The Social Media & Games Law Blog addresses business and legal issues that affect the social media and game industries. Contributors are members of a legal team ranked top three in the country for video game law by Interactive Age. Published by Pillsbury Winthrop Shaw Pittman LLP
It’s an incredible time to be alive. The Digital Age has helped us reached levels of efficiency and connectivity that were unimaginable just a few decades ago. In his award-winning novel, Ready Player One, Ernest Cline, paints a picture of a not-so distant future where people spend the majority of their time experiencing life in the “Oasis,” a realistic virtual world where users interact with one another in amazing virtual environments that mimic reality in many ways, but where the rules of physics and nature are malleable, allowing the game publisher to create wildly entertaining games where virtually anything can happen. While we may not have the Oasis yet, today’s video games are rapidly evolving into similar immersive social platforms where users can play, compete and express themselves in settings that seem to be inevitably headed towards something that looks increasingly like Cline’s Oasis. One way that video game makers are able to make game backdrops more realistic and thus enrich the overall user experience is to incorporate real-world ideas and content to more closely emulate reality in the game. In response, an increasing number of intellectual property owners who object when their “property” gets incorporated into video games are bringing lawsuits that will help define the boundaries of intellectual property law in this new arena.
(Note, this post has spoilers for Avengers: Endgame.)
Perhaps one of the most mesmerizing scenes in Avengers: Endgame is where all the MCU superheroes (including those on Titan) come through Dr. Strange’s portals to enter the battle against Thanos. In Avengers: Infinity War, Dr. Strange didn’t use these portals to send Iron Man and the others on Titan back to Earth before everyone got dusted, but that alternative storyline certainly may have been one that fans would have enjoyed. Understandably, one enormous limiting factor to alternative storylines is cost—especially when $600-800 million was spent to create the two movies as they are. Future advances in artificial intelligence technologies may change that. Indeed, a number of large tech companies are already interested in creating interactive content to personalize storytelling (e.g., Black Mirror’s “Bandersnatch” episode), and recent developments in machine learning algorithms (including those fueling the creation of photorealistic images) may bring us closer to that reality sooner than later. If so, under what circumstances will companies own and get to collect on the copyright?
When it comes to photos destined for the web, I’d rather be behind the camera than in front of it. However, on a recent trip to Tokyo I was reminded that photos of me, and specifically my face, are often being captured and processed by systems that are increasingly being embedded in our modern life.
We’ve previously written about “tweet-less, picture-less,” computer-operated accounts or bots, that make one appear more popular—a.k.a. influential on social media—than one actually is. Recently, legislators and law enforcement agencies have moved to crack down on bots, their evil cousins known as sock puppets, and other deceptive social engagement practices. Specifically, California passed a law that goes into effect in July 2019 banning the undisclosed use of bots to communicate or interact with a person for knowingly deceiving that person to influence commercial transactions or vote in an election. Meanwhile, New York and Florida announced settlements with Devumi LLC, a company that grossed over $15 million in revenue by creating, packaging and selling fake social media likes, followers and posts after the media exposed Devumi’s deceptive activities. The Devumi settlements mark the first of their kind indicating that such activity constitutes illegal deception of the public and, to the extent Devumi used stolen identities for its online activities, illegal impersonation.
Protecting consumer data privacy in the age of artificial intelligence and increased digital commerce is a growing concern. In June 2018, the California Consumer Privacy Act (CCPA) introduced provisions to protect consumers and became the first U.S. law that can be viewed as a response to GDPR. Going into effect on January 1, 2020, legislation of this scope has far-reaching tendrils that may breed unintentional consequences.
Let’s explore some of the implications of this law in the context of a recent letter sent by Clark Kent to a large internet company.
Mr. Clark Kent
1938 Comicbook Ln.
Metropolis, CA 90999
January 1, 2020
Chief Information Officer
Totally Not Evil Internet Corp.
Dear sir or madam,
I write this letter to exercise my rights under the California Consumer Privacy Act (CCPA). As you are no doubt aware, the CCPA became effective today. I would like to be honest with you. You’ve probably guessed why I’m writing this. I have read about the advances of your company’s facial recognition algorithms and machine learning research. I expect it was a shock when your software figured out what I look like without glasses.
Since your company meets all three of the thresholds outlined in the CCPA (even though your company only needs to meet one), I hope that you will take my letter seriously. Specifically, from my cursory research, your company (1) has annual gross revenue over $25 million; (2) annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices for commercial purposes; and (3) derives 50% or more of your annual revenue from selling consumer personal information.
Now that we have that out of the way, I want to voice my concerns. A surprisingly broad array of information is covered by the CCPA. For example, “personal information” is defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (And, as a “consumer” under the CCPA is merely a natural person who is a resident of California—that means me.) I note that the definition of personal information specifically includes biometric information, as well as audio, electronic, visual, thermal, olfactory or other similar information. It sure seems that any photos, videos, audio recordings, etc., of Superman in your possession could reasonably be indirectly linked to myself and should therefore be considered my personal information. Because the CCPA covers information that could be reasonably indirectly linked to my entire household, I think you should also include such information or data pertaining to my dog, Krypto, in this request.
Please consider yourself lucky if you do not have any olfactory information obtained from Krypto, but, if you do, please include it in this request as well.
Before you object on the grounds that photos of Superman (and Krypto) are publicly available information (and therefore not covered by the CCPA), I should point out that the drafters of the CCPA saw fit to define the term “publicly available” very narrowly: “For these purposes, ‘publicly available’ means information that is lawfully made available from federal, state, or local government records.” So, for instance, it seems to me that when one of your users takes a selfie with Superman after being rescued from a burning building, collapsing bridge, or the like, and that user’s smartphone automatically uploads that photo to your cloud storage service, I think I have a colorable argument that such selfie contains personal information about me and your company must disclose to me if it subsequently uses that photo for business or commercial purposes, such as including it in a training set for your facial recognition software .
Perhaps you disagree. I can see where you might think the CCPA is unclear. But the real question is whether you want to spend the resources necessary to fight the lawsuit that I am able to bring against Totally Not Evil Internet Corp. in the event that you do not encrypt a photo like that and there is any unauthorized access and exfiltration, theft or disclosure of that photo. The nature of my secrets being as delicate as they are, I would be interested to see how a court views “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” How secure is your data security? Please remember that under the CCPA, I could seek recovery of actual damages. Considering the last time someone found out my secret identity it resulted in several city blocks being reduced to rubble, you might want to remember that actual damages in my case exist on a considerable scale.
Accordingly, I would like to request the following:
That, per Cal. Civ. Code section 1798.100, you reveal to me all categories of personal information that you have collected in relation to me or my household (please include Krypto, Superman, and, as things have been going very well lately, Lois Lane), as well as the specific pieces of information you have collected (yes, including olfactory information).
That, per Cal. Civ. Code section 1798.105, you delete all such information.
That, per Cal. Civ. Code section 1798.110, you disclose to me the categories of sources from which my personal information was collected and the categories of third parties with whom you share my personal information.
That, per Cal. Civ. Code section 1798.110, you disclose to me the business or commercial purposes for collecting or sharing my personal information.
That, per Cal. Civ. Code section 1798.115, you disclose whether or not you have sold or disclosed my personal information to third parties, and if so, the categories of my personal information that Totally Not Evil Internet Corp. has sold or disclosed to third parties.
And lastly, that, per Cal. Civ. Code section 1798.120, you cease selling my personal information to third parties.
As provided by Cal. Civ. Code section 1798.130, I shall await your complete response to the above requests within 45 days. And should you try to hide the full extent to which you have collected and used my personal information, I will remind you that, in addition to risking significant penalties that the California Attorney General can seek against you, I work with the best investigative reporter in the business.
Clark J. Kent
(P.S. I expect you will shortly receive similar letters from my friends, Diana, Hal and Oliver.)
As you can see from Mr. Kent’s letter, the CCPA is complex legislation that impacts many aspects of today’s consumer-facing commerce. Under the CCPA, consumers are entitled to seek broad categories of information from businesses—requiring businesses to let a requesting consumer know what personal information is collected from that consumer, the sources from which that information is collected and the business purposes for collecting or selling the information and third parties with which the information is shared. There is no question that this law is forcing businesses to change how they handle data. What businesses should ask themselves is whether they are implementing necessary changes fast enough to avoid the expensive fines, class action suits and injunctions that can result from non-compliance with the CCPA.
In another case of the law trying to keep pace with evolving technology, legislators are introducing bills to punish those who attempt to create false images that purport to be real. Targeting the rise of automated computer-generated imagery that has become increasingly accessible to the public, on February 14, 2019, California Assemblyman Marc Berman introduced a bill to create a criminal cause of action for making or distributing a “deepfake.” Deepfakes are multimedia, often audiovisual recordings, that seem real but that are generated by computers, often utilizing artificial intelligence-enhanced algorithms.
The Committee on Foreign Investment in the U.S. (CFIUS) has effectively ordered the divestiture of Beijing Kunlun’s ownership of the online dating site, Grindr, just as the company was preparing for an IPO. The case is important for three reasons. It emphasizes the importance of a CFIUS risk assessment before an investment or acquisition is negotiated. It highlights the risks of deciding not to make a voluntary CFIUS filing before the deal closes. And it sends a message to parties who have already closed: the U.S. government is watching, so assess your CFIUS exposure now.
Given the growth of investments in and shift of regulatory views regarding cannabis-related products, many companies in industries like medicine, lifestyle and foods/beverages are looking to carve out niches and be leaders in the relatively new space. As with any new technology space, it is essential to have a robust intellectual property protection strategy to both establish and preserve one’s position as a dominant player in an emerging market. One important step that a company may take when creating such a strategy is applying for patents.
Back in September, we looked at the concerns and implications surrounding a proposed new copyright law being considered by EU legislators. Yesterday, perhaps faster than many expected, the European Parliament passed the new law. Many tech companies, digital rights activists and academic researchers found common ground in opposing the legislation, which they claim will stifle information sharing and enable censorship. Supporters of the law see it as a means to protect creative content. As written, the legislation is not quite as restrictive in all areas as initially feared—memes and gifs are “safe,” as are uploads to noncommercial and open-source sites—but nonetheless, now that it has been passed, and after inevitable legal challenges lead to further adjustments in the language, we’ll see who was right.
Over the past several years, cannabis has been one of the hottest areas of investment and innovation, with many states introducing legislation to legalize cannabis use in some form. Correspondingly, many companies have entered the U.S. market and are even listed on the Nasdaq or the New York Stock Exchange, leading to much interest on Wall Street. Many nascent industries have budded in the cannabis space, ranging from growing the cannabis plant itself to extraction processes to consumer products like vapes.