Flag of California, depicting a large brown bear beside a red star, above the words "California Republic."

CPRA regulations finalized and effective immediately

[Update: On March 30, 2023, the California Chamber of Commerce filed suit against the California Privacy Protection Agency, arguing that the amended regulations should not enter into force until one year after the regulations were finalized. The court agreed, holding that enforcement cannot occur until one year after the regulations were finalized, thereby pushing the enforcement date from March 29, 2023, to March 29, 2024. The case is being appealed, but the appeal is not expected to be resolved until after the new enforcement date.]
On March 30, 2023, the California Privacy Protection Agency (the Agency) announced that its first rulemaking package for the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), was approved by the California Office of Administrative Law (OAL).[1] Approval by the OAL marks the completion of the rulemaking process, making the regulations effective immediately. “This is a major accomplishment, and a significant step forward for Californians’ consumer privacy. I’m deeply grateful to the Agency Board and staff for their tireless work on the regulations, and to the public for their robust engagement in the rulemaking process,” CPPA Board Chair Jennifer Urban said in a statement.[2] The regulations build upon and clarify provisions within the CPRA, which amended and expanded the CCPA. For example, the regulations allow businesses to offer a “Your Privacy Choices” mechanism on a website’s homepage instead of a “Do Not Sell or Share My Personal Information” mechanism. The regulations had originally been scheduled for completion by July 1, 2022, but due to insufficient staffing and resources, the Agency announced an extended delay to the process.[3] This delay of almost a year left businesses and privacy professionals scrambling, because the CPRA came into effect on January 1, 2023, yet many of its provisions were unclear. Now, finalization begets clarity. That said, the Agency’s enforcement efforts will begin July 1, 2023, which gives little time to comply with the regulations. The Agency has, however, indicated a soft initial approach to enforcement.

Section 7301(b) of the finalized regulations states that the Agency may “consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.” While this leaves some breathing room, it does not excuse non-compliance in all instances, and businesses should move to finalize compliance with these regulations. The final regulations, although effective immediately, will not be published publicly until they are processed, which is expected to happen next week. The final regulations will be made available here: https://cppa.ca.gov/regulations/consumer_privacy_act.html
[1] https://cppa.ca.gov/announcements/ (announcement on March 30, 2023)
[2] Id.
[3] https://iapp.org/news/a/cpra-regulations-delayed-past-july-1-deadline-expected-q3-or-q4/
This is the flag of Iowa, depicting an eagle holding a banner that reads, "Our liberties we prize and our rights we will maintain."

And then there were six!

On March 28, 2023, Gov. Reynolds of Iowa signed into law SF 262, a bill for an act relating to consumer data protection. By signing the bill into law, Gov. Reynolds made Iowa the sixth state to establish a comprehensive data protection framework. “In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data,” said Gov. Reynolds. “That’s exactly what this bill does, making Iowa just the sixth state to provide this kind of comprehensive protection.”[1] Full text of the law: here. Iowa’s approach to data protection is closest to Utah’s, though it shares a basic framework with Colorado, Connecticut, and Virginia. California’s approach remains unique among the pack. We will continue monitoring all state legislatures for more developments.
[1] https://governor.iowa.gov/press-release/2023-03-28/gov-reynolds-signs-sf-75-and-sf-262-law
Logo for the European Commission.

The EU’s Digital Markets Act: Who it regulates, how to comply, and next steps

On October 12, 2022, the Digital Markets Act (DMA) was published in the Official Journal of the EU, thereby creating a new framework for regulating the European Union’s digital market.[1] The DMA seeks to prohibit certain unfair business practices by establishing rules and obligations for entities known as “gatekeepers,” which are large online platforms whose services have a significant impact on the EU internal market.[2] The DMA works in conjunction with its sibling law, the Digital Services Act (DSA), to create an online environment designed to protect the fundamental rights of users and to establish a level playing field for economic growth. However, the DMA — like the DSA and the General Data Protection Regulation (GDPR) — can apply internationally to companies based outside of the EU, so all large online platforms should be aware of what the DMA could mean for businesses that qualify as gatekeepers.

Background

On December 15, 2020, the DMA was proposed by the European Commission to the European Parliament and to the Council of the EU, alongside the DSA.[3] The DMA and the DSA seek to actualize Ursula von der Leyen’s call to regulate the EU’s digital market, thereby upgrading the liability, safety, and fairness of digital platforms.[4] On March 24, 2022 — after years of negotiations — the Parliament, the Council, and the Commission reached a consensus on key provisions, including the interoperability provisions for large messaging platforms and noncompliance penalties.[5] The text of the DMA was then made public on May 22, 2022.[6] From there, the DMA moved swiftly through the legislative process: on July 5, Parliament formally adopted it;[7] on July 19, the Council formally adopted it;[8] on September 14, the DMA was signed into law;[9] and on October 12, the adopted text was published in the Official Journal of the European Union, thereby setting it to come into force twenty days later.[10]

To whom does the DMA apply?

The DMA applies to “gatekeepers” that provide or offer “core platform services” to users in the Union, irrespective of whether the gatekeeper is located or established in the EU. A “core platform service” is broadly defined to include a wide range of Internet infrastructure and services, including:
  • Online search engines;
  • Online social networking services;
  • Video-sharing platform services;
  • Operating systems;
  • Web browsers;
  • Cloud computing services;
  • Online advertising services;
  • And more.
Given how broadly the DMA defines core platform services, the core question for most entities is whether their services reach enough EU individuals to establish them as a gatekeeper under the law. A “gatekeeper” is an entity that meets all three of the following statutory criteria; each criterion is presumed satisfied when the corresponding thresholds are met:
  1. Has a significant impact on the EU internal market. Presumed satisfied if the entity:
    1. achieves an annual EU turnover of at least EUR 7.5 billion in each of the previous financial years, or has an average market capitalization or fair market value of at least EUR 75 billion in the last financial year; and
    2. provides the same core platform service in at least three Member States.
  2. Provides a core platform service that is an important gateway for business users to reach end users. Presumed satisfied if the entity:
    1. provides a core platform service that in the last financial year has at least 45 million monthly active end users in the EU; and
    2. has at least 10,000 yearly active business users established in the EU.
  3. Currently enjoys, or will foreseeably enjoy in the near future, an entrenched and durable position in its operations. Presumed satisfied if, in each of the last three financial years, the entity:
    1. has provided a core platform service that has at least 45 million monthly active end users in the EU; and
    2. has had at least 10,000 yearly active business users established in the EU.
The DMA puts the onus on companies and other entities to determine for themselves whether they satisfy the above requirements to be labeled a gatekeeper under the law. If an entity makes such a determination, it must notify the European Commission within two months after the thresholds are met. However, even if an entity fails to make such a notification, the Commission can determine for itself whether an entity is a gatekeeper.

Can the Digital Markets Act apply to entities outside of the EU?

Yes. The DMA applies to any gatekeeper that provides or offers core platform services to users in the Union, irrespective of whether the gatekeeper is located or established in the EU. However, providing or offering a core platform service is not sufficient in itself to establish an online platform as a covered gatekeeper. The online platform must satisfy all three of the criteria above. And as the presumptions for each criterion demonstrate, the online platform must have a substantial number of EU users (e.g., 45 million monthly active end users in the EU). Thus, online platforms must be vigilant in monitoring the number of monthly users in the EU, because qualifying as a gatekeeper appears to hinge on the platform’s userbase reach. Of course, tracking this data must be done appropriately and with careful consideration, given that the online platform would also have to comply with the GDPR’s data minimization and purpose limitation principles.

Does the DMA treat all gatekeepers equally?

No. The DMA prescribes a number of prohibitions and mandatory actions for all gatekeepers. These include:
  • Not combining personal data from the core platform service with personal data from any other core platform services, any other services provided by the gatekeeper, or with personal data from third-party services (Art. 5(2)(b)).
  • Not requiring users to sign in to other services in order to combine personal data (Art. 5(2)(d)).
  • Allowing business users, free of charge, to promote their offers and conclude contracts with customers outside the gatekeeper’s platform (Art. 5(4)).
  • Providing companies advertising on the platform with daily information, free of charge, concerning each advertisement placed on the core platform (Art. 5(9)-(10)).
However, per Article 8, some obligations are subject to specification. The Commission, either on its own initiative or based on a submission by a gatekeeper, can open a procedure that will lead to the Commission specifying some measures that the gatekeeper must adopt in order to effectively comply with the DMA. The provisions subject to specification are found in Articles 6 and 7, and they include:
  • Allowing third parties to interoperate with the gatekeeper’s own services in certain situations (Art. 6(7)).
  • Allowing business users to access the data they generate in their use of the gatekeeper’s platform (Art. 6(10)).
  • Providing companies advertising on the platform with the tools necessary for advertisers and publishers to carry out their own independent verification of advertisements hosted by the gatekeeper (Art. 6(8)).
  • Not preventing users from uninstalling any pre-installed software or app, if they wish to (Art. 6(3)).
  • Not treating services and products offered by the gatekeeper itself more favorably in ranking than similar services or products offered by third parties on the gatekeeper’s platform (Art. 6(5)).
  • Not preventing consumers from linking up to businesses outside their platforms (Art. 6(6)).
This means that, while all gatekeepers must adhere to the DMA’s obligations, some gatekeepers may have specific instructions on how to satisfy the requirements within the context of that gatekeeper’s unique situation.

Are the enforcement penalties harsher than the GDPR?

Yes. Under the DMA, if the gatekeeper intentionally or negligently fails to comply with certain requirements, the Commission may impose a fine of up to 10% of the gatekeeper’s worldwide turnover in the preceding financial year. By contrast, GDPR violations can result in a fine of up to EUR 20 million or 4% of a company’s worldwide annual revenue from the preceding financial year, whichever is higher. And it’s worth recalling that gatekeepers are, by definition, extremely large companies serving many millions of users, so the company’s annual worldwide turnover would presumably be large as well.

What are the next steps for the DMA?

Within two months of May 2023, companies providing core platform services must notify the Commission and provide all relevant information for determining whether the company qualifies as a gatekeeper. The Commission will then have two months to decide whether to make such a designation. If a company is deemed a gatekeeper, the company will have six months to comply with the DMA’s rules and obligations.

[1] https://www.skadden.com/insights/publications/2022/10/eu-digital-markets-act-enters-into-force
[2] https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en
[3] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0842
[4] https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package
[5] https://www.engadget.com/europe-digital-markets-act-005742387.html
[6] https://www.consilium.europa.eu/en/press/press-releases/2022/03/25/council-and-european-parliament-reach-agreement-on-the-digital-markets-act/
[7] https://www.europarl.europa.eu/news/en/press-room/20220701IPR34364/digital-services-landmark-rules-adopted-for-a-safer-open-online-environment
[8] https://www.consilium.europa.eu/en/press/press-releases/2022/07/18/dma-council-gives-final-approval-to-new-rules-for-fair-competition-online/
[9] https://twitter.com/EP_SingleMarket/status/1570062248961363969
[10] https://www.consumerprivacyworld.com/2022/10/dma-eu-publishes-the-new-digital-markets-act/

Metaverse Law’s Lily Li to guest star on Threat Watch podcast to discuss risks of ChatGPT, generative AI, and LLMs

Near the end of 2022, generative AI models became something of a sensation. Art-based models like Midjourney, DALL-E, and Stable Diffusion threw the art world into a panic, prompting companies to ban AI-generated art.[1] Models like ChatGPT—and its underlying GPT-3.5 and GPT-4 LLMs—seemingly invaded every social sphere, from academia[2] to big tech,[3] and prompted many to start asking, “Will AI replace us?”[4] Given all this buzz around generative AI and LLMs, it’s only natural to consider the IT and security risks stemming from these emerging technologies. After all, there have been numerous recorded instances of actors using ChatGPT to build malware,[5] to improve malware,[6] to send phishing emails,[7] and more. To discuss these topics, Metaverse Law’s founder Lily Li will join host Dr. Rebecca Wynn on BrightTALK’s Threat Watch podcast to discuss the many issues, risks, and concerns arising out of the use of AI.

WHAT: Metaverse Law’s founder Lily Li will join host Dr. Rebecca Wynn on the Threat Watch podcast to discuss AI, chatbots, LLMs, and more.

WHEN: March 30, 2023 — 12:00 pm ET

WHERE: Online (with free registration)

TOPICS:
  • Data leaking and misuse in the AI supply chain.
  • Data transfer issues resulting from the use of AI.
  • IT and cyber security concerns.
  • Social engineering stemming from AI.
  • And more!
Whether you are currently using or thinking about using AI in your business, you do not want to miss Lily’s discussion on the risks and issues arising from this technology.
[1] https://brushwarriors.com/art-websites-that-ban-ai/
[2] https://www.tidio.com/blog/ai-in-education/
[3] https://www.zdnet.com/article/how-to-use-chatgpt-to-write-code/
[4] https://www.forbes.com/sites/robtoews/2021/02/15/artificial-intelligence-and-the-end-of-work/?sh=75edd9c456e3
[5] https://www.hackread.com/chatgpt-blackmamba-malware-keylogger/
[6] https://blog.checkpoint.com/2023/02/07/cybercriminals-bypass-chatgpt-restrictions-to-generate-malicious-content/
[7] https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hack-it-away/
Logo for the European Commission.

The Digital Services Act: EU’s new gold standard for regulating online services and search engines

On October 19, 2022, the Digital Services Act (DSA) was published in the Official Journal of the European Union, thereby triggering its entry into force.[1] The DSA creates a first-of-its-kind regulatory framework that, like the General Data Protection Regulation (GDPR), could set an international benchmark for regulating intermediary services such as search engines, e-commerce platforms, hosting services, and more.[2] To achieve these regulatory goals, the DSA takes a pyramid-like, category-based approach to applying obligations to intermediary services, with those at the bottom of the pyramid having the fewest obligations. If an intermediary service falls into a higher category, then the service has stricter obligations in addition to those imposed on services in the lower categories. Given that the DSA could apply internationally and introduces a plethora of onerous obligations, it is important to review its scope, requirements, and what these could mean for businesses around the world.

Background

On March 1, 2018, the European Commission published the non-binding Commission Recommendation 2018/314, calling for the need to address “illegal online content” and its “serious negative consequences for users.”[3] On July 16, 2019, Ursula von der Leyen, then-candidate for President of the European Commission, announced her political guidelines for the 2019-2024 Commission, in which she called for a “new Digital Services Act” to upgrade liability and safety rules for digital platforms, services, and products.[4] To this end, the Commission launched a public consultation process to gather comments and evidence regarding how online platforms should be regulated.[5] Then, the Commission published the proposal for the Digital Services Act on December 15, 2020, alongside an evidence-based impact assessment.[6] On April 22, 2022, European policymakers in Brussels reached an agreement after 16 hours of negotiations,[7] and a few months later the European Parliament approved the DSA along with the Digital Markets Act.[8] And finally, four years after its conception by Ursula von der Leyen, the DSA was published in the Official Journal of the European Union on October 19, 2022, thereby marking its entry into force.

To whom does the DSA apply?

The DSA applies to any intermediary service offered to natural or legal persons that have their place of establishment or are located in the EU, irrespective of whether the provider of that intermediary service is established in the EU. The DSA broadly defines “intermediary service” to include a number of service categories, including:
  • Mere conduits of transmissions, such as top-level domain name registries, DNS services and resolvers, certificate authorities that issue digital certificates, and more.
  • Caching services, such as the provision of content delivery networks and reverse proxies.
  • Hosting services, such as cloud computing, web hosting, file storage, and more.
  • Online platforms, which are a subcategory of hosting services:
    • Online platforms are hosting services that are primarily used, at the request of a recipient of the service, to store and disseminate information to the public, such as e-commerce marketplaces, app stores, social media platforms, and more.
  • Search engines, such as Google, Bing, and other online services that allow users to input queries to perform searches.
  • Very large online platforms and search engines, which is a special designation given to online platforms or search engines that reach at least 45 million recipients in the EU.
Recital 29 of the DSA states that whether a specific intermediary service constitutes a mere conduit, a caching service, or a hosting service — which is the first question a business should consider — depends solely on the service’s technical functionalities and should be assessed on a case-by-case basis. And this analysis is important, because the category in which a service lands will determine the number of obligations required under the law. And there are many obligations.

Can the DSA apply to companies outside of the EU?

Yes. The DSA applies to any intermediary service offered to natural or legal persons that have their place of establishment or are located in the EU, irrespective of whether the intermediary service is established in the EU. However, while this scope may appear overly broad, the law clarifies in Article 3 and Recitals 7 – 8 that the intermediary service must have a “substantial connection to the Union” to be covered. Such a substantial connection results from:
  1. Having an establishment in the EU; or
  2. Having a significant number of recipients of the service in a Member State; or
  3. Targeting activities toward a Member State, which can result from:
    1. the use of a Member State’s language or currency;
    2. the possibility of EU recipients ordering products or services;
    3. the use of a relevant top-level domain;
    4. the availability of an app in a relevant national app store;
    5. advertising in a Member State or in a language used by a Member State;
    6. providing customer services in a language generally used in a Member State.
While the law requires a substantial connection, the possibility of falling into the extraterritorial scope, much like the GDPR, requires companies to take care in considering how they advertise or offer their intermediary service and whether such advertising or offerings could place them squarely in the scope of the law.

Does the DSA treat all online intermediary services equally?

No. The DSA uses a tiered, pyramid-like approach to impose cumulative obligations on the various categories of intermediary services.

Obligations for all providers of intermediary services

The bottom of this pyramid-like framework includes all providers of intermediary services. The DSA imposes on this category a substantial list of due diligence and transparency obligations. These include:
  1. Designating a single point of contact for communicating with Member State authorities (Article 11).
  2. Designating a single point of contact for communicating with recipients of the service (Article 12).
  3. Providing information in the terms and conditions about any policies, procedures, measures, and tools used for content moderation, algorithmic decision-making, and the handling of internal complaints (Article 14).
  4. Making publicly available a yearly content moderation report (Article 15).
  5. And for providers which do not have an establishment in the EU yet fall within the law’s extraterritorial scope: designate a legal representative in a Member State and ensure the representative can be held liable for non-compliance with obligations under the DSA (Article 13).

Additional obligations for hosting services and the subcategory of online platforms

In addition to the above obligations, providers of hosting services and providers of online platforms must satisfy the following obligations:
  1. Creating a mechanism through which any individual or entity can notify the provider about the presence of information on the service that the individual or entity considers illegal (Article 16).
  2. Providing a clear and specific statement of reasons to recipients affected by restrictions imposed on the basis that information provided by the recipient is illegal or incompatible with the provider’s terms and conditions (Article 17).
  3. Notifying law enforcement or judicial authorities if the provider becomes aware of information giving rise to certain legally-prescribed criminal offenses (Article 18).

Additional obligations just for providers of online platforms

In addition to the two lists of obligations above, providers of online platforms — the subcategory of hosting services — must also satisfy the following obligations:
  1. Creating an internal complaint-handling system through which recipients can, free of charge, lodge complaints against the provider, and provide recipients with access to the system for at least six months following certain decisions that may affect the recipient (Article 20).
  2. Allowing recipients to select any out-of-court dispute settlement body certified under the DSA to resolve disputes relating to Article 20 decisions (Article 21).
  3. Implementing technical and organizational measures to ensure notices submitted by trusted flaggers — that is, entities awarded this role by a Member State’s Digital Services Coordinator — are prioritized, processed, and decided upon without undue delay (Article 22).
  4. Suspending recipients that frequently provide manifestly illegal content (Article 23).
  5. Making publicly available a yearly content moderation report that, in addition to the Article 15 requirements, shall detail the number of disputes submitted to out-of-court dispute settlement bodies pursuant to Article 21 and the number of recipients suspended pursuant to Article 23 (Article 24).
  6. Designing, organizing, and operating the online platform’s interfaces in a way that does not deceive or manipulate recipients so as to materially distort or impair their ability to make free and informed decisions (Article 25).
  7. Ensuring that each advertisement presented to recipients via the online platform’s interface contains certain legally-prescribed disclosures (Article 26).
  8. Implementing measures to ensure a high level of privacy, safety, and security for minors, if the online platform is accessible to minors (Article 28).
It is important to note that most of these obligations do not apply to providers of online platforms that qualify as micro or small enterprises. A micro enterprise is one that employs fewer than 10 people and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million. A small enterprise is one that employs fewer than 50 people and whose annual turnover and/or annual balance sheet does not exceed EUR 10 million.

Additional obligations for very large online platforms and online search engines

The DSA imposes even more obligations on providers of “very large” online platforms or search engines. To be given this designation, the online platform or search engine must have at least 45 million monthly active EU recipients and have been recognized as “very large” by the European Commission. Once given such a designation, the very large online platform or search engine has four months before the following obligations apply:
  1. Conducting yearly risk assessments of its service and systems, including algorithmic systems (Article 34).
  2. Implementing mitigation measures tailored to the specific risks identified by the yearly risk assessment (Article 35).
  3. Taking actions specified by the European Commission in response to a crisis (Article 36).
  4. Paying for independent audits on a yearly basis to ensure compliance with the DSA (Article 37).
  5. Creating a searchable repository of legally-specified information relating to advertisements on the online platform or search engine (Article 39).
  6. Providing the European Commission or the Digital Services Coordinator with information necessary to monitor and assess compliance with the DSA (Article 40).
  7. Establishing a compliance function, giving it sufficient authority, stature, resources, and access to management to monitor compliance with the DSA (Article 41).
  8. Making publicly available the Article 15 content moderation report every six months (Article 42).
  9. Paying an annual supervisory fee for their designation as “very large” (Article 43).
Are the enforcement penalties harsher than the GDPR?

Yes. The DSA requires Member States to lay down rules on penalties for infringements of the law by providers of intermediary services. The DSA requires Member States to ensure that the maximum amount of fines that may be imposed for a failure to comply with any obligation under the DSA shall be 6% of the provider’s annual worldwide turnover in the preceding financial year. Less serious infringements under the DSA, such as supplying misleading information or failing to submit to an inspection, shall result in a fine of up to 1% of the provider’s annual income or worldwide turnover in the preceding financial year. By contrast, GDPR violations could result in a fine of up to EUR 20 million or 4% of a company’s worldwide annual revenue from the preceding financial year, whichever is higher.

What are the next steps for the DSA?

The bulk of the DSA’s obligations shall apply starting February 17, 2024. However, by February 17, 2023, and at least once every six months thereafter, all providers of intermediary services must publish information on the service’s average monthly active recipients in the Union.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2065&qid=1666966938325
[2] https://www.euractiv.com/section/digital/news/digital-agenda-autumn-winter-policy-briefing/
[3] https://eur-lex.europa.eu/eli/reco/2018/334/oj/eng
[4] https://op.europa.eu/en/publication-detail/-/publication/43a17056-ebf1-11e9-9c4e-01aa75ed71a1
[5] https://techcrunch.com/2020/06/02/europe-asks-for-views-on-platform-governance-and-competition-tools/
[6] https://digital-strategy.ec.europa.eu/en/library/impact-assessment-digital-services-act
[7] https://www.nytimes.com/2022/04/22/technology/european-union-social-media-law.html
[8] https://www.europarl.europa.eu/news/en/press-room/20220701IPR34364/digital-services-landmark-rules-adopted-for-a-safer-open-online-environment