Although Spring “sprung” a month ago, it is still a good time for Spring Cleaning for certain intellectual property and privacy matters. Here is a short to-do list for Spring 2022.
- Update Enterprise Agreements and License Forms. Business plans, practices, and pricing models change over time. It is important to check your standard agreements to ensure they still reflect your business model and goals. If your agreement reflects pricing is on a capacity or bundle level but you actually charge on a per seat or user basis, your agreement needs to be updated. Similarly, agreements should be updated to reflect new general methods of doing business, for example, “facsimile” in your agreement’s notice section is antiquated and demonstrates you have not kept good housekeeping of your agreement forms. Modernize templates to add language to indicate that signatures may be obtained via electronic signature reflects how business is now typically done.
- Update Privacy Policies. Even if your company previously was not subject to certain laws, such as the EU’s General Data Protection Regulation (GDPR) or California’s California Consumer Privacy Act (CCPA), you should reevaluate at least annually. If any of your data practices have changed or any of the parameters that could bring you under the purview of certain laws that have changed, it is time to reassess and update your policies. For example, ask if any of the following have changed: the types of data you collect, revenues, your target marketing audiences, or actual customer numbers. Privacy policies are not “set it and forget it.” The policies must be seen as a living document, which must be updated to reflect reality, otherwise, you may face the risk of an enforcement action. Indeed, it is best practice to update privacy policies on any significant change and certain laws, such as the CCPA, require annual updates. Also, if you have a mobile app on iOS, do make sure your “privacy nutrition” disclosures align with what your privacy notice states. The iOS disclosures are typically filled out by developer teams, while privacy notices are generally created by legal or compliance teams, which can lead to inconsistencies. Teams should work together to ensure the company’s practices, iOS disclosures, and privacy notice(s) are consistent with one another.
- Address Employee Privacy. Although pending legislation may change how certain privacy laws apply to employees, some privacy laws that will be effective and/or enforced as of January 2023 (e.g., CCPA and CPRA) have provisions that apply to employees and contractors, in addition to the individuals companies usually consider website users and consumers. With employees having further rights to access or have data deleted, companies will need to adjust their employee handbooks, internal policies, and consider notes they take and retain for hiring and review efforts.
- Fix Dark Patterns. Dark patterns are aspects or features of a user interface designed to, or that do indeed, confuse or manipulate the user or encourage the user to take a certain action that may not be in their best interest. For example, a dark pattern may exist if you see a cookie banner with two buttons: one button in a shaded or lighter color with the option to decline cookies (or manage cookie preferences) alongside a second and more prominent or brighter button to have the user consent to all cookies. These practices deceive users and may have the effect of limiting their choices under applicable laws. The Federal Trade Commission (FTC) and State Attorneys General are watching for dark patterns and bringing enforcement actions against companies that use them.
- Consider Auto-Renewal Laws. California has had an automatic renewal law for years, but new updates to the law become effective at the start of this July. The law applies to services that are provided on an automatic renewal subscription basis that are primarily used for personal or household use, rather than for enterprise business use. Companies will need to provide additional notices on signup and reminder notices regarding automatic renewals of subscriptions and memberships. Companies will also need to provide more transparent immediate options to opt out of the renewal.
- Company Names and Trademarks. Check company and product names ahead of time, before you become wedded to them. You want to ensure there are no glaring trademark rights that may popup down the line and require you to change your company name after you branded all of those t-shirts and giveaways. It would be best to have trademark counsel closely work with your branding or marketing team from the start to identify issues earlier than later and strategize a trademark registration plan.
- Security. Make security and training personnel on security a priority. We have seen multiple data breaches – in some cases of information that is considered sensitive – because an untrained employee fell victim to a phishing scam or other malicious scheme or what looked to be an innocent download or click. Having various security measures and policies in place is a first step. But, internal policies must be circulated and enforced, and employees should be kept abreast of and periodically trained on evolving threats and changes in data security. To further mitigate risk, companies should implement a data retention policy that balances their different legal obligations to retain data with the need to minimize it. Whether it is employee, consumer, or customer data, know how long you are legally required to retain it and then destroy what should not or does not need to be retained. Many companies seem to hoard data just in case they might want to use it, without any current legal or business justification, and in doing so, they substantially increase the risks in the event of a data breach. The more data you have, the more you have to lose.
- Register Copyrights. Often overlooked, the benefits of registering the copyright in your software or product code are extremely important. In addition to certain presumptions of validity, you won’t be able to file a lawsuit for copyright infringement against another entity or individual without a registered copyright. You don’t want to have to wait a few months to get a registration with the US Copyright Office, if you wanted to file an infringement suit, if your company is faced with an infringing competitor or rogue reseller.
For more information, please contact Chiara Portner.