The current survey covers developments in cyberlaw that occurred in the year ending May 2022.
Privacy and data security. In her review of developments in state privacy law, Lakshmi Gopal offers a detailed description and comparison of the three most recent comprehensive state privacy statutes, enacted in Colorado, Connecticut, and Utah, and reviews updates of the California and Virginia laws. A brief discussion of the Uniform Personal Data Protection Act is followed by a review of litigation under the Illinois Biometric Information Privacy Act and a discussion of two new biometric privacy laws in New York City.
Meg Strickler covers a different swath of the privacy landscape, focusing on federal law developments. As she explains, the Federal Trade Commission (“FTC”) has directed particular attention to children’s privacy, issuing a policy statement on the Children’s Online Privacy Protection Act (“COPPA”) and settling several enforcement actions under the COPPA Rule. The FTC also settled actions involving misrepresentations about privacy made to consumers, and issued a staff report about the privacy practices of Internet service providers. Finally, her survey discusses a policy change by Apple that makes it harder for the deployers of apps to track their users online.
Cybersecurity. Roland L. Trope reviews two cases in which a party has relied on a security paradigm that is no longer valid. In the first, an employee overseeing robots working on a factory floor was tragically killed due to failure of the assumption that robots can safely operate in close proximity to humans. In the second, the issuer of an “all risks” insurance policy invoked the policy’s exclusion for “warlike” actions in an effort to avoid paying the insured’s claims for its losses resulting from a malware attack, but was unsuccessful due to its failure to inform the insured that cyberattacks had become a means by which nations conduct war and that it would construe the exclusion accordingly.
Sasha Hondagneu-Messner describes some recent initiatives by the Securities and Exchange Commission aimed at enhancing cybersecurity in connection with investment markets. The agency has increased staffing in its unit dealing with cryptocurrency and cyberthreats, settled several actions against public companies in which it alleged cybersecurity violations, and proposed new cybersecurity rules applying to investment advisors and public companies.
Contracts. Nancy S. Kim reviews the newest cases dealing with online contracting. She notes that courts are maintaining their recent focus on website design and the specific context in which online contracting occurs. The cases she discusses deal with the requirement that notice of terms be clear and conspicuous; what actions by the consumer will constitute a manifestation of assent to the terms; and the enforceability of “sign-in wrap” agreements and other contracting paradigms ranging from browsewraps to clickwraps.
Intermediary liability. Chase J. Edwards reviews some of the most important developments relating to the liability of online intermediaries based on activities of their subscribers. In two cases against the makers of Snapchat predicated on its provision of a feature that allegedly resulted in high-speed car crashes with deadly results, both courts denied Snapchat the immunity conferred by Section 230, and one of the two allowed the case to proceed after finding plaintiffs had sufficiently alleged a claim for negligent design of the feature. Two courts addressed the applicability of Section 230 to retweets, arriving at different results depending on whether the retweeter added his own commentary. Two courts diverged from previous rulings in holding that an online gun marketplace is not entitled to Section 230 immunity, but ruled in favor of the defendant on the merits. The essay concludes with a review of Florida and Texas laws that forbid social media platforms from banning certain speakers or viewpoints.
Electronic payments and financial services. Stephen T. Middlebrook, Sarah Jane Hughes, and Tom Kierner present a masterful tour through a multitude of developments in electronic payments and financial services. They discuss regulation of earned wage access products; enforcement actions relating to government benefit cards; new regulations for payroll cards; efforts by the Consumer Financial Protection Bureau to expand its regulatory authority; warnings from regulators about potential unfair and deceptive practices; and enforcement actions relating to garnishment practices, remittance services, Internet lenders, and cryptocurrency exchanges.
Advertising and consumer protection. Richik Sarkar’s contribution addresses several developments at the FTC. These include settlements involving in-game advertising and online product reviews and ongoing revisions to two FTC guidance documents. The essay continues with a discussion of developments relating to telemarketing: new Federal Communications Commission rules about international robocalls, a proposed FTC rule on recordkeeping by telemarketers, and several court decisions under the Telephone Consumer Protection Act. The essay closes with discussion of a new Department of Justice charging policy and a new court case under the Computer Fraud and Abuse Act.
Artificial intelligence. Michael Simon and Andrew Pery survey recent developments relating to regulation of artificial intelligence. They begin by reviewing the newest national regulations from China and the European Union, and then move to regulatory efforts by the U.S. Congress and several federal agencies. They conclude with a tour of regulations issuing from several states and municipalities.