We also encourage you to review periodically the IAPPs useful tracker on state-by-state developments. 

The post Ready, Set, Go: More States Adopt Privacy Laws appeared first on IFRAH Law.

    

Related Stories

• For the Children!: Children’s Online Safety Becomes Focus of State and Federal Law
• Artificial Intelligence Poses Threat to Business Data Privacy and Confidential Information
• New California Law Establishes Broad Protections for Children’s Online Privacy – Exceeding Federal Requirements

 

“Endorsements” under the Guides include “any advertising, marketing, or promotional message for a product that consumers are likely to believe reflects the opinions, beliefs, findings, or experience of a party other than the sponsoring advertiser.” This includes verbal statements, tags in social media posts, demonstrations, name, image and likeness of an individual, and the name or seal of an organization.

Companies and product endorsers are required to disclose material connections (such as when a social media influencer promotes a product and is paid for the post or given free products or services). Over the past several years, the FTC has taken several actions against companies for endorsers’ failure to disclose their connection to the advertised product or service, or the use of fake reviews, among other .[1]

The FTC also issued an updated version of its “Q and A” guidance document (last revised in 2017) that covers key areas such as when and how to disclose material connections, online reviews, and negative feedback. The Q and A remains a useful resource to organizations and endorsers. The FTC has added 40 additional questions.  https://www.ftc.gov/business-guidance/resources/ftcs-endorsement-guides-what-people-are-asking.

Key Highlights from the New Guides

• A material connection needs to be disclosed when a significant minority of the audience for the endorsement does not understand or expect the connection. In some circumstances, well-known influencers may be so closely identified with a particular brand that they do not need to be disclosed. However, this would typically involve a fact-based analysis. The agency declined to specifically identify any particular endorsers meeting this exception.
  • The FTC recognizes that even where many people in an industry (such as video game players) may be aware that influencers have received some sort of incentive (like early access) when the influencers are reviewing or showcasing certain types of products – “an audience knowing generally about such early access is not the same as knowing what a given influencer may have received— whether it’s merely early access or a large monetary payment—in connection with a given game”
• In terms of what constitutes a “clear and conspicuous” disclosure, the FTC states that online disclosures must be “unavoidable” in order to be effective. Specifically, “a disclosure is difficult to miss (e., easily noticeable) and easily understandable by ordinary consumers.” The FTC reiterated that the Guides’ principles and examples, together with staff guidance on use, language, and placement of disclosures of material connections, will continue to apply to disclosures.
• The FTC disfavors disclosing material connections in links, stating “if the endorsement is visible without having to click on the link labeled ‘more,’ but the disclosure is not visible without the viewer doing so, the disclosure is not unavoidable and this is not clear and conspicuous.”
• The New Guides clarify that “tags” and “likes” can be endorsements, as can fake positive reviews used to promote a product. Bots and other entities can be considered endorsers. A fake positive consumer review published on a third-party review website can be an endorsement. Purchasing “likes” and misrepresenting them in advertising can constitute a deceptive practice.
• Advertisements targeting particular groups (g., Spanish language ads) require that the disclosure be in the same language as the ad.
• Endorsements in advertisements addressed to children may be of special concern; the FTC will continue to review this area.
• Regarding the liability of advertisers, the FTC states that it continues to expect “advertisers to be responsible for and monitor the actions of their endorsers.” Advertisers should provide guidance to their endorsers regarding disclosing material connections and not being misleading, monitor their endorsers’ compliance, and take action to remedy non-compliance.
• Endorsers may be liable for statements, such as deceptive representations, or stating they use a product when they do not use it. Endorsers can also be liable for failing to disclose material connections between themselves and an advertiser.
  • In one example, the FTC addressed a video game influencer who is paid to play and live stream a game and appears to enjoy playing it. The FTC modifies its earlier language to clarify that the player’s apparent enjoyment is implicitly a recommendation.
• Similarly, ad agencies, public relations firms, review brokers, and other “intermediaries” may be liable for actions similar to advertisers and endorsers where they create ads containing endorsements that they know or should know are deceptive.
• Advertisers should not distort or misrepresent what consumers think of their products through “upvoting,” “downvoting, or editing consumer reviews of their products.

New Proceeding Targets Fake Reviews

The FTC also launched a proceeding directed at fake reviews and testimonials. We will cover the FTC’s proposals in a future blog. In summary, the FTC seeks to prohibit businesses from procuring reviews by someone who does not exist, did not have experience with the product, or who misrepresented their experience. Businesses would also be barred from offering compensation conditioned upon the writing of a review with a particular sentiment (whether positive or negative). The proposed rule would  prohibit businesses from buying or selling false indicators of social media influence (like fake followers or views).

The FTC’s publication of the updated Guides, Q & As, and the new rulemaking signal that the agency will continue to closely monitor endorsements, particularly on social media and through evolving practices. Many of the requirements track traditional FTC mandates, such as the obligation that advertisements be truthful and not-misleading and that endorsers disclose their material connections.  The agency is applying these “traditional” principles to the explosive use of influencers and other endorsers, and has signaled that advertisers, endorsers, and even ad networks can face liability under the FTC Act for failure to make required disclosures or misrepresenting endorsement.

[1] https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3174-teami-llc

https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3008-sunday-riley-modern-skincare-llc-matter

The post Got Endorsers? Federal Trade Commission Issues Updated Advertising Guides appeared first on IFRAH Law.

    

Related Stories

• CFTC Wins Suit Against DAO, With Potential Broad Implications for DAO Ecosystem
• INFORM Consumers Act – Is Your Company Ready for June 27 Compliance?
• Appeals Court Tells Elon Musk –A Deal Is A Deal: Sec Consent Decree Sticks

 

On June 8th, 2023, U.S. District Judge William H. Orrick granted the CFTC default judgment, ruling that Ooki DAO acted unlawfully as an unregistered futures commission merchant, or FCM. Alongside the payment of a civil monetary penalty and a permanent ban from trading and registration, Ooki Dao, and any third-party web-hosting provider or domain-name registration service, were ordered to shut down the Ooki DAO website and remove its content from the Internet.

The case is significant in a few ways. The most critical consequence is that it establishes that DAOs may face legal consequences for their activities, in spite of commonly held notions to the contrary in the decentralized finance industry. Further, while the court order does not necessitate shutting down of the blockchain protocol, which is technically quite cumbersome, the ruling orders third-parties to remove all Ooki or Ooki-related contents from the Internet within their control, potentially making it more difficult for DAOs to receive services in the future.

CFTC v. Ooki DAO

While some DAOs are incorporated legal entities within which directors and members use various mechanisms on public block-chain systems to govern entity decision-making, as far as regulators are concerned, many digital asset organizations structure themselves as DAOs without legal incorporation in an attempt to evade regulatory oversight, especially when such groups remain unincorporated.^[2] The thought behind this is that, because the group is decentralized and thus no single person or entity responsible for operations or outcomes, then DAOs are not capable of being held liable (and thus enforcement proof) as they operate only as a loose collection of individuals coordinating amongst each other. Crucially, in the case of Ooki DAO, neither the entity itself nor any member of it responded to or defended the DAO from the allegations, likely in an attempt to avoid being presumed the DAO’s spokesperson and any concomitant personal repercussions that would follow.

As an aside, generally speaking, DAOs make decisions by means of governance tokens whereby holders of the tokens deliberate collectively with individual votes apportioned in some proportion to the individual’s holdings.

Regulatory evasion is not so simple, however, as has been illustrated by Ooki DAO, whereby the CFTC initially established its potential regulatory authority over DAOs by means of a judge’s holding in December 2022. In this effort, the Commission filed two original orders.

First, the CFTC issued a settlement order against bZeroX, LLC (“bZeroX”) and its founders Tom Bean and Kyle Kistner “for illegally offering leveraged and margined retail commodity transactions in digital assets; engaging in activities only registered futures commission merchants (FCM) can perform; and failing to adopt a customer identification program as part of a Bank Secrecy Act compliance program, as required of FCMs.” Bean and Kistner settled for a $250,000 civil monetary penalty and a promise not to violate the Commodity Exchange Act (“CEA”) or other CFTC regulations again.^[3]

Second, and most notably, the CFTC filed its enforcement action in federal court against Ooki DAO, bZeroX’s successor, for the same violations.^[4] To do so, the CFTC classified Ooki DAO as an “unincorporated association” under federal law, which is defined as a voluntary group of persons, without a charter, formed by mutual consent for the purpose of promoting a common objective.^[5] The original CFTC Order stated:

“An unambiguous way that individuals join together to govern the Ooki Protocol is by voting their Ooki Tokens. Once an Ooki Token holder votes his or her Ooki Tokens to affect the outcome of an Ooki DAO governance vote, that person has voluntarily participated in the group formed to promote the common objective of governing the Ooki Protocol and is thus a member of the Ooki DAO unincorporated association.”^[6]

The federal court agreed with the Commission on this fact, finding that the DAO could be sued for the alleged violations of the law. This initial holding chipped away at any illusions about the nature of DAOs and their capacity to evade regulatory oversight before the final ruling eroded the notion entirely.

In its precedent-setting decision, the court held that Ooki DAO is a person under the CEA and therefore can be held liable for violations of the law, violations which the court also affirmed Ooki DAO had committed as charged.

Reflecting on the decision, the CFTC Division of Enforcement Director Ian McGinley issued a warning to DAOs:

“The founders created the Ooki DAO with an evasive purpose, and with the explicit goal of operating an illegal trading platform without legal accountability…This decision should serve as a wake-up call to anyone who believes they can circumvent the law by adopting a DAO structure, intending to insulate themselves from law enforcement and ultimately putting the public at risk.”^[7]

^[1] https://www.cftc.gov/PressRoom/SpeechesTestimony/opabehnam31#_ftn47

^[2] Notably, in 2021, Wyoming became the first state to allow DAOs to register and operate in the state as limited liability companies, thereby affording DAO’s the same legal rights and protections as those of traditional business entities.

^[3] https://www.coindesk.com/policy/2022/09/26/cftcs-ooki-dao-action-shatters-illusion-of-regulator-proof-protocol/

^[4] Complaint: Ooki, et al. (Click to download the CFTC’s Complaint.)

^[5] Order: BZeroX, LLC, et al. (Click to download the CFTC’s Order.)

^[6] Ibid.

^[7] https://www.cftc.gov/PressRoom/PressReleases/8715-23

The post CFTC Wins Suit Against DAO, With Potential Broad Implications for DAO Ecosystem appeared first on IFRAH Law.

    

Related Stories

• Got Endorsers? Federal Trade Commission Issues Updated Advertising Guides
• INFORM Consumers Act – Is Your Company Ready for June 27 Compliance?
• Appeals Court Tells Elon Musk –A Deal Is A Deal: Sec Consent Decree Sticks

 

Who is Covered?

In summary, the law defines “online marketplaces” as a person or entity operating “a consumer-directed electronically based or accessed platform” that allows third party sellers to engage in the sale, purchase, payment, storage, shipping or delivery of a consumer product in the U.S., and “has a contractual or similar relationship with consumers governing their use of the platform to purchase consumer products.” (Website terms of service presumably qualify as a contractual relationship). “Consumer products” follows a standard definition used under several other laws, meaning products normally used for personal, family, or household purposes (versus business items).

The ”high-volume third party sellers” from which online marketplaces need to collect information are sellers in an online marketplace that, in any continuous 12-month period, during the past 24 months, has had on that platform 200 or more separate sales or transactions of new or unused consumer products, and $5,000 or more in gross revenues. In determining whether a seller meets these thresholds, the focus is on sales on the particular online marketplace. Thus, a seller could meet the threshold on one marketplace (e.g., Amazon), but not meet the threshold on another marketplace (e.g., eBay).

What is an Online Marketplace Required to Do?

First, online marketplaces must conduct due diligence of covered sellers. This requires collecting the following (within 10 days of a business meeting the definition of “high-volume third party seller”):

• Bank account number (if no bank account, the name of the payee for payments issued by the marketplace to the seller)
• Contact information
• Business ID/tax ID number
• Working telephone and email address
• Copy of valid government-issued identification for an individual acting on behalf of the seller or a government-issued record or tax document that includes the business name and physical address of the seller

The online marketplace then has 10 days to verify this information. In fact, some online marketplaces have already put these requirements in place. The Act does not specify requirements for verification. (The FTC has authority to issue regulations under the Act that could set mandates).

Online marketplaces must obtain an annual certification of this information from each covered seller. They are also required to suspend high-volume third party sellers that do not provide the required information within the required 10 day period. As an example, Amazon requires the data listed above, and warns that if a covered seller has not provided its information, Amazon can deactivate its account and hold disbursements (https://sellercentral.amazon.com/seller-forums/discussions/t/3f397093-fc95-478f-835b-8f80752600e8). eBay has similar requirements (https://www.ebay.com/sellercenter/resources/inform-consumers-act).

What are the Special Requirements for High Volume Sellers?

For high volume sellers of $20,000 or more in annual gross revenues, certain information must be provided to the online marketplace so it can be disclosed to consumers in a clear and conspicuous manner.  This means the disclosure should be made on the product listing page or in the order confirmation message  (or similar document) issued to the consumer following the purchase. The information must include:

• Seller’s full name
• Physical address
• Contact information of seller that allows “direct, unhindered communication” with the seller, including a working phone number, email address, or other means of direct electronic messaging
• If the seller used a different business to supply the product, the online marketplace must (at the consumer’s request), provide the name, address, and contact information for that business

What are the Exemptions?

The Act contains several exemptions, including for those businesses that make their name, business address, and contact information available to the general public, provided they have contractual arrangements with an online marketplace to manufacture, distribute, wholesale, or fulfill shipments of consumer products – and, they provide the marketplace with identifying information and the marketplace verified that information. The law’s data collection and verification requirements do not apply to the online marketplace itself

Who Enforces the New Law?

The Federal Trade Commission and state attorneys general enforce the law.  The FTC recently sent to 50 (unnamed) online marketplaces, warning them that noncompliance with the Act can be treated as an FTC rule violation, resulting in civil penalties of $50,120 per violation. Other actions by the FTC and state authorities can include enjoining further violations, and states may obtain damages and restitution for state residents. The Act preempts any inconsistent state law.

The FTC directs consumers and others to report suspected violations of the Act to www.reportfrraud.ft.gov.  The Act also authorizes the FTC to issue implementing regulations (although, to date, the agency has not undertaken a proceeding).

How is Personal and Business Data Protected?

                The Act requires online marketplaces to “implement and maintain reasonable security procedures and practices “ to protect the information that marketplaces are now required to collect. This includes having administrative, physical, and technical safeguards in place. The data collected to comply with the new law may not be used for other purposes, unless required by law.  This provision provides the FTC with specific, statutory data security authority in the event an online marketplace has a data breach incident.

What Can We Expect to see from the FTC

                The FTC will be monitoring online marketplaces’ compliance with the new law. As marketplaces have had several months to prepare for the June 27 effective date, we expect to see the agency take action against noncomplying entities within the first six to eight months. Online marketplaces must ensure they are collecting and verifying the required information. In addition, while not expressly required, it would be prudent to monitor and remain vigilant over repeated customers complaints concerning non-responsive, or “phantom” sellers. The FTC and state attorney generals will be monitoring online marketplaces to ensure they are collecting, verifying and suspending seller accounts that do not meet the INFORM Act’s requirements.

The post INFORM Consumers Act – Is Your Company Ready for June 27 Compliance? appeared first on IFRAH Law.

    

Related Stories

• Liar, Liar Robot on Fire – Can You Seek Legal Relief if a Chatbot Defames You?
• New California Law Establishes Broad Protections for Children’s Online Privacy – Exceeding Federal Requirements
• Ready, Set, Go: More States Adopt Privacy Laws

 

The world may soon find out.

In early April, Reuters reported that a regional Australian Mayor, Brian Hood, was threatening to sue OpenAI for defamation stemming from false statements produced by the company’s chatbot, ChatGPT. Hood alleged that, in response to user prompts, ChatGPT produced content that falsely stated Hood had gone to prison for his role in a government bribery scheme involving a subsidiary of the Reserve Bank of Australia in the early 2000’s. Although Hood had worked at the subsidiary, he had neither taken part in the bribery scheme nor gone to prison. To the contrary, Hood had been the whistleblower to report the bribery scheme to government authorities. Hood’s lawyers sent a letter of concern to OpenAI, demanding that the company fix the software’s erroneous content within twenty-eight days.  Failure to do so, the letter warned, could result in a potential lawsuit for defamation. As of the publication of this blog, Hood has not yet followed through on the threat of litigation.

This is the not the first time that ChatGPT has reportedly produced defamatory content.

Jonathan Turley, a professor at GW University, recently blogged about his own experiences with ChatGPT-based defamation.  In his case, the Chatbot was prompted to cite five examples of sexual harassment by U.S. law professors with citation to supporting news articles. In response to this prompt, ChatGPT responded that Turley had been accused of groping a law student on a trip to Alaska and cited a 2018 Washington Post article reporting the same. The problem? Neither the trip nor the article was real. In a column for USA Today, Turley wrote about the experience:

It was a surprise to me since I have never gone to Alaska with students, The Post never published such an article, and I have never been accused of sexual harassment or assault by anyone.

The bot’s proclivity for producing factually incorrect content – called AI hallucinations – occurs when AI algorithms and deep learning networks create results that are not real, do not match the data the algorithm has been trained on, or do not follow any other discernable pattern.[1] The result? The chatbot provides a seemingly realistic, but completely made-up answer.

Companies like OpenAI have acknowledged the problem by providing disclaimers in their terms of service and elsewhere on their products’ website. For example, OpenAI’s product page warns that its technology “still has many known limitations,” such as “social biases, hallucinations, and adversarial prompts.” Similarly, Google’s senior vice president, Prabhakar Raghavan, cautioned that Google’s AI “can sometimes lead to something [called] hallucinations. . . This then expresses itself in such a way that a machine provides a convincing but completely made-up answer.” However, these disclaimers likely offer little solace to those individuals whose reputations have been harmed by the AI’s hallucinations.

The issue raises the question: what remedies are available when an AI Chatbot defames you?

A. The Legal Framework of Defamation

One potential remedy available to those whose reputations have been harmed by false content produced by AI is a defamation suit. Generally, to bring a cause of action for defamation, the plaintiff must establish the following:

• A false statement purporting to be fact;
• Publication or communication of that statement to a third person;
• Fault amounting to at least negligence; and
• Damages or some harm caused to the reputation of the person or entity who was the subject of the statement.[2]

A more stringent standard applies to public figures suing for defamation. Pursuant to New York Times v. Sullivan, public figures – such as actors, celebrities, politicians – must establish that the defendant published the defamatory statement with actual malice.[3] A defendant acts with actual malice when he, she, or in this case, it, acts with knowledge that the publication was false or with reckless disregard of whether it was false or not.[4]

The first question that arises is to whom should the blame be directed? Assuming AI robots don’t possess intent in the legal sense, suing the robot itself isn’t a viable option.  Simply put at this stage in technology’s development, it would be nearly impossible to show that a robot such as ChatGPT acted with negligence or actual malice given that the machine operates based on the training sets provided to it by its programmers. Thus, the liability would most logically fall on the creator of the AI technology. For example, the Australian Mayor’s prospective defamation suit is directed toward OpenAI – the company that owns and trained the ChatGPT algorithms.

The average defamation plaintiff would be required to establish fault “amounting to at least negligence,” on the part of the tech programmer. In theory, this could be proven by evaluating the training sets used to program the AI and the guardrails put in place to identify and correct disinformation produced by the machine. For example, were there fact-checking processes integrated into the technology’s algorithm? If not, a plaintiff could argue that the content created via AI algorithm was published in a negligent manner.

It would be far more challenging for a public figure – such as a mayor – to establish fault under the more stringent actual malice standard. Courts recognize that establishing the actual malice of any defendant is “no easy task.”[5] Circumstantial evidence of a defendant’s actions, statements,[6] or motivations[7] may all be used to establish proof of actual malice.  Given the vast scope of data that programmers use to train their AI technology, it would be challenging to prove that the programmer intentionally or recklessly allowed its algorithm to generate defamatory content or knew that the content produced would be false.  This is because language-based AI models generate content by scraping information from data sets that contain millions of pieces of data, thereby making it seemingly impossible for any programmer to predict with specificity how the AI will respond to any given prompt. Given these circumstances, any public figure seeking to sue creators or programmers of artificial intelligence for defamation will undoubtedly face lofty obstacles to success.

B. Protection under the Communications Decency Act

Adding yet another barrier to relief, AI technology providers may be permitted to seek immunity from defamation suits under Section 230 of the Communications Decency Act, which shields providers of interactive computer services from liability stemming from tortious content posted by third parties on their sites.[8] To be entitled to immunity, a provider of an interactive computer service must not have contributed to the creation or development of the content at issue.[9] For example, in a case called Jones v. Dirty World Entertainment Recordings LLC, a plaintiff brought a defamation suit against a popular website known as Dirty World and its manager, an individual named Nik Lamas-Richie.[10] The plaintiff was the subject of several defamatory posts uploaded to the website by anonymous users.[11] The Court held that the website and Richie were immune from liability under Section 230 because neither “materially contributed to the tortious content.”[12] Instead, Dirty World and Richie merely provided a forum through which other anonymous users uploaded defamatory content.[13]

At this stage, it is unclear whether an AI provider would be provided with immunity under Section 230 for false statements generated by its AI chabot. Using ChatGPT and OpenAI as an example, it could be argued that although OpenAI trained the artificial intelligence, the content created and produced in response to user prompts is unique content created by the chatbot rather than content created or contributed by the software engineers at OpenAI. Simply put, ChatGPT is merely a tool provided to users that allows the users (not OpenAI) to create content. As in Dirty World, a court may find that the chatbots provided by ChatGPT are merely a forum through which online users can generate their own content.

On the other hand, it could be argued that OpenAI should not be provided with immunity, given that the company trained the ChatGPT bots and, therefore, materially contributed to the development of the technology that produced the content at issue. Or, more simply, that the content generated by the AI technology is effectively content generated by the website/company that provides the technology to users. This was the position adopted by Justice Neil Gorsuch during oral arguments for Gonzalez v. Google, LLC, case addressing Section 230 Immunity of algorithmic suggestions produced by websites such as Google and YouTube. There, the Justice suggested that a recommendation generated by YouTube’s algorithm constitutes content created by the internet service provider’s artificial intelligence. However, the question remains unanswered even after the Supreme Court’s decision in that case, which was ultimately dismissed on other, non-Section 230, grounds.

C. Products Liability

If defamation isn’t an option, are there any other forms of relief available to those who have been harmed by misinformation produced by AI technology? Given that the harm is being created by a machine, some legal scholars have argued that plaintiffs could pursue a products liability lawsuit to recover for harm caused by AI algorithms. Simply put, the plaintiff would argue that they were harmed as a result of defective AI technology.

A products liability lawsuit alleging a design defect focuses on the flaws in the product’s design that make it dangerous to consumers.[14]  A product is defective in design when the foreseeable risks of harm posed by the product could have been reduced or avoided by the adoption of a reasonable alternative design by the seller, and the omission of the alternative design renders the product not reasonably safe.[15] Generally, to prove a products liability claim under a theory of negligent design, the plaintiff must establish that the product’s manufacturer failed to use reasonable care to safeguard against foreseeable dangers caused by the product’s design.[16]

Arguably, a products liability suit may be better suited for AI technology used in products such as cars and medical devices than language-based models that generate content in response to user prompts. However, the claim could still be adapted to the context of language-model AI systems. To this end, Plaintiffs could sue tech companies for negligently designing their algorithms. The arguments made in support of such a claim would likely be similar to those discussed above with regard to a non-public figure defamation claim. Specifically, the plaintiff would assert that the AI tech developer negligently designed the algorithm by failing to program appropriate safeguards, fact-checking, etc.

Many states require a product liability plaintiff to show that the risk presented by the product could have been reduced or avoided through the adoption of a feasible, alternative design. This requirement could either aid or cut against a plaintiff’s AI lawsuit. For example, as discussed above, the plaintiff could argue that the AI tech developer should have implemented safeguards to prevent the creation of false and/or defamatory content. To this end, it could be argued that AI developers can and should ensure that the content used to train the artificial intelligence is truthful and verifiable. However, these arguments may fall flat given the vast amounts of data used to train the AI technology. Arguably, it simply isn’t feasible to ensure that the AI’s training sets – made up of millions of pieces of data – only contain truthful or verifiable information.  Further, it may be difficult to prove that an alternative algorithm or training set would be less harmful to consumers given that we simply don’t know how some AI algorithms operate – i.e., the “Black Box” problem. Without knowledge of how AI technology creates certain content, it may be impossible to argue that an alternative design would generate a better outcome.

Conclusion

Individuals who are defamed by AI chatbots will face several hurdles in their quest to obtain relief – proving negligent or reckless intent, combatting the immunity potentially provided by Section 230, or arguing that the technology could have and should have been designed in a safer way. Indeed, it seems that the law, as it currently stands, is ill-suited to provide legal remedy to those who have been harmed by the words of a chatbot. These deficiencies emphasize that as artificial intelligence technology develops, the law must also evolve.

Evolution is not impossible. Indeed, thirty years ago, scholars pondered how to mitigate the harms created by the Internet without impinging on the technology’s beneficial development.  Just as the law evolved to respond to the needs of the modern internet era, it must also be adapted to address the needs of a society in which AI technology continues to become a part of everyday life.

[1]  Dhanshree Shripad Shenwai, What is AI Hallucination? What Goes Wrong with AI Chatbots? How to Spot a Hallucinating Artificial Intelligence?, Marktechpost (Apr. 2, 2023), https://www.marktechpost.com/2023/04/02/what-is-ai-hallucination-what-goes-wrong-with-ai-chatbots-how-to-spot-a-hallucinating-artificial-intelligence/.

[2] See Restatement Second, Torts § 558.

[3] 376 U.S. 254, 280 (1964).

[4] Id.

[5] Carr v. Forbes, Inc., 259 F.3d 273, 282 (4th Cir. 2001).

[6] Celle v. Filipino Reporter Entreprises Inc., 209 F.3d 163, 183 (2d Cir. 2000).

[7] Herbert v. Lando, 441 U.S. 153, 160 (1979) (“New York Times [v. Sullivan] and its progeny made it essential to proving liability that the plaintiff focus on the conduct and state of mind of the defendant.”).

[8] 47 U.S.C. § 230(c).

[9] Goddard v. Google, Inc., 640 F.Supp.2d 1193,1196 (N.D. Cal. 2009) (under section 230, a website will be liable only if it “contribute[s] materially” to the alleged unlawfulness, not when it “merely provides third parties with neutral tools to create web content.”).

[10] 755 F.3d 398, 402 (6th Cir. 2014).

[11] Id.

[12] Id.

[13] Id.

[14] See 12 Am. Jur. Trials 1 (Originally published in 1966).

[15] Restatement (Third) of Torts: Prod. Liab. § 2 (1998).

[16] See, e.g., Trejo v. Johnson & Johnson, 220 Cal.Rptr.3d 127, 142 (Cal. Ct. App. 2017) (“A design defect exists when the product is built in accordance with its intended specifications, but the design itself is inherently defective.”); Burgett v. Troy Bilt LLC, 970 F. Supp. 2d 676 (E.D. Ky. 2013) (plaintiff bringing a design defect claim must demonstrate the product’s manufacturer breached its duty to use reasonable care to guard against foreseeable dangers.”); Bryant v. BGHA, Inc., 9 F. Supp.3d 1374, PAGE (M.D. Ga. 2014) (in Georgia manufacturers must exercise reasonable care in manufacturing products so as to make products that are reasonable safe for intended or foreseeable uses).

The post Liar, Liar Robot on Fire – Can You Seek Legal Relief if a Chatbot Defames You? appeared first on IFRAH Law.

    

Related Stories

• New California Law Establishes Broad Protections for Children’s Online Privacy – Exceeding Federal Requirements
• INFORM Consumers Act – Is Your Company Ready for June 27 Compliance?
• Ready, Set, Go: More States Adopt Privacy Laws

 

Background

Musk Enters into Consent Decree, then Challenges Consent Decree in Federal Court

In 2018, the SEC charged Musk with violating Section 10(b)(5) of the Securities Exchange Act of 1934 and SEC regulations. The case stemmed from Musk’s tweets on the Twitter social media platform (which he since purchased). In those now famous tweets, Musk stated to his over 20 million followers that he could take Tesla private at $420 per share (a huge premium to its then trading price) and that funding for the transaction had been secured and only needed a shareholder vote. The SEC asserted that Musk’s tweet was false in several ways, and caused Tesla’s stock to jump over six percent, with resulting market chaos.  

Instead of litigating the claims in court, Musk and Tesla settled with the FTC. The court entered a final judgment based upon the SEC consent decree. Musk was ordered to pay a $20 million penalty and comply with several undertakings. These requirements included the pre-approval of any written communications that contain, or reasonably could contain, information about Tesla or its shareholders. Tesla agreed to implement mandatory procedures to oversee and pre-approve Musk’s’ Tesla-related written communications, including Twitter posts. The consent decree also permitted the SEC to make “reasonable requests” of Musk to investigate his compliance.  

Musk’s compliance with the consent decree did not go smoothly. In November 2021, he tweeted about a potential sale of a large portion of his Tesla holdings, allegedly without obtaining the required pre-approval. The SEC promptly subpoenaed Musk and Tesla officials about the pre-approval process (or lack thereof). Musk filed a motion to quash certain parts of the SEC subpoena and to terminate the consent decree.  

The federal district court denied Musk’s motion to quash. The court held that as the SEC had not commenced a proceeding to compel Musk’s compliance with the subpoena, the doctrine of sovereign immunity barred Musk from bringing his own action against the SEC. The court also noted that the SEC  was entitled by the consent decree to probe the issue of whether Musk bypassed the required pre-approval procedures.  

Regarding Musk’s request to modify the consent order to remove the approval requirement (asserting his First Amendment rights), the court observed that “’a party seeking modification of a consent decree bears the burden of establishing that a significant change in circumstances warrants revision of the decree.’”1 This means either a significant change in factual conditions or in law. The court highlighted Second Circuit precedent that parties can waive their First Amendment rights in consent decrees and other settlements. Since Musk entered into the consent decree agreeing to the pre-approval requirement, he could not now complain about his First Amendment rights being violated. The district court also noted that the SEC had only made limited requests following up on the consent decree. 

Musk Appeals to the Second Circuit

Musk argued that the consent decree warranted modification due to changed circumstances and because the decree contained a prior restraint violating the First Amendment (which he claimed he did not validly waive). The Second Circuit rejected Musk’s claims, as he did not show either a significant change in factual conditions or in law.2 Further, contrary to Musk’s claims, the SEC did not use the consent decree in a harassing manner; in fact, the agency had only opened three inquiries to Musk’s tweets since the 2018 consent decree. The Second Circuit also recognized a line of cases establishing the strong federal policy favoring the enforcement of consent decrees. 

As to the waiver of Musk’s First Amendment rights, the court held that parties entering into consent decrees may waive their First Amendment and other rights. For instance, every consent decree involves waiving the right to trial. Thus, Musk remains subject to the 2018 consent decree, including the pre-approval requirements for his tweets and other social media postings or other written communications relating to Tesla or its shareholders.  

What We Can Learn from Mr. Musk

Musk’s losses in the trial and appellate courts reinforce the principal that a deal with the federal government is a deal. The standard for modifying or cancelling a consent decree requires a significant change in facts or the law. Therefore, individuals and organizations contemplating entering into settlements with federal agencies (through consent decrees or otherwise) should carefully negotiate the terms of the agreements. It is important to recognize, whether it is the SEC, the FTC, the FCC, the CFTC, or another agency, the terms of the consent decree will likely require commitments in furtherance of compliance, and in many cases, bar certain activities.  Agency personnel will scrutinize a company and/or individual’s adherence to the myriad requirements of the consent decree, which can last decades. Remember, a deal is a deal, even if you are Elon Musk. 

1 U.S. Sec. and Exchange Comm’n v. Musk, 18-cv-8865 (LJL), 2022 WL 123952, at *7 (S.D.N.Y. Apr. 27, 2022) (internal quotation marks omitted) (quoting Rufo v. Inmates of Suffolk County Jail, 502 U.S. 367, 383 (1992)).  

2 Sec. and Exchange Comm’n v. Musk, No.22-1291, 2023 WL3451402, at *3 (2d Cir. May 15, 2023).  

The post Appeals Court Tells Elon Musk –A Deal Is A Deal: SEC Consent Decree Sticks appeared first on IFRAH Law.

    

Related Stories

• Got Endorsers? Federal Trade Commission Issues Updated Advertising Guides
• CFTC Wins Suit Against DAO, With Potential Broad Implications for DAO Ecosystem
• INFORM Consumers Act – Is Your Company Ready for June 27 Compliance?

 

Because so many parents have made technology their babysitting choice, the job to protect children online—from online predators, to age-inappropriate content, to unauthorized use of children’s personal information—has fallen on the backs of lawmakers and has become a very hot topic among legislators, regulators, and consumer advocates. The result is new legal frameworks and new compliance obligations for companies who collect and process children’s data. If you are such a company, be aware of these legal developments. Read further for some background and a cautionary tale of what can happen if you—like so many parents—don’t pay attention. While parents face long term consequences of adverse health effects on their children, companies may face their own unwanted babysitters.

Several states have passed laws to enhance protections for children online. These include Arkansas, California, and Utah. Other states, including Maryland, Minnesota, Nevada, New Mexico, and Oregon, are deliberating legislation. California’s most recent law, the Age-Appropriate Design Code Act, dramatically expands on existing child protection laws and will require impacted companies to, (1) develop data protection impact assessments, (2) institute privacy by default practices, (3) tailor products based upon age, and (4) provide clear policy and terms that outline consumer rights and how those rights may be exercised. The California law takes effect July 1, 2024, so companies have a little over a year to assess and to prepare.

At the federal level, several bills have been introduced in recent months. The proposed measures address a number of different aspects of children’s online safety: limits to children’s social media presence, more robust age verification, expanded scope for the 1996 Children’s Online Privacy Protection Act (COPPA).

Meanwhile, regulators at the FTC (the agency charged with COPPA oversight and enforcement) have been busy furthering child-safety initiatives one company at a time, with a keen focus on Facebook (owner of the popular platforms Instagram and WhatsApp). Earlier this month, the FTC announced proposed changes to the agency’s 2020 consent order with the company. The proposed order would, among other things, expand protections for children using the platform.

The FTC’s proposed order would be the third iteration of such an order by the agency and against Facebook, each one re-opening the former order, accusing Facebook of violating the prior, and adding further requirements that go beyond statutory and regulatory mandates. In a press statement published May 3, 2023, the agency alleged that the company “misled parents about their ability to control with whom their children communicated through its Messenger Kids app.” Alleging violations of COPPA, the proposed order would impose strict limitations on Facebook’s ability to use information it collects from children and teens “(i.e. users under the age of 18).” Facebook would be permitted to use minors’ information only to provide the service and for security purposes. The company would be prohibited from monetizing any information, or using for its own commercial gain, children’s information, even after the reach the age of majority.

Note that the FTC defines “child” in the proposed order as “under the age of 18.” The definition of “child” in COPPA, the law on which the FTC’s authority is based, is “under 13 years of age.” Moreover, the contemplated restrictions exceed current federal legal requirements. Unless and until amended, COPPA does not prohibit the use or disclosure of children’s data. Instead, it generally requires parental notice and consent. The FTC is effectively expanding the scope of child protections by decree.

While few people are going to balk at an agency’s overreach when the purpose is to protect children, the thrice-hit Facebook provides a cautionary tale: Facebook was initially tagged in 2012 by the FTC for its failure to honor its privacy policies. A decade later, the company faces strict oversight and restrictions that go beyond the letter of the law. If you get within the sights of an enforcement agency, be prepared to be at the end of a very short leash… indefinitely (or a very tough Nanny McPhee).

Companies who collect and process children’s data — and by that we mean individuals under 18 years old — should look carefully at their data collection practices. If you collect data from children located in states with enacted, or pending legislation, you should track your policies and practices for legal compliance. If you turn a blind eye to whose data you collect (and we as a society continue to abdicate our own social responsibilities such as parental duties), you may find yourself in a long term relationship with state or federal regulators, one you won’t love but you cannot leave.

The post For the Children!: Children’s Online Safety Becomes Focus of State and Federal Law appeared first on IFRAH Law.

    

Related Stories

• The California Consumer Privacy Act: The Who, What, When, Why…and How.
• Ready, Set, Go: More States Adopt Privacy Laws
• Artificial Intelligence Poses Threat to Business Data Privacy and Confidential Information

 

The White House is accordingly delving into AI’s role in the workplace, recently announcing that the White House Office of Science and Technology Policy will release a Request for Information (“RFI”) to learn more about automated tools used by employers to “surveil, monitor, evaluate, and manage workers.” This data will be used to create policy, standards, and best practices surrounding the use of AI in the workplace. [1] 

While a variety of companies have announced plans to integrate AI generative tools into their workflow, many employees may have already capitalized on the technology – without company knowledge or support – for a potential productivity boost. In such cases, the risk to sensitive business information and overall data privacy could be immense, as AI tools rely on user-input not only to train their models but also for information to share with end-users, potentially exposing confidential data to the public. Without robust security measures and protocols for using AI tools, employees may expose both individuals and organizations to risks such as loss of competitive advantage, reputational damage, and even legal consequences. 

Illustrating these risks, a recent study by cybersecurity company, Cyberhaven, found that 11% of data that employees paste into OpenAI’s ChatGPT is confidential and at least 4% of employees have pasted confidential data into ChatGPT. [2] Additional data points show that the average company leaks sensitive data to ChatGPT hundreds of times each week. 

As a result, companies have been restricting employees’ use of AI in the workplace or for work-related matters in an effort to combat internal information leaks. Joining companies like Amazon, Bank of America, and Wells Fargo, Samsung recently imposed restrictions on its employees’ use of OpenAI’s ChatGPT. [3] The change in policy stemmed from an accidental leak of sensitive internal source code. Samsung’s rule was communicated to staff in a memo, describing the restriction as temporary while Samsung works to “create a secure environment” to responsibly use AI tools. 

Basic Anatomy of AI Data Leaks 

Generative AI tools, such as OpenAI’s “ChatGPT,” rely on extensive datasets to hone their algorithms, frequently processing vast quantities of user-generated content to develop the capacity to produce human-like responses. As users—in this case, workers—interact with these AI systems for tasks that may require inputting sensitive or proprietary information to accomplish their work, there is an inherent risk that the AI model might inadvertently integrate or refer to this confidential data in subsequent interactions with different users. The risk of a data leak is especially apparent, however, when workers unwittingly provide the AI with access to sensitive data, which could then be absorbed into the AI’s training set or even be utilized inappropriately in future exchanges. Furthermore, as multiple users engage with the AI tool, the likelihood of such data leaks increases, potentially creating a chain reaction of information breaches. 

For example, consider a hypothetical employee who copies and pastes key points from the organization’s internal strategy documents into ChatGPT, requesting it to reformat the content as a PowerPoint slide deck. If an external party inquires about the strategic priorities of the company for the current year, ChatGPT would likely respond based on the information supplied by the executive, especially if that information was not yet publicly available, as ChatGPT would have no other substantial references. [4] 

However, these risks can be mitigated if the data is properly handled and secured by the user before being handed to the AI model. Responsible employees, for instance, will implement data anonymization whenever possible, by modifying or transforming data to remove or obscure personally identifiable information (PII) and other sensitive details, ensuring that individuals or entities cannot be identified from the data. 

Company Solutions 

Beyond barring the use of generative AI tools entirely, companies presently have few easily accessible solutions to protect confidential data from being leaked by employees  through AI. This issue is illustrated by the manner in which information is typically input into AI models like ChatGPT. Presently, ChatGPT only processes text input – i.e., content pasted from users’ clipboards (the name for the location where copied values are held to be pasted on a computer) or keyboard entries. This means that common protective measures typically applied to email communications – such as preventing documents flagged as confidential from being sent out-of-organization – are inapplicable and insufficient to protect company data in the context of ChatGPT. 

Further, although companies can train their employees to be aware of the consequences of leaking confidential information to AI systems, the potential repercussions may be too downstream for workers to forgo the incentive of increased productivity – especially if there’s no risk of discipline. Additionally, depending on the particulars of the data leaked and other security measures implemented, companies may have a difficult time tracking down the offending employee, especially in a timely manner. 

As AI becomes more integrated into the workplace, current monitoring systems will become increasingly ineffective. When AI is not allowed by company policy, a monitoring system can easily catch an offender, just by flagging when they visited the URL. But when entire workflows commonly depend on the use of AI, distinguishing between proper and improper uses of data in AI prompting becomes increasingly difficult given that not all data is confidential or improperly secured by the user. 

This is not to say, however, that such efforts are worthless. Regularly reviewing logs and reports from monitoring systems that audit the use of AI in the workplace can significantly bolster policies instructing employees on how best to handle data by flagging potential offenses and making employees aware of the consequences for violation of company policy. To this end, data security policies should also be strictly enforced and updated as the technology advances or the workflow changes. 

Even if companies may not be able to mitigate the risk of information leak entirely, they should establish robust security measures and protocols for employees’ use of AI tools, as well as provide training and guidance to employees on the responsible and appropriate use of such tools. In so doing, companies may better safeguard confidential and proprietary information while capitalizing on the productivity benefits offered by generative AI tools. 

[1] https://www.whitehouse.gov/wp-content/uploads/2023/05/050123_OSTP_RFI_PREPUBLISH_.pdf 

[2] https://www.cyberhaven.com/blog/4-2-of-workers-have-pasted-company-data-into-chatgpt/ 

[3] https://www.forbes.com/sites/siladityaray/2023/05/02/samsung-bans-chatgpt-and-other-chatbots-for-employees-after-sensitive-code-leak/?sh=34b244c26078 

[4] https://www.cyberhaven.com/blog/4-2-of-workers-have-pasted-company-data-into-chatgpt/  

The post Artificial Intelligence Poses Threat to Business Data Privacy and Confidential Information appeared first on IFRAH Law.

    

Related Stories

• Ready, Set, Go: More States Adopt Privacy Laws
• For the Children!: Children’s Online Safety Becomes Focus of State and Federal Law
• INFORM Consumers Act – Is Your Company Ready for June 27 Compliance?

 

The last few years have seen several of the largest and most prominent mass-tort bankruptcies ever, including Purdue Pharma, LTL/Johnson & Johnson, USA Gymnastics, and several Catholic Dioceses. None of these cases have been a straightforward asbestos bankruptcy, even though some of them have involved asbestos. In practice, that has meant the involvement of new counsel for the plaintiff groups. Some of these counsel, particularly in the abuse-driven bankruptcies, have publicly stated that they intend to drive up the average value of the claims involved. That plaintiff driven desire to increase claim values has caused hotly disputed cases in which the debtor and the plaintiffs are the primary litigants. The other driving force is similar, debtors have sought protection for large, solvent parent companies. Prominent plaintiffs’ attorneys have judged that they would rather take the gamble that they will recover more from judgments against those companies, even if most claimant are left with nothing.

This new reality has lengthened bankruptcies. While most bankruptcy case are settled by agreement, the mediations ordered in many recent cases have lasted for years with little progress. Courts have been slow to recognize that the claimant constituencies are intentionally holding up cases and have relatively little leverage over obstreperous plaintiffs’ groups.

Another major factor has been the desire of the debtors in these cases to protect parent or affiliate companies. While that protection has always been something that the plaintiff groups have been willing to offer in exchange for bankruptcy protection, apparently the price is higher when the bankruptcy is the debtor’s idea. More to the point, several of the large recent cases have involved the so-called Texas Two Step. In the Two Step, the pre-petition debtor undergoes a “divisive merger” under Texas’ corporate merger statute (Tex. Bus. Orgs. Code § 1.002(55)(A)) to spin off the company’s liabilities to a new subsidiary. To date, plaintiffs have sought dismissal of and have refused to confirm any bankruptcy case that has employed that pre-petition maneuvering¹.  Nonetheless, the Texas Two Step has been a reaction, in part, to the first factor. Debtors are seeking ways to bring pressure to bear on a plaintiffs’ bar that is seeking increasingly larger payouts on untested or difficult to try torts.

To be sure, the ultimate goal is a deal, which means that debtor and claimants may eventually reach a deal and turn on insurers as a target. That’s exactly what happened in the Boy Scouts bankruptcy. There, the claimants could not even agree among themselves for years, with one faction creating an “coalition” of claimants to counter the official committee appointed by the court. But when a deal was reached with the BSA, the claimants shifted targets to the insurers. One plaintiff lawyer admitted incorrespondence that they were seeking the “holy grail” of trust distribution procedures that would be binding on insurers. As a result, despite the eventual agreement between claimants and the debtor, the BSA underwent a weeks long confirmation process and the plan that was eventually confirmed is still on appeal (with appeals filed by insurers and dissenting plaintiff groups).

These new developments have been good for lawyers. The fees in the LTL, Imerys, USA Gymnastics, Aearo Technologies, and other cases have been massive – exceeding $100 million in many cases. But its less clear that justice or claimants are being well served. If nothing else, the recent mass tort bankruptcy experience demonstrates that the bankruptcy process is not well designed to handle mass torts. Because the Supreme Court has prohibited class settlements in such cases, however, the bankruptcy courts are the only game in town. Congress has expressed interest in the scope of available third-party releases, but there hasn’t been meaningful movement towards real reform. The time is right for a fresh look at the Bankruptcy Code – even if the current Congress seems unlikely to agree on anything. In particular, two reforms are long overdue: (1) rules expressly addressing mass tort claims other than asbestos, and (2) the imbalance of leverage created by the super-majority vote requirement combined with the bankruptcy court’s inability to substantively address the merits of tort claims. Until those issues are addressed, mass tort bankruptcy will continue to be an expensive quagmire for all parties.

[1] Examples include In re LTL Management LLC, In re Bestwall LLC, In re DBMP LLC, and In re Aldrich Pump LLC among others.

The post A New Paradigm: Claimant Opposition to Mass Tort Bankruptcy and Needed Reform appeared first on IFRAH Law.

    

Related Stories

• Got Endorsers? Federal Trade Commission Issues Updated Advertising Guides
• CFTC Wins Suit Against DAO, With Potential Broad Implications for DAO Ecosystem
• INFORM Consumers Act – Is Your Company Ready for June 27 Compliance?

 

While privacy experts are prognosticating about how regulators are going to handle AI, Bedoya said that existing law already has it covered: “The reality is AI is regulated (in the U.S.). Unfair and deceptive trade practices laws apply to AI…If a company makes a deceptive claim using or about AI, that company can be held accountable.”  He was referring to Section 5 of the FTC Act, which gives the FTC enforcement authority over companies that make false or deceptive claims (specifically, “unfair or deceptive acts or practices.”).  The FTC has long held—and enforced—that companies’ privacy policies must match their practices.

There is a twist, however, in the context of AI: In order to provide individuals effective notice, you have to have a reasonable understanding of the technology.  In this vein, Bedoya called on companies to be proactive, transparent, and weed out potential risks when using AI.  With new technologies, perhaps especially AI, this means thoughtful adoption and use.  Afterall, if you do not know what the technology can or is likely to do, you cannot provide adequate notice to people.

Perhaps AI skeptics were frustrated that Bedoya did not announce plans for a new and rigorous framework… or perhaps AI adopters felt some sense of relief.  But we would urge companies that are using or exploring AI in their products and services to proceed cautiously and thoughtfully.  As we wrote recently, the FTC has put companies on notice to keep their AI claims in check or potentially face an investigation.  We anticipate an even more careful look at generative AI adoption in the sports betting industry – from federal and state regulators.

AI or no, we further urge companies to give a fresh look at their privacy policies to ensure they are up to date.  If things have changed to your practices, e.g., you have adopted new APIs, started to do data analytics, offer new services that require you to collect new pieces of personal data, your privacy policy should be updated to reflect these developments.  This practice is also a good starting point for compliance with new state privacy laws as they come into effect.  California and Virginia both have privacy laws that impact businesses serving consumers in their states.  Colorado, Connecticut, and Utah privacy laws will take effect in July and December.  And Iowa just passed legislation that will become effective in 2025.  Each of these states has notice and consent requirements, among other compliance obligations.  But all of them require our step one: have a privacy policy in place that clearly and accurately reflects your personal data practices.

[1] See e.g., our blogs at https://www.ifrahlaw.com/ftc-beat/international-data-privacy-day-our-top-10-data-privacy-tips/; https://www.ifrahlaw.com/ftc-beat/ftc-enforcement-reminds-companies-to-live-up-their-promises/; https://www.ifrahlaw.com/ftc-beat/keeping-your-privacy-promises-retail-tracking-and-opt-out-choices/; and https://www.ifrahlaw.com/ftc-beat/facebook-and-the-ftc-a-wake-up-call-for-companies-collecting-personal-data/.

The post Basic Data Privacy Hygiene and AI: Do What You Say and Say What You Do appeared first on IFRAH Law.

    

Related Stories

• Ready, Set, Go: More States Adopt Privacy Laws
• INFORM Consumers Act – Is Your Company Ready for June 27 Compliance?
• Liar, Liar Robot on Fire – Can You Seek Legal Relief if a Chatbot Defames You?