Internet Law in Ten Minutes

A non-lawyer tech exec friend asked for a doc to help his team look out for legal issues. This is what I came up with.

Internet Law in Ten Minutes

Disclaimer: Reading legal articles on the Internet and applying it to your situation would be silly. What follows isn't legal advice, it's general legal information. If you aren't an attorney, consult with one.

A non-lawyer tech exec friend asked for a doc to help his team look out for legal issues. This is what I came up with.

Privacy Law Generally

There are two ways to violate privacy laws:

  1. Using or disclosing personal data in a significant and unexpected way
  2. Failing to comply with a regulatory requirement like the GDPR, the CCPA, COPPA, SOPIPA, VPPA, HIPAA, etc.

The GDPR Isn't So Bad

The GDPR heavily regulates the use and disclosure of “personal information”, which is all information about an identifiable person in Europe.

So long as you aren’t using personal information for advertising, complying with the GDPR isn’t a big hassle. Essentially, you have to use personal information in reasonable, transparent ways and have to do some extra contractual paperwork.

Privacy Policies Are Necessary But Not Sufficient

You should describe what you’re doing with people’s personal information in your privacy policy. But, just because you’ve disclosed it, that doesn’t mean it’s definitely OK. It could still be unexpected or extreme enough that you had to be more up-front about it, or it just isn't allowed.

Save the Children

If you know a user is a "child", or should have known, you can’t use their data without proven parental consent. Each country has its own definition of “child.”

Schools Data Is Special

Certain states impose extra privacy-related obligations if you’re providing services to schools. Schools, similarly, are only allowed to use service-providers that comply with certain privacy restrictions.

So Is Health and Financial Services Data

It’s heavily, heavily regulated. You're gonna need more than ten minutes.

Intellectual Property and Publicity Rights

Don’t:

  • Use someone else’s intellectual property or name/likeness without permission (there are some exceptions to this);
  • Promote the infringement of someone else’s intellectual property; or
  • Fail to take down copyrighted content.

User-Generated Content

In the United States, platforms are generally not responsible for the actions or words of its users. However, there are some exceptions. Platforms will be liable if they:

  • Create a system which encourages illegal or tortious conduct;
  • Promise to address tortious or illegal conduct in such a way that someone reasonably relies on that promise; or
  • Create a platform which permits online sex-trafficking.

The rules around user-generated content in the rest of the world generally depend on what kind of platform you’re running and how big you are. If you’re Google or Facebook, then you fortunately have a bajillion lawyers to help you sort it out.

Security

There are two ways to violate legal security obligations:

  1. failing to implement “reasonable” security; and
  2. failing to live up to your public statements about security.

Many, many, many (etc.) companies get into legal trouble for security violations.

Responding to Data Breaches

Incident response requirements are a particular instance of a company’s security obligations. Failing to adequately respond to a data breach--by taking steps to investigate, mitigate, and notify--can lead to legal liability beyond the liability for the underlying security breach.

Marketing

Don’t lie. Don’t omit important details. Don’t be sneaky. Don’t text message people without consent. Don’t run a sweepstakes. Don’t use third-party content without consent. Go through a checklist.

Subscription Payments

You have to disclose certain things if you are going to charge users on a recurring basis. Also, don't take money from people against whom the United States has economic sanctions or are on a don’t-do-business-with-them list.

Bug Bounty Program

Have one. If you have one, don’t use it to cover up a data breach.

Failing to Protect Against Product Abuse

Creating a product that leads to easily-avoidable harm (like, say, allowing users to impersonate other users by claiming their phone numbers) is illegal.

Integrating with Other Companies’ Products and Services

If you do this, you need to comply with the other company’s terms of service, privacy policy, and usage guidelines. For example, using YouTube’s API to stream music through your product would be against YouTube’s terms.  

Open Source

If you use open source code code in the product, check the license. You will likely need to, at the very list, add an attribution.

Last updated: April 12, 2020