Worldwide: AdTech & Digital Media Newsletter

Welcome to the September 2022 newsletter prepared by Arnold & Porter's AdTech and Digital Media group. This newsletter includes legal and regulatory developments relevant to the AdTech and Digital Media industries, the state of venture investment activity in the AdTech industry, and updates regarding Arnold & Porter's activity in the space.

New Law

California Passes Children's Online Safety Bill: The California Age-Appropriate Design Code Act (CAADCA) was signed into law on November 15, 2022. Building on the California Privacy Rights Act of 2020, and the Parent's Accountability and Child Protection Act passed in May of this year, CAADCA promotes online privacy protection for minors through a number of means. It requires businesses that provide "an online service, product, or feature likely to be accessed by children" to take a number of actions, and defines "children" as consumers under the age of 18 (in contrast to the federal Children's Online Privacy Protection Act (COPPA), which protects the privacy of children under age 13). Businesses regulated under the CAADCA must, among other things:

• Complete a Data Protection Impact Assessment (DPIA) before offering new online services, products or features to the public that are likely to be accessed by children. The DPIA must include information relating to matters such as the purpose of the services, product or feature; use of children's personal information; risk of material detriment to children from the data management practices; possibility of various types of harm to children; whether algorithms or targeted advertising used could harm children; system design features to extend use of the online service, product or feature by children; and collection or processing of sensitive personal information of children.
• Configure default privacy settings provided to children to settings that offer a high level of privacy, absent showing a compelling reason that another setting is in the best interests of children.
• Provide privacy information, terms of service, policies and community standards concisely, prominently and using clear language suitable to the age of children likely to access the service, product or feature.

The business must refrain from a number of actions, such as the following:

• Using personal information of any child in a way that the business knows, or has reason to know, is materially detrimental to the physical or mental health, or well-being, of a child.
• Profiling a child by default, unless certain criteria are satisfied.
• Collecting, sharing or retaining certain personal information.
• Collecting, selling or sharing precise geolocation information of children by default, subject to exceptions.

The above-described provisions generally become operative on July 1, 2024, although there is an obligation for businesses to complete a DPIA on or before that date for online services, products or features likely to be accessed by children and offered to the public before that date (unless they won't be offered after that date). CAADCA provides for the creation of a California Children's Data Protection Working Group to deliver associated reports to the legislature and make recommendations on best practices. CAADCA provides for injunctions and civil penalties of up to $2,500 per affected child for each negligent violation and $7,500 per affected child for each intentional violation. These remedies can only be assessed in actions brought by the California Attorney General. There is no private right of action under the law.

FTC Developments

FTC Provides guidance on Digital Dark Patterns: On September 15, 2022, the FTC issued a report on its findings regarding digital "dark patterns," which are deceptive design practices that trick or manipulate consumers into actions such as making a purchase or giving up their privacy. The FTC provided examples of enforcement actions against companies like Credit Karma, LendingClub, Amazon, and Vizio/Smart TV. The FTC noted that Digital dark patterns may violate not only the FTC Act, but also other laws such as the Restore Online Shoppers Confidence Act (ROSCA), 15 USC §§8401 - 8405, or laws that prevent discrimination against protected classes. The FTC report provides a description of 32 types of dark patterns. Companies engaged in digital marketing or advertising would be well advised to take a look at the FTC's report.

FTC Targets Fake Online Reviews: On August 30, 2022, the FTC brought an enforcement action against Roomster, a room rental website, alleging that the site posted and solicited fake reviews and apartment listings. This is one of several FTC enforcement actions and private litigations targeting fake reviews. The FTC also sought comments earlier this year on updates to its Endorsement Guidelines to address fake reviews.

FTC Announces Event Focused on Digital Advertising for Children: On September 21, 2022, the FTC announced the agenda for an event on October 19th that will "explore how best to protect children from a growing array of marketing practices that make it difficult or impossible for children to distinguish ads from entertainment in digital media."

Case Law Development

Third Circuit Decision in Popa v. Harrier Carter Gifts, Inc. Creates Exposure for MarTech: This appellate decision from a summary judgment ruling addresses whether the prohibition of intercepting electronic messages under Pennsylvania's Wiretapping and Electronic Surveillance Control Act (WESCA) applies to tracking activities of NaviStone, a marketing tech company retained by the retailer Harriet Carter. As described in the Third Circuit's decision, on visiting the Harrier Carter website, a visitor's browser sends a "GET request" to the Harrier Carter server, which then sends HTML text to the visitor's browser, including some JavaScript instructing the browser to send another GET request to NaviStone's server. NaviStone's server responds to this GET request by sending code which places cookies on the visitor's browser and causes the browser to send information to NaviStone that tracks the visitor's activity on the Harrier Carter website. Plaintiff, Ashley Popa, a visitor to the site, claimed that NaviStone was intercepting her communications with the website in violation of WESCA. The District Court granted summary judgment in favor of NaviStone and Harriet Carter based on prior case law that indicated that NaviStone could not have "intercepted" the electronic communications because it was a party to them (regardless of whether plaintiff herself knew of NaviStone's identity). The Third Circuit reversed, in light of a 2012 amendment to WESCA that expressly carved out from the definition of "intercept" acquisition of the content of electronic communications by an investigative or law enforcement officer. Applying the canon of statutory interpretation that the expression of one thing is the exclusion of the other (expressio unius est exclusio alterius), the Third Circuit held that the 2012 amendment indicated that the exception to "intercept" where the recipient of the electronic communication was an actual party to the communication should only apply where the recipient was an investigative or law enforcement officer. The Third Circuit noted that WESCA includes another exception where all parties to the communication consent. The court noted that Popa could have given implied consent to appropriate language in the website's privacy policy, although that issue was not considered in the District Court's summary judgment ruling.

On August 30, 2022, the defendants filed a petition for rehearing, on the basis of a 2015 Pennsylvania Superior court decision that was overlooked by the Third Circuit, and concerns that the decision "transforms WESCA into a super-regulatory authority over the internet, subjecting all website operators and their service providers to potential criminal and civil penalties simply because their websites are accessible from Pennsylvania." In a September 23rd letter to the court, the defendants noted that at least 10 such decisions had been filed in federal courts in Pennsylvania after the Third Circuit's decision.

As indicated by the defendants, the case has potentially significant consequences for the MarTech industry. Pending any reversal of the Third Circuit's decision, companies using this sort of MarTech technology should check their privacy policies and disclosure on their websites to verify they have language they can rely on to argue that site visitors have consented to the MarTech service provider's data sharing with the visitors' browsers.

Markets

Based on data provided by PitchBook, AdTech venture investments in the US (see Figure 1 below, which shows both deal count and deal value) peaked by deal number in Q3 of 2021, and both deal count and deal value for the three months from June through August this year are quite a bit lower than for the same period in 2021. Figure 2 shows AdTech venture investments for the US, EU and Asia combined. It shows activity by deal count and deal value peaking in October 2021. Deal count is down for the three months from June through August this year as compared to the same period in 2021, but deal value does not appear to be significantly down, given a busy month of July this year.

Annex A (US Only)

Annex B (US, Europe, Asia)

Arnold & Porter Updates

• See our recent article on Section 230 of the Communications Decency Act of 1996, which provides an overview of Section 230, a brief comparison of the liability standards and regulatory oversight for online content, television and print, and a brief description of the regulatory approaches for online content in the European Union (EU) and United Kingdom (UK). It also includes information about various regulatory and legislative reform initiatives in the US.
• See our alert on the California AG's imposition of a $1.2 million fine in its first settlement under the California Consumer Privacy Act.
• See our alert on the FTC's Advance Notice of Proposed Rulemaking to address commercial surveillance and data security, which presages rules that could potentially have a significant impact on the AdTech industry.