TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Unmanned aerial vehicles (UAVs)—popularly known as drones—have enormous possibilities for use in the business world. In fact, the drone market is expected to exceed $12 billion by 2021. The small size, maneuverability, and ability to carry various types of recording or sensory devices makes drones attractive for many types of commercial use from delivery services, such as Amazon’s First Prime Air Delivery service  to managing inventory by using drones with RFID sensors and managing agriculture. However, any company considering the commercial use of drones should be aware of the evolving legal landscape regarding their use. How a company plans to use a drone will help determine the legal requirements that must be met.

California was one of the first states to allow autonomous vehicles (self-driving cars) to be tested on public roads. On April 2, 2018, the state began allowing self-driving cars without a driver in the vehicle to be tested on public roads. Before these new regulations, California only allowed autonomous vehicles to be tested on public roads with an approved driver.

Senators Edward Markey and Richard Blumenthal introduced a new privacy rights bill on April 10 titled “Customer Online Notification for Stopping Edge-provider Network Transgressions” (CONSENT Act). The CONSENT Act’s obligations would apply to entities known as edge providers who provide services through a software program (including a mobile application) or over the internet (1) that require its customers to subscribe to or maintain an account to obtain services; (2) that require a customer to purchase services; (3) through which a customer performs searches; or (4) through which a customer provides sensitive customer proprietary information.

The CONSENT Act would require the Federal Trade Commission (FTC) to promulgate regulations to protect the privacy of customers of edge providers within one year of passage of the CONSENT Act that would take effect within 180 days of such promulgation. Specifically, the CONSENT Act stipulates that such FTC regulations must

April showers bring…Morgan Lewis’s Annual Technology May-rathon. Our annual series of presentations and webcasts, known as the Technology May-rathon, runs the entire month of May. Industry leaders from a variety of technology-focused practices will present on certain technologies, providing lawyers with critical understanding of the technologies that impact our work. The presentations and webcasts will also focus on legal developments and key topics resulting from innovative technologies.

Below are just a few examples of the presentations that are part of the 2018 Technology May-rathon. Be sure to check back for the most up-to-date information as more events are added.

For more information or to register, visit the full listing of events here.

On March 23, US President Donald Trump signed the omnibus spending bill, a portion of which contained the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). The CLOUD Act’s main goal is to offer guidance to providers of electronic communication and remote computing services when they receive orders to disclose data from the United States or foreign governments that are not located in the country from which the order came (e.g., where the FBI issues a search warrant to a US cloud service provider to provide email data located on a server in the European Union over which the cloud service provider has custody or control).

In addition to other requirements, the CLOUD Act states that providers of electronic communication or remote computing services must comply with the obligations of the Stored Communications Act involving the preservation, storage, and disclosure of certain stored communications and records—whether or not such communications and records are located in the United States. The CLOUD Act also presents a new review process before a US judge for providers of electronic communication or remote computing services to push back on orders to disclose customer communications or records under the Stored Communications Act, among other governmental orders.

Join Morgan Lewis at our Philadelphia office on Thursday, April 26, for a discussion on cybersecurity topics and their effects on outsourcing and commercial contracts. Morgan Lewis partners Barbara Melby, Greg Parks, and Michael Pillion and associates Christopher Archer and Katherine O’Keefe will speak at the event, which will include an ethics session for CLE credit.

Topics will include:

  • The benefits and risks of using technology, walking the line between legal and business advice, and ethical considerations for supervising nonlawyers
  • The changing privacy regulatory landscape and privacy developments, including the EU General Data Protection Regulation (GDPR)
  • Security and the cloud
  • Drafting privacy and security-related provisions in services contracts

A networking reception will follow the discussions. We hope you can join us!

Register for the event.

The UK government recently released a policy paper outlining proposed requirements for makers of Internet of Things (IoT) devices to take certain actions to better protect IoT devices from growing cybersecurity threats. Secure by Design: Improving the cyber security of consumer Internet of Things Report was released by the UK’s Department for Digital, Culture, Media & Sport and contains a draft Code of Practice for manufacturers of consumer IoT devices and services.

Earlier this week, the US Federal Trade Commission (FTC) settled a complaint against the operator of an online talent search company, asserting that the talent search company’s collection and disclosure of children’s personal information violated the Children’s Online Privacy Protection Act (COPPA) by failing to obtain parental consent, failing to provide adequate notices, and failing to implement the appropriate restrictions in compliance with COPPA. Under the terms of the settlement, the company agreed to pay $235,000.

The FTC’s complaint asserted that the company collected the information of more than 100,000 children under age 13, but failed to disclose to parents or the public how that data was collected, used, or disclosed. Though the website privacy policy stated that the company would not knowingly collect personal information from children under 13, according to the FTC’s complaint, the company imposed no restrictions on users who indicated they were under the age of 13 and did not take steps to verify whether legal guardians were creating the children’s accounts. According to the complaint, much of the information collected was available on publicly visible user profiles.

If you’re like most business leaders, according to a recent survey conducted by Ernst & Young, the privacy compliance elephant in the room should no longer be ignored.

As we previously discussed, the General Data Protection Regulation (GDPR) will take effect in May 2018, significantly changing how companies may collect and use personal data about web users in Europe. Although the May deadline is rapidly approaching and the penalties for GDPR violations—up to the greater of 4% of the company’s global revenue or 20 million Euros—are by no means trivial, it seems that executives around the world are perfecting their ostrich impersonations. Survey findings include that only one-third of respondents have GDPR compliance plans in place. In the Americas and the Asia Pacific, where less than 15% of respondents indicated their GDPR readiness, procrastination is astoundingly acute.

Galvanized by a confluence of charged factors—like privacy, cybersecurity, children, and the Internet of Things (IoT)—and sparked by recent assertions of Children’s Online Privacy Protection Act (COPPA) regulatory power, the US Federal Trade Commission (FTC) entered into a pioneering settlement with electronic toy manufacturer VTech regarding a breach of children’s personal information. The FTC’s message to companies is crystal clear: when it comes to kids’ data, transparency and security are elemental.

Scarce Insulation from COPPA

The COPPA Rule explains what operators of websites and online services must do to protect children’s privacy and safety online, and the FTC serves as the enforcer. As we previously discussed, the FTC released updated guidance in response to concerns about the security of data collected and used by internet-connected products geared toward children. The FTC noted that COPPA defines “website or online service” broadly and specifically listed connected toys and IoT devices within the COPPA Rule’s purview. Although the FTC released a policy that permits collecting a recording of a child’s voice without parental consent in certain situations, such circumstances are narrowly limited to the sole and limited purpose of replacing written words—say, an instruction—and the recording must be immediately destroyed.