digital-agenda-autumn-winter-policy-briefing/
[3] https://eur-lex.europa.eu/eli/reco/2018/334/oj/eng
[4] https://op.europa.eu/en/publication-detail/-/publication/43a17056-ebf1-11e9-9c4e-01aa75ed71a1
[5] https://techcrunch.com/2020/06/02/europe-asks-for-views-on-platform-governance-and-competition-tools/
[6] https://digital-strategy.ec.europa.eu/en/library/impact-assessment-digital-services-act
[7] https://www.nytimes.com/2022/04/22/technology/european-union-social-media-law.html
[8] https://www.europarl.europa.eu/news/en/press-room/20220701IPR34364/digital-services-landmark-rules-adopted-for-a-safer-open-online-environment

hiQ v. LinkedIn: User Agreements in the Age of Data Scraping

On November 4, 2022, LinkedIn announced a “significant win” for the platform and its members against “personal data scraping.” The win resulted from a 6-year legal battle that asked, in part, whether LinkedIn must allow hiQ Labs to scrape data from the public profiles of LinkedIn members. Last Friday, the U.S. District Court for the Northern District of California answered that question by ruling that LinkedIn’s User Agreement “unambiguously prohibits hiQ’s scraping and unauthorized use of the scraped data.” And as such, hiQ breached LinkedIn’s User Agreement “through its own scraping of LinkedIn’s site and using scraped data.”[1]

An Overview of Data Scraping

Data scraping is a technique by which a computer program extracts data from another program or source. The technique typically uses scraper bots, which send a request to a specific website and, when the site responds, the bots parse and extract specific data from the site in accordance with their creators’ wishes. Scraper bots can be built for a multitude of purposes, including:
  • Content scraping – pulling content from a site to replicate it elsewhere.
  • Price scraping – extracting prices from a competitor.
  • Contact scraping – compiling email, phone number, and other contact information.
In today’s economy, data is key, and data scraping is an efficient means of acquiring huge amounts of specific data. Yet, this court ruling signals that companies may need to be more cautious about how and where they use data scraping bots.

hiQ’s Data Scraping Violates LinkedIn’s User Agreement

Founded in 2012 as a “people analytics” company, hiQ Labs provides information to businesses about their workforces. To do this, hiQ extensively relied on using automated software to scrape data from LinkedIn’s public profiles. hiQ then aggregated, analyzed, and summarized that data to create two products, “Keeper” and “Skill Mapper,” which allowed businesses to improve their employee engagement and reduce costs associated with external talent acquisition. However, in 2017, LinkedIn sent a cease-and-desist letter threatening legal action against hiQ, arguing that LinkedIn’s User Agreement prohibits data scraping. Specifically, the User Agreement states: You agree that you will not:
  • Scrape or copy profiles and information of others through any means (including crawlers, browser plugins and add-ons, and any other technology or manual work);
. . .
  • Use manual or automated software, devices, scripts[,] robots, other means or processes to access, ‘scrape,’ ‘crawl’ or ‘spider’ the Services or any related data or information;
  • Use bots or other automated methods to access the Services, add or download contacts, send, or redirect messages.
Court records indicate that hiQ knew about this prohibition since 2015 yet continued scraping data from LinkedIn’s public profiles and even “attempted to reverse engineer LinkedIn’s systems . . . to avoid detection by simulating human site-access behaviors.” Based on these facts, LinkedIn sought a partial summary judgment finding hiQ liable for breach of contract. From hiQ Labs’ perspective, while the above User Agreement language may appear clear, language elsewhere in the User Agreement seemed to provide users and members with a right to scrape data from public profiles. Specifically, the User Agreement provides the following when delineating members’ rights and obligations:

2. Obligations

. . . When you share information, others can see, copy and use that information. . . .

3.1 Your License to LinkedIn

. . .

c. We will get your consent if we want to give others the right to publish your posts beyond the Service. However, other Members and/or Visitors may access and share your content and information, consistent with your settings and degree of connection with them.

hiQ argued that the User Agreement’s statements that “Visitors may access and share your content and information consistent with your settings” and that “[w]hen you share information, others can see, copy and use that information” are inconsistent with the prohibition of scraping data. And that, as a user and member of LinkedIn who agreed to the User Agreement, hiQ read this inconsistency to mean that hiQ had the right to scrape data from public profiles. Unfortunately for hiQ, this argument failed. The court concluded that informing users that their data may be copied and used does not contradict LinkedIn’s prohibition against scraping, crawling, or spidering. “The two concepts are not mutually exclusive – a warning to members that a third party may collect their public-facing data is not a blessing for third parties to do so through expressly prohibited means.” Thus, hiQ breached LinkedIn’s User Agreement, which “clear[ly]” prohibits data scraping, by scraping LinkedIn’s site and using that scraped data.

LinkedIn May Lose Despite This Victory

It is important to note that, although LinkedIn considered this a victory, the court only granted partial summary judgment in favor of LinkedIn on its breach of contract claim. hiQ raised numerous defenses to LinkedIn’s breach of contract claim, including waiver and estoppel, arguing that LinkedIn knew about hiQ’s data scraping as early as 2014 yet failed to act until the cease-and-desist letter in 2017. hiQ’s argument goes, in short, that because LinkedIn knew about hiQ’s data scraping but delayed in taking legal steps to prevent it, LinkedIn either waived its right to enforce the breach of contract claim or should be estopped because hiQ reasonably relied on LinkedIn’s acquiescence to the data scraping.
The court concluded that there is at least a genuine dispute of material fact as to whether LinkedIn knew about hiQ’s data scraping as early as 2014, which – if sufficiently proven – could provide grounds for hiQ to raise the defenses of waiver and estoppel. These arguments remain unresolved, and it is not clear at this time whether hiQ and LinkedIn will continue battling in court – especially given that hiQ has gone dormant since 2019 – but we will continue monitoring for further developments.

Further Privacy Concerns

Lastly, this case brings to mind broader legal issues regarding publicly available personal information. Under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), businesses must satisfy numerous obligations when processing personal information. However, the definition of “personal information” does not include “information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.” Similarly, under the EU’s General Data Protection Regulation (GDPR), the law’s prohibition against the processing of special data categories (e.g., race, ethnicity, religion, health, etc.) does not apply if the “processing relates to personal data which are manifestly made public by the data subject.” These exceptions are reminiscent of hiQ’s argument in this case: that LinkedIn’s User Agreement expressly said that “[v]isitors [of LinkedIn] may access and share your content and information consistent with your settings.” Meaning, the users themselves provided their information to LinkedIn and purposefully, via their settings choices, made their information available to the public. Putting aside that LinkedIn’s User Agreement prohibited data scraping, hiQ’s argument raises the question: was hiQ scraping publicly available personal information, as it is understood under the GDPR and CCPA / CPRA? And if so, does that mean that hiQ would not have to comply with some requirements imposed by applicable general data protection laws? The answer will likely depend on a fact-specific inquiry on the circumstances surrounding the user content, such as (i) which data protection law applies to the data subjects in question; (ii) whether privacy settings were readily apparent to users when they initially posted their profiles/content; and (iii) whether users took affirmative actions to publicly post their information. In the meantime, businesses should remain aware that scraping personal information, even publicly available information, requires proper planning and due diligence.

Key Takeaways
  1. Data scraping remains a prevalent data collection practice, but individuals and companies may be liable for breach of contract claims stemming from data scraping practices in violation of a User Agreement.
  2. On the other hand, if a business wants to quash a company’s known data scraping practices that violate the User Agreement, waiting too long to take legal steps may result in the business forfeiting a breach of contract claim.
  3. Either way, this ruling indicates that companies must take User Agreements seriously, both their own (if they want to prevent data scraping) and those belonging to others (if they want to scrape data).
  4. Lastly, a question remains as to whether the data in this case was made publicly available, as the term is understood under US and EU data regulation laws.

[1] Note: The court also concluded that hiQ separately breached LinkedIn’s User Agreement by hiring independent contractors to create fake LinkedIn accounts to conduct “quality assurance” while logged into LinkedIn by “viewing and confirming hiQ customers’ employees’ identities manually.” LinkedIn’s User Agreement expressly prohibits creating false identities.