Although Spring "sprung" a month ago, it is still a good time for Spring Cleaning for certain intellectual property and privacy matters. Here is a short to-do list for Spring 2022.
- Update Enterprise Agreements and License
Forms. Business plans, practices, and pricing models
change over time. It is important to check your standard agreements
to ensure they still reflect your business model and goals. If your
agreement states that pricing is on a capacity or bundle level but you
actually charge on a per-seat or per-user basis, your agreement needs
to be updated. Similarly, agreements should be updated to reflect
new general methods of doing business. For example,
"facsimile" in your agreement's notice section is
antiquated and demonstrates you have not kept good housekeeping of
your agreement forms. Modernizing templates to add language
indicating that signatures may be obtained via electronic signature
reflects how business is now typically done.
- Update Privacy Policies. Even if your company
previously was not subject to certain laws, such as the EU's
General Data Protection Regulation (GDPR) or California's
California Consumer Privacy Act (CCPA), you should reevaluate at
least annually. If any of your data practices have changed or any
of the parameters that could bring you under the purview of certain
laws have changed, it is time to reassess and update your
policies. For example, ask if any of the following have changed:
the types of data you collect, revenues, your target marketing
audiences, or actual customer numbers. Privacy policies are not
"set it and forget it." The policies must be seen as
living documents that are updated to reflect reality;
otherwise, you may face the risk of an enforcement action. Indeed,
it is best practice to update privacy policies on any significant
change and certain laws, such as the CCPA, require annual updates.
Also, if you have a mobile app on iOS, do make sure your
"privacy nutrition" disclosures align with what your
privacy notice states. The iOS disclosures are typically filled out
by developer teams, while privacy notices are generally created by
legal or compliance teams, which can lead to inconsistencies. Teams
should work together to ensure the company's practices, iOS
disclosures, and privacy notice(s) are consistent with one
another.
- Address Employee Privacy. Although pending
legislation may change how certain privacy laws apply to employees,
some privacy laws that will be effective and/or enforced as of
January 2023 (e.g., CCPA and CPRA) have provisions that apply to
employees and contractors, in addition to the individuals companies
usually consider website users and consumers. With employees having
further rights to access or have data deleted, companies will need
to adjust their employee handbooks and internal policies, and consider
the notes they take and retain for hiring and review efforts.
- Fix Dark Patterns. Dark patterns are aspects
or features of a user interface designed to, or that do indeed,
confuse or manipulate the user or encourage the user to take a
certain action that may not be in their best interest. For example,
a dark pattern may exist if you see a cookie banner with two
buttons: one button in a shaded or lighter color with the option to
decline cookies (or manage cookie preferences) alongside a second
and more prominent or brighter button to have the user consent to
all cookies. These practices deceive users and may have the effect
of limiting their choices under applicable laws. The Federal Trade
Commission (FTC) and State Attorneys General are watching for dark
patterns and bringing enforcement actions against companies that
use them.
- Update User Interfaces for Terms of Use
Agreements. Cases continually demonstrate the need to have
clear legal language that matches the call for action to ensure
your terms of use, terms of service, or other similar online user
agreements are enforceable and binding. The actual action button
and its text should clearly have its counterpart in the language
explaining the binding effect of the action. For example, don't
say "By Clicking I Agree, you agree to the Terms of Use"
when your click-button is labeled as "Submit" or
"Signup." Likewise, care should be taken to ensure that
your linked terms are conspicuous, underlined, and in blue font (the
color most used and recognized for links). Although this line of
recommendations has been around for years, companies still miss
these points, rendering all of their user agreements unenforceable
against the user.
- Consider Auto-Renewal Laws. California has had
an automatic renewal law for years, but new updates to the law
become effective at the start of this July. The law applies to
services that are provided on an automatic renewal subscription
basis that are primarily used for personal or household use, rather
than for enterprise business use. Companies will need to provide
additional notices on signup and reminder notices regarding
automatic renewals of subscriptions and memberships. Companies will
also need to provide more transparent immediate options to opt out
of the renewal.
- Company Names and Trademarks. Check company
and product names ahead of time, before you become wedded to them.
You want to ensure there are no glaring trademark rights that may
pop up down the line and require you to change your company name
after you branded all of those t-shirts and giveaways. It would be
best to have trademark counsel work closely with your branding or
marketing team from the start to identify issues earlier rather than
later and strategize a trademark registration plan.
- Security. Make security and training personnel
on security a priority. We have seen multiple data breaches –
in some cases of information that is considered sensitive –
because an untrained employee fell victim to a phishing scam or
other malicious scheme or what looked to be an innocent download or
click. Having various security measures and policies in place is a
first step. But, internal policies must be circulated and enforced,
and employees should be kept abreast of and periodically trained on
evolving threats and changes in data security. To further mitigate
risk, companies should implement a data retention policy that
balances their different legal obligations to retain data with the
need to minimize it. Whether it is employee, consumer, or customer
data, know how long you are legally required to retain it and then
destroy what should not or does not need to be retained. Many
companies seem to hoard data just in case they might want to use
it, without any current legal or business justification, and in
doing so, they substantially increase the risks in the event of a
data breach. The more data you have, the more you have to
lose.
- Register Copyrights. The benefits of registering the copyright in your software or product code are often overlooked but extremely important. In addition to certain presumptions of validity, you won't be able to file a lawsuit for copyright infringement against another entity or individual without a registered copyright. If your company is faced with an infringing competitor or rogue reseller and wants to file an infringement suit, you don't want to have to wait a few months to get a registration with the US Copyright Office.
