INTELLECTUAL PROPERTY AND TECHNOLOGY DUE DILIGENCE

©2018 by the American Bar Association. Reprinted with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.


Chapter 8
Technology, Data, and Online Services Due Diligence
By Edward Klaris*

*I would like to thank Cindy Hong, Luke Budiardjo, and Emily Borich for their remarkable, diligent, and intelligent contributions to the copyright, trademark, and technology chapters of this book. In particular, Cindy Hong led the writing and researching team, staying on schedule, and drafting and redrafting where appropriate, all while holding down a rigorous federal clerkship. I am forever grateful to Cindy, Luke, and Emily for their contributions.

I. Introduction

For proper intellectual property due diligence, data and online services must be carefully surveyed. Following the steps in this chapter will help you avoid value erosion and increase your value creation opportunities.

The due diligence process for any transaction involving a target that holds intellectual property (IP) assets should include a review of the technology assets and information technology (IT) infrastructure used to host and store those assets. Section II explains the IT due diligence process, from the identification of key personnel at the target organization to the surveying of IT systems and the determination of third-party licensors of software or vendors of IT software.

Section III covers cloud computing services and investigates why relying on shared computing resources instead of local servers can help a company avoid large expenditures. It explains how to identify the role cloud computing plays in the target’s current organization of its IT.

Section IV, “Data, Aggregated Data, and Analytics Tools,” covers a range of important issues, as its title suggests. It begins by highlighting that the data the target has collected from its employees and customers can be a valuable asset and explains how this data should be surveyed. Section IV.B then explains what aggregated data is and how it differs from raw data because of its potential to be protected by copyright.

Once you have mapped out the target’s data (both raw and aggregate), you can maximize its potential by doing two things. First, you can license it. Section IV.B.3 provides a list of terms and conditions that you should note when reviewing the target’s data licenses, or when granting new ones. Second, by employing data analytics—the process of examining data sets to draw conclusions that will enhance business gain—you can identify patterns of consumer behavior. Section IV explains how to map out the target’s current use of data analytics.

Finally, Section V covers the policies that a target has, or should, put in place regarding the collection and protection of data it might collect online. If the target is involved in payment card processing, you will find the Payment Card Industry Data Security Standards that are reproduced in Section V to be helpful. Section V also sets out the Federal Trade Commission (FTC) guidelines on the collection of sensitive personal information, which are applicable to any company retaining such data. It further covers the FTC guidelines for the collection of information relating to children, website privacy policies, and California privacy law. California law is highlighted because any media company conducting business in California must comply with California’s Online Privacy Protection Act (CalOPPA).

II. Technology Assets and Infrastructure

The due diligence process for any transaction involving a target company that holds intellectual property assets should include a review of the technology assets and information technology infrastructure used to host and store those assets. Today, many due diligence teams tend to overlook information technology due diligence during transactions, and many senior corporate and private equity executives claim that this oversight tends to lead to value erosion and missed value creation opportunities.1 A thorough understanding of the systems used by both the target and buyer can help avoid unknown risks and costs and uncover synergies and potential cost savings that may result from the elimination of posttransaction redundancies.

The IT due diligence process should begin with the identification of key personnel at the target organization who have knowledge of the broad framework of IT systems employed within the organization. The practitioner should seek out a chief information officer (CIO); chief technology officer (CTO); any outside IT, IP, technology, or privacy counsel; and/or any outside technical experts.2 After identifying key personnel, the practitioner should seek to gather all relevant information and documents regarding the use, maintenance, security, and ownership status of these systems.

Ownership of Assets. One of the first steps in the information technology due diligence process is to survey the IT systems (including both software and hardware) used by the target company. The buyer/practitioner should request disclosure schedules from the target/seller to identify and locate these systems. The practitioner should also speak to employees within the target organization to understand the importance of each system to the operations of the business. It is crucial to understand not only which systems the business relies on to manage its intellectual property assets but also how those systems are owned and operated. Accordingly, the due diligence process should involve the collection of any licensing agreements, service agreements, or other agreements relevant to the use of the IT systems on which the business relies to store, manage, use, and deploy its assets.

1. Half of All Businesses Overlook IT Due Diligence in Mergers and Acquisitions, ComputerWeekly.com (12 Mar. 2012, 13:43), http://www.computerweekly.com/news/2240146667/IT-too-often-overlooked-in-MAs (citing an Ernst & Young survey of 220 senior corporate and private equity executives in Europe that found that only half conducted separate IT due diligence, and that nearly half of respondents said that “more detailed IT due diligence could have prevented value erosion”).

2. Jason Haislmaier, Deciphering Due Diligence: Tackling Software and IT Issues that Can Cripple M&A and Other Corporate Transactions, 57 Prac. Law. No. 1, 2011, at 19, 21.

The practitioner should also determine whether IT systems are shared with parts of the seller organization not to be transferred in the subject transaction, and how the ownership of those systems will be affected by the transaction.3 The transaction agreement may contemplate the continued shared use of IT and technology systems after the transaction, either by retaining ownership in the seller and providing for continued shared use by the purchaser or vice versa.4 In these shared-use scenarios, parties will typically create a license agreement to formalize the terms of this shared use.5

Use and Maintenance. The due diligence process should also examine how the IT systems are used and maintained within the target organization. The practitioner should seek to understand the methods and applications used to access the technology infrastructure that houses intellectual property assets. The practitioner should request information regarding how IT systems are supported, maintained, and monitored by the target organization and should obtain any service reports or assessments of system performance that have been carried out by the target.6 The practitioner should also obtain a timeline of any scheduled or ongoing development or testing projects relevant to these systems and a description of the methodologies behind these projects.7 Additionally, the practitioner should seek to understand which employees of the target organization are responsible for the control and maintenance of the relevant systems and should investigate any backup plans to deal with a situation in which those employees leave the organization.8 It may be helpful to understand the costs associated with using and maintaining the key systems that the business relies upon and to identify the past, current, and expected costs of maintaining adequate systems architecture.

3. David M. Klein, IP in Mergers & Acquisitions § 4:16, Intellectual Property Due Diligence (November 2016 Update).

4. Id.

5. Haislmaier, supra note 2, at 23.

6. Id.

7. Id.

Security and Compliance. Another important consideration is the physical security of data and media storage systems. The practitioner should seek to understand where any data centers are located and the physical security, disaster recovery, and backup/redundancy features of those data centers. It may also be necessary to speak to relevant personnel in the business about any jurisdiction-specific or industry-specific regulatory frameworks that may impose requirements on how particular assets are stored and protected. The due diligence process should include the identification of any employees within the organization who are responsible for regulatory compliance of information technology and any regulatory compliance policies and procedures used.

Third Parties. Most IT or software systems used by companies are not entirely developed or owned by the target organization.9 Third-party licensors of software or vendors/providers of IT systems must be identified as a part of the due diligence process. The practitioner must identify and obtain the key agreements and documents with these parties and seek to understand the extent of rights defined by such agreements. For example, many third-party software licenses or service agreements prohibit the use of the licensed system to provide services to others, which could restrict the buyer’s and seller’s ability to enter into the types of shared-use licensing agreements mentioned earlier.10

Redundancy and IT Overlap. Due diligence regarding key IT and technology assets should also include a review of the systems used by the buying party. In many acquisition transactions, IT systems used by the target may overlap with or duplicate the systems used by the buyer. In these instances, the practitioner should consider whether any redundancy can be eliminated after the transaction closes and should consider whether vendor contracts relevant to those systems would allow for cancellation.11

8. Joel Schneider, Identifying and Addressing IT Issues in M&A Due Diligence, Wall St. J., Mar. 20, 2014, http://blogs.wsj.com/cio/2014/03/20/identifying-and-addressing-it-issues-in-ma-due-diligence/.

9. Id.

10. Id.

III. Cloud Computing, Managed Services, and IT Outsourcing

Cloud computing commonly refers to “network-based services, which appear to be provided by real server hardware, and are in fact served up by virtual hardware, simulated by software running on one or more real machines.”12 The rapid adoption of cloud computing by various companies has been driven, in part, by cloud computing’s ability to avoid the large expense of maintaining organization-specific servers (e.g., capital expense associated with the servers, the rent costs associated with housing servers, and the personnel costs associated with the maintenance of those servers).13 By using cloud computing services, which “rel[y] on sharing computing resources rather than having local servers,” a company can avoid these large expenditures, instead electing to pay relatively small operating expenses to a cloud computing services operator.14

A. Identifying Relevant Agreements

It is very likely that the target of an acquisition relies at least partially on a cloud service provider or an IT outsourcing services provider. For example, many small technology companies use products such as Amazon Web Services15 for “database storage, content delivery,” and other services.

11. Id.

12. J. Nick Badgerow, The Move to Cloud City: The Benefits and Risks of Cloud Computing, 84 J. Kan. B. Ass’n 22, at 1 (2015).

13. Id.

14. Id.

15. See Cloud Computing with Amazon Web Services, www.aws.amazon.com/what-is-aws/.

During the due diligence process, the practitioner should seek to understand the licensing agreements between the target organization and these service providers and understand the steps required to ensure that these services will not be interrupted during and after the transaction. It will be necessary to identify the parties named in any licensing agreements to understand whether any new agreements will have to be formed after the transaction (for example, if service agreements are negotiated and signed by the seller organization, the target may lose the right to use these services after the transaction).

The practitioner should also examine the structure of any licensing or service agreements to understand their time frames (and when they may have to be renewed or renegotiated) and to evaluate their costs. The identification of any redundancies between services used by the target and services used by the buyer is an important way to identify previously undiscovered synergies and opportunities for cost savings.

The practitioner should be aware of the multitude of different types of services that a business may use. Cloud services may consist of:

• Offline backup services (allowing for the backing-up of data to offsite servers for disaster protection purposes)

• Hosted servers or “private cloud” services (remote servers used to store files and documents, run by external vendors for a fee; examples include GoogleApps and Intermedia)

• Document storage and document management services (e.g., Dropbox, Box)

B. Security

In general, the practitioner should consider the stability and terms of any cloud services vendor with which a company has contracts. The practitioner should consider whether the vendor agreement requires the vendor to preserve the confidentiality and security of the data stored, and whether the vendor is bound by the terms of the agreement to notify the client of any unauthorized third-party access to the materials.16 Additionally, the practitioner should consider the backup and storage practices of the vendor and ensure that those practices align with any data storage and retention duties that may be relevant to the client’s industry, business, customer agreements, or privacy policies.17 It may also be prudent to examine the way in which the client company uses the cloud computing service: some sources recommend that clients using cloud storage systems encrypt all data before storing it through a cloud computing service as an extra layer of protection against theft of the information.18

IV. Data, Aggregated Data, and Analytics Tools

In addition to the content that generates revenue for a media company, data that the company has collected from its employees and customers can be a valuable asset as well. These data are sources of information for identifying future growth opportunities and general marketing. This section discusses sources of data as well as the legal protections available for that data.

A. Data Sources

In general, raw data is not protected by copyright law. However, it is still a valuable tool or commodity for business development. Media companies have a unique basket of data assets that differ from those of other industries. As part of a comprehensive due diligence process, the buyer should identify the seller’s assets and identify how the security program ensures the safety of those assets. A media company will have several asset categories, discussed herein.

16. Oregon Ethics Op. 2011-188 (Nov. 2011, rev. 2015), http://www.osbar.org/_docs/ethics/2011-188.pdf.

17. Id.

18. Maine Ethics Op. 194 (June 30, 2008), http://www.maine.gov/tools/whatsnew/index.php?topic=mebar_overseers_ethics_opinions&id=86894&v=article. See also Ed Finkel, Feeling Secure in the Cloud, 103 Ill. B.J. 20 (2015) (noting the importance of encryption of data before the use of cloud storage systems, and identifying several recommended encryption services).

Consumer Data. Media companies collect customer data from a variety of sources. Companies typically request data from customers through online registration for website accounts, purchases of subscriptions, and long-term service contracts. The data may include customer names, birthdates, mailing addresses, phone numbers, email addresses, and credit card information. Such personally identifiable information is a valuable asset for helping identify and target relevant consumers.

Business Strategies. Proprietary information about the company’s business strategies should be protected. Proprietary information includes data about strategic mergers and acquisitions, expansion plans, changes in territory, and hiring programs. Business information can be valuable to competitors, and subject to hacking. An Internet service provider (ISP) may outline a protocol for limiting access to highly confidential information internally and externally.

Financial Information. In addition to business strategies, other proprietary information about the inner workings of the company should be protected as well. Although public companies must disclose certain financial information in 10-Ks and other filings with the Securities and Exchange Commission, the bulk of financial information about a company should still be kept protected. This information may include internal audits, the prices of inputs, and specific sales data.

Legal Information. Another category of internal information is data about the target’s legal exposure. Such data could include law firm memoranda on litigation strategy and responses to regulators, as well as information that was disclosed in discovery.

Internal Communication. Some information that may not appear to be valuable is also subject to breach. As the world learned through the Sony hack in 2014, data thieves may find value in internal communications of media companies in order to embarrass a company. One measure that an ISP may put in place to limit exposure of internal communications is automatic deletion of emails after a set amount of time.


Employee Data. Personal data about employees must be protected from breach. These include names, social security numbers, addresses, family information, and salary information.

User-Generated Content. Media platforms typically allow users to retain the rights of any content they post to the site. For example, the terms of service of social media sites such as Facebook and Twitter expressly state that the user retains the rights in all content submitted to the sites. Even though a company may not own the copyright of user-generated content, these data are still a valuable resource for learning about customers.

Metadata. In the media and entertainment industries, metadata plays a very large role in enabling a company to monetize its copyright assets such as photographs, videos, TV shows, movies, songs, and articles. Metadata is data that describes content. It can be data that describes what is happening in the media asset or IP rights information detailing what the company can do with the content. Metadata can even include financial information, such as royalties that have been paid relating to a given piece of content.

B. Aggregated Data

Although raw data is not protected by copyright, aggregated data can be. Accordingly, aggregated data may be more valuable than raw data and should be counted among the intellectual property assets of the seller.

1. The Copyrightability of Compilations

The Copyright Act of 1976 provides for the protection of compilations, defining a compilation as:

a work formed by the collection and assembling of pre-existing materials or of data that are selected, coordinated, or arranged in such a way that the resulting work as a whole constitutes an original work of authorship. The term “compilation” includes collective works.19

19. 17 U.S.C. § 101.


Prior to 1990, courts recognized copyrights in databases so long as the compilation of the data reflected some of the author’s own work. One such example involved an application from the National Republican Congressional Committee for registration of its donor lists, arranged alphabetically by zip code.20

This “sweat of the brow” analysis changed with the Supreme Court’s decision in Feist Publications v. Rural Telephone Service Co.21 In that case, the Court held that a white pages telephone directory was uncopyrightable because it lacked creative originality. The Court reviewed the definition of “compilation” in the Copyright Act of 1976 and noted congressional intent to overrule the sweat-of-the-brow doctrine by legislation. By defining a compilation as “a work formed by the collection and assembling of preexisting materials or of data that are selected, coordinated, or arranged in such a way that the resulting work as a whole constitutes an original work of authorship,” the Court explained, Congress specifically required originality in order for a compilation to be protected and described the elements of authorship that are protected in a compilation: the “selec[tion], coordina[tion] and arrange[ment]” of the underlying material.22 The Court held that the telephone directory at issue lacked these key elements because the selection was “obvious,” and its arrangement was “not only unoriginal, it [was] practically inevitable.”23

20. The District Court for the District of Columbia dismissed the Congressional Committee’s claims for unauthorized use of its lists because a compilation of donor facts is not copyrightable. Specifically, it noted that to find a violation of the Copyright Act would contravene the public policy of federal election laws that promoted transparency in campaign finance. On appeal, the D.C. Circuit reserved judgment on the copyrightability of the Congressional Committee’s databases until Congress had an opportunity to clarify the campaign finance public policy issue. National Republican Congressional Comm. v. Legi-Tech Corp., 795 F.2d 190, 192 (D.C. Cir. 1986).

21. Feist Publ’ns, Inc. v. Rural Tel. Serv. Co., 916 F.2d 718 (10th Cir. 1990), cert. granted, 498 U.S. 808 (1990).

22. Feist, 499 U.S. at 356–58.

23. Id. at 359.


The Feist decision ultimately narrowed the scope of the copyright protection applied to compilations. Following Feist, lower courts have typically recognized a “thin” protection for compilations. Accordingly, most of the post-Feist appellate cases have found wholesale takings from copyrightable compilations to be noninfringing. Notably, the Second Circuit has held that a defendant’s compilation would not infringe if it “differs in more than a trivial degree” from a plaintiff’s work, essentially creating a “virtual identity” standard for infringement.24 The Eleventh Circuit has created an even narrower standard, finding that copying of significant portions of copyrightable compilations was not an infringement because the material copied did not rise to the level of creative authorship.25

2. Enhancing Copyright Protection

In light of the Feist decision, owners of databases must take more precautions to ensure that their data are copyrightable. The buyer should assess the protectability of the seller’s databases. In recent years, three main strategies have emerged. Creators have “(1) sought to enhance their copyright protection by altering the structure or content of their databases to incorporate greater creativity; (2) increased their reliance on contracts to restrict the use of databases; and (3) employed technological safeguards to prevent unauthorized access and use.”26 Reflecting the jurisprudence of aggregated data, the following characteristics help make a database more likely to be protected by copyright.

24. Kregos v. Associated Press, 3 F.3d 656, 662 (2d Cir. 1993); see also Harbor Software, Inc. v. Applied Sys., Inc., 936 F. Supp. 167, 170–71 (S.D.N.Y. 1996) (applying “trivial difference test” to screen displays and reports generated by computer program, which court had previously determined to be protectable as compilations).

25. Bellsouth Advert. & Publ’g Corp. v. Donnelley Info. Publ’g, 999 F.2d 1436 (11th Cir. 1993) (en banc) (holding that defendant’s compilation of all of the names, addresses, and telephone numbers of advertisers in the plaintiff’s Yellow Pages telephone directory, along with business type and type of advertisement, did not infringe); see also Martindale-Hubbell, Inc. v. Dunhill Int’l List Co., No. 88-6767 (S.D. Fla. Dec. 30, 1994) (copying names and addresses of lawyers in the plaintiff’s directory, together with certain biographical data, was not infringing).

26. See U.S. Copyright Office, Library of Congress, Report on Legal Protection for Databases 19 (August 1997), https://www.copyright.gov/reports/db4.pdf.


Adding Copyrightable Text. Databases that feature copyrightable text have a stronger likelihood of copyright protection than ones that only feature facts. Copyrightable text may take the form of descriptive bibliographies, abstracts, profiles, or annotations connected to database entries.

Organizing the Database in a Creative Way. Database producers may increase the likelihood of copyright protection by incorporating a more subjective/original selection of facts or a more creative arrangement in their compilations. For some databases, such added value may enhance the desirability of the product. For example, Thomson Reuters’ Westlaw product adds “headnotes” that summarize cases, which provides greater usability for its case search database. In buying guides that compile lists of products, consumers may prefer a listing that “weeds out” the less desirable items from the recommended products.27

3. Data Licensing

Media companies may license data from other sources or license their own data for other companies to use. Sharing data can help companies identify who is using their product, create marketing opportunities, and help companies incorporate real-time data into products. For example, in September 2015, Bloomberg and Twitter announced that they had signed a data-sharing agreement so that Bloomberg could provide real-time tweets on Bloomberg terminals for subscribers.28 For due diligence purposes, it is important to understand whether the seller licenses its own data or uses data licensed from other companies. When reviewing data licenses, buyer’s counsel should note the following terms and conditions.

Scope of the Data. First and foremost, a data license agreement should describe and define the data in question.

27. See id. (providing guidance on enhancements that producers may add to databases to ensure protectability).

28. Bloomberg and Twitter Sign a Licensing Agreement, Sept. 16, 2015, https://www.bloomberg.com/company/announcements/bloomberg-and-twitter-sign-data-licensing-agreement/.


Restrictions on Use. Typical restrictions on use include a limitation that the data may be used only for purposes of customer service, and a limitation that the licensee may not further distribute any modified data.

Anonymization. In some contracts, the licensor restricts the recipient’s rights to “anonymized” versions of the data; that is, to data “cleaned” so that it does not include individuals’ names or other personally identifiable information.

E-discovery. In litigation, the licensor’s opposing party may have the right to discover some of the data. The license agreement should explicitly identify the parties’ obligations in the case of discovery requests.

Ownership of the Original Data. Typically, data licenses do not transfer ownership. If ownership stays put, the licensor—whether vendor or customer—should state so explicitly.

Confirming and Protecting IP and Other Rights. Data licensors should include terms confirming and protecting their ownership rights in data—terms that bolster their ownership claims as discussed earlier. The licensee should agree that: (1) the data are property of licensor; (2) the data include trade secrets of licensor; and (3) the data constitute an original compilation pursuant to U.S. copyright law.

Derivative Works. Licenses should include terms that address the creation and ownership of works derived from the licensed data. Derived data refers to: (1) new information generated through analysis and other processing of customer data; and (2) information generated through monitoring or other observation of customer’s and its end users’ use of the system. The parties should generally specify in the contract who owns derived data.

Data Security. Data security clauses govern the steps the recipient takes to protect the data from unauthorized exposure or disclosure. These steps often include technical and physical measures, such as encryption, passwords, intrusion detection software, and locked doors in server rooms. Data security clauses may also cover employee background checks, outside audits of data security procedures, internal audits and testing, penetration testing, and repair of inadequate systems.

Compliance with Laws and Policies. Licensors are often eager to make sure that license recipients comply with all applicable laws and regulations governing the handling of customer data. Any number of statutes could govern data, particularly if the data involve consumer personally identifiable information. Some laws to consider are the Health Information Portability and Accountability Act (HIPAA); the Health Information Technology for Economic and Clinical Health Act (the HITECH Act); the Fair Credit Reporting Act (FCRA); and, of course, the Gramm-Leach-Bliley Act (GLBA), as well as statutes from states with particularly strong privacy legislation, such as Massachusetts and California.

Data Breach Cooperation. Licensors often request licensees to provide notice of data breaches and to cooperate with the licensor and with law enforcement authorities. Licensors also often request that, if the recipient causes a data breach, it provide credit monitoring services to any injured consumers—usually for one year.

Indemnification. Data indemnities address third-party suits triggered by data breaches—particularly suits by government agencies and injured consumers. In some contracts, the recipient indemnifies the licensor against suits triggered by the recipient’s alleged failure to keep the data secure. In others, the licensor indemnifies the recipient against suits triggered by the licensor’s alleged failures, particularly inclusion of third-party information that should not have been part of the data, or failure to obtain proper authorization to include third-party data.

Termination. Termination provisions should identify the steps for ending the contractual agreement. The agreement should provide for the return of the data, destruction of the data, transition services, and storage.

4. Data Analytics

Data analytics is the process of examining data sets to draw conclusions that will enhance business gain. Data are analyzed to identify patterns of consumer behavior. After early adoption by the financial and technology industries, media companies have increasingly started to use data analytics. Understanding how the seller uses data analytics tools to harness its data is key to assessing the value of its data.

Data analytics tools

When performing due diligence on how a company uses data analytics, it is important to identify the tools that are used, their capabilities, and the goals of the analysis. Tools used can range from internally built, proprietary software to vendor-provided software. The buyer should assess the platforms used for their capabilities. Typical data analytics capabilities include the following.29

Business Experiments. Business experiments, experimental design, and AB testing are all techniques for testing the validity of a plan of action before undertaking it. One classic example of a business experiment is when a television company produces several pilots before selecting only the successful ones to produce. Running a business experiment is a multistep process that requires creating a hypothesis, designing the experiment, running the experiment, and analyzing the results.

Visual Analytics. Visual analytics is the ability to analyze data in a visual way (e.g., graphs). This is an integrated approach that can be used to spot patterns in data. Information that could be gleaned with visual analytics includes the geographic location of customers, the age of customers, changes to market share, and any correlations between seemingly independent variables. It is especially useful for analyzing a large volume of data.

Correlation Analysis. This is a statistical technique that allows a company to determine whether there is a relationship between two seemingly independent variables and how strong that relationship may be. Correlation analysis is most useful to test a hypothesis where there appears to be a relationship between two different factors. For instance, a retailer could use correlation analysis to identify if there is a correlation between the temperature and sweater sales. One limitation of correlation analysis is that it can only be used for numerical data sets.

29. For a comprehensive discussion of data analytics tools, including an in-depth discussion of different analytics tools, see Bernard Marr, Key Business Analytics: The 60+ Business Analysis Tools Every Manager Needs to Know (2016).

Regression Analysis. Regression analysis is a statistical tool for investigating a causal relationship between variables. In contrast to correlation analysis, regression analysis seeks to identify an actual cause between variables, as opposed to a mere correlation. For example, does a change in the price of toothpaste cause a decrease in the sale of toothbrushes? Regression analysis is also helpful in testing a hypothesis.
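The two techniques just described side by side, as an added example that is not from the book: a Pearson correlation coefficient and an ordinary least-squares regression computed over constructed temperature and sweater-sales figures that mirror the retailer scenario, with the numeric-only limitation of correlation analysis enforced. The data values and function names are assumptions of the example.

```python
"""Correlation versus regression on a constructed data set.

Added example (not from the book). The observations are made up to
mirror the retailer scenario in the text; the functions are the textbook
Pearson correlation and ordinary least-squares fit, written out with the
standard library so the arithmetic is visible.
"""
import math

# Constructed weekly observations: mean temperature (°F) and sweaters sold.
TEMPERATURE = [30, 35, 40, 45, 50, 55, 60, 65, 70, 75]
SWEATER_SALES = [120, 112, 101, 95, 80, 72, 60, 55, 41, 33]


def is_numeric_series(xs) -> bool:
    """Correlation only applies to numeric data; reject labels such as 'warm'."""
    return len(xs) > 1 and all(
        isinstance(x, (int, float)) and not isinstance(x, bool) for x in xs
    )


def _check(xs, ys):
    if not (is_numeric_series(xs) and is_numeric_series(ys)) or len(xs) != len(ys):
        raise TypeError("two numeric series of equal length are required")


def pearson_r(xs, ys) -> float:
    """Strength and direction of a linear relationship, in [-1, 1]."""
    _check(xs, ys)
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


def linear_regression(xs, ys):
    """Ordinary least squares y = slope * x + intercept; returns (slope, intercept).

    The slope is the estimated change in y per unit change in x, which is
    what a regression adds over the bare correlation coefficient.
    """
    _check(xs, ys)
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx


def predict(xs, ys, x_new: float) -> float:
    """Fit on (xs, ys) and project y for a new x value."""
    slope, intercept = linear_regression(xs, ys)
    return slope * x_new + intercept


if __name__ == "__main__":
    r = pearson_r(TEMPERATURE, SWEATER_SALES)
    slope, intercept = linear_regression(TEMPERATURE, SWEATER_SALES)
    print(f"r = {r:.3f}; sales ≈ {slope:.2f} * temp + {intercept:.1f}")
    print(f"projected sales at 80°F: {predict(TEMPERATURE, SWEATER_SALES, 80):.1f}")
```

On the constructed data the coefficient is close to -1 (strongly negative) and the fitted slope is roughly two fewer sweaters per degree, which is the kind of quantified statement a regression supports and a correlation coefficient alone does not.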

Scenario Analysis. This is a method of projection that allows a company to run several different “scenarios.” For example, a media company may want to run a scenario analysis to assess whether it should stop publishing a print copy of a publication and switch to digital only. Like running a business experiment, setting up a scenario analysis requires the development of different scenarios.

Cohort Analysis. This is a subset of behavioral analytics that allows one to study the behavior of a group, or cohort, over time. For example, a media company may wish to study cohorts of consumers of a similar age (e.g., baby boomers versus millennials) to target specific advertising.

Text Analytics. Also known as text data mining, text analytics is a process of extracting value from large quantities of unstructured text data. Text analytics is a particularly helpful tool for social media companies, which can use it to comb through user-generated text submissions to understand trends in user interests.

Sentiment Analysis. Sentiment analysis, also known as opinion mining, seeks to extract subjective opinion or sentiment from text, video, and audio data. For instance, one way of gauging an audience’s opinion is to assess their real-time reactions during a film. The basic aim is to determine the attitude of an individual or group regarding a particular topic or overall context.


Image Analytics. Image analytics is the process of extracting information, meaning, and insights from images such as photographs, medical images, or graphics. Like text analytics, this tool can be harnessed by social media companies to analyze their users’ submissions.

Data analytics objectives

It is also important to understand the objectives underlying the seller’s data. Media companies primarily use data analytics to gain insight into their audiences. Some common goals of data analytics are as follows.

Consumer Profiles. Proper use of data analytics can give media companies a thorough understanding of their customers. Analytics can help companies identify the gender, age, geographic location, professions, and household income of their customers. Knowing what customers buy or shop for, what social media platforms they prefer, and what they are most likely to eat allows these companies to build personalized connections that enhance the customer’s experience.

Targeting Advertising. By using data analytics to gain a clear and precise understanding of their customers’ personal preferences, media companies can carry out highly targeted and personalized promotions featuring relevant content and offers.

Personalized Recommendations. Analytics tools allow media companies to make content recommendations in real time. Companies such as Spotify, Amazon Prime, and Netflix30 have all used data analysis to provide their users with recommendations even before the user has finished the current consumption.

V. Online Privacy Considerations

The purpose of this section is to cover what policies a company has, or should, put in place regarding the collection and protection of data that it accumulates online.

30. Natalie Burg, Your Company Can See the Future with Predictive Analytics, Forbes (Mar. 26, 2014), https://www.forbes.com/sites/sungardas/2014/03/26/your-company-can-see-the-future-with-predictive-analytics-2/#4cdf047b63e9.


A. Data Collection Use and Practices

This subsection discusses the standards governing collection and sharing of data through the Internet. More specifically, this subsection covers protocols for the collection of three types of data: (1) Payment Card Industry (PCI) standards for the collection of credit card information; (2) Federal Trade Commission (FTC) guidelines for the collection of personally identifiable information (PII); and (3) any information from children.

1. PCI Standards for Credit Card Information Collection

The Payment Card Industry Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements designed to protect account data; it applies to all entities involved in payment card processing and all other entities that store, process, or transmit cardholder data.31 The twelve PCI DSS requirements are:32

1. Install and maintain a firewall configuration to protect cardholder data.

Firewalls control computer traffic between an entity’s networks and untrusted networks, as well as traffic into and out of more sensitive areas (cardholder data), within an entity’s internal trusted networks. All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee email access, dedicated connections such as business-to-business connections, via wireless networks, or other sources.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

31. Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures, version 3.2 (April 2016), https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1489510036218.

32. Id.


Hackers (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems.

3. Protect stored cardholder data.

Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, the data are unreadable and unusable to that person without the proper cryptographic keys. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities.

4. Encrypt transmission of cardholder data across open, public networks.

Sensitive information must be encrypted during transmission over networks that are easily accessed by hackers. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of hackers, who exploit these vulnerabilities to gain privileged access to cardholder data environments.

5. Protect all systems against malware and regularly update anti-virus software or programs.

Malicious software, commonly referred to as malware—including viruses, worms, and Trojan horses—enters the network during many business-approved activities, including employee use of email and the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.

6. Develop and maintain secure systems and applications.

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.

7. Restrict access to cardholder data by business need to know.

To ensure that critical data can be accessed only by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the smallest amount of information needed to perform a job.

8. Identify and authenticate access to system components.

Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes. The effectiveness of a password is largely determined by the design and implementation of the authentication system—in particular, how frequently password attempts can be made by an attacker and the security methods to protect user passwords at the point of entry, during transmission, and while in storage.

9. Restrict physical access to cardholder data.

Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hard copies, and should be appropriately restricted.

10. Track and monitor all access to network resources and cardholder data.

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, and minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.

11. Regularly test security systems and processes.

Vulnerabilities are continually being discovered by hackers and researchers and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure that security controls continue to reflect a changing environment.

12. Maintain a policy that addresses information security for all personnel.

A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it.
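How the protection methods named under requirement 3 (truncation, masking, and hashing of stored cardholder data) look in code, as an added Python example that is not from the PCI Security Standards Council documents or from the book. It assumes a merchant keeping a card on file for repeat purchases; the test PAN is a constructed number that merely passes the Luhn check, the HMAC key is a placeholder, and the choice of a keyed hash for duplicate detection is the example’s own design decision.

```python
"""Storing cardholder data: truncation, masking, and keyed hashing.

Added example (not from the PCI SSC or the book). It assumes the merchant
keeps a card on file and shows what a stored record may contain: a
truncated PAN for display, a keyed hash for duplicate detection, and
never the full PAN or the security code. The PAN is a constructed test
number; the key is a placeholder.
"""
import hashlib
import hmac

TEST_PAN = "4111111111111111"              # constructed test number, not a real card
PAN_HASH_KEY = b"placeholder-key-held-in-hsm"  # assumption: real key lives in an HSM/KMS


def luhn_valid(pan: str) -> bool:
    """Checksum test; rejects mistyped numbers before anything else happens."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                     # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_pan(pan: str) -> str:
    """Last four only: enough for a customer to recognize the card."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_reference(pan: str, key: bytes = PAN_HASH_KEY) -> str:
    """Keyed hash used to detect a re-added card without storing the PAN.

    PANs have little entropy (the first six digits identify the issuer and
    the last is a checksum), so an unkeyed SHA-256 could be brute-forced;
    an HMAC with a secret key is used here instead (this example's choice).
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(pan: str, expiry: str, cvv: str) -> dict:
    """Build the only record that may be persisted.

    The CVV is consumed for the authorization and deliberately never
    becomes part of the return value.
    """
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    del cvv                                # security code is never stored
    return {
        "pan_truncated": truncate_pan(pan),
        "pan_ref": pan_reference(pan),
        "expiry": expiry,
    }


def record_is_clean(record: dict, pan: str, cvv: str) -> bool:
    """Pre-write check: the full PAN appears nowhere and no field equals the CVV."""
    values = [str(v) for v in record.values()]
    return all(pan not in v for v in values) and all(v != cvv for v in values)


if __name__ == "__main__":
    rec = store_card(TEST_PAN, "12/29", "123")
    print(rec)
    print("display:", mask_pan(TEST_PAN), "clean:", record_is_clean(rec, TEST_PAN, "123"))
```

During diligence the useful question is not whether a seller “encrypts card data” but which of these forms each system actually holds; a record shaped like the one above lets the full PAN live only with the payment processor, which shrinks the environment that the twelve requirements must cover.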

Continuous monitoring and enforcement of the controls specified in these twelve PCI DSS requirements is the best way to maximize security of cardholder data. Additionally, PCI recommends a three-step process: Assess, Remediate, and Report. First, a company should identify cardholder data by taking an inventory of IT assets and business processes for payment card processing, then analyze those processes for vulnerabilities. Next, the company should fix vulnerabilities by eliminating the storage of cardholder data unless absolutely necessary. Finally, the company should compile and submit required reports to the appropriate acquiring bank and card brands.33
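The authentication points under requirement 8 (a unique ID per person, protecting stored passwords, and limiting how often guesses can be made) in one small Python user store, as an added example that is not from the PCI Security Standards Council or from the book. The in-memory table, the injectable clock, the PBKDF2 iteration count and the five-attempt lockout policy are all assumptions of the example rather than PCI-mandated values.

```python
"""Password verification with per-user salted hashing and attempt throttling.

Added example (not from the PCI SSC or the book). Assumptions: a small
in-memory user table, an injectable clock for the lockout logic, and
illustrative policy numbers for iterations and lockout.
"""
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5       # illustrative policy, not a PCI value
LOCKOUT_SECONDS = 15 * 60     # illustrative policy, not a PCI value


class UserStore:
    def __init__(self, iterations: int = 600_000):
        # PBKDF2-HMAC-SHA256; the iteration count is what makes offline guessing slow.
        self.iterations = iterations
        self._users = {}      # user_id -> record; one record per person (unique ID)

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def add_user(self, user_id: str, password: str) -> None:
        if user_id in self._users:
            raise ValueError("user IDs must be unique")        # one ID per person
        salt = os.urandom(16)                                  # per-user random salt
        self._users[user_id] = {
            "salt": salt,
            "hash": self._derive(password, salt),              # never the password itself
            "failures": 0,
            "locked_until": 0.0,
        }

    def authenticate(self, user_id: str, password: str, now=None) -> bool:
        now = time.time() if now is None else now
        rec = self._users.get(user_id)
        if rec is None:
            # Spend comparable time for unknown IDs so the response time does
            # not reveal whether an account exists.
            self._derive(password, b"\x00" * 16)
            return False
        if now < rec["locked_until"]:
            return False                                       # throttled: no hash, no attempt
        candidate = self._derive(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):       # constant-time comparison
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS       # limits guess rate
            rec["failures"] = 0
        return False

    def is_locked(self, user_id: str, now: float) -> bool:
        rec = self._users.get(user_id)
        return rec is not None and now < rec["locked_until"]


if __name__ == "__main__":
    store = UserStore()
    store.add_user("ops-user-01", "correct horse battery")
    print(store.authenticate("ops-user-01", "correct horse battery"))   # True
    print(store.authenticate("ops-user-01", "guess"))                   # False
```

The three properties the requirement describes map onto three lines: the per-user salt and slow derivation protect the password while in storage, the constant-time comparison protects it at the point of verification, and the lockout bounds how frequently attempts can be made; transport protection is requirement 4’s job and is assumed to sit outside this store.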

2. FTC Guidelines for PII Collection

In performing necessary business functions, most companies retain sensitive personal information that identifies employees or customers. This information may include names, social security numbers, birthdates, addresses, and/or other data. If this information is leaked, the breach can not only allow fraud or identity theft to employees and customers, but it can also lead to liability for the company, negative publicity, and an overall loss of trust. The FTC suggests that a sound data security plan is built on five key principles:

33. How to Secure with the PCI Data Security Standard (2017), https://www.pcisecuritystandards.org/pci_security/how.

• Take Stock. In other words, know what personal information you have in your files and on your computers;

• Scale Down. Keep only what you need for your business;

• Lock It. Protect the information that you keep;

• Pitch It. Properly dispose of what you no longer need; and

• Plan Ahead. Create a plan to respond to security incidents.34

34. Federal Trade Commission, Protecting Personal Information: A Guide for Business (Oct. 2016), https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business.

First, it is helpful to have the resources to hire an in-house IT team to take an inventory of all equipment in or on which sensitive data is, or may be, stored. Here is another useful place for the company to keep a spreadsheet inventory of the information stored by type and location. The IT team should also work with the sales and accounting teams on information stored through transactions, with the human resources office on employee data, and even with outside services providers to find out who sends and receives sensitive data to and from the company. It is also important to know what employees, and outside vendors and contractors, have access to this information and how the company can be safeguarded through initial engagement agreements with such persons. It behooves a company to take these precautions to stay compliant with statutes such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act.

Second, information that is not necessary should not be retained or even gathered in the first place. “Use Social Security numbers only for required and lawful purposes—like reporting employee taxes, not as an employee or customer identification number, or because you’ve always done it.”35 If the company develops a mobile application (app), ensure that the developer makes the app in a way so that it does not retain data it does not need. As stated earlier, credit card information should not be retained unless it is necessary. As an alternative, require that customers reenter the last four digits, the expiration date, and the security code each time this stored card is used.

Third, “the most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers.”36 Paper files should be securely locked, with a record of who may access such files. Electronic security is not the responsibility of the IT team alone: liabilities may also be imposed on other employees, including the chief executive officer and even the general counsel.

Companies should also retain experts in the field to track any chance of breach. Sensitive data should not be stored on a computer with an Internet connection unless it is essential to the business, and it should be encrypted not only when sent to third parties over email and public networks but also when stored on your computer.

Some additional tips provided by the FTC are to regularly run anti-malware programs, check expert websites (such as www.us-cert.gov) to keep track of new vulnerabilities, restrict employees’ ability to download unauthorized software, disable unneeded services, and use a Transport Layer Security (TLS) encryption system when receiving or transmitting sensitive data. Additionally, devices should be password protected and require authentication; laptops should be given only to those employees who require them for their job functions; firewalls should be used to deter hackers; the company’s network should limit the wireless devices that can connect to it; and digital copiers’ hard drives should be protected.

35. Id.

36. Id.


Despite all precautionary measures, breaches can still occur. However, the liability and damage can be limited by catching a breach early on. The FTC suggests that to detect network breaches when they occur a company should use an intrusion detection system, which should be updated frequently to address new types of hacking. The documents retained of the data and their locations will be useful in knowing which devices have been compromised and the incoming traffic of new users that might be conducting the hack. Employees should also be trained to respond effectively to such hacks. In addition, the human resources department should be required to conduct background checks on employees who will have access to sensitive data, and a record should be kept of their access to identify internal hacks. In their initial engagement agreement, service providers and third parties should also be required to monitor and notify the company of any security incidents, even if the incidents may not have led to an actual compromise of sensitive data.

By properly disposing of sensitive information, a company can ensure that the information cannot be accessed or reconstructed. Reasonable measures for an operation are based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology. If you use consumer credit reports for a business purpose, you may be subject to the FTC’s disposal rule.37

A company can reduce the impact of a breach on its business, employees, and customers by having a plan in place to respond to breaches and by designating a senior staff member to implement that plan. In the event of a breach, immediately disconnect compromised devices and close off existing vulnerabilities; most important, know whom to notify in the event of a breach, both inside and outside the company. You may need to notify consumers, law enforcement, customers, credit bureaus, other businesses that may be affected, and state and federal bank regulatory agencies that have laws or regulations addressing data breaches.

37. Id.


3. FTC Guidelines for Collection of Information from Children

The Children’s Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. § 6501 et seq., prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children (under age thirteen) on the Internet.38 Essentially, COPPA gives parents control over what information websites can collect from their children, puts additional protections in place, and streamlines other procedures that companies covered by the rule must follow.39 The FTC sets forth a six-step compliance plan for companies to determine if they are covered by COPPA and how to comply with it.

First, COPPA only applies to operators of websites and online services that collect personal information from children. You must comply with COPPA if:

• Your website or online service is directed to children under the age of thirteen and you collect personal information from them and/or you let others collect personal information from them;

• Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under the age of thirteen; or

• Your company runs an ad network or plug-in, for example, and has actual knowledge that you collect personal information from users of a website or service directed to children under the age of thirteen.40

In addition to standard websites, “website or online service” also includes, inter alia, mobile apps that send or receive information online, Internet gaming platforms, plug-ins, and advertising networks. The FTC also looks at a variety of factors to see if a site or service is directed to children under thirteen, including the subject matter of the site or service, visual and audio content, the use of animated characters or other child-oriented activities and incentives, the age of models, the presence of child celebrities or celebrities who appeal to kids, ads on the site or service that are directed to children, and other reliable evidence about the age of the actual or intended audience.41

38. Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. ch. 91, § 6501 et seq.

39. Federal Trade Commission, Children’s Privacy, https://www.ftc.gov/tips-advice/business-center/privacy-and-security/children%27s-privacy.

40. Federal Trade Commission, Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business (July 2013), https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance.

Personal information means individually identifiable information about an individual collected online, including name, address, user name, telephone number, social security number, photograph, geolocation, or information concerning the child or parents that is combined with an identifier.42 Your company is collecting information if it requests, prompts, or encourages the submission of information (even if submission is optional); lets information be made publicly available; passively tracks a child online; or collects information through an ad network or plug-in.

A company is required to post a privacy policy that complies with COPPA and comprehensively describes how personal data are handled. The notice must describe the company’s practices, as well as those of third parties. The notice must include a list of all operators collecting personal information, a description of the personal information collected and how it is used, and a description of parental rights.

A company is required to notify parents directly before collecting personal information from their children, and if the company makes a material change to the practices that the parents previously agreed to, it has to send an updated direct notice. The notice must tell parents: that the company collected their online contact information for the purpose of getting their consent; the company wants to collect personal information from their child; that their consent is required for the collection, use, and disclosure of the information; the specific personal information the company wants to collect and how it might be disclosed to others; a link to the company’s online privacy policy; how parents can give their consent; and that if the parent does not consent within a reasonable time, the company will delete the parent’s online contact information from its records.43

41. COPPA § 312.2.

42. COPPA § 312.2.

The company must get parents’ verifiable consent before collecting information from their children. The company is permitted to determine the method by which to go about doing this. However, the method used should ensure that the person giving the consent is the child’s parent. If a company plans on using a child’s personal information for internal purposes only and not disclosing such information, it may use a method known as “email plus,” in which it would send an email to the parents and have them respond with their consent, which the company must specify that they can revoke at any time. The company must then send a confirmation to the parents via email, letter, or phone call. Note that COPPA does contain some narrow exceptions to this rule.

The company must honor parents’ ongoing rights with respect to information collected from their children even if parents have previously consented. If parents ask, the company must give them a way to review the personal information collected from their child, give them a way to revoke their consent and refuse the further use or collection of personal information from their child, and delete their child’s personal information.44

The company must implement reasonable procedures to protect the security of children’s personal information. The procedures required here are similar to those discussed earlier: a company should minimize what it collects; keep track of what information it, and third parties, retain; and properly dispose of information that is not necessary.

43. Federal Trade Commission, Children’s Online Privacy Protection Rule, supra note 40.

44. Id.


B. Website Privacy Policies

A privacy policy is a statement that discloses the ways in which the owner of a website collects, uses, distributes, and maintains a user’s data. Such statements are legally required when the website is directed to children under the age of thirteen, knowingly collects personal information from children under the age of thirteen,45 or interacts with users living in one of the states that has passed a law requiring website operators to publish privacy policies (this includes large states such as California). When diligencing the seller’s privacy policies, counsel should ensure that they comply with applicable laws and also reflect the company’s actual practices.

1. COPPA

Although there is no federal law that requires websites to display a privacy policy in all cases, the Children’s Online Privacy Protection Act requires a privacy policy to be displayed on sites that knowingly collect information about, or target, children under age thirteen. Specifically, the COPPA rule applies to operators of commercial websites and online services (including mobile apps) directed to children under thirteen that collect, use, or disclose personal information from children, and operators of general-audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under the age of thirteen. The COPPA rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.

A COPPA-compliant privacy policy must note the following:

• That the operator has collected the child’s online contact information from the child in order to provide multiple online communications to the child

45. These guidelines are laid out in the Children’s Online Privacy Protection Act, 15 U.S.C. § 6502.


• That the operator has collected the parent’s online contact information from the child in order to notify the parent that the child has registered to receive multiple online communications from the operator

• That the online contact information collected from the child will not be used for any other purpose, disclosed, or combined with any other information collected from the child

• That the parent may refuse to permit further contact with the child and require the deletion of the parent’s and child’s online contact information, and how the parent can do so

• That if the parent fails to respond to this direct notice, the operator may use the online contact information collected from the child for the purpose stated in the direct notice46

The FTC is responsible for enforcing COPPA. A court can hold operators who violate the rule liable for civil penalties of up to $40,654 per violation. The amount of civil penalties a court assesses may turn on a number of factors, including the egregiousness of the violations, whether the operator has previously violated the rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether the information was shared with third parties, and the size of the company.47

2. California Privacy Law

Because media companies often conduct business in California, they will likely need to comply with the requirements of California’s Online Privacy Protection Act (CalOPPA). Many practitioners see CalOPPA as a de facto national privacy policy law, because it applies to any commercial website or online service in the country as long as that site or service collects personal information on California residents.

46. 16 C.F.R. § 312.4(d).

47. Federal Trade Commission, Complying with COPPA: Frequently Asked Questions, https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions.

CalOPPA requires operators of commercial websites or online services that collect personal information on California residents through a website to conspicuously post a privacy policy on the site and to comply with that policy. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with which the operator may share the information. The privacy policy must also provide information on the operator’s online tracking practices.

An operator is in violation for failure to post a policy within thirty days of being notified of noncompliance, or if the operator either knowingly and willfully or negligently and materially fails to comply with the provisions of its policy. In 2012, the state of California brought its first enforcement action under CalOPPA by suing Delta Airlines.48 The complaint alleged that Delta’s mobile app “Fly Delta” collected personal information from California residents who downloaded it, including telephone numbers, email addresses, and frequent flyer numbers, without providing a privacy policy.49 The state sought statutory penalties of $2,500 for each time the allegedly noncompliant mobile app was downloaded by a California resident.50 The suit was filed in California state court. On appeal, though, the California Court of Appeals dismissed the case as preempted by the federal Airline Deregulation Act of 1978.51

3. Other Considerations

CalOPPA requires that a privacy policy be “conspicuously posted” on a website. A privacy policy may be considered conspicuously posted if the website’s home page contains an icon or text link that includes the word “privacy” and is linked to the privacy policy. Another way a privacy policy can be conspicuously posted is if the text link to the privacy policy is either written in capital letters that are at least the same size as the surrounding text or is otherwise written in a way that calls attention to the link. In the case of a mobile app, a link posted to the privacy policy on the application’s platform page is helpful so that users can review the policy before downloading the app. The California Attorney General’s Office guide also recommends providing copies of the policy in languages other than English, and including graphics or icons.52

48. Cal. Attorney General Press Office, Attorney General Kamala D. Harris Files Suit Against Delta Airlines for Failure to Comply with California Privacy Law, (Dec. 6, 2012), https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-files-suit-against-delta-airlines-failure.

49. Id.

50. Id.

51. People ex rel. Harris v. Delta Airlines, Inc., 202 Cal. Rptr. 3d 395, 397 (Cal. Ct. App. 2016).

C. Terms of Use

Terms of use, sometimes known as terms of service, are terms and conditions that a customer must agree to in order to use a service. When conducting due diligence on a seller, it is important to evaluate the seller’s terms of use (TOUs). In contrast to a privacy policy, terms of use are not regulated by the state. Instead, the purpose of a terms-of-use statement is to provide a contractual license between the user and the company to ensure appropriate safeguards for both parties. Important topics to be covered by a terms-of-use agreement are discussed here.

Authorization. The TOUs should first establish who has the right to use the service. If the seller permits users to establish accounts, the terms should specify that by agreeing to use the website the users are agreeing to abide by a legal contract. Typically, this provision also stipulates that by agreeing to the TOUs the user represents that he or she is at least thirteen years old.

Prohibited Conduct. TOUs should clearly identify prohibited conduct through the website. Types of prohibited conduct include: impersonation and misrepresentation; selling, transferring, copying, modifying, or making derivative works from the content on the website; using the website to export software or data in violation of applicable U.S. laws or regulations; obtaining or attempting to gain unauthorized access to other computer systems or materials through this website; and circumventing or reverse engineering any software in order to compromise the website.

52. See Kamala D. Harris, Making Your Privacy Practices Public, 10 (May 2014), https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf.

Intellectual Property. This provision should articulate the ownership of the intellectual property on the company website. The provision should first define what is considered intellectual property. It should clarify that all content that is not produced by users is the property of the company or third parties. The provision should limit users to viewing and displaying the content on a single computer or device, and to downloading and printing copies of the content only for non-commercial, informational, personal use, without modification or alteration of any kind.

User Rights. The TOUs or terms of service should expressly note that users retain the copyright to any user-generated content. In addition, the user grants the company a license to display, modify, copy, and distribute the user-submitted content.

Subscription Services. A media company may provide subscriber-only access to its content. If so, the terms of use should provide the terms of the subscription service. Considerations include whether the company uses automatic renewal, access restrictions that limit access to paid subscribers only, age and billing authorization, the subscription fee, mobile access, suspension, and termination.

Liability. The company should disclaim any liability for claims that arise from a user’s violation of the terms of use. In addition, the company could limit the liability for any claims that arise within the scope of the agreement to actual damages, such as fees paid for the services.

Compliance with DMCA. The TOUs should accurately describe the take-down and notice process required by the Digital Millennium Copyright Act (DMCA). The terms of use should identify how an individual who believes that her or his work has been infringed should notify the company through a take-down request. Such a request should include identification of the allegedly infringing material; a statement that the requester has a good faith belief that the disputed use is not authorized; and contact information of the requester. The company must also provide a mailing address for the designated copyright agent of the company.

Privacy Policy. The TOUs should, at a minimum, contain a link to the company’s privacy policy. Typically, this is because the privacy policy is quite long and should be available as its own page that can be linked from other pages of the website.

Indemnification. The terms of use should explicitly state that the user agrees to indemnify the company for any claims arising out of the user’s actions on or use of the website, online conduct, and violation of the TOUs, or other negligence.

Governing Law. As with any other agreement, a governing law provision should identify the jurisdiction where any disputes arising from the agreement should be resolved. This will typically be the state in which the company is located.

Arbitration. To ensure fairness, an arbitration clause should typically begin with a disclaimer, in capital letters, that alerts the user that this provision may significantly affect his or her rights, and thus should be read in its entirety.
