TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Internet-connected devices contributing to the Internet of Things (IoT) are projected to exceed 50 billion devices by 2025, according to the Federal Trade Commission’s Bureau of Consumer Protection in its June 2018 comments on the Consumer Product Safety Commission’s notice of public hearing and request for written comments on “The Internet of Things and Consumer Product Hazards.” Such widespread use of and access to these internet-connected devices—which can collect personal data from their users—has spurred legislative movement toward introducing security standards for IoT devices. These initial steps start with the US government’s use of IoT devices through the Senate’s third proposed bill on the subject, S.734. The bill, known as the Internet of Things Cybersecurity Improvement Act of 2019, aims to manage cybersecurity risks regarding secure development, identity management, patching, and configuration management of “covered devices.” Under the proposed bill, a “covered device” is one that can connect to the internet, has data processing capabilities, and “is not a general-purpose computing device.” The covered devices at the focus of this bill refer to devices “owned or controlled by” the federal government.

In this month’s Contract Corner, we are highlighting considerations for drafting an up-to-date privacy policy. In Part 1 of this series, we provided background on the general legal landscape for privacy policies in the United States and general issues that need to be addressed for an up-to-date policy. In this Part 2, we will provide some specific pointers on drafting, updating, and disclosing such policies.

Additional Information to Include

In addition to the list of items that should generally be covered in every privacy policy we provided in Part 1, the following are additional items you may need to set out in your specific privacy policy:

  • Directions for customers to access and update data (e.g., password resets, contact information updates, and mechanisms for unsubscribing)
  • Contact details or other means of reaching persons in your organization that can address user queries or concerns
  • Information regarding notifications when the privacy policy is updated (see below for considerations when reviewing and updating your policy)
  • Mechanisms for users to agree to and accept the terms of the privacy policy, as well as means for users to opt out

Drafting and posting a clear, concise, and accurate privacy policy is one of the most important tasks when creating a company’s website, particularly given today’s legal and regulatory environment. Privacy policy legal requirements are becoming more stringent and shortcomings less tolerated, and consumer sensitivity to privacy concerns are at an all-time high.

Despite these concerns, many companies’ policies are seemingly insufficient. A recent opinion piece published as part of the New York Times’ Privacy Project assessed 150 privacy policies from various companies and found that the vast majority of them were incomprehensible for the average person. At best, these seem to have been “created by lawyers, for lawyers” rather than as a tool for consumers to understand a company’s practices.

In this month’s Contract Corner, we will highlight considerations for drafting an up-to-date privacy policy. Part 1 of this month’s Contract Corner will provide background on the current legal landscape for privacy policies in the United States and general issues that need to be addressed.

Join Morgan Lewis at our Philadelphia office on April 11 for a discussion on hot topics impacting services contracts in the digital economy. Morgan Lewis labor and employment partner Sarah Bouchard, litigation partner Greg Parks, together with technology, outsourcing, and commercial contracts partners Barbara Melby and Michael Pillion, and associates Christopher Archer and Katherine O’Keefe will speak at the event.

Topics will include:

  • Ethical considerations for lawyers working in a digital world
  • Common issues to consider when using vendor cloud agreements
  • Industry updates
  • Contracting for automation solutions

A networking reception will follow the discussions. We hope you can join us!

Register here.

Morgan Lewis partner Peter Watt-Morse (Pittsburgh) and associate Eric Pennesi (Pittsburgh) will be participating in the Pennsylvania Bar Institute’s 2019 Cyberlaw Update, which will address trending topics, including blockchain and cryptocurrency and security and privacy concerns related to social media, in addition to GDPR.

Topics to be discussed include:

  • Social Media Ethics – Its Use and Impact on the Practice of Law
  • IP in the Age of Cloud Computing and Artificial Intelligence
  • Responding to Data Breaches – Legal Update and Practical Counsel

The event will be hosted at the PBI Professional Development Center (Heinz 57 Center, 339 Sixth Avenue, 7th Floor, Pittsburgh PA, 15222) on Tuesday, April 30 from 9:00 am to 4:00 pm.

Register for Event

The Federal Trade Commission (FTC) is requesting comments on proposed amendments to two rules addressing the privacy and security of customer information under the Gramm-Leach-Bliley Act. The FTC plans to publish the notices in the Federal Register in the near future.

Reece Hirsch, Morgan Lewis partner and editor of the Bloomberg Law California Domestic Privacy Profile, is hosting a webinar, California Privacy Law Update: The California Consumer Privacy Act and More, during which he will review some of the latest developments in California privacy legislation.

California has long taken an innovative approach to privacy legislation and there were many developments in the state in 2018 and going into 2019. Webinar topics will include the following:

  • Continuing evolution of the California Consumer Privacy Act, including insights from the Department of Justice’s January public forums
  • Internet of Things security law
  • Bot transparency law
  • Endorsement of the 23 Asilomar AI Principles
  • Lodging and common carrier privacy law
  • Consumer reporting agency security law

The webinar will take place on Wednesday, February 13, from 1:00 pm to 2:00 pm ET.

Register for the webinar >

Does your website or application collect user data? Does your company sell that user data to other third parties, such as advertisers? Does your company disclose this practice to your users in a privacy policy or terms or use? If you answered yes to these questions, you are most certainly not alone. But is your disclosure sufficient? That is the question a new challenge is poised to answer.

The process of “going digital” has drastically affected the outsourcing market in recent years. During their webinar, Outsourcing Across the Globe—Going Digital, Ed Hansen, Simon Lightman, Barbara Melby, and Mike Pierides will discuss how to prepare for the future of outsourcing and leading trends that will impact outsourcing transactions globally in 2019. Topics will include the following:

  • Privacy considerations for Europe, China, and beyond
  • The increasing impact of automation
  • Using the contract to mitigate risk

The webinar will be held on Wednesday, January 23, 2019, from 12:00 pm to 1:00 pm ET (5:00 to 6:00 pm GMT).

Register for the webinar.